FutureFive New Zealand

The aftermath of Log4j - What can be done to protect businesses?

By Shannon Williams
Mon 24 Jan 2022

Last year's Apache Log4j vulnerability created a lot of chaos, so what can be done to protect companies from the security implications?

Tim Mackey, principal security strategist with Synopsys Cybersecurity Research Centre, says that while it might be tempting to view a major vulnerability as an indication of open source somehow being deficient, the reality is far from that. 

"Open source software is not more or less secure than commercial software, and in reality most commercial software either includes or runs on open source technologies," he says.

"Open source simply means that the software is developed in a manner where the source code is available to anyone who wants it."

Mackey says, "What we are seeing with the Log4J response from the Apache Log4J team is exactly what we'd expect to see from a team that is taking the software they produce seriously and being responsive to the needs of their install base.

"Considering that they are volunteers, such a response is indicative of the pride of ownership we often see within open source communities," he says.

"In reality, an incident like Log4J is likely to improve open source development as a whole much in the same way that Heartbleed improved development practices of both open and closed source development teams."

Mackey says a common thought pattern is that there should be a commercial replacement to protect companies from security implications like those of Log4j, but that this misunderstands how software development really works.

"Every software component has what is known as an interface. That interface might be in the form of an API if it's a web service, or it might represent the functions that can be called when the component is loaded into an application," he says.

"What that interface looks like, how it behaves, what types of data it takes and in what format, are all examples of decisions the development team creating the component make as they write the component. 

"Those decisions can also change as new features are implemented or as the code evolves. Log4J has an interface for each of its major versions, and they are not the same," Mackey says.

"For a commercial replacement of any component to exist, there must be an available market for it. In the case of Log4J, the component logs message data to a log file. There is nothing sexy about it, and there are many other ways of logging data than just Log4J."

He says that means there is not much of a commercial software market for a replacement. 

"But, let's assume someone was willing to make that investment to have a commercial replacement for Log4J. In that case, they would need to both re-implement the current Log4J interface and then write what is presumed to be more secure code," Mackey says.

"The concept of open source somehow being less secure than commercial software may have been true decades ago, but that is far from true today. Still, let's assume that our fictitious company was able to create a perfect logging utility that faithfully reproduced the Log4J interface.

"Once they've created that replacement, they need to market it and ensure that it doesn't break any software using Log4J."

Mackey says detection of vulnerabilities in open source isn't a problem, but detection of software defects representing a weakness that could be exploited is an important topic. 

"This distinction is important as vulnerabilities might not represent flaws in code, but instead flaws in deployment configuration or changes in hardware," Mackey says.

"It is important to note that open source and closed source software have an equal potential for security issues, but with open source it is possible for anyone to identify those issues," he explains.

Since it's possible for anyone to identify issues, Mackey says the question really is one of how many people are actually attempting to identify issues in open source and how diligent those efforts are.

"Part of the problem is a sentiment that has consumers or users of open source projects behaving as if they expect the open source project to behave like a commercial software vendor," he says.

"If you look at the issues list of any reasonably popular open source project on GitHub, you'll see feature requests and comments about when certain problems might be resolved. The modern open source movement was founded on the principle that if you didn't like the way the code was working, then you were free to modify it and address whatever gaps in functionality that were perceived to exist. Feature requests in GitHub issues and complaints about serviceability have an implicit expectation that a product manager is on the receiving end of those requests and that they will be added to a roadmap and eventually be released all for free."

Mackey says that in reality, gaps in functionality and even perceived bugs represent opportunities not to request free programming services but instead to contribute to the future success of code that is evidently important enough to the person complaining for them to bother complaining about it.

"Yes, some people won't know the programming language used by the project, but to expect other people to prioritise a complaint from an unknown third party over changes that solve problems for active contributors isn't realistic. As much as anything, open source functions through the altruism of contributors," he says.

"Over recent years, we've heard core contributors for popular open source projects express frustration about the profits made by large businesses from the use of their software. While it's easy to relate to someone putting their energy into a project only to have a third party profit from the efforts, the reality is that if that third party is profiting from the efforts of an open source development team, then they should be contributing to its future success.

"If they don't, then they run not only the risk that the code in question might change in ways they didn't expect, but also the risk that, when security issues are identified and resolved, they might be delayed in applying those fixes," Mackey says.

"After all, if a business isn't taking the time to engage with the teams creating the software that powers their business, then it's likely they don't know where all the software powering their business originates and can't reliably patch it."
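That last point, that a business which does not know where its software comes from cannot reliably patch it, is the part a practitioner can automate. The Python script below is an added example, not code from the article, from Synopsys or from the Log4j project. It walks a directory tree, opens every JAR, WAR, EAR or ZIP it finds (including archives nested inside other archives, which is where a log4j-core copy typically hid in deployed applications), reads each manifest, and reports every log4j-core it finds with its version, whether that version is below a minimum the caller supplies, and whether the JndiLookup class is still present in the archive. Assumptions, labelled as such in the code: that log4j-core manifests identify themselves by Bundle-SymbolicName org.apache.logging.log4j.core or Implementation-Title "Apache Log4j Core" (verify against a real artifact before relying on it); that the sample archives are constructed in a temporary directory purely for the demonstration; and that the minimum version (2.17.1 in the demo) is a threshold the reader sets from the Apache advisory for their Java version, not a figure this article gives.

```python
# Added example (not the article's or the Log4j project's code). Assumption:
# log4j-core manifests identify themselves by Bundle-SymbolicName
# org.apache.logging.log4j.core or Implementation-Title "Apache Log4j Core".
import io
import re
import tempfile
import zipfile
from pathlib import Path

MANIFEST = "META-INF/MANIFEST.MF"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def parse_manifest(text):
    """JAR manifest -> dict; a leading space continues the previous attribute."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
        elif ":" in raw:
            key, _, val = raw.partition(":")
            last = key.strip()
            attrs[last] = val.strip()
    return attrs

def parse_version(s):
    """'2.14.1' -> (2, 14, 1); tuples compare numerically, so 2.17 > 2.9."""
    return tuple(int(x) for x in re.findall(r"\d+", s))

def is_log4j_core(attrs):
    return (attrs.get("Bundle-SymbolicName") == "org.apache.logging.log4j.core"
            or attrs.get("Implementation-Title") == "Apache Log4j Core")

def walk_archive(zf, label):
    """Yield (label, ZipFile) for zf and every archive nested inside it
    (WEB-INF/lib/*.jar in a WAR, JARs shaded into a fat JAR, ...)."""
    yield label, zf
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from walk_archive(inner, f"{label}!{name}")

def find_log4j_core(root, min_version):
    """One finding per log4j-core copy under root: its version, whether it is
    below min_version, and whether JndiLookup.class is still shipped."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or p.suffix.lower() not in ARCHIVE_SUFFIXES:
            continue
        try:
            outer = zipfile.ZipFile(p)
        except zipfile.BadZipFile:
            continue
        with outer:
            for label, zf in walk_archive(outer, str(p.relative_to(root))):
                names = set(zf.namelist())
                if MANIFEST not in names:
                    continue
                attrs = parse_manifest(zf.read(MANIFEST).decode("utf-8", "replace"))
                if not is_log4j_core(attrs):
                    continue
                version = parse_version(attrs.get("Implementation-Version", "0"))
                findings.append({"path": label,
                                 "version": ".".join(map(str, version)),
                                 "below_minimum": version < min_version,
                                 "jndi_lookup_present": JNDI_LOOKUP in names})
    return findings

def _jar(manifest_attrs, extra_files=()):
    """In-memory JAR for the constructed sample (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        body = "".join(f"{k}: {v}\r\n" for k, v in manifest_attrs.items())
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\n" + body + "\r\n")
        for name in extra_files:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic stand-in
    return buf.getvalue()

def build_sample(root):
    """Constructed tree: an old log4j-core buried in a WAR, a newer one deployed
    standalone with JndiLookup removed, and an unrelated library."""
    root, core = Path(root), "org.apache.logging.log4j.core"
    old = _jar({"Bundle-SymbolicName": core, "Implementation-Version": "2.14.1"},
               [JNDI_LOOKUP])
    new = _jar({"Bundle-SymbolicName": core, "Implementation-Version": "2.17.1"})
    other = _jar({"Bundle-SymbolicName": "com.example.other",
                  "Implementation-Version": "9.9.9"})
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", old)
        zf.writestr("WEB-INF/lib/other-9.9.9.jar", other)
    (root / "apps").mkdir()
    (root / "apps" / "shop.war").write_bytes(war.getvalue())
    (root / "lib").mkdir()
    (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(new)

def run_demo(min_version=(2, 17, 1)):
    """Inventory the constructed sample; min_version is the reader's threshold
    from the Apache advisory for their Java version, not a claim of this page."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return find_log4j_core(tmp, min_version)
```

Running run_demo() reports two copies: the 2.14.1 JAR inside apps/shop.war (below the minimum, JndiLookup still present) and the standalone 2.17.1 JAR (at the minimum, JndiLookup absent); the unrelated library in the WAR is ignored. Two design points matter in practice: versions are compared as integer tuples rather than strings, because "2.9.0" sorts after "2.17.1" lexically, and nested archives are opened recursively, because a flat file listing of a deployment directory never shows the copy bundled inside a WAR or a fat JAR.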
