Tech Brew Ride Home - Mon. 12/13 – Why the Log4j Bug Is Such A Big Deal

Episode Date: December 13, 2021

A huge bug in Apache servers is causing chaos around the Internet. What to expect, and what we’re still waiting on from iOS 15.2. Why did Instagram steal the @metaverse handle from a woman in Austra...lia, and the story of the fat finger fire sale of a Board Ape Yacht Club NFT. Sponsors: Grammarly.com/techmeme Tovala.com/ride Links: Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet (ArsTechnica) The Internet’s biggest players are all affected by critical Log4Shell 0-day (ArsTechnica) PROFESSIONAL MAINTAINERS: A WAKE-UP CALL (Filippo.io) Apple Set to Release Nudity Detection in Texting, But Other Features Remain on Hold (Bloomberg) Her Instagram Handle Was ‘Metaverse.’ Last Month, It Vanished. (NYTimes) Bored Ape Yacht Club: Someone accidentally sold a $300,000 NFT for $3,000 (CNET) Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Discussion (0)
Starting point is 00:00:00 On April 4th, 2023, around 2 in the morning, a man was found stabbed multiple times on a sidewalk in downtown San Francisco. Hey, who did this to you? What happened next turned the story into a political firestorm. Reports have identified the victim as Bob Lee, the founder of Cash App. From Bloomberg Podcasts, this is Foundering, the Killing of Bob Lee, beginning April 16. Welcome to the Tech Meme Right Home for Monday, December 13th, 2021. I'm Brian McCalla today. A huge bug in Apache servers is causing chaos around the internet, what to expect and what we're still waiting on from iOS 15.2. Why did Instagram steal the at Metaverse handle from a woman in Australia and the story of the fat finger fire sale of a bored ape yacht club NFT? Here's what you miss today in the world of tech. Really bad news over the weekend. A vulnerable. in the Apache Log 4J Java logging library was discovered that allows for remote code execution and impacting everything from Steam to ICloud to Minecraft and all sorts of services. In fact,
Starting point is 00:01:21 this was first discovered by Minecraft users, and look, it basically affects everything. I've even heard tour servers are being unmasked, quoting R's Technica. Word of the vulnerability first came to light on sites catering to users of Minecraft. The best-selling game of all time. The sites warned that hackers could execute malicious code on servers or clients running the Java version of Minecraft by manipulating log messages, including from things typed in chat messages. The picture became more dire still, as Log 4J was identified as the source of the vulnerability and exploit code was discovered posted online. Log4J is incorporated into a host of popular frameworks, including Apache Struts 2, Apache Solar, Apache Druid, and
Starting point is 00:02:05 Apache Flink. That means a dizzying number of third-party apps may also be vulnerable to exploits of the same high severity as those threatening Minecraft users. Researchers said the Java deserialization bug stems from Log 4J making network requests through the J-N-D-I to an L-D-A-P server and executing any code that's returned. The bug is triggered inside of log messages with the use of a specific syntax. Additional reporting from security firm Lunasek said that certain Java versions are less affected by this attack vector, at least in theory, because the JNDI can't load remote code using LDAP. Hackers may still be able to work around this by leveraging classes already present in the target application.
Starting point is 00:02:52 Success would depend on whether there are any dangerous gadgets in the process, meaning newer versions of Java may still prevent code execution, but only depending on the specifics of each application, end quote. the Apache Software Foundation quickly released a security fix for this zero day. But over the weekend, waves of attacks were spotted targeting unpatched Apache servers and exfiltrating data, spreading botnets, installing crypto miners, all sorts of nasty stuff. The amount of attacks was described as massive. Again, from Ars Technica. A compilation of screenshots posted online documents how some of the world's most popular
Starting point is 00:03:31 and trusted cloud-based services react when they are fed parameters. used in the attack. To wit, and then they posted a screenshot of an Apple ID login, quoting again, the images above use a domain name system leak detection service called DNSlog.cN to see if the target cloud service is performing a DNS lookup. Each image shows that service is accepting connections from an attacker-controlled machine, as evidenced by the IP connection log. Normally, typing something into a username box should never be making any external network connections, so the fact that it does proves that Log 4J is being used here and therefore that the server may be vulnerable to the remote code execution attack.
