Thursday, September 25, 2014 ... Deutsch/Español/Related posts from blogosphere

Bash ShellShock: upgrade your Linux-like platforms

I have often emphasized that Linux is an example of non-commercial, communism-based software architecture where no one is financially motivated to take his responsibility for the quality and safety of his products seriously.

Today happens to be a day which makes my words much more important than they have been for many previous years. Yesterday, a serious bug that the media often declare to be worse than Heartbleed was found in Bash, the world's most widespread command line shell for Unix (a Unix counterpart of DOS, you could say).

The bug affects all versions of Unix and Linux released between 1994 and 2014 (yesterday) and everything that is sufficiently Unix-like so that it incorporates "Bash" in some form – in particular, lots of "things" on the Internet of things, routers, Apple's MacOS X system, but in principle also Android and iOS – and applications that may call "Bash" during their routine tasks.

Everything with "*nix" and "*nux" in it is in danger; the only exception is Richard Nixon who is already safe. He died in 1994, exactly when the flaw was introduced to the Unix system by Brian Fox (not Cox) who was ordered to create "Bash" by the hardcore communist named Richard Stallman. Thank you, comrade. So much for the claims that open-source software is safe because everyone can look into it. The problem is that almost no one does because this extra work creates no profit.

The mobile devices with Android and iOS – like the newest bendable iPhone 6 Plus – are less likely to be targets because "Bash" isn't used that often. However, MacOS X is a full-fledged target. Attacks against the vulnerabilities have already been detected and because "Bash" is comprehensible to millions of people, the creativity of the attacks is likely to grow exponentially in coming weeks.

A complete list of programs and devices that are affected by the bug cannot be written down due to the immense complexity – this unverified toxic communist crap has been inserted almost everywhere, indeed.

The website tells you how to find out whether your Linux installation or anything that has "Bash" in it is vulnerable. Type

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
and if you see the word "vulnerable" in the output, you are vulnerable. Yes, indeed, the bug may be abused by some funnily tricky combination of brackets and special characters. The point of the bug is that if you define an environmental variable as a string in the shell, the commands written in the string may get executed.

My Ubuntu in the Virtual Box where I ran the Higgs Kaggle xgboost code was vulnerable, of course. In principle, it is enough to upgrade your Linux installation so that the "Bash" is fixed, too. I did so and the bug above went away. Recall that you may write commands like
sudo apt-get update
sudo apt-get upgrade
in Ubuntu – both of them. The first one updates a database, the second one uses the database to update the packages. Be ready for packages that belong among the larger ones. Even if you fix the bug above by the update, you may still be vulnerable to another exploit. Try
env X='() { (a)=>\' sh -c "echo date"; cat echo
and if you see the actual date (aside from any other things and error messages) in the output, you are still vulnerable but no fix is known at the moment.

The cure seems trivial as long as your gadget is able to upgrade the system. It seems virtually impossible with various kinds of Linux-based firmware in other electronic devices – or with Android whose updates come so rarely that it may be too late. In those cases, you must simply hope that nothing wrong will happen, just like passengers in the Paris and New York subways must hope that the credible threats by the Islamic State (according to the Iraqi prime minister) are not quite credible.

If you feel nervous about that bug in your phone etc., I recommend you to switch from Android or iOS to Windows Phone. The users of "Preview for Developers" on Lumias like myself had a cute update today – a smooth 35-minute process that finally installed Lumia Cyan instead of Lumia Black. It went fine and because I can't see any detectable changes, I am happy that I wouldn't try the complicated downgrade procedure just to get Cyan after a glitch in the spreading of the beta software. It was enough to wait, Microsoft is really doing a superb job here.

Add to Digg this Add to reddit

snail feedback (72) :

reader kingkevin3 said...

i'm struggling a bit with this one. Who uses cgi scripts nowadays and accessing backend systems via a web frontend is not trivial and certainly not possible using CGI? Any halfway secure systems require at least ssh with key authentication to access them and of course what the user can do is restricted by user permissions etc. This won't affect us and we use 100% unix. Or am I really missing something here?

reader Swine flu said...

There is more to an OS than security, and Linux is useful for many things - you've been using it yourself, after all. Unix/Linux shells are very powerful and useful, way more powerful than the DOS you compare them to. Windows 7 & 8 may have something comparable in power - i am not sure, but they would have developed it in response to the unix shell, and too many years to get there.

They will need to find a way to make Linux more secure, but there is not need to throw out the baby with the bath water. I don't know if this bug was identified due to some sort of ongoing scrutiny of Linux after the Heartbleed bug, or if it was a random find.

reader Mike P said...

Lots of sites use CGI. The vector is that /bin/sh is often just a link to /bin/bash on many Unix-based systems. Bash in sh mode is NOT a faithful version of sh(1). You are safe if your backend doesn't link sh to bash and your CGI never runs an explicitly bash script. Also, for normal upkeep, apt-get update does update both the packages and the db to match. Do not EVER do apt-get upgrade unless you really want to jump a whole major version.

reader Curious George said...

An extremely severe bug, indeed. Microsoft products are so refreshingly bug-free and safe to use. Measure your knowledge by a shadow it casts.

reader R T Deco said...

