Log4Shell Aftermath: Should Big Tech Pay to Secure Open Source?

Hey everybody, it's Lon Seidman, and it's time once again for your weekly wrap-up, and this week we're going to talk about the Log4j security vulnerability. This is one of the worst vulnerabilities in the history of vulnerabilities, and the impact of this is still yet to be seen. The media hasn't been talking about it all that much, but the U.S. government is getting very aggressive in making sure that people who are running this software patch it. We're going to look today at this vulnerability but also discuss some other things, like whether or not Big Tech is doing enough to support open source software. Nearly every single tech company is using Log4j in some way, and nearly every tech company was vulnerable to it. We've got a lot to discuss, so let's get to it.

Now before we jump into the big question of the day, let's take a look at what Log4j is. This is an open source software package that runs in Java, and it's designed for software developers to get a very easy way to log things going on within their applications. It could be logging errors, it could be logging user behavior to try to find ways to enhance things. It is used universally, and developers like this package because it is already written; they can just plug their software into what was already done there, and of course it is free, and so it speeds the development time and also makes it easier for them to keep track of what their users are doing.

Now the vulnerability in Log4j has been called Log4Shell because, as you'll see in a minute, what happens here when people exploit this is that they can insert some code into anything that gets logged and therefore allow software to run on the server without any kind of authentication or even any user intervention. And it's very easy to exploit, which is why this is such a big deal. And of course you could use this to install software that can burrow its way into a network and make things really bad for not only the company hosting that network but the consumers that use it.

Now the timeline on this was that it was first discovered by someone working for Alibaba back on November 24th of 2021. They disclosed it privately to Apache, which is the usual process for this sort of thing. Apache issued a patch on December 6th, but people didn't really start talking about it until December 9th, and the following day NIST here in the U.S. issued a level 10 threat warning about this because this vulnerability was so severe and they wanted to make sure people started patching immediately. But you can see here there was a pretty long stretch of time in which people weren't patching and hackers were out there looking for ways to pierce the armor of many popular services, and even some of the companies that we think of as the most highly secure were vulnerable.

Take a look at this tweet from Cas van Cooten, who was able to actually have Apple servers do things under his control. This is a very simple example, but it is something that I think kind of shows you the severity of it. So what this guy did is he went into his iPhone and inserted this code into the name of his phone, and it looks like Apple, using Log4j, logs any time that somebody changes their phone's name. But because he inserted code, that server, the Log4j server running at Apple, was able to execute code from inside of their firewalls, and what he had it do was essentially ping a server with a DNS request, and he was able to verify that these two IP addresses, after he changed his phone name, came from inside of Apple. Now this was a very benign kind of hack, if you will, but just imagine if somebody instead had some software get installed that would burrow its way into Apple's network, and you can see just how bad this is because it's so easy to execute.

Now here in the United States the Federal Trade Commission about a week and a half ago issued a very stern warning to companies that haven't gotten their act together yet on patching this vulnerability, and I would say that by now if they haven't patched they should assume their systems are completely infested and they should probably just reformat and start from scratch. What the FTC is saying here is that if these companies have data that leaks as a result of this, they will be seeking financial penalties, and they cite the example of Equifax, which is a credit agency here in the U.S. that did not keep their server software up to date, and over 147 million consumers had their data leaked, including mine. And they were able to collect a lot of money, but I didn't get much of that 700 million dollar settlement. But what they are saying here is that they intend to use their full legal authority to pursue these companies, and it looks like that will be something they are going to do.

However, here in the U.S. we don't have a broad privacy protection law for your data, which is why these companies can just sell your information willy-nilly as long as they tell you that they're doing it. Now there are two mechanisms the FTC can use here. One is the FTC Act, but this law mostly involves unfair and deceptive acts and practices, not direct consumer privacy protection, and the way the FTC has interpreted this is for instances where a company publishes a notice to their customers saying "we will protect your data," yet they don't patch their servers to actually protect the data, and that leaves them vulnerable to fines or a civil suit from the FTC. But if the company never promises to protect your data, there's not many legs here for the FTC to stand on, which is why a lot of companies get away with leaking your information out with very little consequence from the government, because we just don't have a regulation in place. But recently the Federal Trade Commission was granted additional authority to protect consumer financial information, and the updated Safeguards Rule now applies to non-banking institutions, and this can include everything from a mortgage broker to a car dealer, for example. Basically anyone that's storing a credit card number might fall under this, but a lot of websites use Stripe or some other service to not store that information, so still the authority here is rather limited, although greatly expanded. And this would also include websites that help you manage your finances, so for example that website Mint that goes in and downloads all of your banking information to consolidate your personal finances. Even though they don't actually hold your money, they do hold your financial data, and if they were not to patch, the FTC would be able to go after them. But again, the guy running the message board or the software company that leaked out all of your passwords and other things are not really subject to this unless they specifically guarantee to you that they would keep your data safe.

Now in addition to threatening legal action against companies that don't patch, the FTC at the end of their press release also issued a warning about open source software that I think raises a very important question. Let me read what they wrote here: "The Log4j vulnerability is part of a broader set of structural issues. It is one of thousands of unheralded but critically important open source services that are used across a near-innumerable variety of internet companies. These projects are often created and maintained by volunteers who don't always have adequate resources and personnel for incident response and proactive maintenance, even as their products are critical to the internet economy."

And what's crazy about this particular vulnerability is that it's likely been in the code for 20 years and nobody noticed it. This happens all the time, but the question is, if there were more resources coming in from these multi-billion dollar companies to support the open source movement, would these packages be more secure, and would we be having less of these blockbuster vulnerabilities as a result? Take a look at this. This is the Apache Foundation's 990 form here in the United States; this is their most recent report to the IRS about their financial activities. Now one might think, with all these multi-billion dollar corporations relying upon Apache software to run their web servers, that they might be contributing a little bit more to the effort, but check out how much money flowed into the Apache Foundation in their last fiscal year: just over two million dollars. That is it, a literal drop in the bucket of the trillion dollar plus industry that the modern internet is, and this past year they actually ran at an operating loss because their expenses exceeded what they brought in. Meanwhile, Apache's web server runs a bulk of the internet that these companies profit from. Now in fairness, a lot of these companies have their developers contribute code back to the project, but still one might think shoring up the finances of this institution might allow people to be focused on looking at security full time, as opposed to relying on volunteers to keep these projects up to date. And I think that's the big question here the FTC is asking, and I think it's a very good question, because clearly these companies are making a fortune and Apache here is barely able to scrape by.

Now I would love to hear what you all think of this, because clearly there's a need to keep these open source foundations independent and separate from corporate influence, but at the same time people's privacy and their personal finances and even national security depend on this software being secure. And how do we balance that? And do you think these companies should be contributing more to these foundations to make sure this software is safer to operate? Let me know down in the comments below.

Now this week's wrap-up, as always, is being brought to you by all of you, and I want to thank some super chatters first who contributed during one of my live streams. Chris Allegretta: now Chris is important to talk about for this topic because he was the original author of nano, which is a very simple text editor that runs on Linux and on the Mac and many other Unix-based systems. So definitely check out nano if you ever need a text editor, because Chris was the original author of that, which is pretty cool. And we also want to thank Tech Time with Eric, who was formerly known as Eric's Variety Channel, for his contribution during one of our live streams. We also have some supporters to thank, including my buddy Matt Zagaya, who went with me to my very first CES back in 2015, I believe. He made a gold level contribution. I also want to thank John Palema, who signed up via our Donorbox page. Now if you want to support the channel, you can go to lon.tv/support and make a monthly or a one-time contribution to the channel. We have my Donorbox page at that link, but you can also contribute via the YouTube membership program with that join button you'll see down below. We're now on Floatplane, and we're still on Patreon, so whatever works for you works for me.

We have a bunch of other channels to check out, including my podcast, which is now in video form on Spotify. It's basically this show that I upload every week, so you can listen to it in audio form on your favorite podcatcher, but if you're using Spotify you can actually watch it ad-free up there, at least for now. And if you want to watch my other content ad-free, you can go to my Amazon page at lon.tv/amazonshop, where most of my reviews are posted without any ads. And if you want to engage with the channel, you can sign up for my very infrequent email list at lon.tv/email. We also have the Discord and the Facebook group. The Discord has been growing quite a bit; I've got to spend a little bit more time in there, but Mark Dell and Brian Parker have been great at keeping things up to date there. And then we also have my store at lon.tv/store, where you can buy the items that I purchased to review here on the channel and I'm now getting rid of. I'll have some more stuff going up throughout the month, and if you want to get notified whenever something gets added, you can sign up at Store Alert to get an email whenever we add something to the store.

That is going to do it for this week's weekly wrap-up. I would love to hear your thoughts on today's topic and anything else that we've talked about over the last week. I am feeling a lot better, pretty much 100% at this point, from my holiday coronavirus experience, so thankfully we are on the mend there, and we'll be back with more tech in the coming week here. Until next time, this is Lon Seidman, thanks for watching.

This channel is brought to you by the Lon.TV supporters, including gold level supporters Jim Tannis and Tom Albrecht, Hot Sauce and Video Games and Eric's Variety Channel, Brian Parker and Frank Goldman, Amda Brown and Matt Zagaya and Chris Allegretta. If you want to help the channel, you can by contributing as little as a dollar a month. Head over to lon.tv/support to learn more, and don't forget to subscribe.
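The video's practical message is "patch it," and the first step for any team doing that is an inventory: finding every copy of log4j-core on disk, including copies buried inside application archives, and deciding which ones still need an upgrade. The scanner below is an added example written for this page; it is not code from the video, from Lon Seidman, or from the Apache project. It assumes the standard Maven layout of a log4j-core jar (a `pom.properties` under `META-INF/maven/org.apache.logging.log4j/log4j-core/` and the `JndiLookup` class at its usual path), treats 2.17.1 as the "fixed" threshold for the Java 8+ release line (an assumption of this example; the right target depends on your Java version and the Apache advisory), and builds its own constructed sample jars in a temp directory so it runs offline.

```python
"""Inventory scanner for log4j-core jars (added example, not the video's code).

Walks a directory tree, opens every .jar/.war/.ear/.zip (recursing into archives
nested inside archives, as fat jars and WARs do), reads the log4j-core version
from Maven's pom.properties and checks whether the JNDI lookup class is present.
"""
import io
import os
import re
import tempfile
import zipfile

# Standard locations inside a log4j-core jar built with Maven.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption of this example: one threshold for the Java 8+ line of Log4j 2.
FIXED_VERSION = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.17.1-rc1' -> (2, 17, 1); '2.3' -> (2, 3, 0); else None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def classify(version, has_lookup_class):
    """Turn (version, lookup class present?) into a verdict a patch team can act on."""
    if version is None and not has_lookup_class:
        return None                 # not a log4j-core jar at all
    if version is None:
        return "REVIEW"             # lookup class present but no version metadata
    if version >= FIXED_VERSION:
        return "OK"
    if not has_lookup_class:
        return "MITIGATED"          # old build with JndiLookup.class stripped out
    return "UPGRADE"


def inspect_archive(zf, label):
    """Inspect one open ZipFile and recurse into any archives nested inside it."""
    findings = []
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
    verdict = classify(version, JNDI_LOOKUP_CLASS in names)
    if verdict:
        findings.append({"path": label, "version": version, "verdict": verdict})
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    findings.extend(inspect_archive(inner, f"{label}!{name}"))
            except zipfile.BadZipFile:
                pass                # entry named like an archive but not one
    return findings


def scan_tree(root):
    """Scan every archive under root; results sorted by path for stable reporting."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(full) as zf:
                        findings.extend(inspect_archive(zf, os.path.relpath(full, root)))
                except zipfile.BadZipFile:
                    pass
    return sorted(findings, key=lambda f: f["path"])


def _write_jar(path, version, with_lookup):
    """Constructed fixture: only the metadata the scanner looks at, not a real jar."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def build_sample_tree(root):
    """Constructed sample deployment covering each verdict, including a nested jar."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    _write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)           # UPGRADE
    _write_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", True)           # OK
    _write_jar(os.path.join(lib, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)  # MITIGATED
    _write_jar(os.path.join(lib, "unrelated.jar"), None, False)                       # ignored
    inner = io.BytesIO()                      # an old log4j-core hidden inside a WAR
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPERTIES, "version=2.11.2\n")
        z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", inner.getvalue())
    return root


def demo():
    """Build the constructed tree, scan it, print a report and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        results = scan_tree(tmp)
        for f in results:
            print(f"{f['verdict']:<9} {f['version']} {f['path']}")
        return results


if __name__ == "__main__":
    demo()
```

Run it against a real host by calling `scan_tree("/opt")` (or wherever your Java applications live) instead of `demo()`. The "MITIGATED" verdict exists because stripping `JndiLookup.class` from an old jar was a documented stop-gap; it is worth listing separately so those hosts still get a proper upgrade rather than being treated as done.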
