
A tale of Hyperbole, Incompetence and Bullying

Well well well. We do live in interesting times.

This evening while checking my Google Alerts I discovered, to my great surprise, that the various global software Security Research Firms are phenomenally incompetent.

You'll love this!

Apparently, and despite all their best efforts, these so called Security Researchers have been unaware of a "High Risk", Local and Remotely exploitable vulnerability in just about every Linux and/or Unix based webserver on the entire Internet!!!! I've got screen shots to prove it!

For how long has this vulnerability been around? Would you believe 2 days? No? How about 2 weeks? No? Try nearly 5 years and probably longer! No? Pity, 'cause according to them that's the truth! Amazing, isn't it. I'll probably wear out the shift and 1 keys on my keyboard at this rate.

Internet Armageddon Comes. Behold. I am the prophet of our DOOM!

I know. I found it hard to believe myself.
These are reputable firms who surely wouldn't try and bully or browbeat a lone individual into doing their work for them. Oh no no no! And when that individual refuses to do their work for them and finds remarkable similarities between how they work and phishing attempts, and even protection racketeering, they do something really wonderful. Yup. You guessed it. If the mark doesn't come through, you carry through with the threat.

Don't do as we tell ya, kid? We burn the house down. ... We warned ya, kid. You didn't do our work for us, so here comes Mr Match and Mr Box of Firelighters. Flames everywhere.

Remarkably like protection racketeering, isn't it.

But see Dear Reader there's a twist to this tale I tell.

The company that started this issue failed in one teeny tiny little detail.

They didn't actually do any research.

At all.

Verifiably.

Yet again, incredible to believe, isn't it? I mean they stake their reputation on how good they are at researching these issues! Let me be very clear: They didn't do any background checking on their claims at all. Despite it being pretty frikken obvious to anyone even remotely competent who even tried to look.

And this is where things get bleak. If they had done even the barest amount of actual research, they would have discovered something wonderful. Something amazing. Something truly incredible.

That potentially millions of servers are also equally vulnerable. And without even trying to help protect all those millions of servers, they spill the beans. They go public. They set the Internet up for one of the biggest cracks in the history of crackerdom. It'll be mayhem. Cats and Dogs living together in harmony. Mass Hysteria. Apologies to Ghostbusters.

How can this be????? I hear you all cry.

The tale starts like this.
I have this dinky little Open Source, GPL'd project called AWFFull. It's a fork of the great Webalizer program. You all know Webalizer. It runs on heaps of webservers giving folk basic reports on how their websites are going. If you work it a bit, you can even do some quite useful web analytics with Webalizer.

I've done a number of changes that have been gradually drifting Awffull away from Webalizer over the past year or so. One of the changes has been to put in internationalisation. You know: "$ LANG=de_DE program" and "program" runs giving German output. Change LANG to en_AU and you get Australian English. Crikey!

Well in the last couple of weeks various folk using Awffull have noticed that it segfaults. Ouch. Not good. It appeared to be related to the internationalisation work.
One of the fine folk who uses Awffull, very generously submitted a patch which may not have completely fixed the entire problem, but surely showed me the way forward very nicely. I took that patch, applied it, went through and hit all like problem areas, backported another segfault I'd found in the next version which hasn't yet been released, and pushed out a new tarball.

A little advertising never hurts, so I announce the release on Freshmeat.net as well.

At no stage did I ever claim or state that this was a security issue. 'Cause it isn't. Anyone who can exploit this sucker already owns your server. It's like saying that 'cause root can "rm -rf /" that rm is a Critical Security Risk.

So how does this involve millions of webservers?

Recall how I said that AWFFull is a fork of Webalizer. Heck, even the name AWFFull gives that away: "A Webalizer Fork, Full 'o features". AWFFull. Blame Tony for coming up with the name. I just liked it. A lot. :-) The name has this going for it: Homage to its progenitor; Acronym bizarrely bent to fit; Really bad pun; Possibly even accurate in its self-description. Perfect! How could anyone not like it!?!?!

Well, it would appear that apart from the backport, all the other fixes also fix code that exists in Webalizer too. And given Brad stopped Webalizer development in approximately April 2002, that equals your 5 years. Did I mention that it's these fixes, which remarkably coincidentally would apply very cleanly to Webalizer and all its forks, that have apparently caused the fuss and hence revealed these long standing security vulnerabilities?

Did I also mention that I emailed the Awffull list stating that In My Professional Opinion there is no security weakness with this update? But somehow "the vendor" (i.e. me), without me knowing anything about my own actions, advised that it is a critical vulnerability. I must have been sleep-emailing.

So Dear Reader. Get a comfy chair. Sit yourself down and enjoy the show that's just about to begin. Internet Armageddon has arrived. Behold even.

Unless... unless these wonderful Security Researchers are talking out their behind. And what we're now seeing is their childish revenge 'cause a lone person stood up to their bullying and protection-racket-like antics.

Actually I've just remembered. See I have a really strong IT Security Background too. Nowhere near as good as these wonderful Security Researchers, but, well, you know...?

I reckon they're talking shit.

Steve
