1
00:00:00,000 --> 00:00:06,520
Eight characters. That's all that stands

2
00:00:03,920 --> 00:00:11,920
between you and your entire digital world being absolutely wiped out. It's a

3
00:00:09,520 --> 00:00:15,960
command so destructive that it's caused hundreds of millions of dollars in

4
00:00:13,520 --> 00:00:20,200
damages, data loss, bankruptcies, and almost caused Toy Story 2 to be lost

5
00:00:17,920 --> 00:00:26,560
forever. The command we're talking about is rm hyphen rf forward slash. So, what

6
00:00:23,400 --> 00:00:28,640
does rm hyphen rf forward slash actually

7
00:00:26,560 --> 00:00:33,720
do? Let's break it down like we're defusing a bomb.

8
00:00:30,520 --> 00:00:36,040
Which honestly we kind of are.

9
00:00:33,720 --> 00:00:41,800
UNIX commands follow a simple structure. First, the command name. Then, flags

10
00:00:38,960 --> 00:00:47,520
that modify how it behaves, followed by arguments that tell it what to act on.

11
00:00:44,520 --> 00:00:48,960
So, let's defuse this bomb piece by

12
00:00:47,520 --> 00:00:54,240
piece. RM is an abbreviation of remove. It's

13
00:00:52,080 --> 00:00:58,240
the UNIX command for deleting files, which means it works on Linux, macOS,

14
00:00:56,360 --> 00:01:03,080
and other UNIX-based systems. Although, on Windows, rm is also the

15
00:01:00,640 --> 00:01:08,160
alias for the Remove-Item command in PowerShell, which does similar things.

16
00:01:05,640 --> 00:01:12,080
Hyphen r is what's called a flag in a UNIX command. It's an option for how you

17
00:01:10,480 --> 00:01:16,600
want the command to behave. In this case, the r stands for recursive, which

18
00:01:14,800 --> 00:01:21,400
means instead of just deleting files in one folder, it descends into every

19
00:01:19,360 --> 00:01:26,080
subdirectory and deletes everything inside them, too. All the way down the

20
00:01:23,560 --> 00:01:32,080
tree. Yeah, I accidentally executed it.

21
00:01:29,600 --> 00:01:35,880
Okay, so there's no way to reverse it. Yeah, it was my personal computer.

22
00:01:34,880 --> 00:01:41,360
I I wedding photos, baby pictures, Bitcoin

23
00:01:38,840 --> 00:01:45,960
wallet passphrase. Oh, I'm going to be in so much trouble.

24
00:01:45,280 --> 00:01:51,800
Um so, uh so, after the r flag is the f

25
00:01:48,960 --> 00:01:56,000
flag, which stands for force. This means it deletes files even if they're marked

26
00:01:54,000 --> 00:02:01,160
do not delete, and it doesn't ask for confirmation or stop for errors. It just

27
00:01:58,600 --> 00:02:05,640
goes, like you just saw on my personal computer. It didn't even ask if I was

28
00:02:03,320 --> 00:02:09,240
sure. It was... Then comes the argument part of the command, which tells it what

29
00:02:07,560 --> 00:02:13,400
you want deleted. Now, in this case, we're putting a slash, which means the

30
00:02:11,160 --> 00:02:17,440
root directory. In Linux, that's the very top of your file system, where

31
00:02:15,560 --> 00:02:20,959
everything on your computer lives and every other directory stems from. If

32
00:02:19,560 --> 00:02:26,440
you're a Windows person, your closest equivalent is C, but it's actually worse

33
00:02:23,640 --> 00:02:30,400
than that. Linux mounts everything under root, including other drives and

34
00:02:28,240 --> 00:02:35,480
devices. There's no escaping to a D drive here. Then, once you hit enter,

35
00:02:36,520 --> 00:02:44,560
Yeah, so, see, the new machine we set up for you,

36
00:02:40,800 --> 00:02:44,560
you deleted the whole file system.

37
00:02:44,760 --> 00:02:52,080
And there's no way to get it back? No. No way to get it back. Okay. All right.

38
00:02:49,880 --> 00:02:52,080
Okay.

39
00:02:59,920 --> 00:03:07,239
So, all together, this is basically telling your computer to delete

40
00:03:04,360 --> 00:03:10,920
everything everywhere and not to stop or ask questions while it's doing it.

41
00:03:08,920 --> 00:03:15,640
That's a key point. The command starts at the top of your file system and works

42
00:03:13,200 --> 00:03:19,800
its way down, deleting system files, user data, configurations, everything.

43
00:03:18,200 --> 00:03:23,760
And here's the eerie part. While you might think your computer would

44
00:03:21,600 --> 00:03:27,920
immediately become unusable, it actually keeps running for a while, because the

45
00:03:25,519 --> 00:03:32,080
programs in memory still work until they need to access something that's been

46
00:03:29,600 --> 00:03:36,519
deleted, and then stuff starts to fall apart. Now, you might be wondering,

47
00:03:33,959 --> 00:03:41,160
reasonably, why does such a dangerous command even exist? To find out, we

48
00:03:38,800 --> 00:03:45,200
talked to Matthew Garrett, a Linux kernel developer who spent years working

49
00:03:43,400 --> 00:03:48,720
on firmware security. He's one of the people who's actually had to deal with

50
00:03:46,760 --> 00:03:53,280
the fallout when this command goes wrong. >> It's not really a deliberate design

51
00:03:51,160 --> 00:03:58,200
choice. Everything in Unix is a file. Slash is just the root of your entire

52
00:03:56,320 --> 00:04:02,240
file system. RM doesn't care. It just sees, "Oh, you gave me a directory."

