The biggest story in cybersecurity—and perhaps in the whole of tech—this week has been the Log4j vulnerability. As Wired summarised:
A vulnerability in the open source Apache logging library Log4j sent system administrators and security professionals scrambling over the weekend. Known as Log4Shell, the flaw is exposing some of the world’s most popular applications and services to attack, and the outlook hasn’t improved since the vulnerability came to light on Thursday. If anything, it’s now excruciatingly clear that Log4Shell will continue to wreak havoc across the internet for years to come.
Hackers have been exploiting the bug since the beginning of the month, according to researchers from Cisco
. But attacks ramped up dramatically following Apache’s disclosure on Thursday.
As Ars Technica reported
yesterday, “hackers around the world have launched more than 840,000 attacks on companies globally since last Friday.” Cloudflare founder Matthew Prince tweeted
yesterday that “We’re seeing >1,000 attempted exploits per second. And payloads getting scarier. Ransomware payloads started in force in last 24 hours.”
In short: 😬😬😬
This is big. In the US, Cybersecurity and Infrastructure Security Agency Director Jen Easterly described
Log4Shell as “one of the most serious [vulnerabilities] I’ve seen in my entire career, if not the most serious.”
Because Log4j is so widely used by developers to build logs of events in software, it’s easy for hackers to attack millions of apps and devices. Wired again:
To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code. From there they can load arbitrary code on the targeted server and install malware or launch other attacks. Notably, hackers can introduce the snippet in seemingly benign ways, like by sending the string in an email or setting it as an account username.
While big companies and organisations have been scrambling to patch their software over the past few days, the many less well-resourced companies and less well-maintained apps out there mean that this could be a serious issue for a long time to come.
Shockingly, Log4j is the latest example of a key piece of code, relied on by developers (and therefore end users) around the world, that is maintained by unpaid volunteers. When building software, developers often rely on open source code to save them having to reinvent the wheel for each project. But when the code they use is being maintained as an unpaid passion project, it can lead to massive problems down the line.
As Filippo Valsorda pointed out at the weekend
, there’s a big opportunity for large tech companies to pay people to maintain the open source code on which they rely. Then maintainers can start to build careers around the software they love to work on, rather than doing it in a spare hour here and there or abandoning a key piece of code relied on by millions because their life circumstances change.
It’s a common observation that the internet is held together with bubble gum and string (or a variation on the analogy), and situations like this are exactly what that saying is all about. Isn’t it time we invested in some proper bricks and mortar?