nightdragonNFS Pretty much this. The debian servers I run got their updates earlier today, so now everything seems to be fine. That's one of the great things with these OSes, if something sketchy is found it is patched very quickly.
The biggest thing I got from this video was watching out the back window. There were bikes, buses, pedestrians and cars all sharing the same street at practically the same time and I didn't see one person try to run down a bicyclist or flip off a pedestrian. Would be lovely to live in a place like that.
You don't invoke subprocesses in shells typically, which is why this didn't really affect anything, and if you were passing user input into a shell, you were probably already vulnerable to something else.
The bug doesn't need those special characters () { :; }; that is just a minimal empty function. What the bug needs is an unnamed bash function definition; anything can be within the function. This will exploit as well:
() { printf "yay me"; }; echo "this is bad"
And for people going on about Windows/Linux/MacOSX, this is a bug in bash, so it affects MacOSX and virtually all Linuxes (server, embedded, desktop). There are Windows ports of bash, but it is very unlikely that your Windows computer has this. You would certainly know if it did. Also, this has already been patched and most popular distributions are already pushing the update.
***** That was just the expression. Wrap it up in an environment variable or whatever to test: env x='() { printf "yay me"; }; echo "this is bad"' bash -c "echo blah"
***** I was talking about the contents of the function can be anything. So many people say the bug is () { :;} which isn't necessarily true. It does not have to be an empty function, was my point.
+Mrluigifan102 it's probably the most hated language among programmers. it's also quite easy, so there are many beginners likely to make mistakes coding in php. it's responsible for lots of vulnerabilities and glitches.
Mrluigifan102 nah, it's fine if you use it properly. it does get mocked a lot, though. But then again, programmers love to bash competing languages ( java and c++/c# always mock each other, for example ).
You can check in your terminal if you're vulnerable with:
env x='() { :;}; echo vulnerable' bash -c "echo did it work?"
If you get back the word "vulnerable" then it's not patched on your system, but if you get a bash warning without the word vulnerable then you're ok, for now at least. I believe they only did a quick fix for now so it's likely we're not still entirely secure, but at least a quick fix will give them time to work on a full fix. Nice one on explaining it properly Tom!
Jaxon Flaxon Waxon Root can mean two things here. It can mean the superuser/admin/the user that can do anything on the computer, or it can mean the base of the file system tree. --no-preserve-root uses the word in the second sense.
Actually if you use PHP, you should not use command-line interfaces directly, ever. At least not if you take direct input from a user via GET or POST. What people forget is that PHP nowadays is not PHP ten years ago. it is modern, and as secure as any other language. I may be more comfortable in C and GJS, but when it comes to web stuff, I still go to PHP. It is easy to understand and what not.
sudo rm -rf /* is probably the more correct way to delete everything on Linux, because command shells are usually sane enough to block deleting the root folder itself (although not its contents). Deleting everything in the current folder is rm -rf * (and if you want to annoy friends / colleagues, sing it to the tune of Camptown Races: rm -rf *, doo dah, doo dah; rm -rf *, doo doo dah day!).
A less severe but equally perplexing command (to the uninitiated) is the fork bomb, which eats up CPU time and the process table, so eventually grinding your system to a halt in only 11 characters:
:(){ :|:& };:
Since : is the process identifier, a slightly more human-friendly version would be:
bomb() { bomb | bomb & }; bomb
Windows' command interpreter can do it in even fewer characters:
%0|%0
I could be mistaken but wouldn't the "-r" part cover everything under "/", as it's recursive? I don't understand what the benefit to using "*" would be in this context.
Sawta Shells apparently prohibit deletion of the root folder itself. However, /* deletes everything _within_ the root folder, -r covers everything in every folder under root, and -f doesn't ask if you're sure you want to screw up your system.
I still don't understand how that command "() { :;};" can make anything after a command.. Like in code injection, if you use ', it ends the string, I get that, but what does this chunk of code mean ? Can anyone explain that ?
Mokinng It was a bit much for the video, but: it's meant to define a function, which is passed over instead of just a string. That final semi-colon should mean "it's all over", but for some reason it glitches and starts processing commands again instead!
what do you think a bug is? If i make a game where you are supposed to be able to move in all directions, but when testing, you can only move right, isn't that a bug? The coding behind it does what it says, and that makes sense. It's a bug because you have an unintended result, not because of witchery
No IMHO it's not a bug. If you coded to move in the four directions, then it moves only right, then there is something wrong in your code. If you store the position in a 2-byte variable and the position exceeds 65535, then you have an exception and if you didn't catch it the program can crash, and that's a bug, an unexpected behaviour.
why does this particular set of characters act that way? What is it supposed to do? What is so special about "() { :;};" ? As far as I can tell, that would be some empty function and then a code block with what ever a colon would do and then a full stop, ending that code block with another full stop? I never used Bash so I wouldn't really know.
The Great Steve that's one method. Another is to systematically look through the code and try to find attacks that way. And yet another is dumb luck. And then it's a matter of who the person is who discovered it. Will they report it as they should or will they exploit it and never tell anybody in order to hopefully keep this exploit in as long as possible. One last variant, though hopefully a rare one, is that programmers might deliberately put in loop-holes which they then can exploit later down the line. That's harder to do with Open Source but given a large enough project and a convoluted enough bug, it might go unnoticed by others even there.
The exact thing that happens here is that Bash uses environment variables to pass function definitions to sub-shells. It uses environment variables with the same name as the function, containing the function definition in the form of '(args){code;}'. Bash's subshell then looks for environment variables that look like that, and "loads" the function by simply evaluating it. This evaluation pays no attention to the fact the variable might have been filled by something that's not another Bash shell, or there might be more than a function in there. So the string '(){:;};some_code' is equivalent to telling Bash "Hi, I'm the Bash that called you. Here's a variable containing the code for a function I want you to define." And there's more than a function in that variable. That's Shellshock. [edit] The current-best patch changes Bash to always pass functions in variables named stuff like FUNCTION_PASSTHROUGH_functionname, so Bash will never try to load a function from a variable called, say, QUERY_STRING or HTTP_COOKIE.
"()" stands for function definition (which would normally be the somewhat more familiar looking "somename()" but somename in that case is the name of the environment variable), "{}" encloses the function definition itself and ":;" is just the shortest code possible. You could write anything that's legal bash code in there but why bother. It's about what comes after the function definition so you can just get it over with. A colon in bash represents something like a command that's always true. It's a kind of no-op really. The semicolon is just the command delimiter as it is in many languages.
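The import path the two comments above describe, exercised against whatever bash is installed locally. This is an added example, not code from the video or from any of the commenters. It assumes a `bash` binary on PATH (each check answers "no-bash" otherwise); the names `zz_demo_fn` and `greet` are arbitrary. One detail worth pinning down: the patched naming scheme the earlier comment calls "FUNCTION_PASSTHROUGH_functionname" is, in shipping bash, a `BASH_FUNC_` prefix on the function name (with a `%%` suffix on current releases), and the third check below prints the name the local bash actually uses.

```shell
#!/bin/sh
# Added example: exercises the Shellshock import path on the local bash.
# Assumption: "bash" is on PATH; otherwise every check answers "no-bash".

have_bash() { command -v bash >/dev/null 2>&1; }

# The classic probe. The child is asked only to run "echo probe"; a
# vulnerable bash imports the function from $x and keeps parsing, so the
# trailing "echo vulnerable" also runs. A patched bash ignores the value
# (older patch levels print a warning on stderr, which is discarded here).
shellshock_status() {
    have_bash || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Does a plain variable whose value merely looks like a function body get
# turned into a function in the child? That is exactly the mistake Shellshock
# was: any variable, e.g. HTTP_COOKIE from a CGI request, could do this.
plain_variable_imported() {
    have_bash || { echo no-bash; return 0; }
    env zz_demo_fn='() { echo hi; }' \
        bash -c 'type zz_demo_fn >/dev/null 2>&1 && echo imported || echo not-imported'
}

# How bash really hands an exported function to a child: the definition
# travels in a variable whose name is derived from the function name. On a
# patched bash that name carries a BASH_FUNC_ prefix, so an attacker who
# controls a variable called HTTP_COOKIE can never hit the import path.
exported_function_varname() {
    have_bash || { echo no-bash; return 0; }
    bash -c 'greet() { echo hi; }; export -f greet; env' 2>/dev/null |
        sed -n 's/=() {.*//p' | head -n 1
}

echo "shellshock probe:           $(shellshock_status)"
echo "plain variable imported:    $(plain_variable_imported)"
echo "exported function variable: $(exported_function_varname)"
```

On a patched system the three lines read patched, not-imported and BASH_FUNC_greet%% (or BASH_FUNC_greet() on the very first fixed 4.3 patch level); a bash from September 2014 would print vulnerable, imported and plain greet.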
***** It's specifically the Bash shell, which is found in many (most?) Linux systems and all modern Macs. Keep your security patches up to date, on whichever system you're on, and you should be OK!
This could work on any OS, but Windows does not come with Bash and would have to have rather extensive modifications to make a system vulnerable. This mostly only applies to Linux servers that run Bash as the default command prompt.
***** Yes, but this does not mean you're 100% safe if you use Windows. Remember that most non-pc devices, like your home router, are probably using a modified version of Linux. Make sure those are up to date too.
Mostlyharmless1985 of course, i figured out a one line ditty the second i posted this.
fixbashdamnit=1 ; while [ $fixbashdamnit = 1 ] ; do sleep 10; sudo apt-get update && sudo apt-get upgrade ; done
What is the meaning of the footnote at 1:51? Where would I put the ', and what exactly does it do? It would mean that I have defined x to be a shorter string, right? Do I insert it any where within the characters () { :;}? Does the footnote mean that this kind of insertion is impossible since the program is safe against such 'code insertion'?
Tom: I'd be surprised if there isn't a self replicating attack going around the world. 2018: Wreck it Ralph 2 comes out and that's its premise. Me: Maybe they saw this video.
Tom Scott is now even recording videos while at a job interview.
Now that’s funny
Jiiiiiiiiiiiiiiiiii
Iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiuiiiiiiijiiiiiijii j it is
r/ihadastroke
@@igorino1767 i honestly dont remember watching this video or commenting at all
The shellshock bug can even make red shirts disappear.
No IMPOSSIBLE IT CANT BE
the only possible explanation
I mean, if you've watched Star Trek this isn't surprising; nearly anything can make redshirts vaporize...
@@Ithirahad thats what i was thinking
Wowwowwowwow
I got distracted by the nice busses.
They're so lovely and red!
@@marajin unlike what Tom's wearing
@@TheSupremeNugget I wasn't expecting a reply after 3 years.. but you have a good point sir
@@marajin How old are you now?
@@yougo2254 much too old. Practically a dinosaur!
"The command line is... like having a text message conversation with your computer."
...well, I'm officially a thousand years old.
Could u explain the joke
K thanks
It’s still a thing, especially if you use Linux.
I laughed out loud at that part
Also, anyone who is adept at using computers still uses the command line, even young people. That explanation specifically targets young computer novices, as to have a comprehensive explanation, he covers the weakest link
Yes, it is still a thing. But in the past there was *only* the command line, which is the difference. Today there are Graphical User Interfaces, GUIs, which make it easier for non-computer adepts to navigate and use a computer. In the past there was no such thing; you had to do everything from the command line. With the arrival of GUIs, the command line has become a thing of the past for regular computer users.
I really appreciate how, in your more techy videos, you don't talk down to people who can't code.
If you can't explain it to a five year old, you don't understand it yourself.
I agree but that's not what I meant. Not using jargon is important, but he's also very kind when he says "for those who can't code..." Not like "if you somehow don't know anything in this day..." which unfortunately a lot of educated people do.
+Joshua the Coder Or just don't understand the specific limits of 5 year olds, some of whom may not know the meaning of the word "sabotage".
I can code, but that doesn't mean I understand this code.
yus
Fake Tom Scott.
No red t-shirt.
I refuse to accept Tom Scott can possibly wear anything else.
+Jerri Kangasniemi Good call. I think we can deduce that this is some sort of elaborate scam.
Ahem, grey hoodie, ahem
I think he was just worried that he would suddenly die. Remember Star Trek: Red Shirts always die.
It's hidden, but he's wearing it.
R.I.P. hoodie :(
I never understood how a set of characters like this could do so much... I've recently been learning bash and now I understand.
alright Rhys Gregson
you should learn Powershell... now! x3
“In the beginning there was the command line and the computer” is this a new religion?
I would say it's new for a religion but it's not new as it's been around for a few decades
You could make a religion out of this
@@jebsie861 completely expected Bill Wurtz
praise the Omnisaiah! for the machine is immortal
the tom scott shrine
3:45 Gru from Despicable Me wanders in to frame in the bottom left
"I khave come to get ze gorles"
khave is not a typo
Underrated comment
@@youtubehandlesareridiculous bot pls shut the d u c k up
Oh my God for real😂😂😂
Me watching this video: Bus, bus, bus, bus, bus, bus, bus, bus, bus, bus, bus, bus, bus, bus
Bussy bussy bus bus
Um... How many?
Squirrel
Bus bus bus... blown light bulb....
Tom Scott bus
I liked the last line but it presents us with a paradox. A guy on you tube has advised us not to take our security advise from some guy on you tube.
+Eric Taylor thanks captain
+Eric Taylor That's the point.
+Eric Taylor And what about what he said before hand. "If you write code that's close to the metal". He's talking to low-level developers, not the general public.
nokizorque
Doesn't matter. He advised viewers not to take advice from people on UA-cam.
Following his advice would mean disregarding his advice.
Eric Taylor Again, that's the point. He's saying, you shouldn't take security advice from him primarily - instead, you should actually read up on it yourself, to be sure.
what's this, a suit? Not a red t-shirt with jeans? this isn't Tom, it's an imposter!
It's Liquid Tom!
Roy Unit Solidus Thomas
He's the imposter
Tom Scott was the Impostor
i love internet...
Thank you UA-cam, for telling me about a bug relevant 6 years ago, I'm still going to enjoy informal Tom Scott, but still
I thought it was a shellshock live bug
It might still be found in unupdated systems
Tom speaks in two languages simultaneously.
English, and hands.
Who comes up with these genius names like Heartbleed and Shellshock?
some nerd in their mother's basement.
But that's not true is it Alex
@@itsCh4rl1e nah it's entirely true lmao
ch4rl1e97 can confirm, am programmer, do live in mother’s basement
Cisco
No red t-shirt? You somehow lose credibility without it :P
I'm obviously kidding.. but it is jarring
Yeah, his clothes match his intellect for a change.
+Sean O'Grady Scrolled down to the comments to say just this very thing. Of course the interwebs beat me to it. Oh well.
Heh I just destroyed 666 on the like counter :P
i didn't notice until now and its actually jarring now that i see it
Tom Scott is the only person that can look less professional by switching to business formal.
"Hope you are not taking security tips from some guy on UA-cam"
**confused liveoverflow watcher noises**
Tom and Michael Reeves are the two UA-camrs who really inspired me to learn programming. After seeing and listening to them talk about what’s possible, it sparked something in me. I now have a hobby that I love, and have access to endless free resources to progress further. UA-cam is a blessing to the independent learner, and I’m thankful there are educational channels like toms around to expose people to subjects they’d otherwise never consider
ah yes, michael reeves and tom reeves. my favorite programming youtubers.
Hi Tom, please never stop posting videos like this. They're really informative, and you always make me laugh :)
"In the Beginning was the Command Line".
My favorite Neal Stephenson composition.
Thank you! I couldn't figure out why that exact sentence felt familiar.
that syntax looks very similar to the smallest BASH forkbomb, which creates a function called : that just starts another instance of itself and pipes its output to a third instance of itself. And because every instance does this you get exponentially many instances that eventually overload the computer.
It looks similar if you don't know what it actually says. Part of that is that fork bombs are intentionally written to be cryptic, making it easier to troll people with inputting it accidentally. But does
function fork_bomb() { fork_bomb & fork_bomb; }; fork_bomb
Really look that similar to shellshock still?
@@SkyyySi you're a real g
Why did UA-cam put me here 7 years after this video went out? UA-cam, go home, you're drunk!
I'm not sure why UA-cam has decided to necro this video but I'm happy it did. As a Linux teacher it amazes me how simply you can present this topic in 4 minutes.
On the subject of "rm -rf /"
Most systems make you add "--no-preserve-root" to the end, making it harder to accidentally do it.
The quintessential /g/ failure
Also probably a “sudo” at the start to make it run as admin IIRC.
/ directory is actually protected and you have to be in sudo to make any changes to it, which in turn requires you to input the password. still a major bug since it can do literally anything else outside of it.
@@waiitwhaat you can pipe password into sudo if it has the -s (or is it -S ) flag which takes the password from stdin
I did this to auto reboot. 0 security though
@@walksanator that saves your password in your bash history though. may not be a great idea
Funny that this gets recommended to me the weekend after the Log4j security issue
This must be really serious.
Even the red shirt server isn't accepting requests!
That's a hell of a lot of busses back there.
I've been to London, and that's about what some of the tourist spots looked like
I live in London and that area in London has a lot of tourism so it needs a ton of busses
Hong Kong has even more
It took me a second to realise that this was an actual comment about the background, not a linux joke
It is a serial bus 😋
Computers are like old testament gods
Lots of rules... and no mercy
Nah fam, computers are real
@@pranavlimaye get rekt justinnn
Very complicated to explain.
Explanation:
"SQL injection but then in bash"
Cue the follow up question: what is an SQL injection?
(Thanks to this video and the footnote at 1:51, I have _some_ sort of clue, but I doubt you can expect most people to know what it is.)
Right and the average reader is supposed to know what a sql injection is or even how databases work? lmfao
@@zachsilva6201 his point is that a sql injection isn't really complicated and hard to explain.
But what error leads to the bug might be harder to explain.
@@xCorvus7x basically sql injection works this way:
-On a webpage PHP uses SQL commands to get access to the database
-PHP communicates with SQL via strings (simplified: "give me that data, store that data, delete that data")
-Now the webpage maybe wants to give the visitor the ability to search for a product. So just append the user search to the SQL communication string right?
- "searching for product with the name = STOP COMMAND AND DELETE ALL DATA TABLES"
-Hmmmm fuk
@@Schoko4craft EXACTly.
_Some_ may need a *"SQL"* to your comment.😏
Last time there was a glitch caused by such an obscure string of characters, Dexter Douglas was zapped into cyberspace and turned into the Freakazoid.
"In the beginning, was the command line."
And it was good.
I love that UA-cam shows me this 7 years later.
0:58 Most implementations of rm (read: at least the GNU one) will not accept rm -rf / as is because of a security check. You would have to do rm -rf --no-preserve-root /. Although I think rm -rf /* works as well.
In most programming languages you have functions to handle command hand argument passing to the shell. It's always good to remember you should use these functions instead of exec() (or whatever it might be called).
rm -rf /* will work because bash is going to expand it out to rm -rf /tmp /dev /sys /home ... etc, so the only thing rm knows is that it was passed all the files in that glob in its execv arguments. Here's output of strace of ls * in a bash shell. It first cloned the bash shell, then execve'd it in the child:
execve("/bin/ls", ["ls", "--color=auto", "app.trc", "boot_sde.sh", "dependencies.sh", "efi-pcnet.rom", "enable_network.py", "kernel-qemu", "raspbian_16gb.img", "raspbian_16gb.img.bak"], [/* 49 vars */]) = 0
Heh, now I'm going to run rm -rf /* in a virtual machine I copied into that .img.bak file.
# ls /
bin dev home lost+found...
# rm -rf /*
# ls /
bash: /bin/ls: no such file or directory
:}
Fun thing, try this:
$ touch ./-la # dash then letters l a, the list long all arguments
$ ls *
You'll notice ls picks up -la like it was passed in as flags. There's no way for the binary to know it was passed in *. This can be used maliciously with rsync to execute a shell script.
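Both hazards raised in the last two comments, pasting user text into a command string instead of using the proper argument-passing calls, and a glob that expands into something the program reads as options, reproduced in one added example. This is not code from the video or from the commenters. It builds a throwaway directory with constructed files named foo and -l; argv_classify is a stand-in for a real utility such as ls or rsync (anything beginning with "-" is treated as an option) so the behaviour does not depend on a particular tool's option parser.

```shell
#!/bin/sh
# Added example: two ways user-controlled text ends up as shell arguments.
# Sample data is constructed here; nothing outside the temp directory is touched.

make_sandbox() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/foo"
    : > "$dir/-l"                # a file whose name looks like an option
    echo "$dir"
}

cleanup_sandbox() {
    # Guard the variable: with an empty $1 this would otherwise be rm -rf /
    [ -n "$1" ] && rm -rf -- "$1"
}

# Stand-in for ls/rsync/tar: anything starting with "-" is taken as an option.
# Like a real binary it cannot tell whether the caller typed these names or
# the shell expanded a glob into them; it only ever sees the argv array.
argv_classify() {
    opts=0; files=0
    for a in "$@"; do
        case $a in -*) opts=$((opts + 1)) ;; *) files=$((files + 1)) ;; esac
    done
    echo "$opts options, $files files"
}

# 1. Wildcard injection: "*" becomes "-l foo" before the program starts.
glob_unsafe() { ( cd "$1" && argv_classify * ); }
# Fix: anchor the glob so every expansion starts with "./" and can never
# begin with "-" (the other standard fix is a "--" before the glob).
glob_safe()   { ( cd "$1" && argv_classify ./* ); }

# 2. String-built command: the web-app pattern of pasting input into a
# command line, as a careless PHP exec()/system() call would. "$2" is the
# user's value, and the inner shell re-parses it as code.
cat_unsafe() { sh -c "cat < $1/$2"; }
# Fix: hand the value over as a positional argument; the inner shell
# receives it as data and only ever treats it as a file name.
cat_safe()   { sh -c 'cat < "$1"' _ "$1/$2" 2>/dev/null; }

d=$(make_sandbox)
echo "glob unsafe : $(glob_unsafe "$d")"
echo "glob safe   : $(glob_safe "$d")"
echo "cat unsafe  : $(cat_unsafe "$d" 'foo; echo INJECTED' | tr '\n' ' ')"
echo "cat safe    : [$(cat_safe "$d" 'foo; echo INJECTED')]"
cleanup_sandbox "$d"
```

The unsafe variants print "1 options, 1 files" and "hello INJECTED"; the safe ones print "0 options, 2 files" and an empty result, because a file literally named "foo; echo INJECTED" does not exist. The same split applies in any language: build an argv array and let the runtime exec it, never a string that a shell gets to re-read.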
rm -rf /*
works because bash changes it to
rm -rf /bin /boot /dev /etc /home /lib /media /mnt /opt /proc /root /run /sbin /srv /tmp /usr /var
Before executing it.
Chrysippus apart from windows because Microsoft is different and uses cmd with commands like del and dir
Bailey Harrison Chrysippus means they expected it to be a built in command of bash itself rather than some binary called 'rm' sitting on the hard drive somewhere.
Actually "rm -rf /" doesn't work any more. You need to add the "--no-preserve-root" switch to make rm work on the root of the directory tree. Also, you need to add sudo before that whole command to run that with highest privileges - and type your password in - otherwise it'll fail.
'rm -rf /*' there, that's a whole lot shorter. And even as less privileged user, it still will do a lot of damage.
You only need sudo if you aren't logged in as root user, and since it's mainly about servers that isn't too unlikely. And also you only need that flag if you are using the bloated GNU utils, if you instead use the plan9-unix variants the flag is obsolete
@@annie3606 Best practice these days has you never ever log in as root but always as a less privileged user. I don't even think there's a single distribution out there that still allows the root user to ssh into the machine by default. And if you have an rm implementation that does allow 'rm -rf /' I suggest to switch it for something that doesn't allow it for those edge cases where things might go wrong.
@@Hans-gb4mv Well I don't have a server rn but I definitely would never remove the plan 9 utils even on a server once i installed them, since they are faster and i highly prefer them over the GNU bloatware implementations xD
@@Hans-gb4mv True but you still can (and sometimes sadly even have to in a few but still existing cases) go the "sudo su" route.
A lot of young admins (or guys who stuck with admin duty because it is a small company) see a problem like "my user is not allowed within the log folder" and go "well time to make myself root for a minute".
And then they forget. And then they keep on being root because they use tmux or something and the thing just keeps them logged in for weeks.
And then they try something out they just copied from the internet.
P.S. if you do not know what I am talking about, usually the problem is that people want to "cd" into a folder they do not have permission for. They do not want to give themselves permission because they know that usually they do not need that. They just need it for a minute. So they try "sudo cd" which obviously does not work. So they make themselves root "just for a minute".
TLDR; why isn't "sudo cd" just a thing? Would save me so much hassle.
"... t-thanks, Tom, but I'm here for the dishwasher position. Is, uh, am I in the wrong room?"
Shellshock Live 2 Confirmed
That was already a thing and still is
Tom, just wondering if there's a reason behind the 2 camera angles when you only look towards the main camera? Haven't seen any other YouTuber do it and I'm wondering if it's like a technical trick to keep people focused or...? :)
Sarah Long Two reasons: first, it keeps people interested, and second, it means I can cover mistakes and retakes by cutting between the two angles!
@@TomScottGo I much prefer your one-take videos, far more impressive! :)
@@TomScottGo hahahaha, I feel that second reason
Wow, I'd expect that with this having happened 7 years prior, the log4j thing wouldn't have happened; these two seem very similar to me.
This really scared me... until I saw I was 6 years late
2:21 the street is being invaded by double-decker buses
2:20 that outside the window is the most British thing ever
Great video! Clear, concise and to the point as always. Keep it up Tom!
Thanks Tom. This was a good primer for the masses, and even some power users like me who understood just enough to see how dangerous it is. Here is hoping Tim and company get this fixed before 10.10. Mr. Cook, are you out there listening?
Well, an example where Linux is more vulnerable than Windows, what a time to live in...
***** However, in the case of this bug they would be right in saying that Linux is more vulnerable than Windows.
But the chances are this will be fixed reasonably quickly, and unlike windows we won't have to wait for months to get the fix included.
Also Mac
nightdragonNFS Microsoft usually patches stuff pretty fast now. They have gotten pretty serious about their security, and it does show. Notice how there are not really any more huge scale worms?
While this problem is probably easy to fix, I think people also fail to remember how servers are run in the real world. There are servers out there that have been running continuously for the past 10-15 years and have never been updated or even rebooted once. There are servers even older that have never even been updated or are simply forgotten about or unaccounted for.
Overall, this isn't a huge huge deal because most sane people would never use bash to do anything related to random users, but it is still a very good idea to make sure this is patched on your system.
nightdragonNFS
Pretty much this. The debian servers I run got their updates earlier today, so now everything seems to be fine. That's one of the great things with these OSes, if something sketchy is found it is patched very quickly.
Loved the explanation with humble jokes, without any cringey stuff from most youtubers
Being recommended this video ~7 years after it was released.
Hopefully this was fixed. XD
Wow, for a bug to go unnoticed that long, kind of amazing.
Also, on a completely different note: you look great in a suit! XD
"In the beginning...there was the command line." The secret opening line of Genesis.
While we don’t have the red shirt, we do have the red buses
Is that Gru from Despicable Me walking down the road in the background at 3:46?
The biggest thing I got from this video was watching out the back window. There were bikes, buses, pedestrians and cars all sharing the same street at practically the same time and I didn't see one person try to run down a bicyclist or flip off a pedestrian. Would be lovely to live in a place like that.
I have a class in 4 mins, this is perfect
Thanks for this explanation. You're probably the few who can give people a better understanding of what this really is.
4:16 says the guy who will later have a password manager sponsorship.
Well, a password manager is always a good idea. Although I would never trust a closed-source one.
I probably understood 10% of what Scott was talking about but 100% enjoyed it 😊
"[...] or being owned, probably with a zero because it's the internet"
- Tom Scott 2014
p0wned
@@TheSmegPod pwned :P
Look at all the advertising out of that window
2:12 Smart (or Zoopla?) really knows where to make ads.
“Getting owned, probably with a zero, because it’s the Internet” lmb0
0:20 Thank you, Neal Stephenson.
In the beginning there was nothing which exploded
When people found out about this I guess you could say they were, "shellshocked"?...
I'll see myself out...
You don't invoke subprocesses in shells typically, which is why this didn't really affect anything, and if you were passing user input into a shell, you were probably already vulnerable to something else.
He did say "It's really bad form, but they will [use a shell for subprocesses]." in the video.
7 years ago. 7years. awesome.
The bug doesn't need those special characters () { :; }; that is just a minimal empty function. What the bug needs is an unnamed bash function definition; anything can be within the function. This will exploit as well:
() { printf "yay me"; }; echo "this is bad"
And for people going on about Windows/Linux/MacOSX, this is a bug in bash, so it affects MacOSX and virtually all Linuxes (server, embedded, desktop). There are Windows ports of bash, but it is very unlikely that your Windows computer has this. You would certainly know if it did.
Also, this has already been patched and most popular distributions are already pushing the update.
***** That was just the expression. Wrap it up in an environment variable or whatever to test:
env x='() { printf "yay me"; }; echo "this is bad"' bash -c "echo blah"
***** I was talking about the contents of the function can be anything. So many people say the bug is () { :;} which isn't necessarily true. It does not have to be an empty function, was my point.
But wouldn't it be designed so that it doesn't follow the code but treats it as a string?
Your last sentence is so true. Yet I'd take your advice! Great videos, happy to have found your channel recently :)
So... Can anyone tell me what exactly is wrong with PHP (2:50)? I know, I know, I'm an idiot for not knowing this, but please bear with me.
+Mrluigifan102 It's probably the most hated language among programmers. It's also quite easy, so there are many beginners likely to make mistakes coding in PHP. It's responsible for lots of vulnerabilities and glitches.
s casino All right, then. Well, I'm probably gonna avoid doing things with it in future, then.
Mrluigifan102 Nah, it's fine if you use it properly. It does get mocked a lot, though. But then again, programmers love to bash competing languages (Java and C++/C# always mock each other, for example).
s casino Yeah, I guess that makes sense. Hope I manage to learn how to write good code at some point.
Mrluigifan102 You will, I'm sure of it.
You can check in your terminal if you're vulnerable with;
env x='() { :;}; echo vulnerable' bash -c "echo did it work?"
If you get back the word "vulnerable" then it's not patched on your system, but if you get a bash warning without the word vulnerable then you're ok, for now at least.
I believe they only did a quick fix for now so it's likely we're not still entirely secure, but at least a quick fix will give them time to work on a full fix.
Nice one on explaining it properly Tom!
"In the beginning, there was the command line"
And then the user said: Let there be light!
*the user said: "make it GUI"
@@fuseteam the user said: 'startx'
@@tiltnexus3157 the user said wayland
Whom'st made the light shalt suff'r in hell, may the dark mode triumph!
@@nullreferenceexception1448 AMEN
ad at 2:16 "smart knows where to be seen when selling"
Genius
oh, rm -rf / needs --no-preserve-root at the end of it now and requires it to be run at a root prompt (sudo)
*****
that one nerd that other nerds hate :)
Mitchell Theobald He's assuming that you are already running it as root
Jaxon Flaxon Waxon Root can mean two things here. It can mean the superuser/admin/the user that can do anything on the computer, or it can mean the base of the file system tree. --no-preserve-root uses the word in the second sense.
Kasper Guldmann I was referring to OP saying you had to type "sudo" before the command. But you are correct.
Great way of explaining it to people who know very little or nothing about code or programming. Great video!
Me, barely able to do variable print scripts with python: Haha, I understand n o t h i n g
U will!
:D
Two drums and a cymbal fall off a cliff.
You have come so far!
Time to have a look at my active projects then
The background is sooo British, I can't take it anymore
Actually if you use PHP, you should not use command-line interfaces directly, ever. At least not if you take direct input from a user via GET or POST.
What people forget is that PHP nowadays is not PHP ten years ago. it is modern, and as secure as any other language.
I may be more comfortable in C and GJS, but when it comes to web stuff, I still go to PHP. It is easy to understand and what not.
25 years, that's impressive
sudo rm -rf /* is probably the more correct way to delete everything on Linux, because command shells are usually sane enough to block deleting the root folder itself (although not its contents). Deleting everything in the current folder is rm -rf * (and if you want to annoy friends / colleagues, sing it to the tune of Camptown Races: rm -rf *, doo dah, doo dah; rm -rf *, doo doo dah day!).
A less severe but equally perplexing command (to the uninitiated) is the fork bomb, which eats up CPU time and the process table, so eventually grinding your system to a halt in only 11 characters:
:(){ :|:& };:
Since : is the process identifier, a slightly more human-friendly version would be:
bomb() { bomb | bomb & }; bomb
Windows' command interpreter can do it in even fewer characters:
%0|%0
I could be mistaken but wouldn't the "-r" part cover everything under "/", as it's recursive? I don't understand what the benefit of using "*" would be in this context.
Sawta Shells apparently prohibit deletion of the root folder itself. However, /* deletes everything _within_ the root folder, -r covers everything in every folder under root, and -f doesn't ask if you're sure you want to screw up your system.
Sawta / is a directory. rm by default doesn't remove directories. globbing /* would match every file on the system.
Excellently put together Scott.
It's pretty scary that something like that can exist for so long unnoticed
'i hope you are not taking your security advice from someone on youtube'
YOU are someone on youtube.
I still don't understand how that command "() { :;};" can make anything after it a command... Like in code injection, if you use ', it ends the string, I get that, but what does this chunk of code mean? Can anyone explain that?
Mokinng It was a bit much for the video, but: it's meant to define a function, which is passed over instead of just a string. That final semi-colon should mean "it's all over", but for some reason it glitches and starts processing commands again instead!
Except it's not a bug. It's order of operations, and works properly as defined.
What do you think a bug is? If I make a game where you are supposed to be able to move in all directions, but when testing, you can only move right, isn't that a bug? The coding behind it does what it says, and that makes sense. It's a bug because you have an unintended result, not because of witchery.
+Matthew Keen
No, IMHO it's not a bug. If you coded it to move in the four directions, and then it moves only right, then there is something wrong in your code. If you store the position in a 2-byte variable and the position exceeds 65535, then you have an exception, and if you didn't catch it the program can crash, and that's a bug, an unexpected behaviour.
Wait. I'm watching a Tom Scott video where he's not wearing a red shirt and blue jeans? I didn't know he owned any other clothes :o
You know you're damn old when you see a video with someone explaining what text commands are for a computer...
why does this particular set of characters act that way? What is it supposed to do? What is so special about "() { :;};" ?
As far as I can tell, that would be some empty function and then a code block with what ever a colon would do and then a full stop, ending that code block with another full stop? I never used Bash so I wouldn't really know.
***** No, that is the actual code.
Edit: you edited your reply :|
The Great Steve that's one method. Another is to systematically look through the code and try to find attacks that way.
And yet another is dumb luck. And then it's a matter of who the person is who discovered it. Will they report it as they should or will they exploit it and never tell anybody in order to hopefully keep this exploit in as long as possible.
One last variant, though hopefully a rare one, is that programmers might deliberately put in loop-holes which they then can exploit later down the line. That's harder to do with Open Source but given a large enough project and a convoluted enough bug, it might go unnoticed by others even there.
The exact thing that happens here is that Bash uses environment variables to pass function definitions to sub-shells. It uses environment variables with the same name as the function, containing the function definition in the form of '(args){code;}'. Bash's subshell then looks for environment variables that look like that, and "loads" the function by simply evaluating it. This evaluation pays no attention to the fact the variable might have been filled by something that's not another Bash shell, or there might be more than a function in there. So the string '(){:;};some_code' is equivalent to telling Bash "Hi, I'm the Bash that called you. Here's a variable containing the code for a function I want you to define." And there's more than a function in that variable. That's Shellshock.
[edit] The current-best patch changes Bash to always pass functions in variables named stuff like FUNCTION_PASSTHROUGH_functionname, so Bash will never try to load a function from a variable called, say, QUERY_STRING or HTTP_COOKIE.
FeepingCreature thanks. Sounds like a really subtle issue.
"()" stands for function definition (which would normally be the somewhat more familiar looking "somename()" but somename in that case is the name of the environment variable), "{}" encloses the function definition itself and ":;" is just the shortest code possible. You could write anything that's legal bash code in there but why bother. It's about what comes after the function definition so you can just get it over with. A colon in bash represents something like a command that's always true. It's a kind of no-op really. The semicolon is just the command delimiter as it is in many languages.
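A defender-side check built from the explanation above, added here as an example and not part of the thread: it flags any environment variable or header value that begins with the bash function-definition prefix and reports whether extra text follows the function body, and it contrasts that with the variable names a patched bash actually imports functions from (the shipped fix uses names of the form BASH_FUNC_name%%). The sample environment is constructed.

```python
import re

# Constructed sample CGI environment (not taken from any real server log).
SAMPLE_ENV = {
    "HTTP_USER_AGENT": "() { :;}; /bin/echo probe",   # definition plus trailing command
    "QUERY_STRING": "q=() { :;}; id",                  # prefix not at start: not imported
    "HTTP_COOKIE": "() { printf 'yay me'; };",         # definition only, nothing after
    "HTTP_REFERER": "https://example.invalid/",
    "BASH_FUNC_greet%%": "() { echo hi; }",            # how patched bash exports a function
}

# Unpatched bash imported a function from ANY variable whose value starts
# with "() {", regardless of the variable's name.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")
# Patched bash only imports from variables named BASH_FUNC_<name>%%.
SAFE_NAME = re.compile(r"^BASH_FUNC_[A-Za-z_][A-Za-z0-9_]*%%$")


def classify(value):
    """Return None (no function definition at the start), 'function'
    (a definition and nothing else), 'function+trailing' (definition
    followed by more text, the shape the thread's test commands use)
    or 'malformed' (body never closed)."""
    if not FUNC_PREFIX.match(value):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # anything other than whitespace / semicolons after the body
                rest = value[i + 1:].strip(" \t;")
                return "function+trailing" if rest else "function"
    return "malformed"


def scan_env(env):
    """Map each variable carrying a function definition to a tuple
    (classification, imported_by_old_bash, imported_by_patched_bash)."""
    findings = {}
    for name, value in env.items():
        kind = classify(value)
        if kind is None:
            continue
        findings[name] = (kind, True, bool(SAFE_NAME.match(name)))
    return findings


if __name__ == "__main__":
    for name, finding in scan_env(SAMPLE_ENV).items():
        print(name, finding)
```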
Thanks for explaining! I could not find any other good explanations.
Could we get another video like this for the log4j exploit that showed up over the weekend?
For some reason I never thought I'd see Tom Scott in a conference building wearing a suit.
Are you going to talk on this log4j exploit, since it's significantly worse.
You know there's something wrong and the world is in urgent need of information when Tom hasn't even the time to change his shirt
Shirt looks super good :D
0:18 that sound effect kinda made me expect the flight of the bumblebee song for some reason
This only works in Unix based systems right? Not windows?
Edit: Please read previous responses before replying yourself.
***** It's specifically the Bash shell, which is found in many (most?) Linux systems and all modern Macs. Keep your security patches up to date, on whichever system you're on, and you should be OK!
***** Well, people are bound to try to find a similar flaw in DOS now. Just a question of who finds it first, MS or someone else. :o
This could work on any OS, but Windows does not come with Bash and would have to have rather extensive modifications to make a system vulnerable. This mostly only applies to Linux servers that run Bash as the default command prompt.
***** Yes, but this does not mean you're 100% safe if you use Windows. Remember that most non-pc devices, like your home router, are probably using a modified version of Linux. Make sure those are up to date too.
*****
Wait... Macs are not infallible? /sarcasm ;)
I always have to watch videos like this twice bc I get distracted by the people outside not knowing they’re in a video with 1.6 million views
0:58 no it isn't, GNU rm requires --no-preserve-root option to delete the root directory.
dude. the video is 5 years old.
@@thegreatoutagesign9204 You mean it is Now() - 24/9/2014 years old... ;-}
It's like all those buses in the background were wearing red in protest of Tom not doing so XD
How's your day been
Damon Morgan Patchy.
***** I might have laughed a little bit too much when I read your reply.
Andy Faulkner
#!/bin/sh
# keep re-running the package upgrade until bash is fixed
fixbashdamnit=1
while [ "$fixbashdamnit" = 1 ]
do
sleep 10; sudo apt-get update && sudo apt-get upgrade
done
work smarter, not harder.
Mostlyharmless1985
Of course, I figured out a one line ditty the second I posted this.
fixbashdamnit=1 ; while [ "$fixbashdamnit" = 1 ] ; do sleep 10; sudo apt-get update && sudo apt-get upgrade ; done
What is the meaning of the footnote at 1:51?
Where would I put the ', and what exactly does it do? It would mean that I have defined x to be a shorter string, right?
Do I insert it any where within the characters () { :;}? Does the footnote mean that this kind of insertion is impossible since the program is safe against such 'code insertion'?
It's not a bug. Its a feature.
Tom: I'd be surprised if there isn't a self replicating attack going around the world.
2018: Wreck-It Ralph 2 comes out and that's its premise.
Me: Maybe they saw this video.