A Friday (10 Dec 21) headline in Wired magazine reads ‘The Internet Is on Fire‘. That got a lot of attention and drove me to researching the log4j vulnerability, as it is called.
The Damage
The situation is bad, very bad, but the computer network is probably not in quite as dire straits as the attention-getting headlines and news items imply.
The defect is in a popular open-source library that is used in enterprise applications, the computer programs that support large businesses and government agencies. Log4j is one of the most frequently downloaded open-source modules. The module has even migrated off-planet and is running on Mars. A patched version was posted 10 Dec 21 and was already downloaded over 630,000 times four days later. The vulnerability clearly has the development community’s attention.
The defect is also easy to exploit. I daresay that an experienced enterprise developer could code up a successful exploit in less than an hour. Just messing a system up might only take minutes. The first exploits in the wild were on gaming platforms, no doubt by script kiddies.
The ease of attack and seriousness of the compromise have sent hackers on a mad hunt over the network, seeking vulnerable systems.
Home Computers
In general, home computer users should not worry.
The vulnerability may affect individuals, most likely because a remote commercial service an individual uses was attacked or a work-related application was damaged. All an individual can do is wait for the pros to fix the issues. But these issues are on network servers, not home computers.
An attack on a home computer is possible, but not likely. The vulnerability can only affect home computers that have Java (plain Java, not Java Script) installed. A few user level programs require Java installed, but the vast majority don’t. If you have Java installed, you are probably savvy enough to realize you have it because installing and keeping Java updated is usually annoying. Check your installed Java programs for the log4j modules or uninstall Java and forgo some applications until the fire is out.
The fix will be to the application, rather than the Java installation. Be sure to have auto-update turned on to get fixes as they are developed. If you don’t know how to check module dependencies, contact me in the comments. Enterprise scripts that check for log4j are difficult to write, but spotting log4j on a home system is much easier. Although it’s not hard, it’s too technical to discuss here. If you are a Java programmer, you probably would not have much trouble creating your own patch from the publicly available patched log4j.
Some damage will certainly occur, but, after all those downloads of the patched version, the vulnerability is already much harder to exploit today than it was last Thursday before it was reported. As fixes go, this one is fairly easy and quick, which will turn the vulnerability into history soon, although the ubiquity of the module in enterprise system means a lot of work will have to be done quickly.
How the Vulnerability Works
Log4j is a logging utility. All serious computer programs use some form of logging to record what the program does while it is running. I’ve looked over the programmer’s manual for log4j and some code examples. It’s a nice package: powerful, efficient, and looks easy to work with. A little too powerful for its own good, but I can see why it’s used everywhere.
Enterprise applications are usually widely distributed these days, which means they are made of many separate programs running on different computers distributed through an organization. In addition, most enterprise applications communicate with many other applications in the enterprise and some outside the enterprise.
An example of the power of these complex systems is Amazon’s success in selling such a wide range of products to so many people using so many different warehouses and shipping methods. Keeping all the accounts straight and delivering as predicted most of the time while facing pandemic supply chain disruption is a gargantuan task that requires a huge number of interrelated programs running on millions of networked computers.
When a system like Amazon’s malfunctions, the costs become millions in minutes.
These systems are extremely complex and can be devilish to keep running properly. Large systems change constantly. Equipment is added and replaced. Software added, upgraded, or replaced. Network configurations change as facilities go on and offline. There is no “if ain’t broke, don’t fix it” because everything breaks that is not fixed before the next change breaks it.
One way of managing system-breaking change is to place a sort of map of the system in various places and design applications to consult the map to determine how they should connect with other applications. When a change occurs, the maps are updated, perhaps automatically, and the rest of the system changes to accommodate the change, making the system more resilient and reliable.
Unfortunately, this can also be dangerous. A log that can report the real-time configuration of the system makes proactive reconfiguration and troubleshooting much easier. The log4j developers added this in 2013. But if hackers can get a finger into the map mechanism, they can do great damage.