For almost anything that might possibly be security sensitive, /bin/sh is used instead of /bin/bash. Thus, if you want to check whether you're REALLY vulnerable, you should try the following instead:

env x='() { :;}; echo vulnerable' sh -c "echo this is a test"

It is very likely that the Ubuntu box passes this test, because Ubuntu uses dash, as the default for /bin/sh, not bash.

Of course, computer-unsavvy Microsoft partisans don't know stuff like this. ;-)

reader Peter Risdon said...

Yes, you do keep saying this and it's a shame you don't recognise free market forces when they're so blindingly obvious. Richard Stallman is a communist, certainly, but he was getting nowhere before market forces kicked in. Try telling Eric Raymond he's a communist.

OpenSBD is the most secure operating system by several orders of magnitude. It's true Linux has symlinked sh to bash - and that was stupid and makes this worse. But my FreeBSD systems don't even come with BASH unless you choose to install it, and you'd be insane to make it a default shell for any users because of the default partitioning system.

It's a shame you favour a company that's been devotedly anti-market since it began, using various anti-competitive tricks to gain and maintain dominance.

For security holes that remain unpatched for years and have given us a world of botnets, stick with Internet Explorer. Every DDoS attack I've dealt with has come from Windows zombies.

This is your blind spot.

reader Luboš Motl said...

I have only used it because I was de facto forced to do so - just like paying the taxes or avoiding traveling to Western Europe during communism.

reader Luboš Motl said...

The terminals I open in that Ubuntu surely have bash and they run .bashrc and/or .bash_profile, and all these things, and even if there were any "dash" or anything like that, I would have to change it either to bash or (my more favorite) tcsh because I don't know how to use "dash".

At any rate, I didn't do any changes of the sort because I would do the change to "tcsh" not "bash" which pretty much shows that there had to be bash as the default shell from the beginning and your information is just wrong. Even if the default shell were something else, it's still possible to call bash.

reader Luboš Motl said...

Your story makes absolutely no sense. Richard Stallmann got far with his communist bashes and šits not because of the market but because there were millions of deluded teenagers who loved to *fight* against the market but spreading Stallmann-linked šit like bash.

reader Peter Risdon said...

No, the GNU project never even got a kernel organised. When's the last time you heard of anything running Hurd? It was just a convenient source of userland software for Linux - though they'd have been better using BSD stuff.

Instead of placing bogus error messages in Windows 3.11 to eliminate competitors, and engaging in lawfare and patent trolling, Open Source has developed the way physics has - with a healthy mixture of business involvement (Yahoo was built on FreeBSD and contributed full time engineers from early on, IBM made a big commitment to Linux and so on), academic input and enthusiastic amateurs of the type who are still important in astronomy.

Meanwhile, the single greatest contributor of security holes to the world has been Microsoft. Do you dispute my assertion that the world of botnets has a Windows logo?

reader Luboš Motl said...

Who uses CGI-BIN? I surely do. Look e.g. here

It's my undergraduate cgi-bin directory from the college. I didn't have access to that computer account for a decade so I can't even delete it. There are surely tens of millions of servers with such directories all over the world.

reader Gordon said...

Hmm, I think that Microsoft must have planted a viral meme in your neural circuitry, or else you are blinkered by Richard Stallman's politics. Nothing really wrong with Ubuntu and the evolving microsoft os versions seem to be full of code-bloat. Hackers write worms and viruses for OS which are most used and dominant to get the biggest bang for their devious buck, and for better or worse (mostly worse), Microsoft fills that role. Soon mobile phone and tablet OS will be the primary targets.

reader scooby said...

75% of the contributions to the Linux kernel are made by programmers working for corporations such as Oracle, IBM, HP.

Commercial open source applications have been part of the software industry for quite some time. Look, for example, at most of the NoSQL databases.

If Linux were such a piece of toxic communist crap, would the US navy (for example) use it to equip its most modern warships (

I'm a software developer, working mostly on Microsoft platforms (.NET) these days. But in my spare time I contribute to an open source project. I do it because I enjoy it, not for any financial motivation.

reader Luboš Motl said...

Thanks for the info, Mike.

When I started the Linux machine, it offered me new updates but needed half a gig of disk space for that update, which I didn't have at that moment. So I pressed "cancel". I created some extra space, barely above 500 MB.

Even after I restarted the machine, it failed to offer me the updates again. So I spent 10 minutes by searching the Internet how to force the check for updates again. I found "sudo apt-get update" and "sudo apt-get upgrade" and I refuse to spend more than 10 minutes with this extra hassle. If the Linux system collapsed completely, it wouldn't be a tragedy, it's just some stuff inside a virtual box that isn't too important for me.

More generally, I don't know what is wrong about wanting to jump to the latest major version of the operating system. I am surely used to do such things on the Lumia. It came with Windows Phone 8, got updated to 8.1, now 8.1.1, and we're promised that Windows (Phone) 9 will be available for all Lumias as well, including Lumia 520.

So why shouldn't I want to switch from Ubuntu 14 to Ubuntu 15 or whatever the numbers are? At any rate, the upgrade took a minute so I was probably on the latest major version, anyway.

