Back to 28: A Heck of a Security Hole in Linux

In December of 2008, some guy made a change to a program used by almost every flavor of Linux, and he (probably he, anyway), made a simple mistake. The program is called Grub2, and it’s the part that manages the user password business. For seven years it was broken.

It turns out that due to careless programming, hitting the backspace key could cause Grub2 to clear a very important chunk of memory. Normally this would cause the machine to reboot, but if you hit the backspace key exactly 28 times, it will reboot in the rescue shell, a special feature to allow admins access to the computer when things are fairly badly broken.

In the rescue shell, one can perform all sorts of mischief on a machine, including installing spyware or just deleting everything. Yep, walk up to (almost) any Linux box, hit the backspace key 28 times, press return, and blammo. Its undies are around its ankles.

Worse, a long sequence of backspaces and characters can write all kinds of stuff into this critical memory area. Pretty much anything an attacker wants to write. Like, a little program.

Since, (as far as I know) the attacker has to have physical access to the machine to press the keys or attach a device that can send a more complex key sequence automatically, most of the world’s Linux-based infrastructure is not directly at risk — as long as the Linux machines people use to control the vast network are well-protected.

The emergency patches have been out for a couple of weeks now, so if you use Linux please make sure you apply it. The change comes down to this: If there’s nothing typed, ignore the backspace key. Magical!

You can read more about it from the guys who found it: Back to 28: Grub2 Authentication 0-Day. It’s pretty interesting reading. The article gets steadily more technical, but you can see how a seemingly-trivial oversight can escalate to dire consequences.

The lesson isn’t that Linux sucks and we should all use OpenBSD (which is all about security), but it’s important to understand that we rely on millions and millions of lines of code to keep us safe and secure. Millions and millions of lines of code, often contributed for the greater good without compensation by coders we hope are competent, and not always reviewed with the skeptical eye they deserve. Nobody ever asked “what if cur_len is less than zero?”

The infamous Heartbleed was similar. Nobody asked the critical questions.

Millions and millions of lines of code. There are more problems out there, you can bank on that.

Impressions of Lion

So just to be clear, even though I work for Apple I have no special access to the plans of the hardware and OS guys. If I did have access, I wouldn’t be able to post speculations like these. All this is the same guesswork you can do if you stop and look at your operating system as it evolves.

Last night I installed the latest Mac operating system (‘Lion’) on my work machine. We’ll see how that goes before I put it on anything more important. A couple of things struck me immediately, however, that I think may be indicators of where Apple is heading.

1) No scroll bars. Well, barely. There’s something scrollbar-like that appears when you move stuff around, but there’s a fundamental shift in the UI going on here. In the past you worked the thumb on the scrollbar to move the content in its window. When you worked the scroll wheel on your mouse, you were in your mind moving the scrollbar thumb. Now, in your head you grab the content of the window and move it around – which goes in the opposite direction as the scroller thumb. So the wheel on your mouse works ‘backwards’ in Lion; before you were moving the scroll thumb down, now you’re moving the content down, which moves the thumb up.

Opinion: I’m ok with this overall, but there are times when there is no indication that you can scroll. There are also cases where there’s no indication that the corner of a window can be dragged to resize the window. I’m not comfortable with designs that presuppose you know stuff.

2) Bold prediction: the magic mouse is Apple’s last major mouse. It’s a mouse/touchpad hybrid, bringing people closer to the touchpad replacement. The company that brought the mouse to the consumer will also be the first to take it away. Interestingly, the company that only put one button on its mouse will be hanging its hat on a very complicated set of finger gestures and combinations. They can do a hell of a lot, and they’re intuitive, if you already know them. (I just accidentally discovered the gesture for switching tabs in my browser — only, shit! It’s not switching tabs, it’s like using the back arrow. And there’s a bug! I almost lost this entire episode!)

Opinion: with the iPad and whatnot, multiple-finger user interfaces are here. I should have applied for a patent fifteen-plus years ago when I thought about making touch screen interfaces with actual knobs to turn and stuff like that. If I’d had this blog back then it would have shown up in the Get-Poor-Quick pages. But I didn’t, and now that invention belongs to other people. Because they built it, and I only talked about it.

Apple’s Latest Security Update

Mention Viruses to a Mac user and the response will often be… well, smug. Many Mac users believe that viruses and other malicious software are a Windows problem. Apple hasn’t done much to discourage that notion, not even to warn users when real threats are afoot.