Starting point is 00:04:11 Ars Reader Skizzards explained in the comments. While the images show the services responding in unintended and potentially dangerous ways to user input, the services aren't automatically vulnerable to the types of code execution attacks that compromise Minecraft servers. That's because these services typically have multiple layers of defense. If one layer fails, additional layers are often available to lessen or completely eliminate any real damage. Then again, the images demonstrate that unauthorized people can exploit Log 4 shell to access the servers of some of the world's most powerful corporations in ways they never intended. Asked about the access to Apple servers, Malwarebytes, director of Mac offerings Thomas Reed, said,
Starting point is 00:04:51 quote, this is far worse than if individual devices were vulnerable. And I think it's an open question at this point exactly what kind of data attackers are probably pulling. pooling from Apple services as we speak, end quote. Apple representatives didn't respond to an email seeking comment. Cloudflare, meanwhile, said in a post that it has taken steps to block attacks on its network and against its customers, end quote. Now, one big takeaway from all of this is a reminder that the entire internet is built on the back of open source stuff like Apache, and yet there was apparently a mere handful of maintainers of the logging library exploited in this case. It only had three sponsors on GitHub as of this weekend, and those handful of folks were
Starting point is 00:05:36 maintaining this key infrastructure in their part-time. In an essay on his blog, Filippo Valcorda says, quote, open source software runs the internet and by extension the economy. This is an undisputed fact about reality in 2021. And yet, the role of open source maintainer has failed to mature from a hobby into a proper profession. Volunteers are doing their best in their spare time, of passion or because they are or were having fun. They feel tremendous responsibility, but ultimately can't be expected to persevere in the face of burnout, a change in life circumstances like having a kid or changing jobs, or even shifting priorities. They also can't be expected to provide professional levels of performance because, again, no one is paying them, and they are
Starting point is 00:06:19 well within their rights to only do the fun parts of the job. Professionals are expensive for a reason. GitHub sponsors and Patreon are a nice way to show gratitude, but they are an extremely unsurious compensation structure. The average maintainer of a successful project would qualify as a senior software engineer, and those can easily make more than $150,000 to $300,000 a year. When is the last time you've seen a GitHub sponsor's recipient making more than $1,000 a month? That's at least 12 times less than the alternative. Even more importantly, there isn't a career path. You can't start as a junior maintainer, get training and experience, and expect to eventually grow into a better paid senior maintainer. That's not how any of it works today. Being employed as a
Starting point is 00:07:02 full-time maintainer by a big company does pay better, but it is not much healthier, both organizationally and individually. Executives and promotion committees start asking, what is it that we pay you for exactly? And suddenly, you're spending more and more time proving your work is important and less and less time doing it. The workload increases as the project grows, but the team struggles to get more resources, no one gets promoted, and people burnout and leave or change roles. I've seen this play out across multiple companies and ecosystems over and over. This is what I hope to see happen more and more. Open source maintainers graduating to sophisticated counterparties who send invoices for support and sponsorship on letterhead and big
Starting point is 00:07:42 companies developing procedures to assess, approve, and pay them as a matter of routine so that they can get what they need from the whole ecosystem. This is what I hope to see happen more and more. Open source maintainers graduating to sophisticated counterparties who send invoices for support and sponsorship on letterhead and big companies developing procedures to assess, approve, and pay them as a matter of routine so that they can get what they need from the ecosystem. Eventually, a whole career path with an on-ramp for junior maintainers, including training, like, you know, a real profession. Now is the perfect time for open source maintainers to become legible to the big companies that depend on them and that want to get more out of them and send them five.
