Posted on

Cyber War In Ukraine

I’ve added an update for May 9th below.

The hacktivist war against Russia has been dismissed as ineffective, but my own reading indicates that it is unprecedented and formidable. The final results are not yet visible, but something exciting is happening.

History

Russia has been a center of excellence for cybercrime since the dissolution of the Soviet Union in 1991 when the centrally planned and controlled Soviet economy shattered and became a kleptocracy. The accepted story is that trained software and computer engineers lost their jobs in the broken system. In desperation, they turned to cybercrime. The narrative goes on to say that the line between cybercrime and government sanctioned intelligence operations is vague in the former Soviet Union. Rumors abound that Russian cybercriminals have a free hand to demand ransom and steal data and cash in return for cooperation with Russian intelligence services. The truth of this narrative is hard to evaluate, but it’s the backdrop for the current cyber war in the Ukraine.

Scope

I went on alert for a major Russian cyber attack on February 24, 2022 when the war in Ukraine started. When I wake up in the morning on the Pacific Coast, it’s mid-afternoon in Moscow and Kyiv. The workday has barely started in New York. By the time I finish my first cup of coffee, I’ve checked for cyber attacks, assuring myself that the European and North American power grid is intact, European and U.S. oil refineries are not burning, and the international financial system is still functional.

The Ukraine war has brought many surprises. I, among many others, thought a precision blitzkrieg invasion would engulf and obliterate key targets bringing down the Ukraine in days. Ten weeks later, the Ukrainians have halted the assault on Kyiv, taken back territory, sunk a Russian naval flagship, killed several high-ranking Russian generals, and hit targets inside Russia. The damage to Ukraine is huge, but the Russian attack has faltered. We now know that the Russian army is not as war-ready as we thought.

The Russian cyber war is harder to measure. Microsoft has provided an extensive report on cyber attacks against Microsoft software in Ukraine. There have been attacks, but not the smoking mess I anticipated. The cyber war is not over and could still intensify, but it is not the dismal defeat of Ukraine that I expected.

What Happened?

I had not thought much about hacks against Russia until I read a piece in the Washington Post about the Ukraine IT Army recently. Russian computing culture is notoriously vicious. Prudent folks have shied away from hacking a such a formidable foe, but the Washington Post Article reports that since the Ukrainian invasion, more hacked Russian credentials have released on the open web than from any other country.

Usually, the U.S. is the helpless victim bleeding hacked data and Russia is presumed to be the biggest and ugliest culprit. The tables have turned. Russian businesses and institutions have been hacked and doxed— their credentials, private messages, and data have been accessed and published. Even pro-Putin Russian criminal hacking organizations are victims. If you’d like to peruse some stolen Russian data and creds from Russian residential electrical contractors, banks, the Ministry of Culture, the State Nuclear Energy Corporation, and tons more, look here. Russian cybersecurity is weak, not the impenetrable citadel we thought it was.

Some analysts downplay the significance of these attacks. I don’t, if only because they deflate the reputation of Russian cybersecurity.

Hacking Russia from Home

U.S. and European state actors, government agencies like the National Security Agency and the European Union Agency for Cybersecurity, are undoubtedly at work, but we probably won’t know their role until long after the war is over.

The great hack of Russia is a “working from home” operation.

Cyber war is not kinetic war. Launching kinetic weapons— missiles, bombers, tanks, and troops— is costly and requires large and well-established organizations at the right time and place.

But kids with smartphones can launch cyber attacks from anywhere, if they know how, and many of them do.

Professional cyber attacks use more sophisticated equipment and methods, but large organizations are not necessary and the equipment is not hard to get. Computer professionals with all the knowledge they need have adequate equipment and connections in their home offices. Nothing like the cash, trained experts, and on the ground presence required to launch a $200K Javelin missile or even a cheap $6K Switchblade drone.