The log4j vulnerability implements a powerful feature, but it also opened a wide-open door to hacking. I can easily imagine excited and giddy log4j developers neglecting to consider the dangerous consequences of their neat feature. I won’t go into the details of the mechanism, but the vulnerability can trick applications into importing malicious code from a bogus server controlled by hackers instead of a legitimate repository. When executed, bogus code can eventually hand control to the hackers.
The Fix
Fixes are available. The 10 Dec patched version of log4j ends the problem. A change to the configuration of log4j will also fix it, although the reconfigured old version of log4j probably does not work as well as the patched version. A quick change to network firewalls can block the problem also, although not all network firewalls have the capability. Unfortunately, deep packet inspection firewall rules that will stop the log4j vulnerability have a reputation for compromising performance. However, short term instant fixes are often a godsend in crises like this one.
The Prognosis
As I said beginning this post, the log4j vulnerability is bad. However, I am heartened by the vigor of the reaction in the development community. The problem was found, reported promptly, and fixes generated in days, not weeks or months. The industry is maturing and becoming more responsible.
The NSA mobile device best practices contains the easiest and best tip for cellphone cybersafety I have heard in years. I’m surprised I had not thought of mentioning it. I regularly tell folks to turn off their computers when they are not using them because it discourages hackers. The same applies to cellphones.
The NSA suggests powering down once a week. I say, more often is better if you can swing it.
Here’s why. Everyone, including criminal hackers, likes a regular work week and hates to waste effort. Just like the rest of us, criminals want a regular, productive five-day, nine-to-five work week. When law enforcement tries to discover the source of a hack, they often identify the time zone of the hacker by looking at file and event dates and times. They know when hackers in China, for one example, like to start and end their day, even when they knock off for lunch.
Now, suppose some ordinary nine-to-five criminal has succeeded in pwning (taken over) your computer or cellphone. They come back from their borsch, pelmeni, and sour cream, raring to resume stripping you bare. They discover your computer has disappeared. Nasty words follow in foreign languages. Do you suppose they will wait patiently for you to power up? Not a chance. Most likely, after having lost a morning’s work getting ready to knock you over, they will not make the same mistake twice. They will move on to easier pickings. If you are lucky, your unreliable habits will annoy the hinks to the point that they throw you on their private “do not hack list.”
Recent trends in hacking make shutting down and restarting even more desirable. For decades, anti-virus and malware tools have relied on file signatures for detecting attacks. The tools scan computer file systems for files with characteristics (names, sizes, time stamps, and embedded sequences of characters) that signify infection. Having identified an infection, the tool moves or removes files and takes other steps to kill the infection.
Hackers know all about the way these tools work and they have responded with more subtle ways of infecting computers. Most of these involve avoiding detectable file changes by injecting nasty stuff into memory— the high-speed short-term information storage that disappears when a computer is rebooted.
And there you have it: power down a computer or phone with that kind of infection and the infection is gone. All that lovely hacking work destroyed. What a shame. Not.
I have regular irregular habits. I have a tablet in our living room that I use occasionally. I regularly shut it off when I’m not using it. Some days, it’s up all day and until late at night. Other days, it’s never up. I have several computers in my office. When the witching hour arrives and I decide to turn in for the night, I power them off. My last act of the day is to shut down and restart my phone. Midnight on the U.S. west coast is 10am in Moscow, a location where a lot of hacking goes on.
The next day, I power up the computers in my office as needed. On days I spend working in the yard or running errands, they may be up only for an hour or two. The point is to include irregularity for hackers into your regular habits.
I’ll end this post with a few other good habits for using smart cellphones:
Enable automatic updates whenever possible. Operating system and app vendors discover security vulnerabilities and fix them all the time. Let them help you be safe.
Going through the Google, Apple, and Microsoft app stores decreases vulnerability, but does not guarantee that an app will be safe. Frequently installed and favorably reviewed apps are the safest. If you must go outside the app store walled garden, be very very careful.
