Just over a week ago, a security vulnerability was discovered in the log4j2 library, which is used by the vast majority of programs written in the Java programming language. According to publications in the field, such as IEEE Spectrum, Java is the second most used language among programmers.
Although most programs developed in this language run on servers (that is, not on our personal computers but on the computers we connect to when using the internet), there are exceptions. One of them is the program used to file income tax returns in Brazil. Another is the older version of what is possibly the most popular video game of all time: Minecraft. Interestingly, the vulnerability was discovered in-game.
The flaw in a library whose only job is to generate records of the activity of the program that uses it (logs) is a boon to cybercriminals around the world. With some skill, an attacker can gain full access to a computer running a program that depends on log4j2. If the attacker works out how the program logs its activity, they can make it connect to a server under their control, which in turn gives them access to the victim’s computer.
This is not the first flaw of its kind: one that has existed since a library’s first implementation and is only discovered years later. Heartbleed was such a case. In both situations, the discovery caused untold financial losses for companies and individuals whose data was stolen. Attackers could gain access to the servers and databases of banks and large corporations such as Amazon and Google, as well as of many small companies with far fewer resources to deal with this kind of problem. For the more paranoid: imagine what went on while knowledge of the vulnerability was not yet public.
“But if this library is so widely used, so important, that was just bad luck, right? There must be a lot of developers working on the project and they let this one slip through”, thinks the unsuspecting reader. The reality, however, is far from that. log4j2, like a good part of the programs and libraries we depend on, is open source. The project is sponsored by the Apache Foundation, but that doesn’t mean its developers are paid to work on it. The monopolies that use technology like this don’t give a dime to its developers. Nor do they allocate their own programmers’ time to maintaining, testing, and validating log4j2.
It turns out that logging is not a very glamorous area of computing. We could say that logs are the accountants of the technology world. Few individuals take an interest in the area. Furthermore, despite its being critical to the operation of several trillion-dollar corporations, the capitalists are not as responsible as they like to present themselves. They simply want to parasitize the work of others to keep the profit.
Allow me to quote the creator of the library, Ralph Goers:
“I currently work as a software architect. I work on log4j and other open source projects in my spare time so I typically work on issues that are of interest to me. I’ve always dreamed of working with open source full-time and would love your support to make that happen”, declared the programmer amid the confusion over the vulnerability in his project.
The fault is certainly not his as an individual. Goers, like so many others working on open source projects, is a hero who voluntarily creates tools that enable the development of so many other products and services essential to the modern world, without asking for a penny in return.
The big information technology entrepreneurs, born in this imperialist era, are, on the other hand, complete parasites. They take over everything that is public and are very creative when it comes to extracting profits from their workers and consumers. Their monopolies are worth trillions and, even after blunders like this, continue to grow and be worth more and more. These companies don’t create technology; they just take what is publicly available and pay people like me to bolt it all together into a contraption that, with luck, won’t hand their customers’ data over to criminals.
The vulnerability in log4j2 is a tragedy, but at the same time it exposes that much of what sustains the world of technology is the result of the work of motivated people like Goers and so many others who create and maintain free software projects. Contrary to what the capitalists think, the world does not need them. Workers are not going to waste their time getting drunk if all the bosses disappear. Many are willing to work extra hours just to satisfy their curiosity.
Entrepreneurs don’t pay us to produce efficient and secure programs. They also don’t pay us to create interesting or innovative things. Programmers are mostly paid to build features that add nothing to the product but generate revenue for the capitalists, such as adding ads, blocking features if the user hasn’t paid for a license, and so on.
The log4j2 flaw does not show the weakness of open source development. It shows the parasitic character of large corporations that do not use their endless resources to strengthen the public infrastructure they depend on. It shows how they are an obstacle to the progress not only of technology, but of society.