How copy-paste programming puts the Internet and society at risk | John Naughton
In one of those delightful coincidences that warm the hearts of every tech columnist, the same week the entire internet community struggled to fix a blatant vulnerability affecting countless millions of web servers around the world, the UK government announced a big new National Cyber Security Strategy which, even if effectively implemented, would have been largely unrelated to the current crisis.
At first it looked like a prank in the hugely popular game Minecraft. If someone inserted a seemingly meaningless string of characters into an in-game chat conversation, it would effectively take control of the server the game was running on and download malware that could then do all kinds of bad things. Because Minecraft (now owned by Microsoft) is the best-selling video game of all time (over 238 million copies sold and 140 million monthly active users), this vulnerability was obviously worrying, but hey, it’s only a video game…
This mildly comforting thought was exploded on December 9 by a tweet from Chen Zhaojun of Alibaba’s cloud security team. He posted sample code for the vulnerability, which exists in a code library called Log4j that is used by programs written in the Java programming language. The implications of this – that any software using Log4j is potentially vulnerable – were startling, because countless programs in the IT infrastructure of our networked world are written in Java. To make matters worse, the nature of Java makes the vulnerability very easy to exploit – and there was evidence that a lot of bad actors were already doing just that.
At this point, a short gobbledegook break may be in order. Java is a very popular high-level programming language that is especially useful for client-server web applications – which basically describes all of the applications most of us use. “The first rule of thumb to be a good programmer,” says Berkeley computer scientist Nicholas Weaver, “is not to reinvent things. Instead, we reuse code libraries, packages of previously written code that we can simply use in our own programs to accomplish particular tasks. And let’s face it, computer systems are finicky beasts, and mistakes happen all the time. One of the most common ways to find problems is to simply log everything that is going on. When programmers do this, we call it ‘logging’. And good programmers use a library to do this rather than just using a bunch of print() statements – that is, onscreen print instructions scattered throughout their code. Log4j is one such incredibly popular library for Java programmers.”
There are something like 9 million Java programmers in the world, and since most network applications are written in the language, an unimaginable number of these programs use the Log4j library. At the moment, we have no real idea how many of them are vulnerable. It is as if one suddenly discovered a hitherto unknown weakness in the mortar used by masons around the world, which could be liquefied by spraying it with a specific liquid. A better question, says Weaver, is what is not affected? “For example, it turns out that at least somewhere in Apple’s infrastructure there is a Java program that logs a user’s iPhone name, so a few hours ago you could use this to tap iCloud! The Minecraft and Steam gaming platforms are both written in Java and end up having code paths that log chat messages, which means they’re vulnerable as well.”
It is a global mess, in other words, that will take a long time to clear up. And the question of who is responsible for it is, in a way, unanswered. Writing software is a collaborative activity. Reusing code libraries is the rational thing to do when building something complex – why start from scratch when you can borrow? But the most compelling comment from the software community I’ve seen this week says that if you’re going to reuse someone else’s wheel, shouldn’t you first check that it’s reliable? “Developers are lazy (yes, ALL),” wrote an angry respondent to Bruce Schneier’s succinct summary of the vulnerability. “They’ll be using a tool like Log4j because it’s an easy way to deal with the logging routines and someone else has already done the job, so why reinvent the wheel, right? Unfortunately, most of them won’t RTFM, so they have no idea what it can actually do beyond the things it was designed to do and therefore [they] do not take any precaution against it. It’s a bit of a Dunning-Kruger effect where developers overestimate their abilities (because they have l337 coding skills!).”
Well, he could say that, but as an unqualified programmer I couldn’t comment.
What I read
It gets meta all the time
Novelist Neal Stephenson designed the Metaverse in the 90s. He’s not impressed with Mark Zuckerberg’s version. Read the transcript of his conversation with Kara Swisher on the New York Times website.
Words to live by
This Is Water is the title of David Foster Wallace’s commencement speech. The only one he ever gave – in 2005, to graduates of Kenyon College, Ohio.
Doom and gloom
Visualizing the end of the American republic is a grim essay by George Packer in the Atlantic.