TNS
VOXPOP
Will JavaScript type annotations kill TypeScript?
The creators of Svelte and Turbo 8 both dropped TS recently saying that "it's not worth it".
Yes: If JavaScript gets type annotations then there's no reason for TypeScript to exist.
0%
No: TypeScript remains the best language for structuring large enterprise applications.
0%
TBD: The existing user base and its corpensource owner means that TypeScript isn’t likely to reach EOL without a putting up a fight.
0%
I hope they both die. I mean, if you really need strong types in the browser then you could leverage WASM and use a real programming language.
0%
I don’t know and I don’t care.
0%
Open Source / Security

FTC Says Fix Log4j Security Vulnerability or Face Its Wrath

The US Federal Trade Commission (FTC) has issued a warning that it will punish companies that don't fix the Java logging package Log4j security problems.
Jan 10th, 2022 7:00am by
Featued image for: FTC Says Fix Log4j Security Vulnerability or Face Its Wrath

It’s not like the four — count ’em, four — Log4j security vulnerabilities aren’t more than just trouble in and of themselves. Just check in with the Belgian defense ministry to see what they have to say about it. Now, the U.S. Federal Trade Commission (FTC) has issued a warning that it will punish companies that don’t fix the Java logging package Log4j security problems.

Specifically, if the Log4j (CVE-2021-44228) security hole leads to a “loss or breach of personal information, financial loss, and other irreversible harms,” the FTC may take legal action against your company. “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

No pressure!

The FTC wants to make sure there’s not a repeat of the Equifax fiasco. In this security disaster, credit-giant Equifax lost over 100-million names, social security numbers, birthdates, and home addresses to a hack. The reason? Equifax hadn’t bothered to keep Apache Struts up-to-date with the latest security patches. As security expert SwiftOnSecurity said at the time it was a classic case of “Pretty much 99.99% of computer security incidents are oversights of solved problems.

Log4j Is a Different Animal

Log4j is different. While the patches came out in time, finding Log4j libraries in our source code or binaries isn’t trivial. There are scanning tools to find unpatched Log4j libraries, but none of them can spot all such insecure instances.

In the Equifax and Struts case, the blame was correctly put on the company. They simply did a crappy job of maintaining their software and got caught out by a nasty, but patched, security bug. In the end, this cost Equifax $700-million in fines.

With Log4j companies really can say they didn’t know that the problem existed until it was too late. Now, whether the FTC will listen to such an excuse is another question entirely.

Start Logging

If you aren’t already logging all your Log4j remediation efforts, now’s the time to start. Even if the FTC doesn’t come knocking on your door, it’s all too possible that if a customer gets burned by your software having an unfixed Log4j problem, their lawyers will come after your scalp.

What’s more concerning is that the FTC is also casting doubt on open source software itself. The Commission concluded:

“The Log4j vulnerability is part of a broader set of structural issues. It is one of thousands of unheralded but critically important open source services that are used across a near-innumerable variety of internet companies. These projects are often created and maintained by volunteers, who don’t always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy. This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security.”

Support Your Local Open Source Software

That vital open source software needs more support is no news. If you’re a developer, you know the xkcd cartoon about the tiny, but vital program is being maintained by a person in Nebraska who’s been thanklessly maintaining it since 2003. To take care of such issues, the Linux Foundation‘s Open Source Security Foundation (OpenSSF) job is to find those little under-supported projects and make sure they get the help they need to keep the lights on and the code safe.

While this is a real problem, the reason why Log4j is such a big deal is that thanks to how Java packages its code it’s very difficult to find the vulnerable library to patch it.

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.