If there's some "culture" among the Linux users that teaches them that it's "politically incorrect" to upgrade to the latest major version of the OS, it's too complicated. I just don't want to learn this whole "culture". There's just so much mess that simply shouldn't annoy the user. If something breaks, I will just erase the annoying OS and nothing bad will happen. It's still better for a Linux virtual machine to collapse than to enslave its owner and convert him to one of the zombies who are spending their time by mindlessly writing 10 shell commands just to do things that should be made by one click, like installing an application in the most standard way.

reader Swine flu said...

I used "ongoing scrutiny" as something desireable and necessary. After Heartbleed Linux must certainly be scrutinized.

reader Luboš Motl said...

I find it amazing that even on days like today, you are able to defend the indefensible.

The reason why Linux is communist crap is not whether it's produced by people who also work in some companies. The reason is that this product itself isn't directly linked to the profit of its core parts' producer, so it is not developed in a proper capitalist framework. It is produced with the ideology that everyone does everything for everyone for free. And it simply doesn't work, at least not systematically and repeatedly and in the long run.

reader Lars P. said...

Nobody is perfect and nobody is always right.

My Ubuntu is patched, I ran today an update, thanks for the warning, however referring your bashing of linux... ROFL I can only laugh about that.

Sorry Lumo, if you want your windows you can keep your windows.
Nobody should force you to give up your windows.

But with this rant I am not sure you gain any windows fans :).
I'm happily using Ubuntu since years now. It has its goodies and also not so good parts, but I am much happier then I was with any windows I had before so am happy to stick with it for a while.

For instance my old windows was starting to "do something" always when I needed it the least to disturb me, slowing me down. What was it doing? Difficult to find out, no good task manager, no easy way to find open files, etc... Now I can better control what the pc does. I do not need it to reorganise I do not know what indexes whenever it thinks it needs. It did not came to me as a good organised system where I could properly manage what I want it to do and what not.

Furthermore all those interruptions from all those applications to update are gone.
I respect your opinion, you many time nail it, but sorry, I would say you do not know much of programming and pcs.

reader Luboš Motl said...

Microsoft has never had a real monopoly. Even those 10-20 percent of Apple which were always present was a huge market share that makes the word "monopoly" inappropriate.

But Microsoft was still beating others because it was creating software and ecosystem for the software that was useful for billions of people.

Of course that to some extent, every software company does that. But if one simplifies a little bit, things like Linux are more favored by communist activists and anti-Microsoft haters while Apple is favored by snobs who don't know what to do with their money and they think that buying 2-5 times overpriced products improves their image if not themselves.

Competition is a normal part of capitalism, but so is the emergence of companies that beat others by an order of magnitude - or monopolies. The ideology that monopolies - meaning companies much more successful or larger than competitors - should be fought against *is* a form of communism.

You clearly have no idea about politics but that's how things are. The whole Marxism was based on the criticism of "imperialism" which was meant to be the "second worse stage of capitalism", after the "free-competition capitalism", and the monopolies had to be broken by diluting them to all the people.

But there's absolutely nothing wrong about an industry where the leading company has 80 or 90 percent of the market share.

And incidentally, only some companies are being fought against because people who consider themselves "warriors against monopolies" are hypocritical jerks with double standards. So even though Apple has at least the same "monopoly" over smartphones as Microsoft has had over PCs, almost none of the usual "fighters against the Microsoft monopoly" are fighting against Apple.

The reason is that Apple got an extra image from the left-wing snobs who are using its products everywhere, so the anti-capitalist fighters don't fight against Apple as much as they fought or fight against Microsoft.

At any rate, I think that all these ideologically motivated fights are idiotic. I am preferring products according to their usability and value/price ratios etc. and it just often happens that Microsoft products (OS, phones, and perhaps office tools, among others) win.

reader scooby said...

As I explained in my previous comment, 75% of Linux code is written by developers who are paid for it. They are paid by corporations who have a vested interest in supporting Linux.

"Linux is communist crap"
This is pathetic. The irony is that the web server running your blog is hosted in a data center somewhere on a machine running a version of Linux.

reader Luboš Motl said...

A software company has the right to place any error messages in its software it finds appropriate, and if this step eliminates competition, then it is a completely legitimate elimination of the competition.

Such a step may be found inconvenient by the competition but it may be good for the consumer, as was in this case. Microsoft really managed to keep control over the ecosystem of its products and it was good for the consumers.

reader Morris said...

'It's still better for a Linux virtual machine to collapse than to enslave its owner and convert him to one of the zombies who are spending their time by mindlessly writing 10 shell commands just to do things that should be made by one click, like installing an application in the most standard way.'

Precisely. A few years ago, when I tried Linux, I was excited but soon switched back to Windows 7—and with palpable relief. Who the hell wants to do something in 10 steps when it can be done equally well, or even better, in 2? I've got more important things to do.

reader john said...

It is amazing that, some socialist people I know, who disparage capitalism and corporations all the time, just love apple products. They have been upset because they couldn't buy new iphone. I was WTF ?

reader Eric said...