Minimize the number of apps you have installed. If you don’t use an app, remove it. Every app you have installed is a potential security vulnerability. If you don’t use it, why let an app increase the possibility that you will be hacked?
Secure your phone. Entering a PIN is a pain but leaving your unsecured phone next to a coffee shop cream pitcher or among the half inch copper elbow fittings at Home Depot could be the prelude to a disaster. I have concerns with biometrics like facial and fingerprint scans, but they are better than nothing if you can’t be bothered with anything more secure. Some phones will unlock your phone when it is at certain locations, like home and work. Consider using that feature.
Periodically restarting your phone is the simplest step you can take. Do it. Wait a day or two. Do it again.
Folks have gotten used to Windows 10. Now Microsoft is pulling out the rug with a new version of Windows. When I heard of Windows 11, my first thought was that the disbanded Vista product team had staged an armed coup in Bill Gates’ old office and regained control of Windows. I haven’t installed Windows 11, although grandson Christopher has. He doesn’t like it.
I think Microsoft has something cooking in Windows 11.
Microsoft releases
New releases of Windows are always fraught. Actually, new releases of anything from Microsoft get loads of pushback. Ribbon menu anxiety in Office, the endless handwringing over start menus moving and disappearing in Windows. Buggy releases. It goes on and on.
Having released a few products myself, I sympathize with Microsoft.
Developers versus users
A typical IT system administrator says “Change is evil. What’s not broke, don’t fix. If I can live with a product, it’s not broke.” Most computer users think the same way: “I’ve learned to work with your run down, buggy product. Now, I’m busy working. Quit bothering me.”
Those positions are understandable, but designers and builders see products differently. They continuously scrutinize customers using a product, and then ask how it might work more effectively, what users might want to do that they can’t, how they could become more productive and add new tasks and ways of working to their repertoire.
Designers and builders also are attentive to advances in technology. In computing, we’ve seen yearly near-doubling of available computing resources, instruction execution capacity, storage volume, and network bandwidth. In a word, speed. 2021’s smartphones dwarf super computers from the era when Windows, and its predecessor, DOS, were invented.
No one ever likes a new release
At its birth, Windows was condemned as a flashy eye candy that required then expensive bit-mapped displays and sapped performance with intensive graphics processing. In other words, Windows was a productivity killer and an all-round horrible idea, especially to virtuoso users who had laboriously internalized all the command line tricks of text interfaces. Some developers, including me, for some tasks, still prefer a DOS-like command line to a graphic interface like Windows.
However, Windows, and other graphic interfaces such as X on Unix/Linux, were rapidly adopted as bit-mapped displays proliferated and processing power rose. Today, character-based command line interface are almost always simulated in a graphical interface when paleolithic relics like me use them. Pure character interfaces still are around, but mostly in the tiny LCD screens on printers and kitchen appliances.
Designers and builders envisioned the benefits from newly available hardware and computing capacity and pushed the rest of us forward.
Success comes from building for the future, not doubling down on the past. But until folks share in the vision, they think progress is a step backwards.
Is the Windows 11 start menu a fiasco? Could be. No development team gets everything right, but I’ll give Windows 11 a spin and try not to be prejudiced by my habits.
Weird Windows 11 requirements
Something more is going on with Windows 11. Microsoft is placing hardware requirements on Windows 11 that will prevent a large share of existing Windows 10 installations from upgrading. I always expect to be nudged toward upgraded hardware. Customers who buy new hardware expect to benefit from newer more powerful devices. Requirements to support legacy hardware are an obstacle to exploiting new hardware. Eventually, you have to turn your back on old hardware and move on, leaving some irate customers behind. No developer likes to do this, but eventually, they must or the competition eats them alive.
Microsoft forces Windows 11 installations to be more secure by requiring a higher level of Trusted Platform Module (TPM) support. A TPM is microcontroller that supports several cryptographic security functions that help verify that users and computers are what they appear to be and are not spoofed or tampered with. TPMs are usually implemented as a small physical chip, although they can be implemented virtually with software. Requiring high level TPM support makes sense in our increasing cybersecurity compromised world.
