In one of those delicious coincidences that warm the cockles of every tech columnist’s heart, in the same week that the entire internet community was scrambling to patch a glaring vulnerability that affects countless millions of web servers across the world, the UK government announced a grand new National Cyber Security Strategy that, even if actually implemented, would have been largely irrelevant to the crisis at hand.
Initially, it looked like a prank in the amazingly popular Minecraft game. If someone inserted an apparently meaningless string of characters into a conversation in the game’s chat, it would have the effect of taking over the server on which it was running and download some malware that could then have the capacity to do all kinds of nefarious things. Since Minecraft (now owned by Microsoft) is the best-selling video game of all time (more than 238m copies sold and 140 million monthly active users), this vulnerability was obviously worrying, but hey, it’s only a video game…
This slightly comforting thought was exploded on 9 December by a tweet from Chen Zhaojun of Alibaba’s Cloud Security Team. He released sample code for the vulnerability, which exists in a subroutine library called Log4j of the Java programming language. The implications of this – that any software using Log4j is potentially vulnerable – were stunning, because an uncountable number of programs in the computing infrastructure of our networked world are written in Java. To make things worse, the nature of Java makes it very easy to exploit the vulnerability – and there was some evidence that a lot of bad actors were already doing just that.
It’s as if we had suddenly discovered a hitherto unknown weakness in the mortar used by bricklayers all over the world
At this point a short gobbledegook-break may be in order. Java is a very popular high-level programming language that is particularly useful for client-server web applications – which basically describes all the apps that most of us use. “The first rule of being a good programmer,” the Berkeley computer scientist Nicholas Weaver explains, “is don’t reinvent things. Instead we re-use code libraries, packages of previously written code that we can just use in our own programs to accomplish particular tasks. And let’s face it, computer systems are finicky beasts, and errors happen all the time. One of the most common ways to find problems is to simply record everything that happens. When programmers do it we call it ‘logging’. And good programmers use a library to do so rather than just using a bunch of print() – meaning print-to-screen statements scattered through their code. Log4j is one such library, an incredibly popular one for Java programmers.”
There are something like 9 million Java programmers in the world, and since most networking apps are written in the language, an unimaginable number of those programs use the Log4j library. At the moment we have no real idea of how many such vulnerabilities exist. It’s as if we had suddenly discovered a hitherto unknown weakness in the mortar used by bricklayers all over the world which could be liquefied by spraying it with a specific liquid. A better question, says Mr Weaver, is what is not affected? “For example, it turns out at least someplace in Apple’s infrastructure is a Java program that will log the name of a user’s iPhone, so, as of a few hours ago, one could use this to exploit iCloud! Minecraft and Steam gaming platforms are both written in Java and both end up having code paths that log chat messages, which means that they are also vulnerable.”
It’s a global-scale mess, in other words, which will take a long time to clear up. And the question of who is responsible for it is, in a way, unanswerable. Writing software is a collaborative activity. Re-using code libraries is the rational thing to do when you’re building something complex – why start from scratch when you can borrow? But the most persuasive critique from the software community I’ve seen this week says that if you’re going to re-use someone else’s wheel, shouldn’t you check that it’s reliable first? “Developers are lazy (yes, ALL of them),” wrote one irate respondent to Bruce Schneier’s succinct summary of the vulnerability. “They will grab a tool like Log4j because it’s an easy way to handle logging routines and someone else has already done the work, so why reinvent the wheel, right? Unfortunately most of them will not RTFM, so they have no idea if it can actually do the things it was designed to do and thus, [they] don’t take any precautions against that. It’s a bit of a Dunning-Kruger effect where devs overestimate their abilities (’cuz they have l337 coding skillz!).”
Well, he might say that, but as an unskilled programmer I couldn’t possibly comment.
What I’ve been reading
It’s getting meta all the time
Novelist Neal Stephenson conceived of the metaverse in the 90s. He’s unimpressed with Mark Zuckerberg’s version. Read the transcript of his conversation with Kara Swisher on the New York Times website.
Words to live by
This Is Water is the title of David Foster Wallace’s commencement address. The only one he ever gave – in 2005 to graduates of Kenyon College, Ohio.
Doom and gloom
Visualising the end of the American republic is a sombre essay by George Packer in the Atlantic.