Linux has the same base as scientific work. You do not get money for it but it is the best thing around. Calling non-profit collaborative work "communist" says science is communist. I never got an extra cent for my papers, and they are all pubic. And one security breach is little compared to the monthly problems of your beloved commercial software...

reader Jacom said...

I agree with him, you should be a bit less vocal about issues you're not an expert in, because this rant about Linux/Unix just make you sound ignorant. If Linux and Unix systems are so bad, why do the clear majority of servers run on them, rather than Windows? The numbers are something in the range of 70% versus 30% iirc. There is a lot of things that Unix do much better than Windows, and whereas every system will have bugs and flaws, generally Windows machines are much more susceptible to different security risks/malware/viruses (but Microsoft is improving with time, this is true). And also, practically all supercomputers run some version of Linux/Unix, I don't know of a single one running Windows, so for high performance computing, Linux is the way to go.

reader John Archer said...

Right. You're all wrong.

They're all bad as each other.

I just typed up a longish note on an iPad using their standard Notes app. Just as I was finishing I went to make a minor correction. I'm not sure what happened, not even if I tapped an incorrect 'button', but the whole text disappeared.

No problem. Just shake the fucker and tap 'Undo'. So I did.

Result: the Crapple app pasted an old and very short unrelated previous clip from the clipboard. So extra big shake. No luck. Nothing. What I'd written had disappeared completely. There was no way to retrieve it.

Fuck you, apple, and all your fucking shareholders. You anally retentive ARSEHOLES! Burn in hell.

There! I feel better now.

Thanks for listening.

reader Svik said...

I use win32 and redhat (unix) all at the same time using a wyse box on VM. The same VM host windows too.

I ported the unix programs to visual c as the debug is much better there. Finding bugs every day.

Boy u have a lot of over sensitive little unix people here in your comments.

reader Svik said...

Just forgive and forget. Not worth the worry.

What are you doing using an iPad super large with no wings anyways?

reader Svik said...

Somebody fixed Unix a long time ago. Its called qnx. Now owned by rim.

I am going to get a passport running qnx.

reader John McVirgo said...

Comparing Linux to Windows is like... comparing a part time PhD program run by a US community college open to everyone, and one driven by Princeton University with Nima Arkani-Hamed at the helm that's only open to the best and the brightest.

Yeah, I know guys; they both still create papers which get to be published in Arxiv but still... one set will be crappy and the other not, even though the community college may be visited from time to time by the odd top physicist.

reader John Archer said...

Well I'm not sure what sanitary towels have to do with this, Svik.

No soap — radio.

reader Gordon said...

Of course you can choose.

I am hardly an activist or Linux promoter. I used and liked certain versions of Windows for years--95 97 and XP and 2000 were good OS. As is Ubuntu, but really only for coders and hobbyists, but is fun to mess with. Other OS like ME and Vista -- not so good. I also admire Bill Gates, while many on the left demonize him. I use a mac power book now and am not thrilled by the mac OS, but it is ok. The whole package is pretty neat. I would like, however to have a SSD. As is Ubuntu, but really only for coders and hobbyists, but is fun to mess with. I really don't harrass anyone anywhere (except occasionally on this blog.:))

reader QsaTheory said...

Being a dinosaur, I graduated with EE degree in 1979(UofWoming-Dick Cheney!!). That was the beginning of it all for microcomputers, bought my first computer radioshack. It is because of the market/technology forces that you have Linux as it is now and that is not unique to software, all hardware evolve based on the same mechanics. The turbulent history of UNIX goes way back.

It is the competition(greed+bad decisions) in the Unix(most beautiful OS) market between all of its early vendors that created this sad situation for Linux.

I was the first in the world to buy the first 64 bit unix based micro from SGI in 1990($100,000) to do 3D graphics(Boing had a demo). I needed a license from state department to ship it to my country since I was told it could be used to simulate nuclear bombs!! what a fantastic machine. I pleaded with SGI to add some bit of business software and it could have taken over the world. But they refused since their stock was near $60, they kept saying we only care for "core competency". From then on it was almost unlisted with price near 50 cents they were almost killed by HP and IBM. I hope you get the moral of the story.

But anyway, unix still rules in specialized high end computing.

reader Kimmo Rouvari said...

People are complex objects indeed. It's kind of fun to point such a behaviour to them. And yes, I'm complex in that sense too ;-)

reader Luboš Motl said...

The fact that something is done or believed by majority doesn't mean that there is something right about it.

Microsoft software is safer for many reasons. First of all, it's closed-source, so bugs must really be found by trial and errors. In practice, they're found by specialized folks who are preemptively looking for them, and that's the other key issue - Microsoft is actually responsible and financially motivated to make such bugs impossible which is why they're usually found before they are abused.

Show me a comparable bug of Microsoft in the history that would be uncorrected for 20 years. Microsoft really abandons and "disables" products after a decade or so. Some people complain that it's so evil if Microsoft invents tricks that force the consumers to upgrade. But it is very healthy to gradually and systematically eliminate the dependence on unverified stuff from an archaic era.

reader Luboš Motl said...

Sorry but I was surely receiving money when I was writing research papers. And indeed, if I were continuing to release papers without a compensation, I would be behaving in a communist way.

reader Luboš Motl said...