But the Windows 11 requirements seem extreme. As I type this, I am using a ten-year-old laptop running Windows 10. For researching and writing, it’s more than adequate, but it does not meet Microsoft’s stated requirements for Windows 11. I’m disgruntled and I’m not unique in this opinion. Our grandson Christopher has figured out a way to install Windows 11 on some legacy hardware, which is impressive, but way beyond most users and Microsoft could easily cut off this route.
I have an idea where Redmond is going with this. It may be surprising.
Today, the biggest and most general technical step forward in computing is the near universal availability of high capacity network communications channels. Universal high bandwidth Internet access became a widely accepted national necessity when work went online through the pandemic. High capacity 5G cellular wireless network are beginning to roll out. (What passes for 5G now is far beneath the full 5G capacity we will see in the future.) Low earth orbit satellite networks promise to link isolated areas to the network. Ever faster Wi-Fi local area networks offer connectivity anywhere.
This is not fully real. Yet. But it’s close enough that designers and developers must assume it is already present, just like we had to assume bit-mapped displays were everywhere while they were still luxuries.
What does ubiquitous high bandwidth connection mean for the future? More streaming movies? Doubtless, but that’s not news: neighborhood Blockbuster Video stores are already closed.
Thinking it through
In a few years, every computer will have a reliable, high capacity connection to the network. All the time. Phones are already close. In a few years, the connection will be both faster and more reliable than today. That includes every desktop, laptop, tablet, phone, home appliance, vehicle, industrial machine, lamp post, traffic light, and sewer sluice gate. The network will also be populated with computing centers with capacities that will dwarf the already gargantuan capacities available today. Your front door latch may already have access to more data and computing capacity than all of IBM and NASA in 1980.
At the same time, ransomware and other cybercrimes are sucking the life blood from business and threatening national security.
Microsoft lost the war for the smartphone to Google and Apple. How will Windows fit in the hyperconnected world of 2025? Will it even exist? What does Satya Nadella think about when he wakes late in the night?
Windows business plan
The Windows operating system (OS) business plan is already a hold out from the past. IBM, practically the inventor of the operating system, de-emphasized building and selling OSs decades ago. Digital Equipment, DEC, a stellar OS builder, is gone, sunk into HP. Sun Microsystems, another OS innovator, is buried in the murky depths of Oracle. Apple’s operating system is built on Free BSD, an open source Unix variant. Google’s Android is a Linux. Why have all these companies gotten out of or never entered the proprietary OS development business?
Corporate economics
The answer is simple corporate economics: there’s no money in it. Whoa! you say. Microsoft made tons of money off its flagship product, Windows. The key word is “made” not “makes.” Making money building and selling operating systems was a money machine for Gates and company back in the day, but no longer. Twenty years ago, when Windows ruled, the only competing consumer OS was Apple, which was a niche product in education and some creative sectors. Microsoft pwned the personal desktop in homes and businesses. Every non-Apple computer was another kick to the Microsoft bottom line. No longer. Now, Microsoft’s Windows division has to struggle on many fronts.
Open source OSs— Android, Apple’s BSD, and the many flavors of Linux— are all fully competitive in ease of installation and use. They weren’t in 2000. Now, they are slick, polished systems with features comparable to Windows.
To stay on top, Windows has to out-perform, out-feature, and out secure these formidable competitors. In addition, unlike Apple, part of the Windows business plan is to run on generic hardware. Developing on hardware you don’t control is difficult. The burden of coding to and testing on varying equipment is horrendous. Microsoft can make rules that the hardware is supposed to follow, but in the end, if Windows does not shine on Lenovo, HP, Dell, Acer, and Asus, the Windows business plunges into arctic winter.
With all that, Microsoft is at another tremendous disadvantage. It relies on in house developers cutting proprietary code to advance Windows. Microsoft’s competitors rely on foundations that coordinate independent contributors to opensource code bases. Many of these contributors are on the payrolls of big outfits like IBM, Google, Apple, Oracle, and Facebook.
