Brian Fox drove from Boston to Santa Barbara, with two tapes stashed in his trunk.
These weren’t music tapes or video tapes. They were computer tapes—two massive reels loaded with software code and data, the sort you can see spinning on furniture-sized computers in classic movies like Dr. Strangeloveand Three Days of the Condor.
The year was 1987, and as Fox drove cross-country to his new home, the tapes held a software program called Bash, a tool that Fox had built for the UNIX operating system and tagged with a license that let anyone use the code and even redistribute it to others. Fox—a high school dropout who spent his time hanging out with MIT computer geeks such as Richard Stallman—was a foot soldier in an ambitious effort to create software that was free, hackable, and unencumbered by onerous copy restrictions. It was called the Free Software Movement, and the idea was to gradually rebuild all of the components of the UNIX operating system into a free product called GNU and share them with the world at large. It was the dawn of open source software.
Fox and Stallman didn’t know it at the time, but they were building the tools that would become some of the most important pieces of our global communications infrastructure for decades to come. After Fox drove those tapes to California and went back to work on Bash, other engineers started using the software and even helped build it. And as UNIX gave rise to GNU and Linux—the OS that drives so much of the modern internet—Bash found its way onto tens of thousands of machines. But somewhere along the way, in about 1992, one engineer typed a bug into the code. Last week, more then twenty years later, security researchers finally noticed this flaw in Fox’s ancient program. They called it Shellshock, and they warned it could allow hackers to wreak havoc on the modern internet.
Shellshock is one of the oldest known and unpatched bugs in the history of computing. But its story isn’t that unusual. Earlier this year, researchers discovered another massive internet bug, called Heartbleed, that had also languished in open source software for years. Both bugs are indicative of a problem that could continue to plague the internet unless we revamp the way we write and audit software. Because the net is built on software that gets endlessly used and reused, it’s littered with code that dates back decades, and some of it never gets audited for security bugs.
When Bash was built, no one thought to audit it for internet attacks because that didn’t really make sense. “Worrying about this being one of the most [used] pieces of software on the planet and then having malicious people attack it was just not a possibility,” Fox says. “By the time it became a possibility, it had been in use for 15 years.” Today, it’s used by Google and Facebook and every other big name on the internet, and because the code is open source, any of them can audit it at any time. In fact, anyone on earth can audit it at anytime. But no one thought to. And that needs to change.
How the Web Was Built
In digital terms, Fox’s Bash program was about the same size as, say, a photograph snapped with your iPhone. But back in 1987, he couldn’t email it across the country. The internet was only just getting off the ground. There was no world wide web, and the most efficient way to move that much data across the country was to put it in the trunk of a car.
Bash is a shell utility, a black-boxy way of interfacing with an operating system that predates the graphical user interface. If you’ve used Microsoft’s Windows command prompt, you get the idea. That may seem like an archaic thing, but as the internet took off, fueled by web browsers and the Apache web server, the Bash shell became a simple yet powerful way for engineers to glue web software to the operating system. Want your web server to get information from the computer’s files? Make it pop up a bash shell and run a series of commands. That’s how the web was built—script by script.
Today, Bash is still an important part of the toolkit that helps power the web. It’s on the Mac, and virtually any company that runs the Linux operating system, the descendant of UNIX, uses it as a quick and easy way to connect computer programs—web server software, for example—with the underlying operating system.
But the lead developer of the program doesn’t work for any of these big names. He doesn’t even work for a tech company. His name is Chet Ramey, and he’s a coder at Case Western Reserve University in Cleveland. He works on Bash in his spare time.