Unless you've been living under a rock avoiding the news, you've probably heard about Shellshock by now.
The Shellshock threat did impact c9 servers; they have now been patched.
The threat to c9 servers and websites hosted on c9 is virtually non-existent though. It is difficult for me to explain the nature of Shellshock to a non-technical audience, but I'll try to explain the risks by analogy.
The analogy is with a bank. You have the main doors, guards, alarms, security cameras and the vault. Now someone has figured out how to easily pick the lock on the vault: this is Shellshock. But as long as you have systems in place to ensure no one gets near the vault, you are okay. The risk though is that people forget about the vault, assume it is rock solid, so they design their bank such that they don't mind people walking past it. Suddenly, it is now a problem.
To the best that I can tell, and the best of my knowledge, Shellshock could not be exploited with the systems and services c9 has set up; but there is still a risk that something deep in our website design would do something that would potentially open up a path to Shellshock. So to be sure, I've updated our systems anyway, because I'd rather have a solid vault than a vault that can be easily picked, even if it is cordoned off.
The wider implications of this for the IT industry will be interesting to see as it develops. Shellshock is not straightforward to exploit: you don't just download a magic hacker tool, point it at a heap of websites and hope for the tool to discover an opening. It requires skill, patience and care for a hacker to discover a vulnerability that allows them to get 'close enough to the vault', so to speak. We may hear over the next few weeks or months news of high-profile IT companies and websites being exploited, or maybe the whole thing will blow over and nothing at all happens.
Update: since writing this post, I've been thinking about this more. I generally don't go for sensationalist news stuff, but Shellshock is indeed a very serious security problem and it is actually fairly straightforward for hackers to search for and find systems that are compromised by it. C9's systems should be secure though, and I am fairly confident that during the time c9 wasn't patched, our systems weren't actually vulnerable anyway.