Volkan Yazici currently works 22 hours a day – without seeing a single cent. The programmer is a member of the Log4j project, a widely used open source tool for recording user activities, known as logs, in numerous software packages. Log4j is in infrastructure that is found in large parts of important Internet applications – from iCloud to Amazon services to Twitter. And Yazici and his colleagues are desperately trying to close a massive security hole in their software that is putting millions upon millions of systems at risk.
The vulnerability in Log4j can be exploited extremely easily. After sending a malicious string to a vulnerable server, hackers can run any code on it. Some of the early attackers were scriptkiddies who injected malware into Minecraft servers. Hackers, some of whom have been linked to China and Iran according to government circles, are now trying to exploit the vulnerability on every server on which the faulty code is running.
A security crisis with an open outcome
And there is no end in sight. The Log4j problem represents a long-term security crisis that could last for months or years. Jen Easterly, the director of the US agency for cyber and infrastructure security, spoke of one of the most serious vulnerabilities she has ever seen. At this scale, you’d expect the world’s largest tech companies and governments to hire hundreds of highly paid professionals to fix the problem as quickly as possible.
The truth is different, however: Log4j, which has long been an important part of the central Internet infrastructure, was founded as an open source volunteer project and is still largely unpaid, although many million and billion dollar companies depend on it and everyone Day benefit from the open source software. Yazici and his team are now trying to repair them for free. Sustainability looks different.
This strange situation is routine in the open source world – programs whose code can be viewed, modified and used by anyone. It’s a decade-old idea that is critical to the way the internet works. When things go well, open source is a triumph of volunteer teamwork. If something goes wrong, such software can become a far-reaching danger – not because of the openness of the source, but because of insufficient resources. “Open source controls the Internet and thus also the economy,” says Filippo Valsorda, a developer who works on open source projects at Google. And yet, he explains, it is extremely common, even with core infrastructure projects, to have “a small team of supervisors or even a single supervisor who is not paid to work on their project”.