53
00:04:00,000 --> 00:04:05,360
Sometimes you make a chainsaw, you don't really think of this as a "Someone could

54
00:04:04,120 --> 00:04:08,880
destroy their house with this if they tried." You think, "I made a thing to

55
00:04:07,120 --> 00:04:13,280
cut down a tree." Matthew's right. System administrators need a way to

56
00:04:10,880 --> 00:04:17,359
quickly clean up entire directory trees when managing servers, removing old

57
00:04:15,280 --> 00:04:20,680
installations, or wiping test environments. And we know what you're

58
00:04:18,519 --> 00:04:27,000
thinking here. Riley, you practice backup best practices, of course.

59
00:04:23,960 --> 00:04:28,560
>> Just restore. Well, sometimes backups

60
00:04:27,000 --> 00:04:31,960
fail. In fact, let me tell you about the time Pixar almost lost Toy Story 2. It

61
00:04:30,960 --> 00:04:36,400
happens to everybody. >> In 1998, someone at the studio ran a

62
00:04:34,520 --> 00:04:39,720
variation of this command on their animation servers. The associate

63
00:04:38,280 --> 00:04:44,120
technical director, who had been reviewing the character assets at the

64
00:04:41,400 --> 00:04:47,200
time, watched in horror as in a matter of seconds the entire file system

65
00:04:46,440 --> 00:04:53,160
disappeared. >> When they tried to restore the files from backup, they realized their

66
00:04:50,640 --> 00:04:59,993
magnetic tape-based backup system had reached its 4 GB size limit. And since

67
00:04:56,960 --> 00:05:00,200
Toy Story 2 was a whopping 10 GB,

68
00:04:59,993 --> 00:05:06,040
the backups were overriding themselves without anyone knowing. So, how did Toy

69
00:05:04,240 --> 00:05:09,360
Story 2 survive? Did they have to remake the whole thing?

77
00:05:35,919 --> 00:05:43,000
Now, back to

78
00:05:40,520 --> 00:05:48,160
Pixar's nightmare. One of the only things that saved Toy Story 2 was this.

79
00:05:46,080 --> 00:05:52,440
Supervising technical director Galyn Susman had just given birth and had a

80
00:05:50,240 --> 00:05:57,320
copy of the film she had been working on during her maternity leave on her home

81
00:05:54,560 --> 00:06:01,760
workstation. So, thanks to her diligence and America's horrible maternity leave

82
00:05:59,200 --> 00:06:06,760
laws, the world got Toy Story 2. Now, you might think, "Okay, well, I just

83
00:06:04,000 --> 00:06:11,240
won't back up to magnetic tape anymore. I'll try one of these experimental

84
00:06:08,840 --> 00:06:15,720
newfangled backup methods, like the cloud or hard drives. Then, I can just

85
00:06:13,880 --> 00:06:21,840
reinstall my operating system and restore, right? Wrong, potentially. In

86
00:06:19,280 --> 00:06:26,440
2016, users discovered that on some systems with UEFI firmware, the

87
00:06:24,240 --> 00:06:32,760
successor to BIOS firmware that became popular in 2012, running rm -rf / could

88
00:06:30,640 --> 00:06:37,400
permanently brick your motherboard. And you can't install Linux on a brick. I

89
00:06:35,480 --> 00:06:42,600
mean, look at this thing. It doesn't even have any ports. So, how did this

90
00:06:40,080 --> 00:06:47,360
happen? Some Linux systems expose your firmware settings as files in a special

91
00:06:45,000 --> 00:06:51,720
folder. Things like which drive to boot from, your security keys, and even what

92
00:06:49,840 --> 00:06:56,120
hardware your motherboard thinks is plugged in. In the old days, your

93
00:06:53,720 --> 00:07:00,600
firmware settings were stored in a small amount of non-volatile RAM EFI

94
00:06:58,240 --> 00:07:07,040
variables. They're stored in the same flash chip that your firmware is stored

95
00:07:03,800 --> 00:07:09,280
in. When rm -rf runs, it deletes these

96
00:07:07,040 --> 00:07:13,120
firmware variables, too. On poorly designed motherboards, this literally

97
00:07:11,320 --> 00:07:17,400
destroys the motherboard's ability to start up. Vendors, it turns out, had had

98
00:07:15,200 --> 00:07:22,520
in some cases used runtime variables for critical data, and they would not have

99
00:07:20,760 --> 00:07:26,880
error checking codes. They would assume that that was there. And if the if the

100
00:07:24,560 --> 00:07:30,520
variable wasn't there, instead of recreating it with default values, the

101
00:07:28,919 --> 00:07:36,480
firmware would either just stop, or it'd crash. A user ran the

102
00:07:33,680 --> 00:07:41,520
command on their MSI notebook in 2016, which led to a deletion of the efivars

103
00:07:39,280 --> 00:07:45,680
directory, which contained the secure boot keys for the system. As a result,

104
00:07:44,120 --> 00:07:50,960
the user couldn't even boot into the BIOS. All from typing eight characters.