LOL. If you measured the average politics of a Mac user, the result would probably be on the left side from the Communist Party USA.

It just happened that Apple, when it was a relatively minor (but in no way negligible) player with operating systems, got the image of the "anti-capitalist side" while Microsoft, the bigger one, was the "capitalist side". It's completely irrational, of course, because the size is unrelated to the degree of capitalism, but millions of stupid ideologues just established this caricature.

This image of Apple just stuck and exists even now when Apple is the most expensive brand in the world.

reader Mike P said...

1. I guess what happened is the software updater (which isn't apt-get, nor the package db) decided "did it already" based solely on when it last ran (heuristic check only). Knowing you're out-of-date, that's when you run "sudo apt-get update".

2, I think of major versions as Win2k -> XP -> Vista -> 7 -> 8. Those migrations required massively reinstalling software and re-customizing preferences from scratch. Even if apt-get upgrade is much easier, I still find myself tweaking prefs for the next few weeks or months. So I'll only do that when the benefits are enough to waste too much time on new habits for awhile. Besides, THIS security problem doesn't affect desktop users. From your description, I'd be surprised if your Linux machine is delivering web content to the open internet. And even if it is, if /bin/sh isn't a link to /bin/bash, again, your CGI would be pretty unusual if it ever runs bash. So, for both you and most of your readers, this probably never was your headache.

reader Mike P said...

3. And if you are running a website, when you jump up a major version, all of your testing is likely invalid. You're well-advised to re-test everything from the beginning. That's why most servers in the world NEVER jump a major version. If it got installed on Win 2k3 or CentOS 4, a high percentage of servers remain so, forever. They still get updates, which will give them all the security patches, but no new unwanted behaviors. The distinction between a major and a minor version is that a major version change (up-grade, not up-date) doesn't have to honor obsolete APIs. IOW they don't need to be backward compatible. IOW they don't need to not break stuff. I don't know about you, but I have better things to do than fix stuff that was working and got trampled by an incompatible "upgrade". Of course, this only applies to your own software that you wrote (your CGI scripts, for example) or 3rd party software that you added. The upgrade will have compatible new versions of all the standard software. Though you may find some programs you were using are replaced by something new that you have to learn to use.

reader Gary Mount said...

RIM changed their name to BlackBerry.

reader Francis said...

According to your reasoning your Kaggle Higgs competition entry must be
communist crap as well, since you didn't get paid for it? Yes, I know,
there was some price money at stake, but the probability for anybody
(including you) to win it was fairly small. With the same argument you
could justify that people who are working on linux in their spare time
do it, because there's a chance they get hired by big software companies
if their work is exceptionally good. In the end all these arguments do not matter anyways, because poeple do what they do in their spare time because they love it. Be honest, you devoted a lot of time into the Kaggle competition because you've enjoyed it, didn't you? From this perspective you're part of the same "communist" open source / crowdsourcing community. And you can't argue that the quality of the Kaggle competition entries was bad.

reader Dream Chaser said...

We can point to individual bugs in Linux or Windows all day, its pointless, the plural of anecdote is not data.. Whether security through obscurity (Windows) is a better approach than "given enough eyeballs, all bugs are shallow" (Linux) would need a serious study to answer, a comparative security analysis of both systems. I have a feeling that it would end up in a stalemate.

But one big advantage of Linux that closed source systems will never have is resistance against deliberate sabotage. If US government orders Microsoft to place a backdoor in Windows (not unimaginable given the recent NSA revelations), no one will ever find it. Placing a backdoor into open source software will be much harder, if even at all possible. So while its possible that the author could be correct about accidental bugs (not saying he is), open source software is still superior for other reasons.

reader FlanObrien said...

This is one of Lubos' favorite bones. Rebutting the software fallacies would take too long and anyway, I never argue with Jehova's Witnesses. Here are some science/statistics base points:

1.The translation of ideas into symbols (programming, theoretical physics) is a fascinating activity for most educated persons. Due to the internet, there is now a critical mass of users and contributors that busts MS ass. The fact that this does not happen in string theory is of course mainly due to the difficulty in acquiring the knowledge, but also because string theory has no known practical application, unlike Open Source.
2. Stallman is one loon amonst millions of participants. Lubos' dataset is tending to 1/infinity.
3.Open Source is now critical to the progress of science, whether Lubos likes it or not. Visualizing nanotechnology in 3D with open source software
One cannot prove the correctness of software based science (95%???) using MS buggy black boxes.

4.X-prize did not choose MS for its latest innovation. I wonder why?
"XPrize Foundation announces $15-million open-source literacy prize"

reader OneStringToRuleThemAll said...

Linux systems are especially for people who want to learn and try stuff out and do their own thing in customizing everything. If you are a mainstream sheep and the only thing you want is a system that works out of the box, then you can go with windows and associated mainstream stuff. I prefer Linux, and the best is always a Linux system which almost starts from nothing, for example Arch Linux, because then it is easy to know every program you ever installed and know what it did and with which other program it may conflict. But of course you need to master a steep learning curve before you can control your system in that way. And the other thing which is great about Linux is that you don't have to rely on other expensive software.

reader Luboš Motl said...