For example, here is an interview with a group called AgainstTheWest. The group is secret and the assertions in the interview are unverified, but I find them plausible. They say their goal is to collect intelligence on threat actors (security jargon for instigators of risks with the capability to do harm) from Russia, Belarus, and North Korea. The group says they are five people who are certified information security professionals who work together. They have an impressive list of data on their targets that they have acquired. They say they work with various official agencies, but they are independent.

To support groups like these, the Ukrainian government has set up a Telegram list with information on potential hacking targets and the progress of the cyber war. The list has close to 280,000 members.

Impacts

The Ukrainian volunteer cyberwar is unprecedented and startling. I’ve feared a cyberwar for several years, but I anticipated a war between state actors like the U.S. Cyber Command leading the action, nothing like Ukraine’s leaderless foreign volunteer army, which is akin to guerilla warfare, but the partisans are far from the kinetic battle. Is the IT Army a spontaneous gush of altruistic support for democratic institutions? Or a destructive, undisciplined, and chaotic mob without a chain of command? Or some ungovernable mixture that will challenge order for decades to come?

We will see.

Update for May 9th

May 9th is a major holiday in Russia, commemorating the triumph of Russian troops over Nazi Germany in 1945. Both Russia and Ukraine celebrate that victory. The U.S. used to celebrate May 8 as VE Day (Victory in Europe Day) although it is no longer a national holiday. In Moscow, military parades and exhibitions of weaponry are May 9 staples.

Many experts were expecting trouble, perhaps a doubled down bombardment in eastern Ukraine or the long awaited Russian cyber attack on the West. I was up early, doom-scrolling for trouble. Nothing much happened. Reports say that the Moscow parades were, perhaps, a bit subdued but typical.

Putin attempted to connect attacking Ukraine with defeating Nazi Germany. The war in Ukraine was business-as-usual, but Russian social media platforms were hacked, according to the Washington Post. “The blood of thousands of Ukrainians and hundreds of murdered children is on your hands,” appeared on Russian television and computer screens. Internal propaganda convincing the Russian people that Putin is fighting a just war is critical if the Russian is ever to succeed. If today’s hack can be repeated and amplified, the hacktivists, whom I assume were behind the hack, will strike a powerful blow for the Ukraine.

Posted on

Stop Using Software Built in Russia

The war in Ukraine that broke out in late February 2022 forces me to tell you to shut down, uninstall, and replace any software built in Russia that is on any computer you control. I am not the only one saying this. The caution applies especially to anti-virus and malware utilities and Virtual Private Network (VPN) tools.

Anti-virus and malware tools must have access to everything on a computer and they are remotely updated almost every day, which makes them dangerous if they are subject to unscrupulous interference. Virtual Private Networks are used to make network traffic harder to snoop on and more secure. They can be dangerous because their manufacturer may have access to all your network traffic. Most apps only access their own network traffic.

If you are sympathetic to the plight of the Ukraine, getting rid of Russian software is a way to place your own economic sanction on the invaders. Giving up Russian vodka and caviar is another way.

If you don’t care about Ukraine, you have still have another critical reason to act.

You must understand that your computing systems depend on the honesty and integrity of the manufacturers of the software running on your computer. Vulnerabilities, security weaknesses, are discovered in software from reputable software houses all the time. Most of these are mistakes, but some are software features, functionality that makes us want to buy software. But some of these features give manufacturers extraordinary power over systems.

This is not all bad. Software design frequently trades off between security and efficiency or convenience. A classic book on software design, Design Patterns, describes building blocks for designing reusable software modules, including patterns for making data and processes accessible throughout a system. These accessibility building blocks make a system more efficient, but less secure because a tiny breach can open up an entire system. The security of well-designed systems depends on the integrity and care taken by their manufacturers to strike the right balance. A careless or unscrupulous manufacturer can release scandalously insecure applications that the market will lap up, until the disastrous insecurity is discovered and a crisis ensues.