Starting point is 00:08:24 to six-figure invoices. Big companies can either lead or play catch-up, end quote. iOS 15.2 is coming any day now and will bring a bunch of things, including nudity detection in the Messages app, part of Apple's continued attempt to protect kids, also a macro lens toggle for iPhone cameras, which I never really understood why they didn't have that to begin with. Also better privacy controls and more, but no digital IDs in wallet and no universal. controls for MacOS yet. Quoting Bloomberg. The image detection works like this. Child-owned iPhones, iPads, and Macs will analyze incoming and outgoing images received and sent through the Messages app to detect nudity. If the system finds a nude image, the picture will appear blurred,
Starting point is 00:09:17 and the child will be warned before viewing it. If children attempt to send a nude image themselves, they will be warned as well. In both instances, the child will have the ability to contact a parent through the messages app about the situation, but parents won't automatically receive a notification. That's a change from the initial approach announced earlier this year. In order for the feature to work, parents need to enable it on a family sharing account. The camera app is also getting an addition, a button that lets you disable the iPhone from triggering the macro lens automatically when you get close to an object. And a new privacy report shows which features like location, camera, and microphone were accessed by each of your apps.
Starting point is 00:09:54 The report also reveals network activity from individual websites. You can also now designate a digital legacy contact to receive your data if you die, and the TV app will gain a new store tab for buying movies and shows from iTunes, while CarPlay finally adds the long-promised richer version of maps found on the iPhone, iPad, and Mac apps. Here are two updates that you'll still have to wait for. Universal Control. This feature will let you use one Mac keyboard and mouse slash trackpad across iPads and multiple Macs. It's not in the update at this time. And also ID cards. This option will let you store a digital version of your driver's license in the iPhone wallet app for daily use or showing to the TSA at airports. But that's another feature that we're waiting on, end quote. Another reminder today, this time that in the current web 2.0 world, you don't own anything. You're just renting until some big platform or rights holder decides that you don't deserve to have what you have anymore.
Starting point is 00:11:03 Case in point, an Australian artist who had been using the At Metaverse Instagram handle for a decade, and then recently found herself being blocked from using her account after Facebook changed its name to Meta, quoting the New York Times. In October, D.M.A. Bauman, an Australian artist and technologist found herself sitting on prime internet real estate. In 2012, she had started an Instagram account with a handle at Metaverse, a name she used in her creative work. On the account, she documented her life in Brisbane, where she studied fine art and her travels to Shanghai, where she built an augmented reality company called Metaverse Makeovers. She had fewer than a thousand followers
Starting point is 00:11:43 when Facebook, the parent company of Instagram, announced on October 28 that it was changing its name. In the days before, as word leaked out, Ms. Bauman began receiving messages from strangers offering to buy her Instagram handle. You are now a millionaire, one person wrote on her account. Another warned, Facebook isn't going to buy it, they're going to take it. And on November 2nd, exactly that happened. Early that morning when she tried to log into Instagram, she found that the account had been disabled. A message on the screen read, your account has been blocked for pretending to be someone else. Whom, she wondered, was she now supposedly impersonating after nine years? She tried to verify her identity with Instagram, but weeks passed with no response, she said.
Starting point is 00:12:24 She talked to an intellectual property lawyer, but could afford only a review. of Instagram's terms of service. On December 2nd, a month after Ms. Bauman first appealed to Instagram to restore her account, the New York Times contacted Mehta to ask why it had been shut down. An Instagram spokesman said that the account had been, quote, incorrectly removed for impersonation and would be restored. We are sorry this error occurred, he wrote. Two days later, the account was back online. The spokesman did not explain why it had been flagged for impersonation or who it might have been impersonating. The company did not respond to further questions about whether the blocking had been linked to Facebook's rebranding, end quote. So the moral of the story here is,
Starting point is 00:13:03 again, if a platform takes something from you, better hope that you can get someone with a big enough megaphone like The New York Times to raise a stink. Otherwise, you're probably not going to get it back. Now, as I hinted at in that previous segment by mentioning Web 2.0 as the world we're still living in, one of the ideas of Web 3, of course, is that it allows tangible ownership of digital goods, and that should fix situations like we just discussed, right? Like when things go wrong, we're unfortunately now used to the idea that a huge faceless mega corporation isn't going to hear out our pleas. There is likely to be no recourse, no court of appeals when something goes wrong. But if in the future, there's not even a
Starting point is 00:13:54 faceless corporation. If there's no there there, because everything is at least in theory decentralized now? What then? Consider the case of the Web3 user who is blaming a fat finger error for accidentally selling a Bored Ape Yacht Club NFT for a mere 0.75-Eath, which is around $3,000, not the 75th that he intended to sell for. The NFT was then immediately relisted for more than 60th, quoting C-NET. The Bored Ape Yacht Club is one of the most prestigious NFT collections in the world. You may scoff at the words prestigious and NFT being used so close together, but among its star-studded members are Jimmy Fallon, Steph Curry, and Post Malone.
