WEBVTT

00:00:00.000 --> 00:00:06.520
Eight characters. That's all that stands

00:00:03.920 --> 00:00:11.920
between you and your entire digital world being absolutely wiped out. It's a

00:00:09.520 --> 00:00:15.960
command so destructive that it's caused hundreds of millions of dollars in

00:00:13.520 --> 00:00:20.200
damages, data loss, bankruptcies, and almost caused Toy Story 2 to be lost

00:00:17.920 --> 00:00:26.560
forever. The command we're talking about is rm hyphen rf forward slash. So, what

00:00:23.400 --> 00:00:28.640
does rm hyphen rf forward slash actually

00:00:26.560 --> 00:00:33.720
do? Let's break it down like we're defusing a bomb.

00:00:30.520 --> 00:00:36.040
Which honestly we kind of are.

00:00:33.720 --> 00:00:41.800
UNIX commands follow a simple structure. First, the command name. Then, flags

00:00:38.960 --> 00:00:47.520
that modify how it behaves, followed by arguments that tell it what to act on.

00:00:44.520 --> 00:00:48.960
So, let's defuse this bomb piece by

00:00:47.520 --> 00:00:54.240
piece. RM is an abbreviation of remove. It's

00:00:52.080 --> 00:00:58.240
the UNIX command for deleting files, which means it works on Linux, macOS,

00:00:56.360 --> 00:01:03.080
and other UNIX-based systems. [music] Although, on Windows, rm is also the

00:01:00.640 --> 00:01:08.160
alias for the remove item command in PowerShell, which does similar things.

00:01:05.640 --> 00:01:12.080
Hyphen r is what's called a flag in a UNIX command. It's an option for how you

00:01:10.480 --> 00:01:16.600
want the command to behave. In this case, the r stands for recursive, which

00:01:14.800 --> 00:01:21.400
means instead of just deleting files in one folder, it descends into every

00:01:19.360 --> 00:01:26.080
subdirectory and deletes everything inside them, too. All the way down the

00:01:23.560 --> 00:01:32.080
tree. Yeah, I accidentally executed it.

00:01:29.600 --> 00:01:35.880
Okay, so there's no way to reverse it. Yeah, it was my personal computer.

00:01:34.880 --> 00:01:41.360
I I wedding photos, baby pictures, Bitcoin

00:01:38.840 --> 00:01:45.960
wallet passphrase. Oh, I'm going to be in so much trouble.

00:01:45.280 --> 00:01:51.800
Um so, uh so, after the r flag is the f

00:01:48.960 --> 00:01:56.000
flag, which stands for force. This means it deletes files even if they're marked

00:01:54.000 --> 00:02:01.160
do not delete, and it doesn't ask for confirmation or stop for errors. It just

00:01:58.600 --> 00:02:05.640
goes, like you just saw on my personal computer. It didn't even ask if I was

00:02:03.320 --> 00:02:09.240
sure. It was Then comes the argument part of the command, which tells it what

00:02:07.560 --> 00:02:13.400
you want deleted. Now, in this case, we're putting a slash, which means the

00:02:11.160 --> 00:02:17.440
root directory. In Linux, that's the very top of your file system, where

00:02:15.560 --> 00:02:20.959
everything on your computer lives and every other directory stems from. If

00:02:19.560 --> 00:02:26.440
you're a Windows person, your closest equivalent is C, but it's actually worse

00:02:23.640 --> 00:02:30.400
than that. Linux mounts everything under root, including other drives and

00:02:28.240 --> 00:02:35.480
devices. There's no escaping to a D drive here. Then, once you hit enter,

00:02:36.520 --> 00:02:44.560
Yeah, so, see, the new machine we set up for you,

00:02:40.800 --> 00:02:44.560
you deleted the whole file system.

00:02:44.760 --> 00:02:52.080
And there's no way to get it back? No. No way to get it back. Okay. All right.