For example, a password reset provision in an application is a great convenience, and nearly a requirement for any commercial product. Yet password reset is a gaping security hole when the wrong hands are able to invite unauthorized actors into a system by changing passwords. Remote access for support is another required feature for most systems that becomes a weapon when a criminal uses it to take over.

Backdoors—routes into an application known only to developers—used to be common. Backdoors are now considered extremely bad practice, but some developers still use them to save time during development. But the last few weeks before release are often the most hectic of the entire software development cycle. Unless management insists, removing backdoors can be neglected by busy developers working long hours. The software user’s only protection from secret backdoor access is the integrity and honesty of the software manufacturer.

This is why I continually tell folks to be careful about what they install on their computers. Only install apps from reputable vendors. Don’t just assume a vendor is reputable; actively check them out.

Some, perhaps most, Russian software companies are honest and do not intend to exploit their customers. However, all businesses operating in Russia are subject to coercion by their government. That’s the way business now works in that country. If the Russian government wants a backdoor into an application, they can compel a Russian company to put one in. Since the war in Ukraine started, the pressures can only have increased.

Doing business in Russia differs from business in western countries like the United States, Canada, and the European Union. Government and private abuses do occur here, but we have a free press, whistle blower protection, and a tradition of following laws that are scrutinized by the public and changed when enough people oppose them. Maybe not fast enough, often enough, or exactly the way each of us might agree with, but the public eventually is heard in western governments.

With the Ukraine war, public oversight and rule of law in Russia has disappeared. You may argue that it was never present, but your computer is still in jeopardy if you are running Russia-built software. Your home computer could conceivably become an instrument in a cyberattack on western or Ukrainian infrastructure. Compromised home computers have played roles in criminal attempts to shut down servers by overwhelming them with traffic.

I don’t like blacklists and I will not publish a Russia blacklist here. I urge everyone to add checking for Russian involvement as part of their due diligence for installing software on their computer. As much as I admire Chinese traditional culture, I have also added the People’s Republic of China to my due diligence list. North Korea goes without saying, but I’ve never seen a North Korean software product.

For example, Kaspersky Internet Security is a popular and powerful anti-virus tool. Run a Google Search on “Kaspersky Internet Security Russia” and see dozens of items on the dangers of Kaspersky. Wikipedia has a “Software companies of Russia” page. These provide useful hints.

Ultimately, in this age of misinformation, you have to rely on research and judgement.

I am a cautious person by nature and do a lot of research. Along with reading software reviews, I go to the website of software houses I suspect and check their corporate pages.

Is their stock publicly traded? I tend to be less suspicious of companies traded on the Nasdaq or New York stock exchanges. The Securities and Exchange Commission (SEC) and the Federal Trade Commission help keep them honest, although foreign investment is allowed. Privately held corporations and those on foreign exchanges get more scrutiny from me.

Where is their company headquarters? Where do their officers and members of their board of directors live? Where are their development labs? Most large software companies now have labs all over the world, but a company with most of their developers in Russia attracts my suspicion. Check their jobs listing. Where are they recruiting? What does the trade press say about the company?

Triangulate multiple sources. The fact-checker’s rule of thumb is that any point not supported by three independent sources requires more examination. Be extra cautious when a piece “just sounds right.” That may be your preconceived bias speaking to you, a frequent source of bad decisions.

When my suspicions are aroused, I must have a good reason to install or continue to use the company’s software on my systems.

Be careful, folks.

A note of thanks to my friend from the Whatcom County Library System, Neil McKay, for edits and useful comments.

Posted on

Malware On Apple

Toto, I’ve a feeling we’re not in Kansas anymore

Mac fans and Apple marketing used to say Macs were immune to computer viruses. That was never entirely true, but it was mostly true. Users of Apple products really had fewer virus and malware issues.

But the landscape has evolved. Apple security incidents have gradually increased. In early February this year, 2022, the Microsoft 365 Defender Threat Intelligence Team, Microsoft’s crack computer security group, posted an analysis of a Mac trojan, a malicious software that looks innocent. The malware is surprisingly sophisticated. As it has grown in the wild, it has continually grown more malicious. This report on the Mac trojan signals the new world of Apple security.