105
00:07:48,760 --> 00:07:56,320
And before you freak out and flee the Linux Republic to supplicate at the

106
00:07:53,000 --> 00:07:58,600
altar of Gates or Jobs, modern Linux

107
00:07:56,320 --> 00:08:03,440
systems have put protections in place to avoid accidental deletion of your entire

108
00:08:01,080 --> 00:08:06,960
computer. Linux has the concept of immutable files, files that can't be

109
00:08:05,440 --> 00:08:12,560
modified. Even if you have write permission, you can't change an

110
00:08:08,960 --> 00:08:15,800
immutable file. And what we did was

111
00:08:12,560 --> 00:08:17,200
set most EFI variables immutable by

112
00:08:15,800 --> 00:08:20,880
default. This is a pretty elegant solution. I did not come up with it. I I

113
00:08:19,000 --> 00:08:25,720
don't really do elegance. So far, we've been talking about accidental executions

114
00:08:23,120 --> 00:08:31,280
of rm -rf, but this command is also prone to malicious deletions. In 2013,

115
00:08:28,880 --> 00:08:35,760
there was a 4chan campaign where trolls were telling Mac users that this command

116
00:08:33,400 --> 00:08:40,039
would activate hidden Bitcoin features on their machines. Who would have

117
00:08:37,400 --> 00:08:43,640
possibly guessed that 4chan, the wholesome community that innocently

118
00:08:41,680 --> 00:08:47,440
popularized Pepe the Frog, would be the source of malicious trolling?

119
00:08:45,520 --> 00:08:51,839
Fortunately, the Linux community takes this kind of trolling seriously. Most

120
00:08:49,480 --> 00:08:56,720
help forums ban users immediately and permanently for trying to trick

121
00:08:53,480 --> 00:08:58,480
vulnerable users into executing rm -rf.

122
00:08:56,720 --> 00:09:03,960
Hell yeah, Linux community, that's the spirit. Not like those trolls over on

123
00:09:00,640 --> 00:09:05,880
4chan. It's also harder than before to

124
00:09:03,960 --> 00:09:10,400
accidentally execute this command without knowing you're doing it. Since

125
00:09:07,839 --> 00:09:14,960
2006, the command won't work on the root directory without adding the

126
00:09:13,120 --> 00:09:22,880
--no-preserve-root flag. Think of it like a safety on a gun. But, rm -rf forward

127
00:09:19,320 --> 00:09:25,040
slash asterisk still nukes your system.

128
00:09:22,880 --> 00:09:30,520
That little asterisk makes the command execute on each directory individually,

129
00:09:27,760 --> 00:09:35,040
bypassing the root directory protection. Which, extending our earlier metaphor,

130
00:09:32,839 --> 00:09:41,560
is like if your gun also had a second trigger with no safety on it. And, as

131
00:09:38,000 --> 00:09:44,400
cool as a double trigger, no safety gun

132
00:09:41,560 --> 00:09:48,196
might be, it's not ideal for a command that could destroy all of your wife's

133
00:09:46,320 --> 00:09:52,640
pictures of her niece. Which is why you want to make sure

134
00:09:50,080 --> 00:09:57,760
you're using backups, and ideally using file system snapshots with something

135
00:09:54,600 --> 00:10:00,320
like ZFS or BTRFS, which lets you roll

136
00:09:57,760 --> 00:10:04,640
back changes like nothing happened. So, how do you actually protect yourself

137
00:10:02,040 --> 00:10:05,240
from this nightmare? First, if you use Linux,

138
00:10:05,226 --> 00:10:12,200
there's a tool called safe-rm that maintains a deny list of directories

139
00:10:09,800 --> 00:10:17,920
that can never be deleted. You can also set up aliases to make rm always ask for

140
00:10:15,000 --> 00:10:22,440
confirmation before deleting, and keep good backups. Follow the 3-2-1 rule.

141
00:10:20,760 --> 00:10:27,560
Three copies of your data in two different types of media, with one copy

142
00:10:24,480 --> 00:10:30,600
stored offsite. And maybe,

143
00:10:27,560 --> 00:10:32,480
just maybe, double-check your commands

144
00:10:30,600 --> 00:10:39,000
before hitting enter. Because the difference between rm -rf /folder

145
00:10:35,760 --> 00:10:41,160
and rm -rf / folder

146
00:10:39,000 --> 00:10:44,080
could be your entire digital life. And speaking of backups, if you want to

147
00:10:42,680 --> 00:10:48,000
learn more about how to protect your data, our video on RAID file systems

148
00:10:46,600 --> 00:10:52,760
will teach you everything you need to know. I am going to go buy a new laptop.
