MV Journal December 13 - January 10

I have to be honest. The last weeks of 2021 weren’t great since I had to isolate myself after being caught by the bug of the decade. With the first week of this year still at home, I avoided a massive list of news that probably already went through the feeds of everyone. So this edition is short, only sporting the News.ceil of the last weeks. How’s your end of the year? And how did the new one begun? I hope that everything went well because twenty twenty-two might augur a twenty-twenty too.

  1. News.ceil


SSH via Log4J

November 24th 2021, Mr Chen Zhaojun from Alibaba’s Cloud Security Team reported a bug at Apache Foundation Log4j project page, urging them to patch it as soon as possible since it was too critical. The conversation about the issue can be tracked on the project GitHub page. with a developer pointing out that the problem was raised many months before the 0-day came into effect. You’ve probably got some words about it even if you don’t work in the development space. Log4J is a widely used library in many JVM based applications, and it’s almost seen as the default logging library to the extent that even videogames such as Minecraft were affected. I personally know product and library developers that toiled almost 24/7 during the next three days to ship patches and updated binaries with the recommended mitigations. It is very likely that even now, you’ll find many applications that cannot be easily upgraded or updated to fix the issue, leaving companies, jobs and data at risk. Are you patched? You better hurry.

Theranos. One down, one to go.

Thursday, July 23th 2015, the United States vice president at the time, Mr Joe Biden, visited Theranos labs and described the facility as the laboratory of the future. Mr John Ioannidis, physician-scientist, writer and Standford University professor, later pointed out many issues with the lab and the company promises that were a mix of sensationalism with corporate propaganda. Nevertheless, Mr Biden visit and his statements pushed the company to a stellar status, effectively legitimizing one of the biggest startup frauds in the United States.

Two days after the beginning of 2022, Ms Elizabeth Holmes left San Jose Califórnia federal court with her verdict. Ms Holmes was found guilty of one count of conspiracy to defraud investors, as well as three wire fraud counts tied to specific investors, and now faces up to twenty years of jail time. Many other accusations have fallen during the trial, and jury deadlock cleared a few others, but even with the alleged sexual abuse of her ex-partner and co-founder, Ms Holmes faces a dire future. Mr Sunny Balwani is next in line for the accusation chair. Prospects are also ominous for Mr Balwani, facing a Ms Holmes facsimile list of counts.

It is a shame that Theranos technologies were failed or merely faked. Many incremental improvements of rapid testing are clear during a pandemic, so one has to imagine a world where diseases are dealt with, years before the first symptom. Can someone pick up the work?

PS: Check this CNN piece with more details about the trial.

“Get off my lawn”, says an old aeroplane to a 5G tower

At Multivision, it’s almost mandatory that some telco subjects show up. First, let me add that 5G doesn’t cause Covid or any type of satanic plan to take over the world order. So, keeping the previous statement in mind, there might be a few kinks with 5G waves and older equipment that still operate in the same radio spectrum.

The American Federal Aviation Administration, or just FAA, asked telecoms to delay their 5G C-Band equipment activation around some airports. The move comes after several reports that old aircraft are affected by the waves, making altimeters reporting out of range values when ascending and descending from airports.

Problems between air vehicles and mobile telecommunications aren’t new, of course, but it’s hard to understand how such critical systems don’t go through proximity tests in the equipment development phase. Let add a bit more fuel on those 5G conspiracies, shall we?

2022 Peak Engineering - The Webb

Don’t get confused with the title. There isn’t a typo.

