Episode 108: The Biggest Security Vulnerability of All Time

Log4Shell, a vulnerability in the Java application logging framework Log4J, has been called the worst security vulnerability ever. Is that just the usual hype, though? Or why haven’t we seen the forecast large-scale exploitation of this bug? Is there something more sinister at play here?

Before taking a bit of a hiatus, today’s episode of The Private Citizen looks at December’s big security news and tries to figure out whatever came of it.

Note: I will take the month of February off work to try and finish my novel – that includes this podcast. Please do not expect any podcast episodes during February. I will, however, make up the lost episodes to you later on, as I usually do.

What is Log4Shell?

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in the Java application logging framework Log4J that was discovered on 24 November 2021 by the Alibaba Cloud security team and reported to the Apache Software Foundation. It was publicly disclosed on 9 December 2021 and received a maximum CVSS rating of 10.

When it was disclosed, it was called “the most severe vulnerability ever”. The Washington Post even ratcheted the hyperbole up to say that it “borders on the apocalyptic”. There was talk in infosec circles on Twitter (which ironically was vulnerable at the time) of “the internet being on fire”.

If it was really that bad, why didn’t we see huge outages and major high-profile hacks? Sure, there were a lot of ransomware attacks, some crypto miners and the Belgian ministry of defence got hacked, but nothing to justify the over-the-top panic. To answer the question, I must first explain how Log4Shell works and why it’s such a bad vulnerability.

What Does It Mean?

But that doesn’t explain why we haven’t seen half the internet go down because of this vulnerability. Answering that question is a lot harder. And there really aren’t any definite facts to fall back on.

What is probably true is that the widespread panic galvanised everyone who knows what they are doing when it comes to security into action immediately. So the big players fixed their shit.

But what about smaller companies and organisations? How many vulnerable systems are still out there today? And even more worryingly: How many systems were backdoored in the initial attack without anyone even knowing? Will we, for years, see hacks that, if they are investigated properly, will lead back to Log4Shell? It’s a tired old cliché, but I fear it is well suited to this situation: Only time will tell.

Producer Feedback

Answering my call on episode 106, we had a number of people chiming in on the forum about the SARS-CoV-2 pandemic and how they see the situation – are they afraid? I found this thread to be full of interesting perspectives.

Bazzawill:

To answer your question, I do not have the fear that others have about SARS-COV-2, I definitely agree there is more fear out there than necessary. What I understand about Omicron is it is more contagious but milder in symptoms; especially as I am vaccinated. I am planning on getting a medical exemption for wearing masks as it is likely to be required during work and it is not something I can cope with all day. I will, however, likely wear my mask for as long as I can stand it to appease the fearful.

RedeemerF:

Am I afraid? It’s a good question, especially that till now I’m still unvaccinated (the horror!). So the question might as well be: am I afraid of the vaccine? I’m still unvaccinated because I don’t think that I’m of the risk group, and that most probably I would be able to resist it. But I’m also not 100% sure, as I don’t see that there’s actual information about why do people react differently to it. The only thing that I hear is that I should be afraid and that I should get vaccinated, and that’s it!

Initially I had in mind to wait until there is more data about the vaccine, but now it seems that it’s not just a one time business, now you have to accept the vaccine into your life (as Adam Curry puts it!). From the look of it, I feel that I will be forced to get vaccinated to continue normal life, and I don’t feel particularly happy about it, but it will not be the end of the world! So in the end, I don’t feel particularly driven by fear, but on the other hand, I completely agree that fear is being used as a way to drive people’s behavior.

nekr0z:

I join the others: I’m not afraid, and I felt no need to be afraid too much from the very start. However, mine’s quite a particular situation: first me and my wife didn’t give a damn, but then she got pregnant with our daughter, and got really over-the-top virus-avoiding. She was taking no bloody chance in hell, she would step three meters off the path to avoid the oncoming people while walking in the park; I decided that, all things considered, I wouldn’t blame her, and would comply: for 9 months, we had no guest in our house, we met friends and family only outside and kept our distance, and so on. After our daughter was born, we returned back to sanity. And now, a year later, we’ve all had the infection, and see no reason to be scared at all any more.

