Hashemian Blog
Web, Finance, Technology, Running

Linux Shellshock Bash Bug Workaround

by @ 12:55 pm
Filed under: computers, hacking, internet

The warnings about the shellshock bash bug are ominous and not unfounded. This is perhaps a greater risk than Heartbleed. Here are the gory details of this bug.

To test your system for this bug run the following command from the shell:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see the word 'vulnerable' anywhere in the output, as in the screenshot below, you have the bug.

[Screenshot: shellshock bash bug test output]

Because bash is such a fundamental part of Linux/Unix, used in so many ways and so prevalent, it wouldn't be that difficult for malicious hackers to use this bug to penetrate a machine and do all kinds of bad things, including completely taking over the machine. Web sites would be the most obvious target of such attacks.

Now how to fix this. New bash versions with the bug patched have become available so users can update bash and be done. But this is not as easy to do for everyone. Some people may have older, obsolete versions of Linux, so they may not find the new patched bash version. They would need to get the source code and the patches, and then build and install it themselves. Yes, I know everyone should be on the latest version of everything, and I am guilty as charged, but let's dispense with the tarring and feathering for now.

Redhat however, in its haste and panic, had released a workaround on this page with a small block of C code that, once installed, would disable function definitions and therefore mitigate this risk. They called it dangerous because one must assume this workaround would disable a legitimate feature of bash and possibly cause system failure if it were being used. Unfortunately a while later this workaround vanished (Update: actually here is the Redhat page for LD_PRELOAD mitigation. I don't know, maybe the page never vanished at all. Just use the steps on that page then), but not before I had availed myself of it. For me, the ease and speed of its deployment made it worthy of a try. And here are the steps.

1- Put the following C code in a new file, bash_ld_preload.c.

#include <sys/types.h>
#include <stdlib.h>
#include <string.h>

/* Runs automatically when this shared object is loaded through
 * /etc/ld.so.preload (or LD_PRELOAD), before the program's main(). */
static void __attribute__ ((constructor)) strip_env(void);
extern char **environ;

static void strip_env(void) {
  char *p, *c;
  int i;

  /* Walk every "NAME=VALUE" entry of the process environment once. */
  for (i = 0; (p = environ[i]) != NULL; i++) {
    /* A value that begins with "() {" is what bash treats as an exported
     * function definition; that parsing is the hook Shellshock abuses. */
    c = strstr(p, "=() {");
    if (c != NULL) {
      /* Truncate right after "=(" so bash no longer sees a function
       * definition and never parses whatever follows it. */
      *(c + 2) = '\0';
    }
  }
}

2- Compile bash_ld_preload.c to get bash_ld_preload.so using the following command.

$ gcc bash_ld_preload.c -fPIC -shared -Wl,-soname,bash_ld_preload.so.1 -o bash_ld_preload.so

3- Copy bash_ld_preload.so to the /lib/ directory like so:

$ cp bash_ld_preload.so /lib/

4- Add the following to the file /etc/ld.so.preload on a line by itself:

/lib/bash_ld_preload.so

5- Restart all relevant services or just reboot the system to be sure.
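To see what the preloaded constructor actually does to the environment, here is an added example, not code from the original post or from Redhat, that applies the same truncation to a constructed environment array instead of the live environ, so the before/after of each entry can be inspected. The sample entries, and the names neutralize_entry, neutralize_env, neutralized_equals and demo, are assumptions made for this example. Besides the test string from above, the sample includes a legitimately exported shell function, the kind of entry this workaround also breaks, which is the side effect to keep in mind before deploying it.

```c
/* Added example: stand-alone simulation of the bash_ld_preload.c logic
 * over a constructed environment array (not the process's real environ). */
#include <stdio.h>
#include <string.h>

/* The substring the workaround keys on: a variable whose value starts with
 * "() {", which unpatched bash parses as an exported function definition. */
#define FUNC_MARKER "=() {"

/* Neutralise one "NAME=VALUE" entry in place, exactly as the workaround does:
 * cut the string right after "=(" so bash no longer sees "() {" and never
 * parses the rest of the value. Returns 1 if modified, 0 if left alone. */
static int neutralize_entry(char *entry) {
    char *c = strstr(entry, FUNC_MARKER);
    if (c == NULL)
        return 0;
    c[2] = '\0';
    return 1;
}

/* Walk a NULL-terminated array shaped like environ and neutralise every
 * function-shaped entry. Returns how many entries were changed. */
static int neutralize_env(char **env) {
    int changed = 0;
    for (int i = 0; env[i] != NULL; i++)
        changed += neutralize_entry(env[i]);
    return changed;
}

/* Copy `entry` into a scratch buffer, neutralise it, and report whether the
 * result equals `expected` (keeps callers independent of in-place edits). */
static int neutralized_equals(const char *entry, const char *expected) {
    char buf[256];
    if (strlen(entry) >= sizeof buf)
        return 0;
    strcpy(buf, entry);
    neutralize_entry(buf);
    return strcmp(buf, expected) == 0;
}

/* Constructed sample environment: the test string from the post, a normal
 * variable, and a legitimately exported shell function (the kind of entry
 * the post warns this workaround also breaks). Returns the change count. */
static int demo(void) {
    char probe[] = "x=() { :;}; echo vulnerable";
    char path[]  = "PATH=/usr/bin:/bin";
    char legit[] = "greet=() {  echo hello\n}";
    char *env[]  = { probe, path, legit, NULL };

    int changed = neutralize_env(env);
    for (int i = 0; env[i] != NULL; i++)
        printf("%s\n", env[i]);
    return changed;   /* 2: probe and legit truncated, PATH untouched */
}

int main(void) {
    return demo() == 2 ? 0 : 1;
}
```

Compile it as an ordinary program (gcc -Wall -o strip_demo strip_demo.c) and run it; the probe entry collapses to "x=(" and the exported function to "greet=(", while PATH is printed unchanged. That second truncation is the trade-off: any application relying on exported bash functions will stop seeing them once the real library is in /etc/ld.so.preload.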


There you have it. I deployed this on several machines that run various applications. It killed the bug and there were no adverse effects. That means that those machines were not using the function definition feature of bash. Of course at some point we may write code or install applications that need to use this feature and if we have forgotten about this workaround, there will be a lot of head-scratching.

So, use the above workaround at your own risk. It will probably work for you, but the best approach as always is to update your platform and of course your version of bash.

Amazon FireTV

by @ 6:10 pm
Filed under: internet, technology

So we have wireless-ready TVs, wireless-ready DVD players, Roku, Chromecast, game consoles, and who knows how many other devices attached to our TVs.

Now here comes Amazon with its amazingly innovative Fire TV that does incredible things such as, wait a second, stream videos to your TV just like any other device.

Why again do we need this device? Must be the cool logo 🙂

Was Bitcoin a Fad?

by @ 2:56 pm
Filed under: financial, internet

Remember the Million Dollar Homepage? Back then everyone thought pixel advertising was the future of web marketing. People went crazy over it, pixel sites popped up like weeds, and then the whole thing faded away like it was never there.

To me that is what bitcoin is. Sure, I have a few bitcoins and I'd like to fantasize that each will be worth a million dollars some day. But let's be real, the possibility of bitcoin fading into oblivion is so much greater. Bitcoin is nothing like gold and there are 2 reasons why it'll never achieve the success some people may dream of:

1- There may be a limited number of bitcoins that can be mined but there are no limits on how many types of crypto-currency can pop up. Everyone can come up with their own version and flood the market. There are already dozens of them out there and probably thousands vying for recognition.

2- Governments will never allow bitcoin or any other type of anarchist currency to gain real traction in their countries. It's just too dangerous to their existence. We've already seen moves by China and Europe to crack down on bitcoin. More will come if bitcoin's popularity survives.

The bitcoin fad will pass just like many others have before it. Something else will eventually come along and capture people's attention and what will be left of bitcoin will be http://en.wikipedia.org/wiki/Bitcoin.

Network Solutions, More Like Network Problems

by @ 10:16 pm
Filed under: hacking, internet

Network Solutions (netsol), the company behind domain names had a rough day today and it dragged its customers down with it. Apparently a DDoS attack knocked out their network making hosted web sites and DNS servers inaccessible. This site, while not hosted on netsol, does have its name servers hosted with them and so it had several outages while netsol was combating the attack.

I don't understand how a company like netsol could fall prey to such attacks. Netsol has been around for decades, they are the original Internic, the only domain provider back when domains were free. I'm sure they have deep pockets and lots of experts working for them. Surely they have fat enough pipes to absorb such attacks and leave plenty of capacity for their users. And to make matters worse, the company's social outlets like Facebook and Twitter were silent for hours during the outage.

Things seem to be back to normal now, but if these guys can't get it right, what hope is there for the rest of us?

The End of Cheap Domains

by @ 4:30 pm
Filed under: internet

Got an email from 1&1, the German domain and hosting company, that their domain pricing is being raised.

In order to stay competitive and continue to offer you excellent services, we need to adjust our pricing structure. The following new domain rates will be changed to $14.99/year, dependent on your individual renewal date, at earliest on 07/01/2013.

Hate it when companies sugar coat their message to justify the price gouging. Just tell us you're raising the price and STFU with the rest of the stuff. What kind of an idiot would ever believe that you're doing this for your customers?

I'd like to say that I remember the days when domains were going for $4.95/year and 1&1 was one proponent of cheap pricing. The truth however is that I remember the days when domains were given away for free by Internic, the predecessor of today's Network Solutions.

The good old days when good domain names were free and plentiful. I was too lazy and conceited to grab a few names then, like it was beneath me to take 2 minutes to register a few. How time changes one's perspective.

Amazon’s .book domain grab

by @ 7:00 pm
Filed under: internet, law, technology

I'm not sure why anyone would see any reason behind Amazon's move to hoard a bunch of gTLDs (global top level domains), other than pure greed.

In a recent open letter (PDF) to ICANN, Association of American Publishers rightfully opposed granting Amazon the control of the .book gTLD. It states:

In short, Amazon makes clear that it seeks exclusive control of the “.book” string solely for its own business purposes, notwithstanding the broad range of other companies, organizations and individuals that have diverse interests in the use of this gTLD or its second-level domains by others or themselves.

Well stated, but does ICANN or anyone else really need a protest letter to recognize Amazon's true motives in hogging as many domains as it can?

Megaupload Injustice

by @ 12:14 pm
Filed under: internet, law

So the founder of Megaupload is back with another file-sharing service. Good for him and good for the millions of would be users who use such services.

Let's reserve judgement on what Megaupload is allegedly guilty of, but one thing is for sure: American media is but a means to corrupt and bend minds and subdue society, and people pay for it on top of that.

In the US the media is used like a sedative. To many, TV, music and movies are like candy to a kid. As long as people are provided with mindless entertainment, they remain passive and controlled. Then commercialism is introduced to sway opinions and move the herd in one direction or another, much like mass hypnosis.

Stealing copyrighted material is illegal, but for the time being we have a choice not to engage in and pay for it. In the end what Megaupload is truly guilty of is giving people a tool to fritter away time with the rubbish called entertainment.

Too Small to Succeed

by @ 6:06 pm
Filed under: business,internet,web

I used to think that the Internet was the great equalizer in the business world. A small guy with programming skills and a big drive sets up a new site and offers a novel service. The service goes viral and the small guy becomes a small company and builds and expands his way to success. The small guy pulls off an IPO or gets acquired and retires to the tropics. It's a happy ending that some have indeed experienced.

But what I have learned is that without some early connections and some cash infusion the small guy can quickly and quietly wither away, no matter how much effort he puts into his novel idea and no matter how many users he attracts. He's destined for a quick failure unless he gets some serious support behind him and fast.

How do I know this? Having operated this very site for some 12 years has given me plenty of lessons to that end. I operate this site as a hobby from the corner of my condo and while the free utilities offered here have a decent number of users, which I assume find them useful, and while I never looked to this site as a means of financial success, this site is in fact too small to succeed. Take these cases:

  • For a number of years this site was hosted on various web hosting services such as 1&1 and every few months there was a warning to kick me off the service because the site was exceeding usage quotas. So, like a gypsy, I kept moving the site from one hosting company to another. A financially secure company would have had no issues paying for more resources.
  • A couple of years ago Amazon Associates (an Affiliate Network) I was using for this site accused me of cheating and shut down my account, depriving the site from a small stream of revenue. According to Amazon, I had published URL's with my associate account to other sites, violating their terms of service. URL's had in fact been copied to other sites but not by me. Page-scraping and content-stealing robots had done that. A large site most likely would have never been suspended. In my case my appeals of innocence fell on deaf ears in Amazon.
  • A few years ago I operated a URL shortening service much like tinyurl and bitly. One day a spammer used the links in a widespread spamming operation and suddenly the domain registrar, GoDaddy, cut off the domain registration claiming that it was spamvertized. It took over two months to convince GoDaddy of my innocence and get the domain back. I shut off the service promptly. This would never have happened to bit.ly or goo.gl.
  • Recently a service on this site fell victim to a Nigerian phishing operation to collect bank information from unsuspecting victims. For days my ISP hounded me about this, nearly cutting off my services. That would have never happened to a customer with deep pockets, but I ended up discontinuing the service to guard against possible service termination or potential legal consequences.
  • The latest headache came in the form of a DDoS, paralyzing this site. An outside site using one of the widget services from this site came under attack and the attack spilled over to this site causing capacity issues. I had to resort to all sorts of traffic blocking filters to partially mitigate the effects. This would have been a non-event for a larger site, but for this site it meant lengthy periods of slow performance and outages.

The Internet, a great equalizer? Hardly. Great ideas can only go so far, and without serious financial backing they are destined for failure and eventual oblivion. I can't imagine how many great innovations have died premature deaths without that all-important cash infusion.

GoDaddy is Sorry

by @ 11:31 am
Filed under: internet

Got an email of apology from GoDaddy for the outage they had earlier this week. It sure was a real pain for many and no doubt many lost business over it.

The hosting customers have received a one-month credit for their trouble. The rest, who have a domain or two with GoDaddy, only got the apology email and it was laying it on pretty thick.

We let you down and we know it. We take our responsibilities — and the trust you place in us — very seriously. I cannot express how sorry I am to those of you who were inconvenienced.

Ok, fine, he's sorry and traumatized. Now how about extending the domains for a year to go along with the words?

Amazon, Target, and Showrooming

by @ 10:47 pm
Filed under: financial, internet, law

Last week came the news that Target stores will no longer carry Amazon's Kindle readers. The bold move was basically a retaliatory reaction by Target to what is known as showrooming.

Showrooming is how Amazon encourages its users to visit various physical stores, check out or even try out various merchandise, and then go back to Amazon to order it at cheaper prices. In a sense Amazon uses the physical stores as showrooms for free, and that creates an unfair advantage in favor of Amazon.

Sure, people can visit Amazon's site too to shop around, but a page visit costs Amazon a tiny fraction of a penny, while a shopper roaming the aisles of a store, and especially inspecting and trying various items, could cost the store multiple dollars.

Target may feel good about removing Kindles from its shelves, but that maneuver will be but a blip on Amazon's bottom line. Making the playing field fair will be a tall order, but for starters Amazon should be required to collect sales taxes on all items sold. If there's heavy resistance, then stores should be exempt from collecting sales taxes as Amazon is.

Paying sales taxes on Amazon purchases will not be popular, but if Amazon is allowed to push physical stores out of business through these unfair loopholes, the result will be a monopoly, and there's little doubt that its pricing policy will not be favorable by any measure once the competition is wiped out.

© 2001-2020 Robert Hashemian   Powered by Hashemian.com