Log4Shell - The Open Source World on Fire
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifier: 10.5446/67209 (DOI)
FOSS Backstage 2022, 35 / 39
Transcript: English (auto-generated)
00:04
When Paul invited me to give a talk here, this was our biggest problem in December for me, but this is not really interesting. So what I consider myself at the moment is a cloud security architect, so I give advice on how to create applications in the cloud in a secure way.
00:27
The other things don't really matter, so I'm involved in a project at the moment for vaccinations, this is going live now, but that's not important. My motivation of this is I want to show you for example
00:42
projects which have completely different approaches in project structure and on the community side. I want to show you some flaws of open source development which nobody is to blame for, but we definitely have flaws when it comes to security.
01:06
Then I want to introduce the Sovereign Tech Fund and talk about other things which are in my opinion important at the moment for security. Unfortunately we have now other problems, so there is a war a few hundred
01:22
kilometers away from here, and last week it happened that some modems have been bricked. So we had half a gigawatt of wind turbine power not controlled anymore, which was not a big deal, but bricking and replacing these modems is something really important.
01:47
What nobody really noticed is that the European crisis management had the same satellite connections as these wind turbines, so if we had had an emergency in Europe which needed to be coordinated, we would have been without connection.
02:05
Everybody is downplaying this, especially the military, so this is good news. This is not something they consider as appropriate for an Article 5, but some other people jumped in, especially Anonymous.
02:22
They pretend to take over gas control systems or they hacked Rosneft, and just a remark in the beginning: this is a totally stupid idea, because especially attribution of these things is really hard.
02:42
Everybody who is doing this, everybody who is attacking infrastructure in a foreign country, is a legitimate target of war, and attacking civil infrastructure, even if you attack something like a gas pipeline in Russia, is a war crime.
03:01
So please stay defensive if you do this, protect your own systems and don't go into a foreign country, because everybody is really nervous. There was a conference in 2020 about defensive cons, so simply IT security in a defensive way. Please follow the
03:24
advice from this conference that you definitely try to protect your systems first and not go into an attack mode. What my business is, this is a Wikipedia picture, I'm responsible for deploying systems
03:41
controlling the transmission grid, the high voltage grid which is beyond 110 kilovolts. So this is critical infrastructure, it's highly regulated, failure is not really an option, we would have a blackout or even a partial blackout, which is causing problems. But this is something which is also starting to use open source heavily. This is my personal motivation.
04:08
And then what really happened with Log4Shell: it's not even a bug. What I have looked up has been specified in 1997, and the actual flaw is buried under many layers of code.
04:28
There was a talk at Black Hat 2016, nobody noticed this, and it's actually easy to exploit, you see new variants every day, for example in Apache Chainsaw or in connection with JDBC, so this is really a serious bug.
04:48
And if you are only a developer, in a way you should be concerned, but if you are a developer and not an IT admin, you don't notice how busy admins are at the moment; they are close to burnout and they are not always able to patch systems.
05:10
We have abandoned organizations, for example a very well known Berlin hospital which has ongoing data loss because there is no staff who can fix these Log4j flaws.
05:24
I estimated that even in the first weeks you have a 100 million euro loss of money just in workload due to this Log4Shell bug. This is a normal thing at the moment.
05:43
So then Adriana Groh approached me, and this was a study about the Sovereign Tech Fund, I will explain later what it is. And the study is based on the work of Adriana, Eileen Wagner, Fiona Krakenbürger, Felix Reda, Katharina Meyer. Felix Reda gave
06:03
a keynote last year, with a little help from Marco Alexander Breit and Tara Kiehl from OpenSSF and Suzanne Probacht and myself. So, personal disclaimer, I have been paid for this, a few days of consulting work. This was a side
06:27
job, end of August, beginning of September last year, and the examples are not representative but based on my daily experience.
06:40
And what I noticed is digital sovereignty is not well defined. I would always start with digital competence. There is governmental versus individual sovereignty, so the government understands something completely different than you as a person.
07:00
I personally see it also as a label, a Trojan horse to get free and open source software into government organizations. Here you have this iconic picture, and nobody knows where actually the person is on whom the entire world relies.
07:22
So this is Ariadne Conill claiming it last October, and she is not from Nebraska, she is from Oklahoma, and she has made major contributions to open source since 2003 or something like this.
07:42
What Ariadne does now, I did an interview with her, she does a lot of things in embedded Linux. For Alpine Linux there is no glibc, so this is effectively GNU-less Linux. They are basing it on a completely different library, not the GNU library, and it's effectively very small, it's 8 megabytes on top of the kernel.
08:08
It's a fork of an embedded appliance, it has a different start-up system, it's very container friendly, there are more than 1 billion containers using this at the moment running in production and it is easy to harden.
08:28
Container hardening is important because everybody is using containers, especially the German administration will roll out containers at scale. Containers are starting to run in critical infrastructure, so German KRITIS; there is a video at
08:44
my last link there, how I hack into container systems if they are not well prepared. There is a lot of support, for example by Google and so on. Another example is Ernest Durbin, he is not the person, but he is doing a very important job because he runs the PyPI directory.