00:02:49.880 --> 00:02:52.080
Okay.

00:02:59.920 --> 00:03:07.239
So, all together, this is basically telling your computer to delete

00:03:04.360 --> 00:03:10.920
everything everywhere and not to stop or ask questions while it's doing it.

00:03:08.920 --> 00:03:15.640
That's a key point. The command starts at the top of your file system and works

00:03:13.200 --> 00:03:19.800
its way down, deleting system files, user data, configurations, everything.

00:03:18.200 --> 00:03:23.760
And here's the eerie part. While you might think your computer would

00:03:21.600 --> 00:03:27.920
immediately become unusable, it actually keeps running for a while, because the

00:03:25.519 --> 00:03:32.080
programs in memory still work until they need to access something that's been

00:03:29.600 --> 00:03:36.519
deleted, and then stuff starts to fall apart. Now, you might be wondering,

00:03:33.959 --> 00:03:41.160
reasonably, why does such a dangerous command even exist? To find out, we

00:03:38.800 --> 00:03:45.200
talked to Matthew Garrett, a Linux kernel developer who spent years working

00:03:43.400 --> 00:03:48.720
on firmware security. He's one of the people who's actually had to deal with

00:03:46.760 --> 00:03:53.280
the fallout when this command goes wrong. >> It's not really a deliberate design

00:03:51.160 --> 00:03:58.200
choice. Everything in Unix is a file. Slash is just the root of your entire

00:03:56.320 --> 00:04:02.240
file system. RM doesn't care. It just sees, "Oh, you gave me a directory."

00:04:00.000 --> 00:04:05.360
Sometimes you make a chainsaw, you don't really think of this as a "Someone could

00:04:04.120 --> 00:04:08.880
destroy their house with this if they tried." You think, "I made a thing to

00:04:07.120 --> 00:04:13.280
cut down a tree." Matthew's right. System administrators need a way to

00:04:10.880 --> 00:04:17.359
quickly clean up entire directory trees when managing servers, removing old

00:04:15.280 --> 00:04:20.680
installations, or wiping test environments. And we know what you're

00:04:18.519 --> 00:04:27.000
thinking here. Riley, you practice backup best practices, of course.

00:04:23.960 --> 00:04:28.560
>> Just restore. Well, sometimes backups

00:04:27.000 --> 00:04:31.960
fail. In fact, let me tell you about the time Pixar almost lost Toy Story 2. It

00:04:30.960 --> 00:04:36.400
happens to everybody. >> In 1998, someone at the studio ran a

00:04:34.520 --> 00:04:39.720
variation of this command on their animation servers. The associate

00:04:38.280 --> 00:04:44.120
technical director, who had been reviewing the character assets at the

00:04:41.400 --> 00:04:47.200
time, watched in horror as in a matter of seconds the entire file system

00:04:46.440 --> 00:04:53.160
disappeared. >> When they tried to restore the files from backup, they realized their

00:04:50.640 --> 00:04:59.993
magnetic tape-based backup system had reached its 4 GB size limit. And since

00:04:56.960 --> 00:05:00.200
Toy Story 2 was a whopping 10 GB,

00:04:59.993 --> 00:05:06.040
>> [snorts] >> the backups were overriding themselves without anyone knowing. So, how did Toy

00:05:04.240 --> 00:05:09.360
Story 2 survive? Did they have to remake the whole thing? I'll tell you that

00:05:07.640 --> 00:05:13.240
after I tell you about today's sponsor, Odoo. They make it easy to wrangle up

00:05:11.440 --> 00:05:17.840
all the aspects of business management into one platform. Whether that's CRM,

00:05:15.880 --> 00:05:22.960
project management tools, invoicing, running a forum, it can be all done with

00:05:20.919 --> 00:05:26.240
Odoo. It has a user-friendly and customizable

00:05:24.760 --> 00:05:30.800
interface, so you can make sure it suits your needs best. And if you only end up

00:05:28.600 --> 00:05:34.080
needing a single application, Odoo's free.