Rough times
Effectively, these dogs are ganging up on Microsoft. Through the foundations— Linux, Apache, Eclipse, etc.—these corporations cooperate to build basic utilities, like the Linux OS, instead of building them for themselves. This saves a ton of development costs. And, since the code is controlled by the foundation in which they own a stake, they don’t have to worry about a competitor pulling the rug out from under them.
Certainly, many altruistic independent developers contribute to opensource code, but not a line they write gets into key utilities without the scrutiny of the big dogs. From some angles, the opensource foundations are the biggest monopolies in the tech industry. And Windows is out in the cold.
What will Microsoft do? I have no knowledge, but I have a good guess that Microsoft is contemplating a tectonic shift.
Windows will be transformed into a service.
Nope, you say. They’ve tried that. I disagree. I read an article the other day declaring Windows 11 to be the end of Windows As A Service, something that Windows 10 was supposed to be, but failed because Windows 11 is projected for yearly instead of biannual or more frequent updates. Windows 11 has annoyed a lot of early adopters and requires hardware upgrades that a lot of people think are unnecessary. What’s going on?
Windows 10 as a service
The whole idea of Windows 10 as a service was lame. Windows 10 was (and is) an operating system installed on a customer’s box, running on the customer’s processor. The customer retains control of the hardware infrastructure. Microsoft took some additional responsibility for software maintenance with monthly patches, cumulative patches, and regular drops of new features, but that is nowhere near what I call a service.
When I installed Windows 10 on my ancient T410 ThinkPad, I remained responsible for installing applications and adding or removing memory and storage. If I wanted, I could rename the Program Files directory to Slagheap and reconfigure the system to make it work. I moved the Windows system directory to an SSD for a faster boot. And I hit the power switch whenever I feel like it.
Those features may be good or bad.
As a computer and software engineer by choice, I enjoy fiddling with and controlling my own device. Some of the time. My partner Rebecca can tell you what I am like when a machine goes south while I’m on a project that I am hurrying to complete with no time for troubleshooting and fixing. Or my mood when I tried to install a new app six months after I had forgotten the late and sporty night when I renamed the Program Files directory to Slagheap.
At times like those, I wish I had a remote desktop setup, like we had in the antediluvian age when users had dumb terminals on their desks and logged into a multi-user computer like a DEC VAX. A dumb terminal was little more than a remote keyboard with a screen that showed keystrokes as they were entered interlaced with a text stream from the central computer. The old systems had many limitations, but a clear virtue: a user at a terminal was only responsible for what they entered. The sysadmin took care of everything else. Performance, security, backups, and configuration, in theory at least, were system problems, not user concerns.
Twenty-first century
Fast forward to the mid twenty-first century. The modern equivalent of the old multi-user computer is a user with a virtual computer desktop service running in a data center in the cloud, a common set up for remote workers that works remarkably well. For a user, it looks and feels like a personal desktop, except it exists in a data center, not on a private local device. All data and configuration (the way a computer is set up) is stored in the cloud. An employee can access his remote desktop from practically any computing device attached to the network, if they can prove their identity. After they log on, they have access to all their files, documents, processes, and other resources in the state they left them, or in the case of an ongoing process, in the state their process has attained.
What’s a desktop service
From the employees point of view, they can switch devices with abandon. Start working at your kitchen table with a laptop, log out in the midst of composing a document without bothering to save. Not saving is a little risky, but virtual desktops run in data centers where events that might lose a document are much rarer than tripping on a cord, spilling a can of Coke, or the puppy doing the unmentionable at home. In data centers, whole teams of big heads scramble to find ways to shave off a minute of down time a month.
Grab a tablet and head to the barbershop. Continue working on that same document in the state you left it instead of thumbing through old Playboys or Cosmos. Pick up again in the kitchen at home with fancy hair.
