As many are explaining, one of the biggest problems with this #shellshock vulnerability is that it's in Bash, a shell that ships as a core component of most Unix and Linux systems -- which means it's everywhere, particularly in things that were built decades ago and in things that were never meant to be updated. There will be a lot of hand-wringing over this one.
But I think I have a way to address it.
It's a worn-out analogy, but bear with me here. Windows in buildings. Now, we know glass is fragile to different extents, depending on how it's made. Imagine that we had hundreds or thousands of "glass researchers" who published things like this:
"Say, did you know that a 5-pound rock can break this kind of glass?"
Whereupon business owners and homeowners say:
"Oh jeez, okay, I guess we'd better upgrade the glass in our windows."
Researchers:
"Say, did you know that a 10-pound rock can break this kind of glass?"
Business- and homeowners:
"Sigh ... all right ... it's going to be expensive, but we'll upgrade."
Researchers:
"Say, did you know that if you tap on a corner of the glass right over here that it'll break?"
Business- and homeowners:
" ... "
Researchers:
"Say, did you --"
Business- and homeowners:
"WILL YOU FOR CHRISSAKE GET A LIFE??"
Yes, glass is fragile. So is IT. We all know that. And we don't expect everyone in the world to have the same level of physical security that, say, bank vaults do.
If there's a rash of burglaries in a neighborhood, we don't blame the residents for not having upgraded to the Latest and Greatest Glass.* No, we go after the perps.
Without falling too much into the tactical-vest camp, I think we ought to invest more money and time into defending the Internet as a whole, by improving our ability to tag, find and
This is a case where expecting the world at large to defend itself against an infinite number of attacks just doesn't make sense.
*If you think it's cheap to patch, you haven't worked in a real enterprise.