Don’t be naïve. Everything in tech is touched by marketing. Microsoft fired this shot to convince system administrators that connecting Apple devices to Microsoft server systems can make Apples safer. You can take that claim for whatever a competitor’s claim is ever worth. The report is reliable, but it goes down best with a grain of salt.

Apple has left the farm in Kansas. It’s time to take Apple viruses and malware seriously.

History and Relationship with the Past

From the late 1980s on, Apple equipment was strong in niches like education and graphic design, but Microsoft was orders of magnitude more popular in typical homes and businesses, mostly because tons of Windows compatible software ran on cheap generic PCs from competing hardware manufacturers like Lenovo, Dell, and HP.

Apple focuses on user-friendly, high-end, premium products. They released the first commercial graphic all-in-on computer, the Macintosh, and followed it up with a string of top-shelf innovative products like the iPod, iPhone, and iPad as they continually improved their line of premium desk and laptop computers. This winning strategy eventually made them the most profitable company on earth.

Microsoft, on the other hand, has striven for a wide variety and high volume of useful products on competitive generic hardware. Clearly not a losing strategy: they became the second most profitable company on earth.

Security Through Obscurity

For years, choosing quality over quantity indirectly improved Apple’s reputation for security. Until recently, breaking into an Apple product was not an attractive project for most hackers.

Breaking into a computer system is easier than it ought to be, but it still requires time, effort, and risk. Given a choice between developing a technique for penetrating a Microsoft Windows system and an Apple system, hackers regularly chose Microsoft because the large Microsoft user base increased the chance of finding a juicy victim.

Security types call this “security by obscurity.” However, avoiding attention to avoid attack no longer helps after the victim engages an attacker’s attention.

In the last decade, Apple’s enormous success has blown away its obscurity. Now hackers see juicy Apple targets and are out to snag them.

Unix Roots

Microsoft has cleaned up its act considerably in the last decade, but early on, they had a dismissive attitude toward security. Windows developers and their predecessor DOS developers assumed that a personal computer was a standalone appliance like a toaster or a steam iron.

Securing a standalone PC meant locking the door to the office, chaining PCs to desks, and locking their cases. In those days, a physical hard drive was thought more valuable than the data it contained.

Microsoft took a long time to recognize that a PC connected to a network requires a different kind of security.

Meanwhile, the rising tide of hackers grew into a dark industry devoted to raping and pillaging Windows installations. Eventually, Microsoft realized they had to do something, and they have, but they’ve played a lot of catch-up.

Apple developers may have been slightly more aware of the dangers, but their “security by obscurity” cloak obscured impending threats.

Even so, Apple made a sound engineering decision a few years ago: instead of continuing to develop their proprietary standalone operating system, they adopted a variant of Unix, the open-source operating system long favored by academic, engineering, and enterprise developers. The popular open-source operating system, Linux, is also a Unix variant.

Disclosure: I am a dyed-in-wool and unreconstructed Unix programmer.

Unlike Windows, whose roots are in stand-alone PCs, Unix was designed for multiuser computers, and, more significantly, heavily used in colleges and universities as a teaching tool. AT&T developed Unix and then offered it as a royalty-free product to educational institutions for a small administrative fee. In those days, almost all software included source code. Universities were not allowed to distribute the source code or their work built on Unix, but they retained rights. Consequently, Unix was widely adopted by university computer science departments. This was a boon to Unix security.

I was one of the computer rats who hung out in the Western Washington University computer center in the middle of the night studying Unix and trying to break into the university multiuser system. We weren’t criminals, just inquisitive and rambunctious college students. While Windows and DOS basked in single user isolation, my cohort in university computer science programs all over the world pored over source code and beat the hell out of Unix. We learned a lot, and our archenemies, the sys admins, often other students, also learned. The upshot was Unix security systems, both code and administrative practices, were scrutinized and hardened.