Dear Francis, my rank-eight code in the Higgs Kaggle contest was crap in the very same sense as Linux.

It wouldn't be usable in a professional context, being a conglomerate of ideas and tricks that sometimes worked, sometimes were neutral, sometimes didn't work. I didn't send it to some extra "human committees judge the code" because I think that due to the subjectivity, this contest is crap and my code was crap, too.

I was happy to reinvent lots of things but at the end, there are many people in the world who know the equivalent of each of them, and perhaps dozens who know all of them, so I didn't make any super original breakthrough - just rediscovered the wheel.

My submission was no communist crap because there was no communism in what I did. My best estimate of the probability that I would win a medal money was 50% - the expectation value of the won money was $2,000+ or so.

My having spent an hour or two (of human time, plus 2+ hours of computer time) each day for three months was proportional to those chances. Others would estimate my probability of being in the money either above 50% or below 50% for various reasons, but my estimate was what I said.

Also, I learned a great deal - how the statistical evaluation of the collisions actually works in the real world - in a context that was arguably among the most complicated ones in the LHC physics, even though some "even more experimental features" such as many systematic errors were omitted.

It is normal that people *pay* tuition if they learn something. You may misunderstand why but I think it is very sensible so I find it totally normal when people spend time if they want to learn something. There is no contradiction between this fact and capitalism - they are making an investment, or having fun, or becoming more valuable experts, or whatever like that. It is not something they should get immediate profit out of it.

You may see that for the African soil contest where I am in the table, I am in the top 5% but I am spending about 30 times less time than with the Higgs contest, and not depleting the daily entries. Not just because it's softer science and less challenging but also because I feel that there is a much lower probability that the smartest participants will really win this one.

reader Gordon said...

or offer you toast :)

Way too serious, Lubos. Each to his/her/its own. OS preferences are like Rorschach tests. I like the idea of open source...and experiments like Wikipedia and MOOCs--they are inclusive, not exclusive. Also, I think that people who contribute code and information do it out of mostly interest, idealism, altruism, and curiosity, not because of some communist perversion :)

reader Rathnakumar said...

And as far as I know, with Linux unlike Windows you don't have to worry about viruses as well!

reader Rathnakumar said...

After years of using Fedora, I too inevitably feel that Windows sucks!

reader R T Deco said...

That's your user account. You can already run arbitrary commands from there. If you think that you need to use an exploit in the shell to hack your system from your own account, then you're trying way too hard. ;-)

The potential security hole comes from services (web server, etc.), which run /bin/sh for shell operations, unless they have a genuine need to run something else.

This is a problem that needs to be fixed, but its importance has been way overblown in the media, particularly by PC Magazine, which has long been a mouthpiece for Microsoft.

reader Zyland said...

In the irony of all ironies, during world war 3 the price of tungsten goes to $3000 per oz due to a critical shortage of the metal. President Hillary Clinton sets up a clandestine operation to steal the tungsten bars from Fort Knox.

reader lukelea said...

I'm computer illiterate but love my 3 lbs. macbook air, which I can hold in one hand. Now if there were a 2 lbs. windows machine with a 13" display, I might switch to it. For an old man like me, lightness is all.

reader Oleg said...

Just imagine what the reaction of the "international community" would be if the Russians were to sing "Hang the Hohols (Ukranians)", " Who does not jump is a Hohol", etc. on the streets of Moscow. In Ukraine, the mirror image of that has been happening for years and it's all fine, it's just a "friendly" joke. Or "you need to understand the poor guys, they have been oppressed by the Soviet Union". Revolting.

reader Oleg said...

I do apologise for my inappropriate behaviour. Sir.

reader Gary Mount said...

The Microsoft Surface Pro 3 weighs 1.76 pounds.

reader Peter F. said...

I'm still very young (somewhere between 60 and 70) and I, too, have used a friendly interfacing digital processing device with a nice interface (a Nexus 10) lying down. However, as a result, my nose now knows how an even lighter such device than yours can, when dropped from a near yet far enough distance, make one wake/sit up and pay it unpleasant actention. %}

reader Luboš Motl said...

Right, Swine Flu, in other words, being "fearful" as you use it doesn't mean anything whatsoever for the behavior of the person or the nation. It's just some negative adjective you may always attach to discriminate against two otherwise identical situations.

Sorry,I think like a physicist so if something can't have any detectable consequences, it's unphysical bullšit.

reader Luboš Motl said...

It would be quite a story in Moscow, Oleg, indeed. But I can't really imagine such a thing anywhere.

Czechs surely count as those making fun of everything, not avoiding national stereotypes etc. But I am sure that burning the puppet of any active leader with tons of children would be a problem.

Hohols - can Russians actually pronounce the H sound, or do they end up being Gogols? ;-) Or Khokhols?

reader Oleg said...

I'd say it's closer to "hohol" (plural= "hohly") if you pronounce the h. Not quite as hard as "khokhol".

reader Pavel Bažant said...

As a former Linux missionary, I cannot resist sharing my opinion. There is a huge irrational component in the culture associated with Linux and, to a lesser extent, open source. It took me 10 years to wake up.