00:05:31.840 --> 00:05:38.240
You can even book a demo with them before you decide to try it. So, use our

00:05:35.919 --> 00:05:43.000
link for a free 15-day trial with no credit card required. Now, back to

00:05:40.520 --> 00:05:48.160
Pixar's nightmare. One of the only things that saved Toy Story 2 was this.

00:05:46.080 --> 00:05:52.440
Supervising technical director Galyn Susman had just given birth and had a

00:05:50.240 --> 00:05:57.320
copy of the film she had been working on during her maternity leave on her home

00:05:54.560 --> 00:06:01.760
workstation. So, thanks to her diligence and America's horrible maternity leave

00:05:59.200 --> 00:06:06.760
laws, the world got Toy Story 2. Now, you might think, "Okay, well, I just

00:06:04.000 --> 00:06:11.240
won't back up to magnetic tape anymore. I'll try one of these experimental

00:06:08.840 --> 00:06:15.720
newfangled backup methods, like the cloud or hard drives. Then, I can just

00:06:13.880 --> 00:06:21.840
reinstall my operating system and restore, right? Wrong, potentially. In

00:06:19.280 --> 00:06:26.440
2016, users discovered that on some systems with UEFI firmware, the

00:06:24.240 --> 00:06:32.760
successor to BIOS firmware that became popular in 2012, running rm -rf / could

00:06:30.640 --> 00:06:37.400
permanently brick your motherboard. And you can't install Linux on a brick. I

00:06:35.480 --> 00:06:42.600
mean, look at this thing. It doesn't even have any ports. So, how did this

00:06:40.080 --> 00:06:47.360
happen? Some Linux systems expose your firmware settings as files in a special

00:06:45.000 --> 00:06:51.720
folder. Things like which drive to boot from, your security keys, and even what

00:06:49.840 --> 00:06:56.120
hardware your motherboard thinks is plugged in. In the old days, your

00:06:53.720 --> 00:07:00.600
firmware settings were stored in a small amount of non-volatile RAM. EFI

00:06:58.240 --> 00:07:07.040
variables, they're stored in the same flash chip that your firmware is stored

00:07:03.800 --> 00:07:09.280
in. When rm -rf runs, it deletes these

00:07:07.040 --> 00:07:13.120
firmware variables, too. On poorly designed motherboards, this literally

00:07:11.320 --> 00:07:17.400
destroys the motherboard's ability to start up. Vendors, it turns out, had had

00:07:15.200 --> 00:07:22.520
in some cases used runtime variables for critical data, and they would not have

00:07:20.760 --> 00:07:26.880
error checking codes. They would assume that that was there. And if the if the

00:07:24.560 --> 00:07:30.520
variable wasn't there, instead of recreating it with default values, the

00:07:28.919 --> 00:07:36.480
firmware would either just stop, or it would crash. A user ran the

00:07:33.680 --> 00:07:41.520
command on their MSI notebook in 2016, which led to a deletion of the EFI vars

00:07:39.280 --> 00:07:45.680
directory, which contained the secure boot keys for the system. As a result,

00:07:44.120 --> 00:07:50.960
the user couldn't even boot into the BIOS. All from typing eight characters.

00:07:48.760 --> 00:07:56.320
And before you freak out and flee the Linux Republic to supplicate at the

00:07:53.000 --> 00:07:58.600
altar of Gates or Jobs, modern Linux

00:07:56.320 --> 00:08:03.440
systems have put protections in place to avoid accidental deletion of your entire

00:08:01.080 --> 00:08:06.960
computer. Linux has the concept of immutable files, files that can't be

00:08:05.440 --> 00:08:12.560
modified. Even if you have write permission, you can't change an