Starting point is 00:14:37 Right now, the price of entry, that is, the cheapest you can buy a board ape yacht club NFT for is 52 ether or $2,000, or $210,000. Which is why it's so painful to see that someone accidentally sold their board ape NFT on Saturday for $3,066. Here, the owner, real name Max, or username Maxnot, meant to list his board ape for $75 ether or around $300,000, but accidentally listed it for $1.75, $1,100th the intended price. It was bought instantaneously. The buyer paid an extra $34,000 to speed up the transaction, ensuring no one could snap it up before them. The board ape was then promptly
Starting point is 00:15:19 listed for $248,000. The transaction appears to have been done by a bot, which can be coded to immediately buy NFTs listed below a certain price on behalf of their owners in order to take advantage of these exact situations. How'd it happen? A lapse of concentration, I guess, Max told me. I list a lot of items every day and just wasn't paying attention properly. I instantly saw the error as my finger clicked the mouse, but a bot sent a transaction over with eight eth or $34,000 of gas fees, so it was instantly sniped before I could click cancel, and just like that, $250,000 was gone, end quote. Fat-Finger trades happen sporadically in traditional finance, like the Japanese trader who
Starting point is 00:16:00 almost bought 57% of Toyota's stock in 2014, but most financial institutions will stop those transactions if alerted quickly enough. Since cryptocurrency and NFTs are designed to be decentralized, you essentially have to rely on the goodwill of the buyer to reverse the transaction. Fat-Finger errors in cryptocurrency trades have made many a headline over the past few years. Back in 2019, the company behind Tether, a cryptocurrency pegged to the U.S. dollar, nearly doubled its own coin supply when it accidentally created $5 billion worth of new coins. In March, BlockFi meant to send $700 Gemini to a set of customers worth worth $1 each, but mistakenly sent out millions of dollars worth of Bitcoin instead. Last month, a company erroneously paid $24 million in fees on a $100,000 transaction. similar incidents are increasingly being seen in NFTs now that many collections have accumulated in market value over the past year.
Starting point is 00:16:55 The industry is so new, bad things are going to happen, whether it's your fault or the tech, Max said. Once you no longer have control of the outcome, forget it and move on, end quote. Which is good advice, but also a reminder, our third one today, that one of the reasons marketplaces especially have had middlemen is not just so that they can, you know, do rent-taking, make things inefficient. Middlemen also provide a service, which is often recourse and accountability. Completely believing in decentralization as a force for good is one thing and a thing that I buy into, but also being blind to small things that could make even decentralized operations work better is another thing. I'm not saying we need middlemen. I'm not saying decentralization can't happen. I'm just saying that things have been done a
Starting point is 00:17:46 certain way in markets for 5,000 years. And sometimes, just sometimes, there's been a kernel of strong logic behind it. In honor of the brilliant final episode of the season on Succession last night, can anyone get me on the lackey slack channel, the lackey slack? Probably could get some good insider information early if you're on that slack. And like Greg, maybe this will allow me to move from the endless middle toward the bottom of the top. Talk to you tomorrow.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.