About this blog

'Going Spatial' is my personal blog, the views on this site are entirely my own and should in no way be attributed to anyone else or as the opinion of any organisation.

My tweets on GIS, Humanitarian, Tech, Games and Randomness

Tuesday 10 February 2015

Mom, this is what I do...

I have always said that one should be able to tell your mother what you do for a living, because if you cannot - then it leads to all sorts of awkward questions around the dinner table and when your parents are chatting away to friends and other family.

Being a doctor, teacher, policeman, soldier and (gulp) banker are relatively easy to communicate and digest.

However, a GIS specialist? What is that...? Who do you work for?


So, finally Esri has released a pretty good video that says more or less what I have been trying to say all these years. Now all I need to do is to get my mum to click on the link I send her....

Friday 26 September 2014

Shellshock or SHELLSHOCKED!

Oh no, here we go again

Well, there's plenty of fast paced news and updates about the latest vulnerability to assail the internet (and OpenSource / Linux in particular it would seem) - hot on the heels of the 'Heartbleed' bug we now have a new vulnerability dubbed 'Shellshock', additional good articles from The Register and one from TroyHunt all include a lot of decent background material. Mr. Hunt was top of my search list - am sure there are others out there. 

It is a weakness with the well-known 'nix shell called 'Bash' - a shell is one of a number of interpreters that use command line to interact with the system as well as parse scripts and other things. It has been around for ages (I remember using it in university) and is the default shell for Linux and Mac OS X. So it is everywhere and everyone is more or less affected. 

The bug allows the processing of additional shell commands after a function definition - this means that someone can add extra commands to the end of an existing legitimate one, and there's a chance that it will get executed. Basically, a command over-run. 

What is even more scary and from what everyone has been saying: it probably has already been exploited and that the security community has just caught on. Christ, how long? 

Let me check to see if MY pants are down

So. I just carried out a ‘before’ and ‘after’ on one of our Centos boxes:

1.      Fire up a shell (make sure it is Bash)
2.      Enter the follow (no need to SUDO)
   env x=’() { :;}; echo vulnerable’ bash –c “echo this is a test”
3.      If you execute the script and you get: ‘vulnerable, this is a test’ – then patch immediately

4.      If you execute the script and you get: ‘this is a test’ – then the patch worked or you haven’t been vulnerable

So how do I patch for this? 

Quite easy actually. 

Using yum or apt-get will allow you to easily update Bash and fix the vulnerability.


sudo yum-update


sudo yum update bash


sudo apt-get update


sudo apt-get install --only-upgrade bash