Yes, with the help of several big companies, Linux evolved into a system that is sort of usable. It is free and it is not too expensive to hire a couple of teenagers who will set up a Linux box for you that is sufficient for many applications. Linux as a phenomenon is fueled by both economic and ideological considerations. I appreciate it for what it is. What irritates me is the mythology around all that stuff.

Any claims regarding its superior security by design are pure BS. It uses a monolithic kernel written in C, so any memory error in any module affects non-locally (!) the whole kernel. The whole ecosystem uses the C stack with its fragile and primitive linking process. It uses bash which is an anti-language and Perl which is defined by its implementation, so every bug is a feature.

Linux has roots in Unix, which is a simple environment that treats everything as bunch of unstructured bytes. This is not bad in itself, but there should be several well engineered layers of abstraction on top of that. This is unfortunately not the case. Everything is de-parsed into text and people are expected to use sed or perl to actually parse the data again. The need for extensive text processing is hailed as a strength (while it is a symptom of the simplistic design) and the need to learn many random "linuxfacts" is presented as an opportunity to "learn something".

The community never actually invented anything. 99 % of the projects are copies of systems that were developed elsewhere. You need a very professional and progressive culture to invent things like .NET and C#. The GNU/Linux community lacks this.

It also pollutes the social environment by sticking too much emotional content to technical stuff. Not that penguins aren't cute.

Open source in general is fine, however. There are some very innovative OS projects like Mozilla's Rust or Jetbrains' MPS.

reader Tilo said...

"This is, of course, comical because such an U.S.-organized "export of democracy" has always been a complete failure"
Germany, Japan, and South Korea being great examples.
You really need to read Masha Gessen's book about Putin called, "The Man Without A Face", because your take on Putin's Russia is about as stupid as you have ever been.
Putin's Russia is simply a dictatorship and kleptocracy with no human rights. It is near the bottom of political freedom. It is near the bottom in the world for freedom of press. It is the fourth most dangerous place in the world for a reporter to work. All major media outlets are either owned by the government or by a company that is owned by the government. Find me a story in a major Russian media outlet in the last 6 months that has been critical of Putin. Nothing like that exists anywhere in the free world where reporters routinely attack the leaders of their own country. The court system is a joke that serves as an extension of Putin's political will.

reader Tilo said...

The problem that you fail to consider is, do they want to be in their sphere of influence.

reader Tilo said...

"Have you seen how kids in Ukraine are being educated to view Putin?"
Only an idiot would make such statements without regard to the brutalization of Ukraine that Putin has undertaken.
Have you seen how the Russian public is propagandized about Putin by every Russian media source, and by thousands of internet trolls that are on the government payroll? Do you have any clue about the criminal history of Putin. I guess you love Putin because he is a homophobe, a sexist, and a bigot. Your kind of guy. And you could care less that he is a tyrannical kleptocrat.

reader Tilo said...

"Could you please explain to me why and in what sense Canada's belonging to the U.S. sphere of influence is different from the USSR successors states' (e.g. Belarus') belonging to the Russian sphere of influence?"
When the Canadians elect someone we don't like, we don't use it as an excuse to invade them and steal their land. We don't tell them that they must retain corrupt leaders that are robbing them blind. We don't run around Canada passing out US passports so that we can use it as an excuse to invade Canada for the "protection" of US citizens. We don't run TV programs in Canada to scare them into believing that some of their political parties are Nazis and fascists that are coming to kill them.
Sphere of influence does not mean sphere of control and domination, microbrain.

reader Tilo said...

" and your claim about the other successor states' being fearful of Russia is self-evidently bullšit."
It is self evident that your definition of "self evident" is any piece of idiocy that you have rationalized for yourself.

reader Tilo said...

Sorry if your favorite dictators are being abused.

reader Tilo said...

ROFL. The Russians killed 7 million Ukrainians. They steal their land. Russian tanks have run through all the former USSR countries to enforce the Russian will and you are drawing parallels. Get real.

reader Luboš Motl said...

Germany etc. didn't "import" democracy, they were just forced to restore democracy that they had known.

This is something completely different than attempts to export democracy to nations that have never had anything to do with a similar regime. You're missing this point, aren't you? That's why we have all this constant mess in the Middle East and elsewhere, nonsensical fantasies about Arab Springs and tons of other delusions and suffering.

reader Luboš Motl said...

It's not fully up to them. One is in someone's sphere of influence if it is a larger and stronger country that has special tools and motivation to include the smaller country into its strategic, long-term military and related planning.

This is unavoidable and claims that some other large countries haven't been doing such things or may survive without that are pure hippie fantasies.

reader Luboš Motl said...

Hi fascist idiot. The 7 million Ukrainians were killed by a Georgian leader of the USSR, not by Russians.

reader TomVonk said...