09:08
So he is effectively responsible for 435,000 packages on PyPI, and he runs this entire ecosystem as a side job.
09:21
He has a lot of good ideas, but he does not have the time to execute all these ideas in a structured manner. PyPI, or Python as a programming language, is the number one at the moment, it runs nearly everywhere from controllers to artificial intelligence systems, and there is some initiative to get this into critical infrastructure.
09:46
Therefore, if it runs in critical infrastructure, it is important and needs a high level of security. Attacking Python is easy, we had several typosquatting attacks, people just uploading packages with typos in it.
10:06
We had dependency confusion, somebody is uploading packages with a very high version number, and there are lots of security checks necessary. This could also attack Ruby gems and npm. The mitigation Ernest proposes is you use virtual, trusted and audited sub-repositories.
10:30
Python runs in structured exchange systems, critical infrastructure and so on. The next example I've interviewed is Werner Koch. He is the main person behind GPG, so the encryption system which works everywhere.
10:47
And in 2015 he announced they are running out of funds. This is some project which is really important because all the crypto systems in every distribution are based on GPG.
11:02
He now got funding by Rohde & Schwarz, but effectively he told me that they get audits paid for by Red Hat, but they don't have the staff and the time to fix the code and the flaws detected in the audit, and the documentation is two or three years behind.
11:24
So this is something which is really concerning. Next thing is, I think it was yesterday in the online conference, Christian Ketterer, he created K-9 Mail, which is a mailer using encryption for Android.
11:42
He is one of the early members of the Android sandwich, which is now a Google Android user group or something like that. A c-base member, so local, I know him very well, and he is one of the persons who are maintaining a package more or less alone.
12:01
What is missing here is the Apache Foundation, because you would imagine if you have this impressive list of features, then everything is fine. So most of the code is Java code. You think Java, IBM, Red Hat, Oracle are behind this, so this is everything you need and everything is fine.
12:26
Everything is clear. No, Log4j has surprised us a little bit: even if you have this impressive list of references, you are not safe from fatal flaws.
12:46
And effectively the three people behind this are maintaining Log4j as a side job, which is surprising, but it works, and I think they don't want to do this in a different way.
13:05
So the scale is, in project size, from nearly a single developer to a number one programming language, everything in between, machine size from microcontrollers to supercomputers. Criticality is from fun projects to, yeah, it's run in critical
13:23
infrastructure, and the payment is somewhere between unpaid hobbyists and fully employed. So we have a lot of diversity in size and structure of projects. And if you talk to these people: yes, we are well funded. Nobody says, no, we are not well funded.
13:43
But effectively, no, you are not well funded if your code runs in critical infrastructure, because what you need in security-relevant systems is a long-term financial perspective. You need code reviews, you need a lot of resources beyond coding: maintenance, maintenance of older versions especially.
14:07
You need a lot of documentation, testing, and somebody should care about architecture fixes. So JNDI; in my domain, Kubernetes, you have this service account token which is notoriously insecure.
14:21
You need communication. What I've learned in the vaccination project is communication is a full-time job in a project. Here are some other architecture flaws. I found in Kubernetes mostly you see a
14:42
lot of things running somehow code from somewhere else without checking, without signature. And this is a real problem. You can rewrite it or replace it. For example
15:07
you could use age, which is a related project signing things, or rage in Rust. We always have these key lifecycle problems, which on the internet have been a little bit solved by Let's Encrypt.
15:25
And the proposal is to do this with Sigstore, which is a way of doing Let's Encrypt for supply chains. This is something new, and this is what I promote to my customers as a default. So please, if you run a supply chain, be sure that you know what you are running, sign everything and run only signed code somehow.
15:48
And the signing must be meaningful. When I talk to the industry, then I hear enterprise companies don't have a problem investing 5% of the project cost in open source maintenance.
16:05
But what they then ask me: but how do we know what we are actually using? And then I ask them, so this is in your software bill of materials, in your SBOM, but they don't have any. So this is one of the outcomes: we need to enforce that everybody who is in critical infrastructure
16:24
is running open source projects at scale and needs this kind of bill of materials and must be aware. And then you could just give money to the projects which are announced in your SBOM.
16:41
Another thing we see is we need to handle these security bugs carefully. This must be a responsible disclosure process. There is no other way of doing things, but if you look into China, China has a completely different approach to sovereignty.
17:00
Alibaba was punished because they reported the flaw not to the government first. So this is a real problem. The communities must be aware that they are able to set up a responsible disclosure process.
17:21
Now to the Sovereign Tech Fund. This is the English version, the German version is also available. This is a study on how to fund, to create a funding program for open digital base technology. So these are base technologies, like the OpenSSF does for OpenSSL, and we need this for a lot of other projects.
