
The recent discovery of Log4Shell, a vulnerability that can affect practically all computer systems, should come as no surprise and much less seek to blame anybody, and instead encourage us to develop the skills needed to quickly solve the problems it will likely generate.
As Marc Andreessen said years ago, “software is eating the world”. More and more of the things we do on a daily basis are in one way or another based on software, on code execution that is subject to periodic vulnerabilities, compromising its security and offering opportunities to criminals of all sorts to carry out all kinds of mischief.
Log4Shell affects a software module, a log message generator or logging framework in Java called Log4j, created by the Apache Software Foundation and later implemented in a multitude of languages, which happens to be extremely popular and used everywhere. What such a module basically does is to log transaction activity at runtime, and then allow the developer to filter it according to their criticality.
Why is this software everywhere? Very simple: because what it does, it does reasonably well, and because one of the basic rules of software development is that if it ain’t broke, don’t fix it. This approach, which on many occasions generates systems with dependencies of all kinds that rely on components that nobody has looked at in years, has led some people to define Log4Shell as “the most important and most critical vulnerability of the last decade, and possibly the largest in the history of modern computing”, not only because it affects countless systems and devices, but because the Alibaba developer who discovered the vulnerability decided, in addition, to tell the world about it on Twitter.
This has generated a security nightmare, because in addition to being widespread, the speed with which cybercriminals have set about exploiting the vulnerability is unprecedented. Since that tweet was published on December 9, and then deleted, System managers all over the world have spent their time looking for a way to fix the problem, locating a patch for it, and installing it everywhere.
What happens if you don’t install the update that fixes the vulnerability? Quite simply, all a potential attacker has to do is manage to send a message for the system’s logging module to record containing instructions to access a site managed by the attacker and the system will execute whatever it tells it to, be it steal data, run programs to mine cryptocurrencies, or whatever. This means virtually effortless access to virtually any system without the need for a password.
Should we despair? No. These kinds of problems are common in software, always have been, and always will be, probably until software is no longer made by humans — and possibly after that, too. The only thing to do is to follow Linus’ Law: the more eyes that can examine the software, the better, because “given enough eyeballs, all bugs are shallow.” It is always better for such bugs to appear in an open source software module, an environment in which anyone can detect and correct them quickly, than for them to appear in proprietary code that only a company, depending on its interests and its estimate of the criticality of the problem, can correct.
What’s important here is not the vulnerability itself, but for all those affected to get up to speed and correct the potential problem. This means not only being well informed and aware of the problem, but having all their systems properly registered, inventoried and with all their dependencies correctly documented so as to be able to correct the problem quickly wherever it is found.
This is what separates responsible companies from the rest. There will be those whose systems are watertight because they applied the corresponding patches and stayed at work over the weekend of December 9 and 10, immediately after the vulnerability was tweeted, while others will do nothing for months or years, simply waiting for a cybercriminal to walk through an open door into their system and to help themselves to whatever they want.
Software is eating the world, yes, but software has its certainties, and every now and then, a vulnerability appears that needs to be fixed. Instead of railing against the nature of software, which is simply what it has always been, let’s turn our attention to those who do not understand it and who do not take the appropriate measures to control problems in time.
—
This post was previously published on Enrique Dans’ blog.
***
You may also like these posts on The Good Men Project:
White Fragility: Talking to White People About Racism |
Escape the “Act Like a Man” Box |
![]() |
![]() |
Join The Good Men Project as a Premium Member today.
All Premium Members get to view The Good Men Project with NO ADS.
A $50 annual membership gives you an all access pass. You can be a part of every call, group, class and community.
A $25 annual membership gives you access to one class, one Social Interest group and our online communities.
A $12 annual membership gives you access to our Friday calls with the publisher, our online community.
Register New Account
Need more info? A complete list of benefits is here.
—
Photo credit: iStock
White Fragility: Talking to White People About Racism
Escape the “Act Like a Man” Box