When Apple made the momentous decision to replace their proprietary operating system, they became the beneficiary of all the prodding and testing my friends did in the 1980s and 90s. By adopting Unix, Apple acquired an operating system that had security pounded into its foundations—a much better position than the Windows security features bolted onto a gradually hardening insecure foundation.

So. Yes. Apple products are inherently more secure than Windows. But not much. And possibly not any longer. Microsoft, by no means a cluster of idiots, has worked hard to secure their products.

Keep in mind that secure is always a relative statement. When a professional says a system is secure, it’s a form of bluster that braces their self-confidence. A system may be more secure than others, but it’s only harder to break, not unbreakable.

Apple’s operating system is harder to hack into than older versions of Windows, but Windows today is orders of magnitude more secure than Windows of a few years ago. At the same time, Apple’s sharp engineers have only recently stepped into the target zone. They have their own catch-up game to play.

Scope

The Mac trojan Microsoft reported on began as a basic data theft exploit in late 2020. Apparently, the exploit begins like most hacking ventures: with an email that tricks an insider into letting a miscreant in. The exploit became more sophisticated over time. When the malware was first installed, it only transmitted basic system information to a master server. Over the next year, new capabilities were gradually added to the basic exploit and the malicious bot (the trojan acting as a robot under hacker remote control) started downloading installable applications.

Macs have mechanisms for preventing installation of untrusted software. The bot gained the capability to circumvent the protection. Then it began collecting and exporting more information and running code with root privilege, which is the highest level of privilege in a Unix system. For self-defense, the bot began removing and renaming the files it installed to thwart antimalware utilities that search for characteristic files to detect malware. It also started injecting ads into webpages.

I’m not going further into the details of the Mac trojan. Go to the Microsoft site, or take a look at this list of macOS malwares.

Counter Moves

I recommend that all Apple users begin to follow the basic rules of computer hygiene if they don’t already. Follow them carefully and the chances that you will run into trouble will shrink drastically. These are the rules I follow for myself. The last time I was hacked, knock on wood, I was running Windows XP.

The Rules

One

Don’t be tricked into trouble. Most victims of online attacks were, at some point, tricked in a non-technical way with the skills of a con artist, not computer skills or knowledge. For example, some clever hacker impersonates your boss on the phone and asks you to email a list of employee usernames and passwords to an odd address. Clearly a dangerous request. Check it out before you comply.

Or someone claiming to be your favorite niece calls from Waco asking you to give her access to your Amazon account because she’s in a jam. Or you get a phone call from Apple asking for your account password. Don’t get rooked by liars and imposters.

These cons are called “social engineering.” Their intent is to trick you into opening the door to a hacker.

Two

Avoid dodgy websites. You know which sites. The ones that appeal to base instincts or offer something too good to be true. Super gadgets for $19.99. Unbelievable cures that doctors keep secret for fear of losing patients. Inside financial tips. Salacious celebrity pics.

Click on one of those kind of web sites and you can lose more than your time and money; you could also infect your computer with nasty malware that will hurt for months to come if the infection is not promptly detected and removed.

Three

Be careful with downloads and installs. The simplest and most effective way to compromise your computer, laptop, tablet, or phone is to install an application that promises to entertain or perform useful work, but also opens your device to exploitation. During an install, your computer is a patient on the operating table whose heart is in the hands of a surgeon. If the surgeon is a crook, your computer is defenseless.

To protect yourself, get your apps from reputable sources. The Apple, Microsoft, and Google app stores vet the applications they offer. That’s a big help, but they are not perfect. Some nastiness gets through. Before you install, check the reviews and the reputation of the developer on the network. Avoid being the first to install a new app. Always download from secure (HTTPS) sites.

Get your hardware drivers directly from your operating system and device manufacturer sites. If you can’t avoid a third party site, research them thoroughly. I often go to Toms Hardware for driver information.

Four

Scan regularly for malware. Apple now has malware scanning (antivirus) built in. In addition, third party anti-malware tools are available for Apple. Almost all are effective when used properly.

