IEEE Cipher --- Items from security-related news (E165)
Summary:
The online retailer Alibaba reported a security problem in November of
2021. The commonly used Java logger, called Log4j, could be subverted
via carefully crafted web requests, and as a result, any kind of
software could be downloaded and manipulated by remote parties.
Exploits emerged immediately after the discovery of the problem.
Log4j is an open source module used with Apache servers. Not all
versions of the module are susceptible, but its long-standing and
ubiquitous use affects a huge swath of software. Major hosting
sites were able to rid themselves of the problem during December.
Summary:
The scope of the Log4j problem can be understood by doing a survey
of the open source software that depends on the module. Tens of
thousands of packages are affected.
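The survey described above amounts to a reverse-dependency walk: start at the module in question, collect every package that declares it as a dependency, then keep walking to the packages that depend on those, until nothing new turns up. The following is an added example, not code from the newsletter or from any published survey; the dependency graph is constructed, and every package name in it other than log4j-core and log4j-api is an illustrative placeholder.

```python
"""Reverse-dependency survey: which packages are exposed to a given module?

Added example. SAMPLE_GRAPH is a constructed dependency graph mapping each
package to the set of packages it declares as direct dependencies. Package
names are placeholders (log4j-core / log4j-api are the only real names).
"""
from collections import deque

SAMPLE_GRAPH = {
    "log4j-core": set(),
    "log4j-api": set(),
    "web-framework": {"log4j-core", "log4j-api"},   # direct dependent
    "http-client": {"log4j-api"},                   # depends on the API jar only
    "reporting-tool": {"web-framework", "http-client"},
    "batch-jobs": {"log4j-core"},                   # direct dependent
    "frontend-assets": set(),                       # unrelated package
    "data-pipeline": {"reporting-tool"},            # exposed two hops away
}


def reverse_edges(graph):
    """Invert package -> dependencies into dependency -> set(dependents).

    Dependencies that appear only on the right-hand side (never as a key)
    still get an entry, so the walk can start from any module name.
    """
    rev = {pkg: set() for pkg in graph}
    for pkg, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def affected_packages(graph, module):
    """Return (direct, transitive) sets of packages that pull in `module`.

    Breadth-first over the reversed graph; the `seen` set makes the walk
    terminate even if the dependency graph contains cycles.
    """
    rev = reverse_edges(graph)
    direct = set(rev.get(module, set()))
    seen = set(direct)
    queue = deque(direct)
    while queue:
        current = queue.popleft()
        for dependent in rev.get(current, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return direct, seen - direct


def exposure_report(graph, module):
    """Summarise scope: direct dependents, transitive dependents, fraction."""
    direct, transitive = affected_packages(graph, module)
    total = len(graph)
    affected = len(direct) + len(transitive)
    return {
        "module": module,
        "direct": sorted(direct),
        "transitive": sorted(transitive),
        "affected_fraction": affected / total if total else 0.0,
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_GRAPH, "log4j-core")
    print(f"module: {report['module']}")
    print(f"direct dependents:     {report['direct']}")
    print(f"transitive dependents: {report['transitive']}")
    print(f"share of packages exposed: {report['affected_fraction']:.0%}")
```

On the constructed graph, two packages declare log4j-core directly, but half of all packages end up exposed once the transitive dependents are counted; the same walk over a real ecosystem's dependency metadata is what produces the "tens of thousands" figure, and the transitive share is usually the larger one. The distinction matters for remediation: a direct dependent can bump its own version pin, while a transitive one needs either an upstream release or a dependency override.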
Summary:
While much of the world has scrambled to upgrade its web servers to
use a non-vulnerable version of Log4j, older versions remain widespread.
Malicious parties like "Aquatic Panda" are on the lookout for them.
Any web-accessible instances are likely to be hit in the coming months.
Summary:
One of the reported exploits associated with the remote
code execution problem is "installing a cryptominer." The problem
with cryptominers is that it's the bad guys who steal your computing
power for their own good. Why should you lose out? Norton decided to
remedy this inequity by giving users their own cryptominers. Usage is
optional (of course, Norton takes 15% of the gross), but the idea of
bundling unrelated software with a security product is startling.
Perhaps it is meant to help the world, as if your roofer automatically
installed solar panels for free. You might need those if you get into
serious cryptomining.
Summary:
In addition to the element of surprise and controlling
the high ground, perhaps "confuse their web servers" should be added
to common military tactics. As troops menace Ukraine, malicious
software has disrupted some of its web servers at government agencies
and non-profits. The software is disguised as ransomware, but it
seems to have no criminal purpose. Ukraine said that Belarusian
intelligence was behind the disruptive attacks via a hacking group
that they control. The hacking might be a precursor to a military
attack, or it might be the "normal" sort of cyber harassment that
characterizes poor international relations.
Summary:
National Security Advisor Jake Sullivan conducted a timely
"constructive discussion" about improving the security of open source
software. The Log4j problems illustrated that open source is an
important part of software ecology, but greater security is a
necessity. That security will come at a price, one that the tech
sector would like to see funded by the Federal government. "Akamai
Technologies called for the government and industry to prioritize
investment in new technologies that will increase visibility into the
use of open source, ideally using automated tools." One presumes these
automated tools will themselves be open source and recursively subject
to such visibility?