Shellshocked? Then Build the Web We Need
Tech seduces us because we're in love with the new, new thing -- the idea that the software and hardware that remade phones, shopping, communication, thermostats and grocery delivery will someday transform cars, space travel, and, for the more far out futurists, death. It's a progressive narrative in which life gets newer, faster, more connected and, well, better. It's like living in a city that innovation constantly makes richer, sleeker, and more accessible.
As we all know, though, there are myriad glitches in the Matrix.
A new security bug dubbed Shellshock reminded us late last week that our ultra-modern technopolis is built on a corroding, porous digital infrastructure; a snarl of ancient connective pipes from which, sooner or later, problems will and must emerge. Stand atop any Midtown Manhattan skyscraper and it's hard to imagine that a day of snow and sleet can cripple the subway system. But, of course, it happens.
Shellshock, for those who missed it, is a security flaw that affects Bash, short for Bourne-Again Shell. Vox has a good explainer of it here, but the super-short, super-simple version is that Bash is the standard way that humans and computers run commands on everything from computers and servers to security cameras and so-called smart-home appliances. Bash is used in machines that run such ubiquitous computer operating systems as Linux, Unix and Mac OS. Because of Bash's vulnerabilities, an intruder could theoretically tack nefarious commands onto the ends of good commands and then remotely steal information and take control of other parties' networks.
Shellshock has followed the pattern set by the Heartbleed bug, a vulnerability found earlier this year that let attackers steal encrypted data. (For maximum creepiness it was likened to a faulty lock that let intruders walk unseen around our homes.) When news of Heartbleed first erupted, there was panic. Then patches were released to fix it. Soon it receded into memory, along with the screaming headlines, and the public grew less frantic. Eventually, many people will forget about Heartbleed, and will also eventually forget that it still represents a very serious threat.
Perhaps the most instructive lesson we can learn from Shellshock isn't simply that we're vulnerable to the Internet to the same extent that we're dependent upon it. High-profile breaches like the Target and Home Depot credit-card hacks, endless online scams, and freakouts that emerge whenever the Web gets assaulted by a potent scavenger like Heartbleed have all already driven that point home.
Rather, Shellshock is a reminder that the Internet was originally launched on a digital foundation that hasn't substantially changed in decades -- and we're continuing to build our gleaming technopolis on top of it. It's too late, perhaps, to even roll that back and address the foundational gaps that give bugs a chance to wriggle inside networks and do their worst. And the growing importance of software to every industry in every part of the world, the vaunted Internet of Things, means that all of those old corroded pipes have flaws we have yet to discover and of which we may have little awareness. Viruses may only be known when, like a massive burst pipe beneath Sunset Boulevard, they suddenly explode into view.
Bash, for example, is 25 years old and distributed pretty much everywhere on the Web. Security researchers have described it to me like this: when these viruses pop up we're reminded of the increasing dependency of everything in tech. Instead of saying, 'This is doomsday,' we should focus on the fact that a piece of critical software can have a vulnerability for decades before anyone finds it.
Unix and Linux are too entwined and central to software innovation for us to rip all the bad stuff out and begin again. It would be like asking New York City's 8.4 million residents to find somewhere else to live while the city uproots its entire public transportation system, roads and power grid so it can start over from scratch.
In an effort to more closely scrutinize the software that has become, in effect, the Web's critical infrastructure, some professionals have called for a line-by-line code review of the underlying architecture. In the aftermath of Heartbleed, researcher Dan Kaminsky told The Information earlier this year that such a task would be substantial, expensive and necessary.
"We need to find the 1 million most important lines of code and make sure there's an ongoing effort to watch over them, not just happen upon flaws," he said. "We spend a lot of money in this country on things that are a lot less important than the underpinnings of the global economy."
Kaminsky is right, but this won't be an easy fix.
Imagine a lovely community where glorious new houses are springing up by the hour, with families rushing to buy them, move in and raise families. The community keeps expanding and, as new roads and subdivisions are built, it grows ever more populous, ever more desirable, and ever more permanent. Then a sinkhole opens, swallowing one of the houses. (OK, you don't really have to image this. Go visit Florida.) Examining the sinkholes, the community discovers that it's been building on a rickety foundation. But to replace the foundation, the families have to be moved out, the houses have to be propped up on enormous stilts, and serious spadework and renovation has to take place.
This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.
To contact the editor on this story:
Timothy L O'Brien at firstname.lastname@example.org