Anti-malware tools are fiercely competitive, and the malware landscape changes daily. The tool that is the best today may be second rate tomorrow and best again next week. The brand of tool is not as important as regular updates and frequent scans.

Choose a malware scanner with a solid reputation. These scanners are uniquely well-positioned to mess with your device and steal data. Choose a well-reviewed scanner from a reliable source. Some popular scanners have been accused of questionable practices.

When you have chosen a scanner you trust, accept updates and run scans often.

Five

Keep your operating system and apps patched. Hackers are always looking for new vulnerabilities. They find the holes and exploit them quickly. The industry battles hackers continually with patches that stop up the holes in defenses. Turn away the invaders before they get in.

Automatic updates may be annoying, but the benefits outweigh the trouble. Sign up for automatic maintenance from reputable sources whenever you can. Automatic updates occasionally mess up, but that happens less as the sources get better at patching, and a botched patch is usually far less damaging than a successful attack.

Six

Use strong passwords. Password cracking is more sophisticated today than when the old rules were written. Long (sixteen characters or more) random passwords are still difficult to crack, but hackers have ways of cracking commonly used passwords. Any single word that appears in any dictionary, any common sequence of characters (like ‘123456789’ or ‘qwerty’) is a breeze. I like memorable nonsense phrases like ‘MyPetRockSaysHi!’.

A password manager utility that generates long random passwords is useful. Never duplicate a password. Some of the worst breaches in recent years have been based on duplicated passwords.

Current opinion is now that changing passwords frequently is counterproductive because it leads to weaker and duplicated passwords. A strong password that has never been revealed or compromised does not ever need to be changed.

Multi-factor authentication (MFA) is now common. Use it in addition to a password. Multi-factor authentication is harder to hack than the strongest password. For example, sites and devices that request a fingerprint or a face scan after entering a correct password are safer than a password alone because the chances that a hacker can get both are low.

The strongest multi-factor systems use an app generated token, like a 5-character code, or require a special USB device (key) that you have to plug in. Critical accounts, such as your bank or your brokerage account should always use multi-factor authentication.

The Future

More secure platforms are possible in the future because the many platforms of today were naively designed without much thought to the potential for abuse.

Bitter experience has burned off the naiveté. Computer security will always be a challenge because computing systems are maddeningly complex. Developers and designers will never be able to foresee every security flaw.

In the early days of our current computing platforms, software developers did not think much about security. The goal was to build a network to interconnect systems and make them reachable, not put up barriers to access. In retrospect, that was jaw-droppingly naive. The hackers of today still take advantage of that naiveté.

Fortunately, the industry is wiser now.  With new attitudes, improvement is possible.

I must credit my Whatcom County Library System friend, Neil McKay and computer communications expert, Steve Stroh, for their substantial help.

Posted on

Burning Down the Internet

A Friday (10 Dec 21) headline in Wired magazine reads ‘The Internet Is on Fire‘. That got a lot of attention and drove me to researching the log4j vulnerability, as it is called.

The Damage

The situation is bad, very bad, but the computer network is probably not in quite as dire straits as the attention-getting headlines and news items imply.

The defect is in a popular open-source library that is used in enterprise applications, the computer programs that support large businesses and government agencies. Log4j is one of the most frequently downloaded open-source modules. The module has even migrated off-planet and is running on Mars. A patched version was posted 10 Dec 21 and was already downloaded over 630,000 times four days later. The vulnerability clearly has the development community’s attention.

The defect is also easy to exploit. I daresay that an experienced enterprise developer could code up a successful exploit in less than an hour. Just messing a system up might only take minutes. The first exploits in the wild were on gaming platforms, no doubt by script kiddies.

The ease of attack and seriousness of the compromise have sent hackers on a mad hunt over the network, seeking vulnerable systems.

Home Computers

In general, home computer users should not worry.

