Researchers found a major bug in Samba, a core component of many Linux and Unix systems as it controls storage and interfaces with Windows and other non-Unix things.
The issue allows a bad guy to run unapproved code uploaded remotely as a root user. Your firewall has to have the right port open, but lots of folks do that to solve a temporary need and then forget to close the port to outsiders.
So, should you have home or work Linux machines, take a few minutes and update them. This also applies to many less-obvious Linux machines such as my personal favorite, the Raspberry Pi.
Many use them as cheap controllers for home storage, media centers, home automation, etc. So don’t neglect them, folks – if they get compromised, that’s just a ticking time bomb waiting to get worse.
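A quick way to see whether a Linux box is offering Samba to other machines at all, as an added example that is not part of the original post: the function below reads `ss -H -tln` output and lists listeners on the standard SMB ports (139 and 445) that are not bound to loopback. The sample lines are constructed, and `exposed_smb` is a name chosen here.

```shell
#!/bin/sh
# Added example: list SMB listeners that other hosts can connect to.
# Input format is `ss -H -tln` (Linux, iproute2): State Recv-Q Send-Q Local Peer.

# Constructed sample of `ss -H -tln` output so the script runs offline.
SAMPLE='LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 50 127.0.0.1:139 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 [::]:445 [::]:*
LISTEN 0 50 [::1]:139 [::]:*
LISTEN 0 50 192.168.1.20:139 0.0.0.0:*'

# exposed_smb: read ss lines on stdin and print "address port" for every
# listener on 139 or 445 whose bind address is not loopback.
exposed_smb() {
  awk '
    $1 == "LISTEN" {
      ep = $4
      n = match(ep, /:[0-9]+$/)        # the port follows the last colon
      if (!n) next
      port = substr(ep, n + 1) + 0
      addr = substr(ep, 1, n - 1)
      gsub(/\[/, "", addr)             # strip IPv6 brackets
      gsub(/\]/, "", addr)
      sub(/%.*/, "", addr)             # strip interface scope such as %eth0
      if (port != 139 && port != 445) next
      if (addr ~ /^127\./ || addr == "::1") next
      print addr, port
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | exposed_smb
```

On a live machine, run `ss -H -tln | exposed_smb`; anything it prints is reachable from the network unless a firewall or router blocks it.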
Unrelated to this news, we’ll be tightening the site up a bit more in anticipation of increased efforts by bad guys.
On the test server front, the good news is that it’s up and running. There are still a few more details to take care of, and I’m pretty much not doing any work from now until Tuesday as I have lots of IT duties and plan to take apart, re-organize and put back together my home office. Fun fun.
Finally, don’t forget that tomorrow at 12:30 Eastern, my guest post on Oceanography will launch, with the author in the comments ready to answer questions. I found his intro to be very interesting, and it led him and me into an in-depth discussion of the numerous crises in our oceans that are here, or will be soon.
Open Thread!
Major Major Major Major
It’s things like this that are why I say the internet of things is going to kill us all.
Also, your dropcap tags are broken.
Alain the site fixer
@Major Major Major Major: thanks, just seeing them now, was testing them. Don’t like them. Away they go.
zzyzx
I thought for sure that those initial letters were going to spell something, but I’m not getting anything out of RUOF.
…and this comment makes less sense now that the first letter of each paragraph isn’t all dramatic.
Alain the site fixer
Yeah, much better. ttfn
rikyrah
THE RACHEL MADDOW SHOW 5/24/17
Senate learns consequences of passing House health bill
Rachel Maddow reports on the CBO’s assessment of health care bill passed by House Republicans who voted without knowing the costs of the bill, but which now faces a more informed Senate vote.
rikyrah
THE RACHEL MADDOW SHOW 5/24/17
Trump blurts classified submarine intel to Philippine president
Rachel Maddow reports on the revelation that Donald Trump, while on the phone with Philippine President Rodrigo Duterte, revealed the classified location of U.S. submarines.
rikyrah
THE RACHEL MADDOW SHOW 5/24/17
Senate Intel briefed on cyber firm with odd Trump-Russia ties
Rachel Maddow reports on the Senate Intelligence Committee being briefed on Kaspersky Lab, a Russia-linked cyber firm that happens to have paid money to Mike Flynn and had an employee charged with treason in Russia.
rikyrah
THE RACHEL MADDOW SHOW 5/24/17
Trump loans, Russian money laundering eyed in Congressional query
Greg Farrell, investigative reporter for Bloomberg News, talks with Rachel Maddow about how two seemingly disparate stories about Russian money laundering and Deutsche Bank loans to Donald Trump are being lumped together in a new Congressional query.
schrodingers_cat
@Major Major Major Major: Forget internet of things, I find all the stupid recommendations YouTube comes up with, annoying. I do not fucking need those suggestions. I finally figured out how to mute them, thank Ceiling Cat.
rikyrah
PS-Gianforte has Russian ties too…
Uh huh
Uh huh
THE RACHEL MADDOW SHOW 5/24/17
MT GOP candidate Gianforte allegedly ‘body slams’ reporter
Rachel Maddow reports on the claim by Guardian reporter Ben Jacobs (and mounting evidence) that Republican special election congressional candidate Greg Gianforte “body slammed” Jacobs after being asked a question.
rikyrah
Kremlin Trolls are really out in force today. All the Usual Suspects, nothing new. Told you they’d be amping it up to defend failing Trump.
— John Schindler (@20committee) May 25, 2017
Mike J
SMB 1 was the root of the Windows ransomware recently. An ancient, creaky protocol nobody should be using anyway. Is this related?
Major Major Major Major
@schrodingers_cat: if you think YouTube recommendations are bad you should have seen Netflix recommendations five or so years ago.
rikyrah
Reince Priebus Has Reason to Worry About a Comey Memo
by Nancy LeTourneau May 25, 2017 9:57 AM
So far, White House Chief of Staff Reince Priebus has managed to stay out of the headlines of the stories about the Trump/Russia probe. He was not a member of the Trump campaign team as head of the RNC during the election. But according to a report in the Daily Beast, he might have cause to worry about being implicated in the cover-up. To understand why, perhaps a timeline of events from mid-February would be helpful.
…………………
From the Daily Beast article, here is why all of that could pose a problem for Priebus:
According to one former general counsel of a large law-enforcement organization who is familiar with Comey, the fired FBI director took judicious notes on likely every conversation he had with anyone from the White House—and he almost certainly wrote a memo about the Feb. 15 conversation with Priebus.
Alain the site fixer
@Mike J: not that I know of. Perhaps researchers were inspired to poke around Samba based on that.
NotMax
We’re all persons of interest now.
;)
Belafon
Do you have a link? I would like to forward that to my sys admin here at work.
The Moar You Know
My father’s wi-fi thermostat (from Lennox) was compromised in exactly this fashion. Was hijacked by a botnet and was part of a DDoS attack on a machine in Germany. We found out by looking at the firewall logs. SMB port (and some others) was getting hammered. A similar SMB vulnerability also comprised a large part of the latest ransomware attacks on Windows. Glad this is getting patched, but almost all IoT devices are not patchable, and even if they are, the users of said devices won’t have the faintest idea how.
Winter is coming, as they say on that stupid show.
Belafon
@Major Major Major Major: The internet of things isn’t going to kill us any more than the interstate highway system has.
NotMax
@Belafon
Y2K! Y2K!
Alain the site fixer
@Belafon: https://arstechnica.com/security/2017/05/a-wormable-code-execution-bug-has-lurked-in-samba-for-7-years-patch-now/
Alain the site fixer
@The Moar You Know: having a good firewall is important. I’m developing a few iot projects I hope to market and security is pretty much job #1. Disabling everything you don’t need and ensuring that encryption and strong passwords are employed goes a long way to securing these devices.
I’ll never forget the first time I was hacked on broadband. Mid-late 1990’s and my new computer had never been on the internet before. I just got DSL and hooked it up (without firewall hardware or software) and spun up Warbirds to fly around a bit online.
About a minute later, the game minimized and I saw a text box pop open and someone was typing commands. I reached over and turned off the power for the DSL modem then rebooted my machine. I used my other machine (and dialup!) to download ZoneAlarm firewall then installed it. I’ve never been without a firewall since except debugging network issues!
MomSense
I just noticed the In Memorium for greennotGreen.
cain
Man, I haven’t used samba in forever. Mostly because I exclusively use Linux and have been for 20 years. So meh.
geg6
If I had any clue what any of this meant, I’d be freaking out probably.
Since I don’t, I’ll just ignore it and pretend I never saw it.
NotMax
@Alain the site fixer
Remembering back to when ZoneAlarm was the bee’s knees and still had a small yet puissant footprint.
Good times, good times.
Alain the site fixer
@cain: At home, one Pi runs home backups, and an old laptop runs Ubuntu to run Plex to view my DVD/Blu-Ray collection. I’m still moving disc-based media to it, and Samba makes it easy to work on my Windows desktop and upload movies/shows once I’m ready.
Alain the site fixer
@NotMax: I still remember the jump from 300 to 1200 baud! I even used an acoustic coupler to call pops back before 300 baud modems were out (and before the internet was a thing really). It’s like magic to me now, what with wireless and speeds we could never have dreamed of.
Origuy
@NotMax: Y2K wasn’t a big deal largely because programmers spent the previous two decades making a big fuss about it so that their management would give them the time and budget to fix the problems. Everybody knew that their code was ok, but they had no idea if other people had been able to fix the problems. I was working for Compaq at the time on large business-critical servers. I spent December 30 in the office to see what would happen in New Zealand, Australia, Japan, and China. I carried a pager to a New Years Eve party. My company rented huge generators to keep our lab systems running, in case the power grid went down and we had to duplicate a customer problem. There weren’t any significant ones, fortunately.
Alain the site fixer
@MomSense: I’ve been in touch with her sister. As soon as I can, I’ll be making a post to which I hope everyone who knew and loved her will contribute. More about that when ready.
Villago Delenda Est
“The Bad Guys” = In part, the scum that is Wikileaks.
NotMax
@Alain the site fixer
Was utilizing (and in a small way aiding in expanding) the proto-internet back in the very early 80s, on monochrome screens.
Tex (not a typo) was the buzzword for the face of the future then.
Alain the site fixer
@Origuy: I’ll never forget prepping for Y2K and, during one discussion on medical tech that hadn’t yet been tested, For me, the ultimate in embedded computers is a pacemaker and many hadn’t been programmed correctly. Luckily there wasn’t a wave of folks dying because their hearts stopped beating!
My suspicion is that in many cases, Y2K problems weren’t solved. I know that the elevators in the building I worked in had issues post Y2K for the next 6 years, until I left. I assumed that there were some lurking Y2K issues that made them twitchy, but what do I know.
Villago Delenda Est
@rikyrah: Speaking of the scum of the Intertubes, Wikileaks has been running smear tweets on Ben Jacobs.
Alain the site fixer
@Villago Delenda Est: Yes, and their compadres.
Watch yourselves people. Do you think that whoever it was that stole all that GSA info about people isn’t identifying and digitally following people they think will be someone in 5 or 10 years’ time they want to control or compromise? It’s never too soon to tighten up your security!
Alain the site fixer
@NotMax: I was a kid. We used the acoustic coupler to call local pops to get onto Arpanet and then, of course, we explored.
Back in those days, many systems’ help for logging in would provide example logins and passwords! lol Someday I’ll regale y’all with the story of how we almost got caught. Good times.
NotMax
@Alain the site fixer
Was part and parcel of the program resulting in my obtaining the M.A. in Interactive Telecommunications.
The Moar You Know
@Alain the site fixer: Back in the early 00s I was doing a lot of audio production on the computer (still do). And I used Zone Alarm.
One day my tracks started falling out of sync. Took a couple of weeks of downtime before I figured out that Zone Alarm had “updated” and was hitting the system with some good high-priority threads that were killing my music program. So I ended up buying a dedicated machine just for projects, no connection outside at all (which would be SOP now, but most people, me included, didn’t understand the issues of having production machines on line back then).
Nowadays, I and any family member I can get to sit still for it gets Sonicwall firewalls, locked down to bare minimum functional ports.
I am very glad to hear that at least one IoT developer is making proper efforts to implement security. I wish you all the luck with those projects.
SiubhanDuinne
@Alain the site fixer:
Bless you for that. If you can, please let us know how sister and family are doing, and make sure she knows we all love them and continue to think about them.
Major Major Major Major
@Belafon:
So, by the millions, then.
Alain the site fixer
@Major Major Major Major: ROFLMAO
Chris T.
@Alain the site fixer: Most (edit: embedded) stuff doesn’t (well, “didn’t”, this is from the point of view of the 1990s) care what year it is. You can’t have a Y2K bug if you don’t have a year number. :-) Elevators can be stupid (most are) or smart (a few are), and the smart ones care about the day of week as well as the time of day, so that they can hover idle elevators at the right floors. Those might use the year as a proxy for calculating day of week, so they could have such bugs.
Meanwhile, everyone should get ready to freak out for the Y2038 bug instead, now. :-)
Major Major Major Major
@Chris T.: Y2K was real, and the vast bulk of the effort put into fixing it was needed. Just because some pockets were lined and some of the hysteria was funneled into enthusiasm for (needed! but unrelated) infrastructure upgrades doesn’t mean it wasn’t a real problem.
Chris T.
@Major Major Major Major: Yeah, sure, there was plenty of broken software. But people were freaking out about things that didn’t have a year. Might as well worry that your old analog wall clock will fail because of Y2K, or Daylight Saving Time, or whatever.
Major Major Major Major
@Chris T.: well, DST does make an uncorrected clock fail 50% of the time. If you didn’t know about it that would be a huge bug!
Major Major Major Major
@Chris T.:
We need to be more forward-thinking when designing systems, like the Long Now people who put a leading zero before the year.
Rich2506
I’ve got a computer that runs Ubuntu Linux. Love it as it runs a lot of stuff Windows doesn’t and runs them better. Problem: a while ago, it stopped updating anything. A bigger problem is that I’ve tried a few times to boot into a thumb or flash drive or CD to upgrade it and it keeps going to the C: drive instead.
I’m near Philadelphia, but am willing to drive as far as NYC. Any place that I can bring it and have someone look at it? Thanks!
Mnemosyne
On the assumption that tech types will be showing up here — I’m considering getting an Asus Chromebook Flip (the new one that’s about $499). This would basically be a replacement for my iPad Mini that would allow me to do a lot more writing tasks with a better keyboard and more portability. The fact that it’s pretty stripped-down and I can’t install a ton of programs is part of the appeal, since I want something that will force me to write. Thoughts?
J R in WV
@Belafon:
“The internet of things isn’t going to kill us any more than the interstate highway system has.”
Maybe so, but it sure can become acutely annoying at a moment’s notice. Imagine the dishwasher turning on the fill cycle while the door is open, the stove taps coming on while the spark ignition is disabled, and the home’s HVAC center going to the wrong cycle for the current weather (i.e. heat on in August, cooler on in December) all at the same time, with a polite request for $25,000 in order to regain control of your appliances.
Pretty bad day there, you think?
I uninstalled the computerized thermostat from our HVAC system long ago, the dishwasher and stove (both new and computer controlled in every function) are airgapped, so maybe safe. But this isn’t true for everyone today, is it?
ETA, better wording and speling (sic) ;-)
different-church-lady
@Major Major Major Major: The Internet of Things is basically this cartoon for the digital age.
Alain the site fixer
@Rich2506: pop me an email. I can likely help you via phone if it’s just a simple bootloader issue. There would be a charge.
Alain the site fixer
@Mnemosyne: it’s a good thing.
Schlemazel
If you ignore Windoze you don’t need samba and have no threat. QED.
Rich2506
@Alain the site fixer: Thanks. Running down near the end of the month, so I’ll await my next paycheck before getting in touch, but I’ll be happy to keep your address on file.
J R in WV
@Rich2506:
Rich,
There are Linux user groups in most cities, and they have meetings where people bring in hardware, running problematic software, for group debugging. There are also small IT shops which have expertise in Linux issues, sometimes specialize in Linux for businesses in their area.
Google with your city/state for linux professional help.
If all this turns up nothing promising, you can probably install Linux (a new release) after backing up your data to any kind of external data store, from a USB data stick to a small external hard drive.
Rich2506
We do have a group in Philly, but the trouble is with a desktop and nobody advertises a place I can bring it to. Back when I had Linux on a laptop (Windows does NOT like sharing with Linux, it used to be possible to dual-boot, but I can’t do that anymore), I could have people look at it. Yeah, I’ll look around to see if there are other computer user groups.
Backing up the data’s not a problem, the real problem is that I can’t boot into another drive or a CD/DVD. I had planned to get a copy of my boot sequence to Alain to see if that can be manipulated somehow.