The James Webb telescope was one of the most anticipated projects for space exploration. It took nearly ten billion dollars and more than two decades from ideation to deployment. January 8th 2022, marked its full deployment in a far earth orbit, specifically in the second Lagrange point, or L2, a whopping 1.5 million kilometres from Earth. For comparison, the Moon is separated from the Earth by 384 400 Kilometres. With an expected shelf life of fifteen years, there are high expectations for the scientific tool ensemble that travelled on top of an Ariane booster on Christmas day last year. Besides replacing the old Hubble telescope, the four shiny instruments within the James Webb telescope shift the current star gazing paradigm reaching new frontiers. The estimated observability improvement is around one hundredfold making it detect fainter signals outside Earth’s reach. More details can be found at the James Webb NASA page, but the Wikipedia page is also a great source of content about the project. Planet X, we are coming for you.

(In)Security ramble

January 9th

On January 2nd, Impresa, a Portuguese media publisher and owner of several online and offline paper publications, was attacked. All of its online papers were defaced by attackers, and cloud accounts were compromised. As presented in one of the Impresa newspapers addresses, Expresso, Lapsus$ Group left a contact address for ransom negotiation. Last year the same group attacked Brazilian governmental institutions, including the Brazilian Health Ministery systems, exposing the private data of many Brasilians.

In News.ceil, I’ve skimmed the surface of Log4Shell, the endearing name that the Log4j vulnerability got while putting the entire world on alert, forcing operation and security teams to spend more than a whole weekend mitigating the issue. At the same time, many Software Development teams had to ship fresh libraries and products with a fix, update or mitigation. Cloudflare CEO, Mr Matthew Prince, posted a tweet showing unusual traffic data flows as circumstantial evidence of data before the 0-day announcement. Since this vulnerability was in the source code since 2013, it’s impossible to know the damage done up to this point.

I believe that most of the patching effort that occurred in companies affected by the issue was paid with back-patting for the action. The same type of payment that Log4j open-source developers got after an urgent patching code sprint. Let me stress that this is my belief supported by my finicky empirical experience. While I can’t prove that most of these teams worked “for free” or in their usual prevention schedules, it is assured that the volunteers in every open source project will tell you that almost no money is made with their hard work.

It is appalling.

What this has to do with Impresa’s situation? The same stinginess and lack of concern with information technology systems lead to attacks that could be prevented. Some of these incidents put jobs, and essential information at risk, sometimes lives when Hospitals or Utilities are involved. I’m not talking about heavyweight investments in tools and services to keep an infrastructure somewhat more safe than the typical site but just the required investment in security basics and developers that support the world with their low-cost code. As mentioned in MV Journal’s second edition, a basic 3-2-1 backup rule would have left Impresa with the complex but predictable work of rebuilding and deploying its content elsewhere. The official site is working at the moment of writing this piece with a “provisional” warning at the top. We still need to wait for an official word about what happened to all company data, but I don’t believe that we will know it.

Paid security bug bounties from companies that rely on open-source technologies could prevent many of these situations. Listening to technologists concerns about security issues and promoting SecOps training should be paramount. But when your teams sacrifice, why would management care? The price is the same unless data is completely destroyed or locked out, probably what happened at Impresa. And guess what, those helpful volunteers already patched the library that everyone uses, so let’s ask developers to crunch a bit more overnight and leave infrastructures pristine.

This piece ending was different when I wrote it the first time. Between yesterday and today, we got the news that Mr Marak Squires, the developer of some well-known Javascript libraries, tainted his code repositories and packages, introducing infinite loops and other problematic code paths, breaking applications that had those dependencies and got updated.

Why? For the same concern that I’m sharing in this piece. No one is paying for this code, but everyone uses it and takes profit from it, most of the time ignoring what it does besides what is promoted. Obviously, this type of “terrorism” doesn’t solve nor help the cause, but it is just another warning.

As in-house technologists, we need to push the word that open-source code needs to be paid and that even small donations make a difference. A budget of even 0.1% dedicated to spreading over Patreon, Flatter, et al. could be enough to motivate some of these talented developers to dedicate their valuable time to improve, stabilize and harden the foundations of what we want to call the 4th industrial revolution. If not, what should we expect with AI and distributed systems taking over the world? Nothing good for sure.

Previous MV Journal Edition