The vulnerability may affect individuals, most likely because a remote commercial service an individual uses was attacked or a work-related application was damaged. All an individual can do is wait for the pros to fix the issues. But these issues are on network servers, not home computers.

An attack on a home computer is possible, but not likely. The vulnerability can only affect home computers that have Java (plain Java, not Java Script) installed. A few user level programs require Java installed, but the vast majority don’t. If you have Java installed, you are probably savvy enough to realize you have it because installing and keeping Java updated is usually annoying. Check your installed Java programs for the log4j modules or uninstall Java and forgo some applications until the fire is out.

The fix will be to the application, rather than the Java installation. Be sure to have auto-update turned on to get fixes as they are developed. If you don’t know how to check module dependencies, contact me in the comments. Enterprise scripts that check for log4j are difficult to write, but spotting log4j on a home system is much easier. Although it’s not hard, it’s too technical to discuss here. If you are a Java programmer, you probably would not have much trouble creating your own patch from the publicly available patched log4j.

Some damage will certainly occur, but, after all those downloads of the patched version, the vulnerability is already much harder to exploit today than it was last Thursday before it was reported. As fixes go, this one is fairly easy and quick, which will turn the vulnerability into history soon, although the ubiquity of the module in enterprise system means a lot of work will have to be done quickly.

How the Vulnerability Works

Log4j is a logging utility. All serious computer programs use some form of logging to record what the program does while it is running. I’ve looked over the programmer’s manual for log4j and some code examples. It’s a nice package: powerful, efficient, and looks easy to work with. A little too powerful for its own good, but I can see why it’s used everywhere.

Enterprise applications are usually widely distributed these days, which means they are made of many separate programs running on different computers distributed through an organization. In addition, most enterprise applications communicate with many other applications in the enterprise and some outside the enterprise.

An example of the power of these complex systems is Amazon’s success in selling such a wide range of products to so many people using so many different warehouses and shipping methods. Keeping all the accounts straight and delivering as predicted most of the time while facing pandemic supply chain disruption is a gargantuan task that requires a huge number of interrelated programs running on millions of networked computers.

When a system like Amazon’s malfunctions, the costs become millions in minutes.

These systems are extremely complex and can be devilish to keep running properly. Large systems change constantly. Equipment is added and replaced. Software added, upgraded, or replaced. Network configurations change as facilities go on and offline. There is no “if ain’t broke, don’t fix it” because everything breaks that is not fixed before the next change breaks it.

One way of managing system-breaking change is to place a sort of map of the system in various places and design applications to consult the map to determine how they should connect with other applications. When a change occurs, the maps are updated, perhaps automatically, and the rest of the system changes to accommodate the change, making the system more resilient and reliable.

Unfortunately, this can also be dangerous. A log that can report the real-time configuration of the system makes proactive reconfiguration and troubleshooting much easier. The log4j developers added this in 2013. But if hackers can get a finger into the map mechanism, they can do great damage.

The log4j vulnerability implements a powerful feature, but it also opened a wide-open door to hacking. I can easily imagine excited and giddy log4j developers neglecting to consider the dangerous consequences of their neat feature. I won’t go into the details of the mechanism, but the vulnerability can trick applications into importing malicious code from a bogus server controlled by hackers instead of a legitimate repository. When executed, bogus code can eventually hand control to the hackers.

The Fix

Fixes are available. The 10 Dec patched version of log4j ends the problem. A change to the configuration of log4j will also fix it, although the reconfigured old version of log4j probably does not work as well as the patched version. A quick change to network firewalls can block the problem also, although not all network firewalls have the capability. Unfortunately, deep packet inspection firewall rules that will stop the log4j vulnerability have a reputation for compromising performance. However, short term instant fixes are often a godsend in crises like this one.

The Prognosis

As I said beginning this post, the log4j vulnerability is bad. However, I am heartened by the vigor of the reaction in the development community. The problem was found, reported promptly, and fixes generated in days, not weeks or months. The industry is maturing and becoming more responsible.