Security
Cyber security officers have nightmares about employees storing sensitive information on personal devices that fall into the hands of a competitor or hacker. Employees are easily prohibited from saving anything from their virtual desktop to the local machine where they are working. With reliable and fast network connections everywhere, employees have no reason to save anything privately.
Nor do security officers need to worry about patching vulnerabilities on employee gear. As long as the employee’s credentials are not stored on the employee’s device, which is relatively easy to prevent, there is nothing for a hacker to steal.
The downside
What’s the downside? The network. You have to be connected to work and you don’t want to see swirlies when you are in the middle of something important while data is buffering and rerouted somewhere north of nowhere.
However. All the tea leaves say those issues are on the way to becoming as isolated as the character interface on your electric teapot.
Now think about this for a moment: why not a personal Windows virtual desktop? Would that not solve a ton of problems for Microsoft? With complete control of the Windows operating environment, their testing is greatly simplified. A virtual desktop local client approaches the simplicity of a dumb terminal and could run on embarrassingly modest hardware. Security soars. A process running in a secured data center is not easy to hack. The big hacks of recent months have all been on lackadaisically secured corporate systems, not data centers.
It also solves a problem for me. Do I have to replace my ancient, but beloved, T410? No, provided Microsoft prices personal Windows 365 reasonably, I can switch to Windows 365 and continue on my good old favorite device.
Marv’s note: I made a few tweeks to the post based on Steve Stroh’s comment.
In addition, I know from other social media that folks are wondering about things that happen on their computers. Some issues are annoying, like spam in your email, others are scary, like activity that suggests you’ve been hacked, to just plain terrifying, like extortionary fraudulent emails.
Computer questions answered at the Ferndale Public Library
Until the pandemic lockdown began in March of 2020, my grandson, Christopher, and I held one hour public sessions at the Ferndale Public Library twice a month to answer computer questions. During these sessions we offered to try to help folks with any kind of computer problem. The problems ranged from annoying but minor email settings issues to high level discussions of XML data structuring for application interfaces. Both Christopher and I miss these sessions. We both like to help people, and, I’ll be frank, I think we both get pleasure out of showing off the knowledge of computing that we have accumulated.
Now that the grip of the pandemic is beginning to loosen a little, the possibility of reopening those computer questions sessions arises. My wife and I have each gotten our first vaccine injection and expect, following CDC guidelines, to begin mixing more in April.
Most likely not until Fall 2021
However, I don’t think it is realistic to expect sessions at least until fall of 2021. The vaccine statistics so far show the vaccines are effective at protecting people who are vaccinated, but there is not yet strong evidence that the vaccines stop the spread of the virus. The folks who study the course of the virus don’t know how many people have to be vaccinated to prevent unvaccinated people from continuing to get sick at high rates.
Having all that hurt condensed into a single year is difficult to comprehend.
The big question is when will vaccination prevent the virus from continuing to trouble our nation and the world? We have been troubled. More people are dead in one year of covid than from WWII, the Korean War, and Vietnam combined. I’m old enough to know that those wars were hard on us. Having all that hurt condensed into a single year is difficult to comprehend.
For me, stopping the spread of the virus is as important as protecting myself. Until the spread is stopped, our economy will only limp along and none of us will live the lives we want and deserve. Therefore, I plan to do everything I can to stop the spread, not just keep myself and loved ones alive. That’s selfishness, not altruism!
On top of that, hands-on help with computer problems in a small conference room is probably one of the more hazardous things a person can do in the presence a deadly and contagious airborne virus. So we won’t be restarting in person sessions at the library until covid cases are down. Way down.
A new Computer Questions page
But I don’t want to leave folks in the lurch.
But I don’t want to leave folks in the lurch. Therefore, I’ve opened a “Computer Questions” page on this site. Just enter your questions in the Reply section of the page. I’ll get back to you in a comment or write a post if I think enough people will be interested.
I really hope this can become as lively, helpful, and as much fun as our sessions at the Ferndale Library.