A flaw in Internet source code dates back 25 years
A bug that dates back to 1992 has recently been discovered in the open-source code that makes up the Internet. Engineers are calling the bug "shellshock" and claim that it is a major problem because hackers can use it to wreak havoc.
The origins of the internet
The foundation of the Internet was built upon a project by a young programmer from California named Brian Fox. His project was to advance UNIX and turn it into an open-source platform. Named Bash, it eventually evolved into Linux, the operating system that so much of the Internet is based on.
In the late 1980s, Chet Ramey took over as the lead developer for Bash. He believes that sometime around 1992 he wrote the faulty code that engineers now refer to as shellshock.
Approximately 25 years ago, the Internet was used by university scientists to send information back and forth. It was a safe medium free from malicious intent or nefarious individuals. The code that was used back then was never meant to become the World Wide Web. Bash was a shell program that allowed users to interface, through plain-text commands, with a computer's operating system.
Eventually engineers expanded upon Bash and through the years people added code on top of code. Computer software is a very lucrative business and companies continued in their efforts to release more applications for users to purchase. The Internet was built in the same way, with companies and individuals adding to an existing pool of data.
Developer Peter Welch wrote an essay discussing how modern-day software developers hastily add blocks of code to existing code without reviewing it for bugs or ensuring that it isn't susceptible to hacking. He claimed that programmers cut corners.
"It's less about understanding the academic value of code and more about producing the product. We've lost some safety for speed," said Welch, according to CNN.
The Internet essentially functions by sending and receiving packets of information. More emphasis is placed on the actual sending and receiving than on verifying the source. This is where hackers use their methods to spoof sources and fake sender information or fabricate fake addresses. A bug is an open door for hackers to use in these efforts.
The many eyes mistake
It was assumed that, since so many people access and change open-source code, mistakes would be spotted. Shellshock, however, was not discovered until now. The idea was that millions of eyes are on the code – so it is being checked. Bash was trusted and loaded onto millions of machines worldwide, yet its flaw slipped through the cracks. Ultimately, the oversight is a result of the world favoring speed over security.
Robert Graham, CEO of consultancy Errata Security, blogged about how shellshock is evidence that open-source software, which is reviewed by many people, can have glaring problems. He argues that people do not inspect the original code and only focus on the parts they code themselves.
"If many eyes had been looking at bash over the past 25 years, these bugs would've been found a long time ago," blogged Graham, according to Wired.com.
Today the Internet is used for everything from ordering food, buying clothes, connecting with friends and reading current news to participating in educational activities and monitoring markets. People want and expect that the machines they use and the websites they access are safe from cyber attacks. The truth is that the Internet is an evolving application that probably had several coding mistakes incorporated into it somewhere along the way.