We have been lucky, as it took eight years for intrepid Minecraft gamers and Alibaba security experts to blow the Log4j/Log4Shell vulnerability wide open.
How bad is the vulnerability? Security experts such as CyberCX executive director of cyber security and assurance testing Adam Boileau were taken aback by the severity of Log4Shell. It couldn't really be any worse.
There are vulnerable versions of the Log4j Java code running on countless business systems everywhere.
"It is pretty unprecedented; I am struggling to think of anything quite like this in my career," Boileau said.
The situation is as serious as they come, but explaining what it means to laypeople who have no idea what "remote code execution" is, or how it lets attackers take full control over a computer, is very difficult. That in turn means it's hard for people to grasp the impact of the vulnerability, Boileau added.
Boileau might be a tad too pessimistic here. This is 2021, and Log4Shell/Log4j hit front pages in general media. While few would delve into the deep geek details, there's now a need to know because of the economic hit the flaw could lead to if our IT systems are attacked.
IT systems are in fact already under attack. Ransomware and cryptocurrency miners are being planted through Log4Shell, and there's worse to come. The experience of the past few years shows that this kind of disruption can kill businesses and cost millions for remediation and recovery.
If you understand what's happening, take heart in the tech community's fast and exemplary response. Log4Shell is fixable.
That is, if you know the vulnerable component is there. It's not unusual for applications to be developed with unlisted components that nobody pays much attention to, security-wise.
Not knowing how an application is cobbled together makes life harder for security professionals, but this may be sorted out soon, Boileau noted.
In response to earlier security breaches, the Biden administration has published a requirement for companies that wish to sell software or devices to the United States government to provide a Software Bill of Materials (SBOM). This lists the components used for applications, and all dependencies (other code) they might require.
"With this, we could identify everything with log4j in it in an environment, and rapidly make good decisions about isolation, or remediation, or patching, or even who to talk to," Boileau said.
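The SBOM lookup Boileau describes, as an added example that is not part of the original article: a small Python triage pass over a constructed CycloneDX-style SBOM that flags log4j-core components below an assumed fixed version and walks the dependency graph to show which component pulls each one in, which is what tells you whom to talk to. The application, component names, bom-refs and the fixed-version threshold are all constructed for illustration.

```python
import json
import re
from collections import deque

# Constructed CycloneDX-style SBOM; names, versions and bom-refs are made up, not from the article.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "billing-portal", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "web", "name": "web-framework", "version": "5.1.0"},
    {"bom-ref": "log4j", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "l4j-api", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
    {"bom-ref": "json", "name": "json-lib", "version": "1.9.0"}],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "json"]}, {"ref": "web", "dependsOn": ["log4j"]},
    {"ref": "log4j", "dependsOn": ["l4j-api"]}, {"ref": "json", "dependsOn": []}]
}"""
SBOM = json.loads(SBOM_JSON)
FIXED_VERSION = "2.15.0"  # assumed for illustration; take the real value from the project's advisory

def version_key(version: str) -> tuple:
    """Numeric parts of a version, so '2.14.1' < '2.15.0'; pre-release tags are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def dependency_path(graph: dict, start: str, target: str) -> list:
    """Breadth-first search for the chain of bom-refs through which start pulls in target."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return []  # not reachable from start

def find_affected(sbom: dict, group: str, name: str, fixed_version: str) -> list:
    """Matching components below fixed_version, each with the chain from the root application."""
    root = sbom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    return [{"ref": ref, "version": c["version"],
             "path": dependency_path(graph, root["bom-ref"], ref)}
            for ref, c in comps.items()
            if c.get("group") == group and c.get("name") == name
            and version_key(c["version"]) < version_key(fixed_version)]

if __name__ == "__main__":
    for hit in find_affected(SBOM, "org.apache.logging.log4j", "log4j-core", FIXED_VERSION):
        print(f"{hit['ref']} {hit['version']} pulled in via {' -> '.join(hit['path'])}")
```

Run against a real fleet, the same scan over every application's SBOM gives the inventory of affected systems and their owners before anyone has to read the application code.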
Clearly, it's not a good thing to have these regular cataclysmic vulnerabilities. Despite increased awareness of them, and small but important improvements in how we code, security for devices that we happily outsource our cognitive capability and information storage to remains elusive.
Suggestions have popped up that open source developers whose unpaid work trillion-dollar tech titans exploit should become professionalised. Instead of relying on donations, developers should send out big invoices to ensure their clearly valuable work is properly funded.
That, Boileau points out, misses the psychology behind open source: for many developers, publishing code is a social thing, allowing them to connect with users. Increased popularity for the code, and new features that are well received, are the reward rather than money.
Besides, when even Big Invoice software houses get it wrong and ship code with security holes large enough to drive a horse and carriage through, it suggests the problem lies elsewhere.
Despite what "the market will sort it out" ideologues say, just like with burning enormous amounts of fossil fuels without a care, our entire economy is predicated on not paying the real cost of anything, Boileau said.
Software is no different: the cost of maintenance, security or privacy gets kicked down the line. Now we're paying for that faulty thinking and there's no easy solution on the horizon. It's deemed easier to patch nigh-inscrutable application code than to delete the lot and start again with a clean slate.
Case in point: Java has a very chequered history when it comes to security, but still runs on something like three billion devices. Many of those won't ever receive updates because nobody knows quite what the code does, or because patching simply isn't feasible for lack of access, or would break an important feature.
"I think there's probably no practical way to have prevented this from happening," Boileau suggests, and he's right. The IT revolution has run away with us, and we're in for a wild ride.