00:08:08.960 --> 00:08:15.800
immutable file. And what we did was

00:08:12.560 --> 00:08:17.200
set most EFI variables immutable by

00:08:15.800 --> 00:08:20.880
default. This is a pretty elegant solution. I did not come up with it. I I

00:08:19.000 --> 00:08:25.720
don't really do elegance. So far, we've been talking about accidental executions

00:08:23.120 --> 00:08:31.280
of rm -rf, but this command is also prone to malicious deletions. In 2013,

00:08:28.880 --> 00:08:35.760
there was a 4chan campaign where trolls were telling Mac users that this command

00:08:33.400 --> 00:08:40.039
would activate hidden Bitcoin features on their machines. Who would have

00:08:37.400 --> 00:08:43.640
possibly guessed that 4chan, the wholesome community that innocently

00:08:41.680 --> 00:08:47.440
popularized Pepe the Frog, would be the source of malicious trolling?

00:08:45.520 --> 00:08:51.839
Fortunately, the Linux community takes this kind of trolling seriously. Most

00:08:49.480 --> 00:08:56.720
help forums ban users immediately and permanently for trying to trick

00:08:53.480 --> 00:08:58.480
vulnerable users into executing rm -rf.

00:08:56.720 --> 00:09:03.960
Hell yeah, Linux community, that's the spirit. Not like those trolls over on

00:09:00.640 --> 00:09:05.880
4chan. It's also harder than before to

00:09:03.960 --> 00:09:10.400
accidentally execute this command without knowing you're doing it. Since

00:09:07.839 --> 00:09:14.960
2006, the command won't work on the root directory without adding the

00:09:13.120 --> 00:09:22.880
--no-preserve-root flag. [music] Think of it like a safety on a gun. But, rm -rf forward

00:09:19.320 --> 00:09:25.040
slash asterisk still nukes your system.

00:09:22.880 --> 00:09:30.520
That little asterisk makes the command execute on each directory individually,

00:09:27.760 --> 00:09:35.040
bypassing the root directory protection. Which, extending our earlier metaphor,

00:09:32.839 --> 00:09:41.560
is like if your gun also had a second trigger with no safety on it. And, as

00:09:38.000 --> 00:09:44.400
cool as a double trigger, no safety gun

00:09:41.560 --> 00:09:48.196
might be, it's not ideal for a command that could destroy all of your wife's

00:09:46.320 --> 00:09:52.640
pictures of her niece. >> [clears throat] >> Which is why you want to make sure

00:09:50.080 --> 00:09:57.760
you're using backups, and ideally using file system snapshots with something

00:09:54.600 --> 00:10:00.320
like ZFS or BTRFS, which lets you roll

00:09:57.760 --> 00:10:04.640
back changes like nothing happened. So, how do you actually protect yourself

00:10:02.040 --> 00:10:05.240
from this nightmare? First, if you use Linux,

00:10:05.226 --> 00:10:12.200
>> [music] >> there's a tool called safe-rm that maintains a deny list of directories

00:10:09.800 --> 00:10:17.920
that can never be deleted. You can also set up aliases to make rm always ask for

00:10:15.000 --> 00:10:22.440
confirmation before deleting, and keep good backups. Follow the 3-2-1 rule.

00:10:20.760 --> 00:10:27.560
Three copies of your data in two different types of media, with one copy

00:10:24.480 --> 00:10:30.600
stored offsite. And maybe,

00:10:27.560 --> 00:10:32.480
just maybe, double-check your commands

00:10:30.600 --> 00:10:39.000
before hitting enter. Because the difference between rm -rf /folder

00:10:35.760 --> 00:10:41.160
and rm -rf / folder

00:10:39.000 --> 00:10:44.080
could be your entire digital life. And speaking of backups, if you want to

00:10:42.680 --> 00:10:48.000
learn more about how to protect your data, our video on RAID file systems

00:10:46.600 --> 00:10:52.760
will teach you everything you need to know. I am going to go buy a new laptop.
