The Week (US)

Security: A software backdoor left open for years


Cybersecurity experts have spent this month racing to patch “one of the worst vulnerabilities in the history of modern computing,” said Frank Bajak in the Associated Press. A flaw in a widely used snippet of software with the cryptic name Log4j could let “internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics.” The data-logging tool was designed by the nonprofit Apache Software Foundation, a group of volunteers who create open-source (or free) software. Developers use it in applications for the mundane purpose of simply recording users’ activity, later allowing programmers to retrace steps to improve the code. The flaw, which some researchers say has existed since 2013, was first reported in November by Chinese tech giant Alibaba. It then took “two weeks to develop and release a fix.”

You probably haven’t heard of Log4j, but it’s everywhere, said Brian Barrett in Wired.com. “Plugging in Log4j instead of building your own logging library from scratch has become standard practice.” And all hackers must do to exploit it is “send a malicious piece of code and wait for it to get logged.” As companies work to patch the code, bad actors are storming in with “100 new hacking attempts every minute,” said Joe Tidy in BBC.com. One cybersecurity expert compared the ease with which hackers could exploit this vulnerability to “someone figuring out that mailing a letter with your specific address written on it could allow them to open all your doors in your house.”

Apache is now the focus of both praise and scrutiny, said William Turton in Bloomberg.com. The group has contributed “crucial components of global commerce” through its open-source projects, which are produced by programmers who share their code and are not paid for their contributions. When the flaw was reported, several volunteers worked around the clock to fix it. But researchers say Apache should have heeded “warning signs that Log4j may be vulnerable” beginning in 2016. The average application today “includes more than 500 open-source components,” said Richard Waters in the Financial Times. Code designed by Apache is “bundled together with many other components to make the apps that customers buy,” and many organizations that use programs like Log4j “probably don’t even realize it.” This isn’t Apache’s first crisis—another project, called Struts, figured in the breach at Equifax that “led to one of the biggest thefts of personal records.” Open-source software began as a “crazy-sounding experiment” to bring fairness and independence to technology. But groups like Apache have become too influential to exist without more focus on secure coding techniques.

For hackers, Log4j is an attractive target.
