How cut-and-pasted programming is putting the internet and society at risk | John Naughton

A vulnerability has been exposed in Minecraft, the bestselling video game of all time – and the security implications outside the world of gaming are vast

In one of those delicious coincidences that warm the cockles of every tech columnist’s heart, in the same week that the entire internet community was scrambling to patch a glaring vulnerability that affects countless millions of web servers across the world, the UK government announced a grand new National Cyber Security Strategy that, even if actually implemented, would have been largely irrelevant to the crisis at hand.

Initially, it looked like a prank in the amazingly popular Minecraft game. If someone inserted an apparently meaningless string of characters into a conversation in the game’s chat, it would have the effect of taking over the server on which the game was running and downloading malware that could then do all kinds of nefarious things. Since Minecraft (now owned by Microsoft) is the best-selling video game of all time (more than 238m copies sold and 140 million monthly active users), this vulnerability was obviously worrying, but hey, it’s only a video game…

This slightly comforting thought was exploded on 9 December by a tweet from Chen Zhaojun of Alibaba’s Cloud Security Team. He released sample code for the vulnerability, which exists in a subroutine library called Log4j, written for the Java programming language. The implications of this – that any software using Log4j is potentially vulnerable – were stunning, because an uncountable number of programs in the computing infrastructure of our networked world are written in Java. To make things worse, the nature of Java makes it very easy to exploit the vulnerability – and there was some evidence that a lot of bad actors were already doing just that.

At this point a short gobbledegook-break may be in order. Java is a very popular high-level programming language that is particularly useful for client-server web applications – which basically describes all the apps that most of us use. “The first rule of being a good programmer,” the Berkeley computer scientist Nicholas Weaver explains, “is don’t reinvent things. Instead we re-use code libraries, packages of previously written code that we can just use in our own programs to accomplish particular tasks. And let’s face it, computer systems are finicky beasts, and errors happen all the time. One of the most common ways to find problems is to simply record everything that happens. When programmers do it we call it ‘logging’. And good programmers use a library to do so rather than just using a bunch of print() – meaning print-to-screen statements scattered through their code. Log4j is one such library, an incredibly popular one for Java programmers.”

There are something like 9 million Java programmers in the world, and since most networking apps are written in the language, an unimaginable number of those programs use the Log4j library. At the moment we have no real idea of how many such vulnerabilities exist. It’s as if we had suddenly discovered a hitherto unknown weakness in the mortar used by bricklayers all over the world which could be liquefied by spraying it with a specific liquid. A better question, says Mr Weaver, is what is not affected? “For example, it turns out at least someplace in Apple’s infrastructure is a Java program that will log the name of a user’s iPhone, so, as of a few hours ago, one could use this to exploit iCloud! Minecraft and Steam gaming platforms are both written in Java and both end up having code paths that log chat messages, which means that they are also vulnerable.”
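The first practical step that follows from this paragraph is an inventory: before anyone can say which of their programs are affected, they have to find every copy of Log4j, including the ones buried inside other people’s packaged applications. The script below is an added example (not from the column, and not Log4j’s own tooling) of how such an inventory is done. It walks a directory tree, opens every Java archive, recurses into archives nested inside “fat” jars, and reads the Maven `pom.properties` file that Log4j artefacts carry under `META-INF/maven/org.apache.logging.log4j/`. The sample fat jar it builds for itself is constructed, and the version string `9.9.9-EXAMPLE` inside it is made up; which real versions are affected is a matter for the vendor advisory, not something this page states.

```python
"""Inventory scanner: find copies of Log4j embedded in Java archives.

Added example. Walks a directory tree, opens every .jar/.war/.ear, and
reports org.apache.logging.log4j artefacts, including ones nested inside
fat jars. Versions are read from the Maven pom.properties each artefact
carries; judging whether a version is affected is left to the reader's
vendor advisory.
"""
import io
import os
import sys
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
LOG4J_PREFIX = "META-INF/maven/org.apache.logging.log4j/"


def _version_from_props(text):
    """Pull the version= line out of a Maven pom.properties body."""
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data, label):
    """Return [(location, artifact, version)] for Log4j artefacts in a zip blob.

    Recurses into nested archives so a log4j-core.jar shaded into a fat jar
    is reported as 'outer.jar!BOOT-INF/lib/log4j-core.jar'.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container at all; nothing to inventory
    with zf:
        for name in zf.namelist():
            if name.startswith(LOG4J_PREFIX) and name.endswith("/pom.properties"):
                artifact = name[len(LOG4J_PREFIX):].split("/")[0]
                version = _version_from_props(zf.read(name).decode("utf-8", "replace"))
                hits.append((label, artifact, version))
            elif name.lower().endswith(ARCHIVE_EXTS):
                hits.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return hits


def scan_tree(root):
    """Scan every archive under root and return all Log4j hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    hits.extend(scan_archive(fh.read(), path))
    return hits


def build_sample_fat_jar():
    """Constructed test input: a fat jar with one nested log4j-core jar.

    The version string is invented for the example and matches no real release.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(LOG4J_PREFIX + "log4j-core/pom.properties",
                   "#Generated by Maven\nversion=9.9.9-EXAMPLE\n"
                   "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    other = io.BytesIO()
    with zipfile.ZipFile(other, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("BOOT-INF/lib/log4j-core.jar", inner.getvalue())
        z.writestr("BOOT-INF/lib/other-lib.jar", other.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = scan_archive(build_sample_fat_jar(), "app.jar")
    for location, artifact, version in results:
        print(f"{location}: {artifact} {version}")
```

Run it with a directory as its only argument to inventory a deployment; with no argument it scans the constructed sample and reports the nested `log4j-core` it planted. The point of recursing into nested archives is exactly the one the paragraph makes: a team that never wrote a line of Java can still be shipping Log4j inside a vendor’s packaged application, and a scan that only looks at top-level filenames will not see it.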

It’s a global-scale mess, in other words, which will take a long time to clear up. And the question of who is responsible for it is, in a way, unanswerable. Writing software is a collaborative activity. Re-using code libraries is the rational thing to do when you’re building something complex – why start from scratch when you can borrow? But the most persuasive critique from the software community I’ve seen this week says that if you’re going to re-use someone else’s wheel, shouldn’t you check that it’s reliable first? “Developers are lazy (yes, ALL of them),” wrote one irate respondent to Bruce Schneier’s succinct summary of the vulnerability. “They will grab a tool like Log4j because it’s an easy way to handle logging routines and someone else has already done the work, so why reinvent the wheel, right? Unfortunately most of them will not RTFM, so they have no idea if it can actually do the things it was designed to do and thus, [they] don’t take any precautions against that. It’s a bit of a Dunning-Kruger effect where devs overestimate their abilities (’cuz they have l337 coding skillz!).”

Well, he might say that, but as an unskilled programmer I couldn’t possibly comment.

What I’ve been reading

It’s getting meta all the time
Novelist Neal Stephenson conceived of the metaverse in the 90s. He’s unimpressed with Mark Zuckerberg’s version. Read the transcript of his conversation with Kara Swisher on the New York Times website.

Words to live by
This Is Water is the title of David Foster Wallace’s commencement address, the only one he ever gave – in 2005, to graduates of Kenyon College, Ohio.

Doom and gloom
Visualising the end of the American republic is a sombre essay by George Packer in the Atlantic.


John Naughton

The Guardian