17:47
The mission statement is here, development, improvement and maintenance of base technologies. And the goal is to strengthen the open source ecosystem, not to create something new, but to help the open source ecosystem to reach these goals.
18:09
Focus here is on security, resilience and technological diversity, so that we do not only rely on a single technology, but have a replacement in case the first technology fails.
18:27
And this is the structure of the process. So in the center you have a database of software components. The database is filled by scouting and monitoring, so people will go around and look for projects which are in critical infrastructure and need help.
18:48
And then other people can apply for this. So if you see here that you have this additional selection process there, you can simply say, okay,
19:01
I consider my project as critical, and if they agree, you get also into this database of software components. And it gets kind of funny. The problem was, on the one side you need to support big projects like the Apache project, on the other side you might have single-person projects which could also be important in this ecosystem.
19:30
My comment is, effectively it's a good starting point. We are not focusing on innovation, there are other fundings. Leveraging is not included, but 10 million at the beginning is quite a number.
19:46
If I compare this to the Log4j damage, okay, we could do more, but the industry is ready to support this funding the moment they know what they are doing. If you compare this with other projects, it's not the biggest number you can have.
20:05
It's comparable to the OpenSSF funding or half of the Open Technology Fund funding, which also includes Radio Free Asia, so it's not exactly comparable, so this is a good starting point. What is missing? Innovation, this is intended.
20:21
We don't support new crypto here. We don't have privacy-aware things like privacy-preserving protocols or something like this, but this is also intended. Just before Christmas the new government confirmed, yes, we want to support this.
20:46
And this is one of the Secretaries of State, Franziska Brantner of the new government, and they want to support these open source base technologies. This is the good news, and we should align with the OpenSSF counterpart so that we simply share
21:06
the work, so that the OpenSSF-supported projects are complementary to the projects we do here in Germany. There are new initiatives which make total sense, and we should have some directives like this US government zero trust cybersecurity
21:27
memorandum, just to get things like zero trust out of the experimental stages and make it the default in the next years. So this looks like a program for years, I would say at least 10 years.
21:50
Hopefully this will start this year and address open source security in a good way. It has reasonable budgets, details need to be defined; what we see, or what will come out, hopefully as soon as possible.
22:10
And yes, I think this is the end of the talk and I'm open for questions.
22:22
So thank you, Thomas, are there any questions from the audience? Okay, so particularly on the Sovereign Tech Fund, what is the story and how was the reception of the topic of tools? Because most of the time there's a lot of talk about components and making sure that libraries
22:45
are secure, but there's not that much of a conversation about how do we build these things. Actually this was a little bit hidden, so I mentioned it shortly, this is the Sigstore project. It is a completely new initiative of doing secure supply chains, mainly driven by people who created startups like Chainguard, for example.
23:15
So you have already allies in the open source community, and interestingly a lot of people from Alpine Linux are here in Germany and even in Berlin.
23:26
So we have people very close to us, and at the moment, in my opinion, the tools are an example. It's too early to talk about final tooling, but the mindset is going in the right direction.
23:44
Just to be clear, when I was talking about tools, I was talking about compilers and IDEs and less supply chain tooling. So it doesn't matter if you sign a container with Skopeo or with Cosign, but it should be signed and it should only be run if it is signed, to be clear.
24:03
Are there any more questions? Do you think that the rules of the foundations might be part of the problem? I have an example, I'm part of an Apache project and we got a dedicated donation of money for our project
24:22
but Apache didn't allow us to spend it on development work, but more just on test devices, infrastructure and stuff like this. This is part of the problem, so the communities must be able to receive money, and this is not the case at the moment, but as far as I understood Miller and Isabelle, they are changing the rules at the moment, but I've not seen a final conclusion on that.
24:49
So the communities must receive money, and if you look into the Apache Foundation, who should audit all this code of the Apache Foundation? This can only be done on a project-by-project basis, so another project has to review the code of a different project.
25:09
Otherwise it would not work. If we audited all the code externally, then it would take years and nobody could actually do the work. The community must be able to improve itself, so the community must be able to review it internally.
25:30
And a security audit is never something you will like, but if it is done smoothly and by colleagues you know or a neighbor project, it's better than having an external auditor every 2 or 5 years. It doesn't really make sense.
25:49
Are there any more questions from the audience? So I see this like OpenSSF and the Sovereign Tech Fund, and also there was this UN fund they discussed earlier.
26:06
But it's very hard for me to decipher how much of this money would actually go into paying maintainers for their work, so it's actually sustainable for them to do this work. This is not completely defined, because you also need to do audits. The maintainers must be paid, especially if you have a long
26:24
term version or a version which is not actively developed anymore, but it might be very active in some parts of the critical infrastructure. Critical infrastructure sometimes has software which is run 20 years or 30 years, so I've seen Windows 95
26:42
systems recently, which is not what I want to see, but this means you need to organize long-time maintenance and you have to pay somebody, preferably from the community, but it can also be external support. Whoever can deliver this work.