Open source can be open door for hackers


13 December 2021 Technology & Digitalization

This article is an on-site version of our #techFT newsletter.

As the UK and other countries expect a “tidal wave” of Omicron Covid cases, cyber security firms fear a similar tsunami threatens the computer networks of millions of businesses around the world.

The Log4Shell vulnerability discovered at the beginning of this month is “probably the worst security vulnerability in at least the last 10 years — maybe longer,” according to Charles Carmakal, the chief technology officer for cyber security firm Mandiant. It’s the “worst bug impacting the internet in the last 5 years, at least”, said Matthew Prince, CEO of Cloudflare. “This is probably the most significant vul [vulnerability] in a decade. When all is said and done we may find it was the most significant ever,” said Amit Yoran, CEO of Tenable.

Sounds serious, huh? And yet we have no reports so far of major compromises of systems, other than Minecraft servers being affected last Thursday and reports of others being shanghaied and repurposed for crypto mining and denial of service cyber attacks.

Rather like serious Covid cases, though, the full extent of the problem can take a while to emerge, and how far it spreads depends on prompt mass action now to install the patch that fixes it.

The Log4Shell vulnerability is a weakness found in Log4j, an open-source software library for logging data in Java applications, which can allow a hacker to upload malware and take control of a server. Log4j has been downloaded millions of times and accompanies open-source Apache software installed on almost a third of all web servers globally.

There is a cure, in the form of a patch that has already been developed, but now that the flaw is exposed it is a race between hackers trying to exploit it and system administrators trying to fix it.

The bigger danger exposed is how dependent the world’s networks are on open source software that is often maintained only by volunteers in their spare time. There is obviously a need for a more professional approach in both maintaining and reviewing critical software. Log4j suffered from “a design failure of catastrophic proportions”, Free Wortley, CEO of the open source data security platform LunaSec, told Wired. As with all security breaches, we’ve just been made aware of our newest weakest link.
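The first step in that race for an administrator is finding every copy of the library in the estate, which is harder than it sounds because Log4j is usually bundled inside application archives rather than installed on its own. As an added example (not from the FT article or the Log4j project), the Python script below walks a deployment directory, looks inside jar, war and ear files for nested log4j-core jars, and flags those older than the fixed version the operator supplies from the vendor advisory. It assumes Maven-style artifact naming; the sample war it builds is constructed and not a real artifact.

```python
import io
import re
import zipfile
from pathlib import Path

# Assumption: Maven-style artifact naming, log4j-core-<version>.jar
LOG4J_CORE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, origin):
    # Look inside an archive and any archive nested in it; return [(location, version)]
    found = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            m = LOG4J_CORE.search(base)
            if m:
                found.append((f"{origin}!{name}", m.group(1)))
            elif base.endswith(ARCHIVES):
                found.extend(scan_archive(zf.read(name), f"{origin}!{name}"))
    return found

def scan_tree(root):
    # Walk a deployment directory: loose jars by name, then inside every archive
    found = []
    for p in (q for q in Path(root).rglob("*") if q.is_file()):
        m = LOG4J_CORE.search(p.name)
        if m:
            found.append((str(p), m.group(1)))
        elif p.suffix in ARCHIVES:
            found.extend(scan_archive(p.read_bytes(), str(p)))
    return found

def needs_patch(found, fixed_version):
    # fixed_version is whatever the vendor advisory names; numeric compare so 2.3 < 2.10
    def ver(s):
        return tuple(int(x) for x in s.split("."))
    return [(where, v) for where, v in found if ver(v) < ver(fixed_version)]

def build_sample_war():
    # Constructed sample, not a real artifact: a war with a nested log4j-core jar
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr("WEB-INF/lib/log4j-core-2.10.0.jar", inner.getvalue())
    return outer.getvalue()
```

Shaded copies, where the library's classes are repackaged under another jar name, are not caught by a file-name match; those need a search for the logging classes themselves on the class path.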

The Internet of (Five) Things

1. SenseTime postpones IPO
Chinese artificial intelligence company SenseTime has said it will postpone its $767m initial public offering in Hong Kong after being placed on a US investment blacklist. SenseTime said it would refund application money paid by investors and issue a revised prospectus before completing the offering and listing “soon”.

2. SoftBank’s first of its kind Spac
SoftBank is set to complete its first Spac merger by taking public a Walmart-backed artificial intelligence robotics company in a deal valued at $5.5bn. Symbotic, an AI start-up that focuses on improving supply chains for retailers, will merge with SVF Investment Corp 3, a Spac sponsored by SoftBank, the two companies said on Monday.

3. Alibaba fires #MeToo employee
Chinese ecommerce group Alibaba has fired a female employee who accused her superior of sexual assault on a business trip, in the latest setback for the country’s #MeToo movement. The company founded by billionaire Jack Ma accused the employee of “spreading false information” and “creating a negative impact”, according to a copy of the dismissal letter seen by the FT.

4. Gig economy workers protest at secret algos
Like many gig economy companies, Uber manages its tens of thousands of UK drivers with artificial intelligence programs, which handle everything from using facial recognition to check identities, to pairing drivers with customers, to spotting fraud when drivers cheat passengers or share accounts. But gig economy workers complain there is little redress when the computer makes a wrong decision, and that the companies do not tell them how algorithms will assess them, reports Madhumita Murgia.

5. Adobe gets creative with non-professionals
Adobe unveiled its first comprehensive package of design software for non-professionals on Monday, taking direct aim at a booming market that has turned Australian start-up Canva into one of the world’s most valuable private tech companies. The new Adobe service includes versions of widely used professional design tools such as the Photoshop picture editor, Illustrator graphics tool and video-editing service Premiere, behind a simpler interface that analysts said bore a striking resemblance to Canva.

Tech week ahead

Tuesday: Oppo hosts its annual INNO Day event on Dec. 14-15. The world’s fourth-largest smartphone maker will introduce its first foldable phone, its first in-house designed neural processing units, as well as an augmented reality device.

Wednesday: Samsara, an Internet of Things company, stages its IPO, hoping for a valuation of around $12bn. Lex says its high net retention, growing demand for data analysis and high gross margins mean it should be successful in hitting its target.

Thursday: Alibaba will host a virtual Investor Day with CEO Daniel Zhang and chief financial officer Maggie Wu, who will be replaced by current deputy CFO Toby Xu in April next year. Creative software maker Adobe reports quarterly earnings.

Tech tools — Panasonic’s Sound Slayer

Panasonic’s Sound Slayer neckband speakers © Panasonic

If you’re not a particular fan of earbuds, over the ear headphones, or even headsets with microphone wands on video calls, these neckband speakers resting lightly on the shoulder can be a more comfortable, almost unnoticeable option.

Panasonic’s Sound Slayer is aimed squarely at PC and console gamers. Its four speakers can create surround sound and sound fields for first-person shooters or role-playing games, while its dual microphones allow chats with your fellow gamers. It connects through a long USB or audio cable, and there are mute buttons for the punchy sound and the microphones, along with noise and echo cancelling features.

I used it to watch video streaming services, choosing the Cinema sound field and switching to Voice for a Zoom call. There is also a Music option, but the speakers were no match for a good pair of headphones or full-size speakers for true music enjoyment.

Other neckband options include Sony’s wireless speaker with Dolby Atmos (£269, $300) and Bose’s Soundwear Companion (£250, $300). Panasonic’s option slays both on price, at £160.