A story popped up on Ars recently about a vulnerability in an image compression tool. A thing that takes uploads and reduces them from, whatever, you upload a 20-megapixel RAW file and it squeezes it to, like, a few hundred Kb so that it can be served out without chewing up bandwidth. Apparently, by embedding a source URL that is trailed by a semicolon, terminal commands following the semicolon could be caused to run, allowing the server to be commandeered.
So, what the ever-loving-fuck???
What is wrong with these dumbshits? Why in the hell do they expose a simple embedded URL to the terminal? To save twenty minutes of coding? That they will end up having to write anyway? Because there is a one in a million chance that someone will discover their sloppiness – across an internet with hundreds of millions of users?
Do these “developers” even have the slightest idea what they are doing?
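For the record, here is the difference in code. This is an added example, not the affected tool's source: `imgtool` and its flags are made-up names, the sample URLs are constructed, and a Python one-liner stands in for the converter so the thing runs anywhere.

```python
import shlex
import subprocess
import sys
from urllib.parse import urlsplit

CONVERTER = "imgtool"  # hypothetical tool name and flags, not from the article

def unsafe_command(url: str) -> str:
    """Flawed pattern: the URL is pasted into a string meant for a shell."""
    return f"{CONVERTER} --fetch {url} --out out.jpg"

def shell_command_count(command: str) -> int:
    """How many separate commands a POSIX shell would find in the string."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return 1 + sum(tok in (";", "&", "&&", "|", "||") for tok in lexer)

def validate_source_url(url: str) -> str:
    """Accept only http(s) URLs with a host and no whitespace or control bytes."""
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are accepted")
    return url

def run_converter(url: str) -> str:
    """Hardened pattern: an argument vector and no shell, so the URL stays data.
    The child is a stand-in for the converter that echoes the argument it got."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')",
            validate_source_url(url)]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout

if __name__ == "__main__":
    crafted = "http://example.test/cat.jpg; echo injected"  # constructed input
    print("shell would see", shell_command_count(unsafe_command(crafted)), "commands")
    try:
        run_converter(crafted)
    except ValueError as err:
        print("rejected before any process starts:", err)
    # A semicolon is legal in a URL; without a shell it is just another byte.
    print("child received:", run_converter("http://example.test/cat.jpg;echo"))
```

The validation is a second layer; what actually closes the hole is that no shell ever parses the URL.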
In 1980, we (the public) had very small computers that required a lot of tricks and short-cuts to be functional. One computer of today has more processing power than was available to everyone combined 35 years ago. We no longer need to rely on super-elegant code to make them function well – in fact, that kind of code is worse on a bigger machine. And yet, those old habits seem to persist.
Most of the exploits that plague us are due to bad coding. Buffer overflows? Who the fuck puts a buffer on the call stack? That shit should have been gone before it even started. The notorious malformed IIS command that caused a predictable crash, allowing the sender to take control of the server? That is inexcusable. A bad command should be failed-out by the parser, not cause a crash.
Then there are JavaScripts that can directly root a nice, tight iOS device, dangerous Office scripting and worms that can crawl out of PDFs, for fuck's sake: what the hell is going on that scripts have to run deeply enough in the system that they become a broad attack surface?
Microsoft tried to fix the lump of havarti that was Windows XP, but it is not clear that they have succeeded. Apparently, decades of poor coding hygiene have never been fully overcome, but now Windows is a pain in the ass to use, at least off the shelf (days of tinkering and adapting may help, I had not the patience to find out).
Sorry, but IT is broken. This is the most prominent example of when the “invisible hand” of the market has wrapped itself into a fist, eager to pound on us all. If ever there was a need for regulation, the software development community desperately needs to have their asses kicked and their dirty laundry (source code) aired out for all to see. This bullshit just has to stop.