Lubos you said You just can't eliminate an ideology by bombs.
I beg to differ.
The contrary is true and has been true for some 3 000 of years (unsufficient data for a longer period but it was probably true even before that).
The key question is indeed one you didn't ask and which is "How many bombs ?".
The human being is made in such a way that a large majority of any sample of any population doesn't orient its behaviour according to ideologies even if a minority does.
Other motivation factors are infinitely more powerful - safety, power and wealth. In that order.
A winning army with few casualties never had difficulty to attract volunteers. a loosing army with huge casualties always showed the contrary - desertions.
The Wehrmacht had no problems with volunteers and morals in 1941. The situation was reversed in 1945.
What was the difference ? Well the amount of bombs.
You may consider that as an universal law of (human) nature : "When you increase the amount of bombs, you decrease the willingness of the vast majority of a population to die under one of them"
So while it is true that there is always a very small part of the population that is not impressed by bombs and is eventually governed by ideologies, it is relatively easy to bring this fraction to a small number.
And once you are there, it becomes possible to decrease the last residual to 0 by hand.
The IS army was around 10 000 a few months ago (equivalent of only one standard poorly armed Division). Today they are 30 000 + and the difference are people who were impressed by the millions looted, the power and especially by nearly 0 casualties.
It's easy to recruit with an argument "0 risk, 100 reward".
Well bombs have the interesting property that they radically increase casualties and quite fast bring the 30 000 + back to 5 000 or so which can be farther reduced if wished.
The conclusion would be that while bombs cannot eliminate some ideology totally, they can make it pretty much irrelevant for all practical purposes when the amount of bombs is right.
Of course a global solution is also possible as the Romans already knew 2500 years ago - salt on Carthago ground finished by eliminating totally and forever the last remains of carthaginian power and ideology.

reader Luboš Motl said...

Dear Tom, agreed, with a sufficient number of bombs, you may destroy anything - including an ideology or mankind.

But I think that the numbers are so overwhelming that they make my claim right in practice.

A bomb attack only kills dozens of people linked to ISIS. Chances are that only O(1) of these casualties is counted among those 30,000 you mentioned. You would need to bomb them for many many years.

At the end, it's not really about some ludicrous tiny numbers such as 30,000. There are clearly millions of people on the territory who prefer the ISIS arrangement of the region. More globally, it's clearly an ideology that captures hundreds of millions of people in the world. Do you want to kill the bulk of those people?

There's even no chance to kill the bulk of the EU citizens who are fighting with ISIS, which is a few thousand. Killing such a large number of EU citizens would probably cause a backlash over the EU.

But none of it is still solving the problem. When Nazi Germany was defeated, it was really an empire built around Berlin and one particular nutcase living over there - from whom the power structure propagated. But ISIS, while it has a boss, is something else. It is a distributed idea that more or less has significant body of backers across the Muslim world and beyond.

You seem to be vastly underestimating the territories that ISIS already control - something like 1/3 of Syria+Iraq. This isn't taken care of by the bomb attacks at all. Baghdad is many many orders of magnitude smaller area and much more important but the allies aren't even able to defend Baghdad reliably. There are huge fights for Baghdad ongoing today.

This fact from the real world of the Middle East has nothing to do with a bomb that kills a dozen of ISIS members, perhaps, and convinces 100 other Muslims to join ISIS because they get really pissed off. All these attacks are just a silly makeup that Obama and Cameron are using to keep their image but that don't fundamentally improve anything about the situation over there. If something, it makes the situation worse. I just listened to Ron Paul

who said the same things. A coincidence.

reader Oleg said...

I feel sorry for you, Luboš, that you have to waste your time replying to this. A clear case of a paid brain-dead troll.

reader Benni said...

Hostility towards russia? Well then they should better have stopped doing excersises simulating a nuke strike on Poland in 2009: or against Latvia or perhaps Putin should not have walked out unilateraly on the treaty of conventional armed forces in europe, or he should not have developed new missiles violating the INF treaty. And russia should better stop to threaten to invade kiev and Kazakhstan and Putin should stop threatening to annex Poland, Romania and the Baltics: and Putin has no right to order Finland what to do and threaten it with sentences like "If Finland wants to join NATO, they should think first. Will you join and start World War III?" Threats like these have no place in foreign politics. And also russia should not send soldiers into Ukraine who post photos of themselves together with gps coordinates: The russians should stop beating bbc journalists who investigate the fate of russian soldiers sent to Ukraine: and one should note that the separatists in Ukraine announced 1000 soldiers trained in russia were coming for help this must be viewed together with the fact that russian military men have to get official permission of the russian secret service fsb if they want to spend their holidays abroad. Furthermore, if they voluntarily take up arms during their holidays, then this is a crime according to russian law. By the way, this here is a map of ukrainian shale gas ressources: and this is a map where the rebels are: after they were driven out of the gas field, they are now fighting their way back in Ukraine is Putin's Iraq. Once the european union develops this shale gas field and finds that fracking does not poison drinking water, every eu state will join the fracking frenzy, and gasprom will sit on much gas with nobody to sell it. That is why Putin is sending rebels. Furthermore, Russian nuclear missiles are created in Ukraine: Putin wants these companies too under his control. There is a former advisor of Putin, who says since years that Putin wants these countries back under his control: a more intense cooperation with the EU was dismissed by Russia, since the EU asked for things like "reduction of corruption" or "rule of law" or "stop forging elections"....

(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//','ga'); ga('create', 'UA-1828728-1', 'auto'); ga('send', 'pageview');