Author Archives: Michael Froomkin

Shellshock Still Kicking

Oh, joy: despite a vigorous round of patching, Shellshock isn’t dead, and isn’t even resting:

Google security researcher Michal "lcamtuf" Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.

"The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said.

"The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.

— iTnews.com.au, Further flaws render Shellshock patch ineffective. Spotted via Slashdot

Posted in Internet, Software

It’s Where The Money Is

[Chart: wage theft vs. bank and other robberies]

Plus, there’s no significant risk of jail.

Posted in Econ & Money, Law: Criminal Law

Tip of the Iceberg

The NYT has a great story today, Miss a Payment? Good Luck Moving That Car, on sub-prime car loans that require the buyer to accept installation of an immobilizer that the lender’s agents can operate by remote control. The article concentrates on the ways in which these are being abused, e.g. immobilizing cars in traffic, far from home, when payments are not in fact late, and more.

It also hints at a group of legal issues, notably privacy (the GPS technology on which the immobilizer relies makes cars trackable by the monitoring company), and whether state laws on repossession — which require more notice, or more time between a missed payment and authorized action by the lender — should apply to a ‘virtual repossession’ or not. (Attention: Student note topic seekers. Doing this analysis in just one state would be a fine topic, and a social good.)

Then there are the sociological aspects:

Beyond the ability to disable a vehicle, the devices have tracking capabilities that allow lenders and others to know the movements of borrowers, a major concern for privacy advocates. And the warnings the devices emit — beeps that become more persistent as the due date for the loan payment approaches — are seen by some borrowers as more degrading than helpful.

“No middle-class person would ever be hounded for being a day late,” said Robert Swearingen, a lawyer with Legal Services of Eastern Missouri, in St. Louis. “But for poor people, there is a debt collector right there in the car with them.”

Missing, though, is the first thing that occurred to the cypherpunks when this technology first got mooted over a decade ago: How long until it is hacked? What happens when some bad guy starts war driving with a black box immobilizer causing accidents or other harms? And to what extent will the makers of the immobilizer be liable for those harms? Another good student note, at the very least.

[Note: Edited to add italicized line in second paragraph, which mysteriously got cut out before posting.]

Posted in Cryptography, Law: Privacy, Student Note Topics

Shellshock: It’s as if Flesh-Eating Bacteria Were Poised to Eat Your Server

And all your Linux-embedded devices with any Internet access. From the sound of it, that’s about how bad the “shellshock” bug in Bash is:

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

— Slashdot, Remote Exploit Vulnerability Found In Bash.

Shellshock name spotted on Errata Security (good blog BTW), and the faithful INQ, which shares the cheerful fact that the NIST vulnerability database “rates the flaw 10 out of 10 in terms of severity.”

Update: It looks as if patching servers will be easy – mine is already done. The real problem will be patching devices with embedded Linux. To achieve that the consumer needs (1) to know the device exists, is connected to the internet, and is under their control — all sometimes much less obvious than one might imagine; (2) the device has to be patchable; (3) there has to be a patch; (4) the consumer has to know where to go to get the patch; (5) the consumer has to be able to apply it.

Internet of Things considered dangerous?

Update2: This is a nice test for the Shell Shock / shellshock vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it returns something like

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

You are fine. But if it says,

vulnerable
this is a test

Then you have the bash bug.
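The one-liner above is the whole probe, but it is easy to misread by eye and it says nothing about the HTTP/CGI vector the Slashdot quote describes. The script below is an added example, not part of the original post: it wraps the same probe in a function that returns a status you can check from a deployment script, and then runs a crude scan for the CGI attack vector over a few constructed Apache-style access-log lines (the addresses, timestamps and requests are invented for the example). It assumes a bash binary is on PATH; the CVE number is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): probe a bash binary for the
# Shellshock bug quoted above (CVE-2014-6271), then look for the CGI
# attack vector in access logs. Assumes 'bash' is on PATH; the log lines
# are constructed for the example.

# Run the same test the post quotes against a given bash binary.
# Returns 0 if bash ignores the trailing command (patched),
#         1 if it executes it (vulnerable),
#         2 if the binary cannot be found.
shellshock_probe() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # The variable value is a function definition followed by an extra
    # command. Unpatched bash runs that extra command while importing the
    # environment, before -c is even looked at.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Constructed Apache combined-format log: line 1 carries the payload in
# the User-Agent header, line 3 carries it percent-encoded in the query
# string, line 2 is benign. A CGI server exports both as environment
# variables (HTTP_USER_AGENT, QUERY_STRING), which is the attack vector.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"id\""
198.51.100.3 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi?%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 404 300 "-" "curl/7.37"'

# Count log lines containing the "() {" prefix every Shellshock payload
# starts with, raw or percent-encoded. Matching lines go to stderr for
# the analyst; the count is printed on stdout.
scan_access_log() {
    log_text="${1:-$SAMPLE_LOG}"
    pattern='\(\) *[{]|%28%29(%20)*%7[bB]'
    printf '%s\n' "$log_text" | grep -E "$pattern" >&2 || true
    printf '%s\n' "$log_text" | grep -Ec "$pattern" || true
}

# Usage when run directly.
rc=0
shellshock_probe bash || rc=$?
case "$rc" in
    0) echo "bash: ignores injected function body (patched for CVE-2014-6271)" ;;
    1) echo "bash: VULNERABLE to CVE-2014-6271" ;;
    *) echo "bash: binary not found" ;;
esac
echo "suspicious log lines: $(scan_access_log)"
```

Two caveats a practitioner should keep in mind. The probe tests only the original bug; the later parser issues quoted at the top of this page need their own test cases, and a bash that passes this one may still fail those. And the log pattern only catches the textbook prefix in whatever the server happened to log: the Referer, Cookie and custom headers that CGI also exports are not in a default access log, so a clean scan is not proof of a clean server.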

Posted in Software, Sufficiently Advanced Technology

Swearing-In Ceremony

Justice R. Fred Lewis, a very loyal alumnus, swore in students from the class of 2014 this evening — recent graduates who learned only yesterday that they passed the bar. They looked pretty happy about it.

The Justice told the graduates that they were starting a new life: “24/7 you’re going to be a lawyer.” He extolled the value of civility in personal and professional life. He reminded the graduates that they had achieved their law license with the help of many others, friends and family. That license, he told them, permits many things, but “not to be an ass.”

There was more good advice: keep some perspective, don’t let anyone suck the joy out of your life, do good works, think of life balance.

Then he administered Florida’s highly aspirational oath:

I do solemnly swear:

“I will support the Constitution of the United States and the Constitution of the State of Florida;

“I will maintain the respect due to courts of justice and judicial officers;

“I will not counsel or maintain any suit or proceedings which shall appear to me to be unjust, nor any defense except such as I believe to be honestly debatable under the law of the land;

“I will employ for the purpose of maintaining the causes confided to me such means only as are consistent with truth and honor, and will never seek to mislead the judge or jury by any artifice or false statement of fact or law;

“I will maintain the confidence and preserve inviolate the secrets of my clients, and will accept no compensation in connection with their business except from them or with their knowledge and approval;

“To opposing parties and their counsel, I pledge fairness, integrity, and civility, not only in court, but also in all written and oral communications;

“I will abstain from all offensive personality and advance no fact prejudicial to the honor or reputation of a party or witness, unless required by the justice of the cause with which I am charged;

“I will never reject, from any consideration personal to myself, the cause of the defenseless or oppressed, or delay anyone’s cause for lucre or malice. So help me God.”1

It was a very happy event, but I couldn’t help but think about the almost 18.8% of our Florida test-takers who didn’t pass the bar. Florida overall had an almost 30% failure rate, which is substantially higher than in recent years; FSU’s pass rate was about half a percent higher than ours this year, and U.Florida had a 10% better rate. Other law schools in the state did worse, or much worse, than we did. Our results were not by that measure embarrassing, indeed the pass percentage was higher than last year, but I still wish it were better. The administration will crunch the numbers, but we’ve not in the past been able to spot many predictors other than being right near the bottom of the class, and that itself is very imperfect. Oh yes, and some small part of the 18.8% will be long-ago graduates who retired to Florida and decided to take the bar. The Florida Bar counts them as our graduates for this purpose.


  1. I didn’t hear anything about a chance to affirm the oath. I hope this option was made clear to the graduates before the event.
Posted in Law School, Law: Practice

FL Bar Results Tomorrow

Wasting no time, we’re having a swearing-in ceremony in Gussman Hall Tuesday evening for members of the Class of 2014 who passed the Florida Bar. Justice R. Fred Lewis of the Florida Supreme Court will be presiding, which is pretty nice.

One of the odd things about teaching law is that unless they turn up at alumni events you don’t necessarily ever learn for sure whether your former students passed the bar; since people don’t advertise their troubles it’s even rarer to learn who among them failed. (Presumably all *my* students passed, right, since they’re the sort of hard workers who self-selected hard courses, right?) We do get a cumulative score for in-state exam takers, but we also have a lot of students who take other states’ bar exams. Indeed, arguably, the ones who go farther away are disproportionately our more motivated students, so it’s always hard to know exactly what to make of the in-state success number. For this and other reasons I’ve argued time and again that Bar Pass Rates are Over-Rated As A Measure of Law School Quality.

In any event, here’s wishing you good fortune if you’re waiting for your results. In the unlikely event any of my former students from the class of 2014 read this blog, you are invited to email me your results, or better yet, brag in the comments below that you passed.

Posted in Law School, Law: Practice

Patrick Gudridge ALS Ice Bucket

Patrick Gudridge is our Vice Dean and a really smart legal academic.

Several years ago I suggested we dress up the faculty in Halloween costumes, take a group photo, and publish it online with the caption “A Serious Faculty that Doesn’t Take Itself Too Seriously”. This met with no approval at all.

Posted in Law School, U.Miami