As for people around me, Russia seems to be divided into two camps: the absolutely insane pro-vax “how dare you not vaccinate, you’re putting my life at risk” people that are so scared they support mandatory vaccinations and executing the refusers immediately, and the totally bonkers anti-vax “don’t you come near me or my kids, you 5G-chipped scum! even if the thing they injected you with is not contagious (which it is), the radiation you’re emitting can’t be good” people that sincerely believe COVID is a hoax altogether. And, in total accordance with the hundreds-of-years-old Russian tradition, the vast majority of people join neither camp, keep their mouths shut, and only confide to closest friends, so there’s no telling what the masses really think. The government and the press (and independent press doesn’t exist here) do their best to scare people, as seems to be the case in other countries, too.

Personally I think the pandemic is the new terrorism. For 20-odd years (became obvious after 9/11, but has been in action long before that), the global terrorism was the big threat that demanded sacrificing everyone’s rights to privacy, dignity, and self-respect. The threat looked scary enough to a big enough number of people that the sacrifices were made. Looks like that threat is going out of fashion, and we’re having pandemics now – to the same extent. Not as much the current pandemic (judging by the latest WHO communiques, it’s ending in the near future) as the imminent future ones (to which, judging by the same WHO communiques, we should now dedicate all our efforts to prepare for).

RedeemerF:

Me and my family being in a foreign country, with no active social life, it was relatively easy to comply with social distancing.

Now I’m still working mostly from home, my wife is not working, only the daughters are going to school (thank God!). So we didn’t get infected, and I’m still wondering how it would go.

But what infuriates me is the attitude that I (being unvaccinated) am a threat to the vaccinated. One friend argued that the issue is the risk to overload the medical system if people refuse to get vaccinated, and for this he’s with mandating it.

SteveB:

I think the whole thing is starting to unravel. Countries such as England, Ireland, and the Czech Republic are walking back their mandates.

Canada on the other hand has ramped up their mandates, which currently appears to be backfiring rather spectacularly. I have commented before on some of the mind-blowing lack of logic in Canada, such as you cannot work in health care anymore if you are not vaccinated, but you can continue to work in health care if you are vaccinated and have a current positive covid test. Well, just the other weekend they mandated that no unvaccinated truck drivers may cross into Canada, with the USA mandate on the same scheduled to come into play in the next few weeks. Enter the backfires… Mainstream media isn’t reporting much on it, and the news articles I saw actually downplayed it and even tried associating it with other events, but we now have the largest truck convoy in known history headed to our federal government. There are 2 routes from the westernmost provinces, I’m not sure how many from the easternmost provinces, and it’s all scheduled to converge at our federal government this coming Saturday. The gofundme that was set up to help cover costs is currently over $4 million, and climbing fast, with companies pledging up to $10k at a time. And current word is that American trucks are headed up to join, coming from as far away as Georgia. Current registration puts the total at over 50,000 trucks and 500,000 people in transit. I think Saturday will be a day worth watching.

If you have any thoughts on the things discussed in this or previous episodes, please join our forum and compare notes with other producers. You can also contact me in several other, more private ways.

Toss a Coin to Your Podcaster

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

You can also support the show by sending money via PayPal, if you prefer.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I’d like to credit everyone who’s helped with any aspect of this production and thus became a part of the show. I am thankful to the following people, who have supported this episode through Patreon and PayPal and thus keep this show on the air:

Georges, Steve Hoos, Butterbeans, Jonathan M. Hethey, Michael Mullan-Jensen, Dave, Michael Small, 1i11g, Rhodane the Insane, Jaroslav Lichtblau, Jackie Plage, Philip Klostermann, ikn, Vlad, Bennett Piater, tobias, Sandman616, Kai Siers, m0dese7en, Joe Poser, Fadi Mansour, Dirk Dede, Rizele, avis, David Potter, Mika, MrAmish, Cam, Dave Umrysh, RikyM, Barry Williams, Jonathan, RJ Tracey, Rick Bragg, Captain Egghead, Robert Forster, Superuser, astralc, D, Noreply and Iwan Currie.

Many thanks to my Twitch subscribers: Mike_TheDane, jonathanmh_com, Sandman616, BaconThePork, m0dese7en_is_unavailable, Nommed771, waternoose_xyz, mtesauro, l_terrestris_jim and jonathane4747.

I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

Podcast Music

The show’s theme song is Acoustic Routes by Raúl Cabezalí. It is licensed via Jamendo Music. Other music and some sound effects are licensed via Epidemic Sound. This episode’s ending song is Brain Copy Syntax Error by Oh the City.