First, if you're a unix sysadmin or anyone running any web services that pass through a unix server, ow. Hope you've got overtime pay.
For anyone who cares to read more about the details of what the bug is and what it can do, etc, I refer you to Troy Hunt's post of yesterday ( http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html ).
If you're a normal person hearing about this, then there are a few things you can and should do:
1. Check that your home wifi router is not able to be accessed via the Internet (usually for administration purposes). If that is on, and your router runs Linux (and many of them do), it's potentially a problem. Check your instruction leaflet for whether this can be on or not and turn it off if it is. Then check how to download the latest "firmware" for your router; in a few weeks' time you'll want to do that. If you have any other devices that are accessible "via the Internet", you probably want to find out if they're Linux based and turn that feature off too.
2. If you're a Mac OS X user and your machine only ever joins networks with trusted machines on it, you're probably safe for now. But just in case, or if you ever join public networks, open System Preferences - Sharing. If Printer Sharing is on, you want to turn it off. If you're using an old version of Mac OS, you may have Web Sharing turned on; you also want to turn it off. New versions of Mac OS don't have Web Sharing, unless you're running OS X Server. If you have Remote Login active, just check that you do not Allow Access for All Users. Other than that, wait for Apple to issue an OS Software Update that fixes the problem.
3. If you're a Linux user, you probably want to run your Linux version's package updater right now. And again in a few days' time, as the bash maintainers have not actually released a patch that fully fixes the problem yet.
4. This is a similar situation to the Heartbleed bug ( my PSA from last time - http://thorfinn.dreamwidth.org/tag/heartbleed ) in that web servers may potentially be broken into (it's even worse technically). You will need to confirm with website owners that they were either not vulnerable, or were vulnerable and have fixed the bug, then change your password on that service. Again. Yes, I know. Tiresome. Sorry. :-( It's probably best to just prioritise the important sites (net banking, and anything with serious personal consequences), and do those in a few days time.
5. If you use unique passwords for every site you log in to, that at least limits any potentially stolen passwords to sites that are vulnerable and lessens the urgency on changing every password you have. That's why, if you haven't already, now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple-only person, the iCloud Keychain is quite good and free; otherwise I highly recommend 1Password ( https://agilebits.com/onepassword ). LastPass ( https://lastpass.com ) showed themselves to be reasonably good at security (and they support Linux). There are other options for secure password keepers; if people who use other good ones wish to mention them in comments, please feel free.
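For the Linux (and OS X) users following step 3, here is a way to confirm on your own machine that the update actually took. This is an added example, not something from the original post or from Troy Hunt's write-up: it starts a child bash with a specially shaped environment variable and reports whether bash executed the command that trails the function definition. The function name `check_bash` and the marker word `PROBE_EXECUTED` are my own choices.

```shell
#!/bin/sh
# Added example (not part of the original post): self-test for the bash
# environment-variable bug the post describes. A vulnerable bash parses an
# exported variable whose value starts with "() {" as a function definition
# and then keeps executing whatever follows the closing brace; a patched bash
# ignores the trailing text. Run it on your own machine after updating.

check_bash() {
    # Nothing to test if bash is not installed at all.
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # The variable name and the marker word are arbitrary (my own choices).
    # Only the trailing "echo PROBE_EXECUTED" matters: it runs during
    # environment import on a vulnerable bash, before "echo probe" does.
    out=$(env probe='() { :;}; echo PROBE_EXECUTED' bash -c 'echo probe' 2>/dev/null)

    case "$out" in
        *PROBE_EXECUTED*) echo "vulnerable" ;;
        *)                echo "patched" ;;
    esac
}

# Prints "patched", "vulnerable", or "no-bash".
check_bash
```

If this prints "vulnerable" after you ran the package updater, the update did not replace the bash binary in use; check again in a few days, as the post says, since the early patches were incomplete.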