Recently someone launched a bit of malware targeted directly at Macs. The program would lurk on Web sites (I think that’s where it came from, anyway), and flash up a message “Your computer is infected with a virus! Download our software to clean it up!” The software to install had a noble, protective-sounding name. People followed the instructions, and infected their own machines. Before long a couple similar threats appeared, including a much worse one that required less participation by the owner of the computer.

Now, it could be argued that only an idiot would fall for something like this. I occasionally see alerts that my windows computer is infected and I must download something to fix it — even though I’m on a mac. You don’t have to be around the Internet very long to learn not to trust strangers. Unfortunately, there are a lot of idiots, and even more newbies who have not learned that hard lesson.

A couple of days ago at work I got an email addressed to all Apple employees telling them not to fall for “Scareware”. The evil had been circulating for a month or more before Apple even alerted its own employees about the threat. Yesterday Apple released a security update that removes this particular family of bad guys and takes some measures to make similar attacks more difficult in the first place.

But there’s one thing no virus protection can do: prevent the user from giving permission to dangerous software to run on their system. Once the user says the software is OK, that’s it. Mac users’ feeling of immunity from harm could make them more gullible; they’ve never given much thought to how they would react when confronted by an urgent message like the ones in this latest outbreak.

So, fellow Mac users: Don’t be stupid! Almost as important: Put that smug attitude away. Your day is coming, sooner than you think.

Working With a Screen-Toucher

Yes, It’s true. One of the people I work with touches his computer monitor with his fingers. I never suspected that a place like Apple could harbor such people.

Today we were in a meeting discussing our project. He’s doing the database stuff; I’m concentrating on the presentation layer (see my previous rants about HTML). We were sitting side-by-side, each with his laptop open. On his screen was a dump of the data structure he was sending over to my code. “Here is the list of …”

Actually, I’m not sure what he said after that. I was staring in horror at the end of his finger, where it was pressed firmly against the surface of his screen. “Data list value array,” my co-worker said. I heard none of it. Here’s what I was thinking: Fingerprints. Photons baffled and confused. Acidic oils burning through the surface. Pixels, suffocating, twisting in agony. His screen was covered in fingerprints, the oils from countless screen-touchings built up into a layer that my eyes could no longer focus past.

“Will that work?” he asked.

“Um…” I replied. I wondered what it was that he was talking about. I wondered how he could work when his screen was—

His hand shot out, left index finger extended, directly at my screen. My lovely, lovely, screen, only three weeks out of the box — pristine, innocent of the bruising touch of errant digits. Nooooooooooo!

Perhaps it was my sharp intake of breath that interrupted the course of his rampaging digit. Perhaps he’s already aware that while touching one’s own screen is one thing, touching the screen of another is quite something else. The tip of his finger stopped just above the surface of my virgin monitor and hovered there, twitching, as he described something about something. There was a corner of my mind sending up a flare that perhaps the actual words that my co-worker spoke might be important. The signal was lost among the klaxons and Emergency Broadcast System alerts that demanded that every neuron be devoted to ongoing analysis of the motion of The Finger. The Homeland Security lobe of my brain was altering the threat level meter a dozen times per second, adjusting duct tape and adrenaline with every minute vibration of the chemical-weapon-bearing heathen on the doorstep. The threat level never dipped below ‘orange’.

After two draining seconds the threat receded. My screen, even now, does not understand the horror that nearly came to pass. (Or does it? My laptop shares an intimate network with thousands of others. Perhaps there are legends and stories that pass between them. Perhaps those other computers smile to themselves at the excited puppylike banter of my computer — “Wow! I’m running MySQL server!” — while the grizzled veterans roll their eyes. Meanwhile, the old-timers quietly admire the stoicism of my co-worker’s laptop. “Someone did that to me, I’d just kernel panic,” the headless X-serve in its air-conditioned enclosure says.)

Meanwhile, my co-worker thinks he’s told me stuff. I was sitting right there and looking where he pointed, so I must have been paying attention. I’m reasonably confident that he was speaking, I think I would have noticed if his voice stopped. Probably. He isn’t talking now, however, so he must be waiting for me to say something.

“I’ll be working on that next,” I say. “Can you send me a summary in an email?”

4