Tag Archive for: Runs

The internet runs on free open-source software. Who pays to fix it?


For something so important, you might expect that the world’s biggest tech firms and governments would have contracted hundreds of highly paid experts to quickly patch the flaw.

The truth is different: Log4J, which has long been a critical piece of core internet infrastructure, was founded as a volunteer project and is still run largely for free, even though many million- and billion-dollar companies rely on it and profit from it every single day. Yazici and his team are trying to fix it for next to nothing.

This strange situation is routine in the world of open-source software, programs that allow anyone to inspect, modify, and use their code. It’s a decades-old idea that has become critical to the functioning of the internet. When it goes right, open-source is a collaborative triumph. When it goes wrong, it’s a far-reaching danger.

“Open-source runs the internet and, by extension, the economy,” says Filippo Valsorda, a developer who works on open-source projects at Google. And yet, he explains, “it is extremely common even for core infrastructure projects to have a small team of maintainers, or even a single maintainer that is not paid to work on that project.”

No recognition

“The team is working around the clock,” Yazici told me by email when I first reached out to him. “And my 6 a.m. to 4 a.m. (no, there is no typo in time) shift has just ended.”

In the middle of his long days, Yazici took time to point a finger at critics, tweeting that “Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren’t paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.”

Before the Log4J vulnerability made this obscure but ubiquitous software into headline news, project lead Ralph Goers had a grand total of three minor sponsors backing his work. Goers, who works on Log4J on top of a full-time job, is in charge of fixing the flawed code and extinguishing the fire that’s causing millions of dollars in…

Security Alert in Coronado After Driver Runs Gate at Base – NBC 7 San Diego


Officials at Naval Base Coronado said an investigation is underway after a man in a vehicle failed to stop for base security.

The incident occurred at about 2:15 p.m. Thursday, said Navy spokesman Kevin Dixon, who added that the base was locked down for a short time while a search was conducted for the missing man.

The driver was located about 20-30 minutes after he passed through the gate and was taken into custody, according to Dixon.

It’s not yet known if the driver will face criminal charges, though Dixon said that, insofar as the preliminary investigation is concerned, nothing more serious than accessing the base was intended by the driver.

Normal operations at the base have resumed, Dixon said.

Researcher enters servers of 35 tech companies, runs code


According to Bleeping Computer, security researcher Alex Birsan found a security vulnerability that allowed him to run code on those servers in what is touted as a novel software supply chain attack.

New Delhi: A cyber security researcher has utilised a security vulnerability to run code on servers owned by over 35 major tech companies, including Apple, Microsoft, Netflix, Tesla, Uber, Shopify, Yelp and PayPal, the media reported.

Birsan has earned over $130,000 in rewards through bug bounty programmes and pre-approved penetration testing arrangements with these companies.

“I feel that it is important to make it clear that every single organisation targeted during this research has provided permission to have its security tested, either through public bug bounty programs or through private agreements. Please do not attempt this kind of test without authorisation,” Birsan was quoted as saying in the report.

Microsoft awarded him their highest bug bounty amount of $40,000 and released a white paper on this security issue.

The tech giant identified the issue as CVE-2021-24105 for their Azure Artifactory product.

The novel software supply chain attack consisted of uploading malware to open source repositories, “which then got distributed downstream automatically into the company’s internal applications”.

The supply chain attack was more sophisticated as it needed no action by the victim, who automatically received the malicious packages.

Apple told Bleeping Computer that Birsan will get a reward via its Security Bounty programme for responsibly disclosing this issue.

PayPal has publicly disclosed Birsan’s HackerOne report mentioning the $30,000 bounty amount.

The possibility remains for such attacks to resurface and grow, especially on open-source platforms with no easy solution for dependency confusion, according to the researcher.

“I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate…

Smashing Security #142: Mercedes secret sensors, smart cities, and ransomware runs riot

Darknet Diaries host Jack Rhysider joins us to discuss how cities in Texas are being hit by a wave of ransomware, how Mercedes Benz has installed a tracker in your car (but not for the reason you think), the security threats impacting smart cities, and a new feature coming to your Facebook app.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast, hosted by computer security veterans Graham Cluley and Carole Theriault.

Graham Cluley