Log4j Open Source Bug Created “Endemic” Risk for “a Decade or Longer”

Continuing worries about the Log4j software bug are consistent with my skepticism of open source software in my book Openness to Creative Destruction. You can find a brief discussion in the chapter defending patents.

(p. A6) WASHINGTON—A major cybersecurity bug detected last year in a widely used piece of software is an “endemic vulnerability” that could persist for more than a decade as an avenue for hackers to infiltrate computer networks, a U.S. government review has concluded.

. . .

“The Log4j event is not over,” the report said. “The board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains.”

. . .

Security researchers uncovered last December a major flaw in Log4j, an open-source software logging tool. It is a widely used piece of free code that logs activity in computer networks and applications.

For the full story, see:

Dustin Volz. “‘Endemic’ Risk Seen In Log4j Cyber Bug.” The Wall Street Journal (Friday, July 15, 2022): A6.

(Note: ellipses added.)

(Note: the online version of the story has the date July 14, 2022, and has the title “Major Cyber Bug in Log4j to Persist as ‘Endemic’ Risk for Years to Come, U.S. Board Finds.”)

My book, mentioned above, is:

Diamond, Arthur M., Jr. Openness to Creative Destruction: Sustaining Innovative Dynamism. New York: Oxford University Press, 2019.

Scientists Should Not Censor Contrarian Conjectures from Outsiders

On Nov. 3, 2021 I presented my paper “Galilean Science: The Impediment to Progress When Science as Doctrine Wins Over Science as Process” at Day 3 of the Organisation [sic] for Economic Co-operation and Development (OECD) “Workshop on AI and the Productivity of Science.” The OECD has 38, mainly European, governments as members and has the objective of finding policies to advance the economic progress of the world.

The link above is to OECD’s recently posted YouTube Zoom recording of all of Day 3. My presentation starts at about 1:23.

In the session where I presented my paper, we were asked to answer one of a couple of questions. I chose to focus on the question: “What is the most important impediment to raising the productivity of science, and why?” My answer, in brief, was that science is impeded when authorities require adherence to the dominant doctrines, censoring rather than permitting the contrarian conjectures from outsiders who advance us toward truth.

Galilean science is also discussed on p. 129 of my Openness book:

Diamond, Arthur M., Jr. Openness to Creative Destruction: Sustaining Innovative Dynamism. New York: Oxford University Press, 2019.

“Overwhelmed” Volunteers Struggle to Fix Log4j Bug in Open Source Software

In Openness to Creative Destruction, I argue that open source software has severe drawbacks, compared to a system where firms receive higher profits for selling better software. The severe Log4j bug, discussed in the quoted passages below, is an example that strongly supports my argument. Blog entries posted on Dec. 17 and on Dec. 25 also discussed the Log4j bug.

(p. B6) Gary Gregory, a volunteer for the Apache Software Foundation, is spending time off from his day job glued to his computer, striving to help contain the harm from a security flaw in the Log4j tool underpinning much of the digital economy.

. . .

Mr. Gregory, who works from the dining-room table in his Ocala, Fla., home, fueled by black coffee and accompanied by his hound-pit-bull mix, Bella, said he is overwhelmed with hundreds of requests for help from businesses. While Apache is trying to assist companies in updating their systems, he said, the nonprofit’s resources are limited.

“This puts to the forefront the whole issue with open-source [software] and commercial users,” said Mr. Gregory, who is on the Apache Logging Services Project Management Committee of 16 elected members who vote on changes to the software. “The expectations are somewhat out of whack.”

. . .

Many developers rely on the free Log4j framework to help record data such as users’ behavior and applications’ activity in software built with the Java programming language. Cybersecurity experts say the inclusion of the open-source logging tool within so much interconnected software—often embedded without developers’ knowledge—yields a threat that spans economic sectors and national borders.

. . .

Cybersecurity firm Mandiant Inc. said it has observed Chinese government hackers trying to exploit the flaw.

After Apache released its planned patch on Friday, Mr. Gregory said he worked through the weekend on a new update along with other volunteer software developers in Japan, New Zealand, Virginia and Arizona. Unveiled Monday, the new version disabled a problematic software module by default and removed a message-lookup feature that could be used to exploit the flaw.

The Apache volunteers are designing another update to Log4j for users who rely on an older version of the Java programming language, meaning more work for Mr. Gregory while he is on vacation from his day job.

“That translates to me getting five hours of sleep last night,” he said of his time off. “Some of the other guys got two or three.”

For the full story, see:

David Uberti. “Fight Against Bug Relies on Volunteers.” The Wall Street Journal (Thursday, December 16, 2021): B6.

(Note: ellipses added.)

(Note: the online version of the story was updated Dec. 15, 2021, and has the title “Global Fight Against Log4j Vulnerability Relies on Apache Volunteers.”)

My book, mentioned above, is:

Diamond, Arthur M., Jr. Openness to Creative Destruction: Sustaining Innovative Dynamism. New York: Oxford University Press, 2019.

Open Source Log4j Software Bug “Poses a Severe Risk”

In Openness to Creative Destruction, I argue that open source software has severe drawbacks, compared to a system where firms receive higher profits for selling better software. The severe Log4j bug, discussed in the quoted passages below, is an example that strongly supports my argument.

(p. B1) The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an urgent alert about the vulnerability and urged companies to take action. CISA Director Jen Easterly said on Saturday, “To be clear, this vulnerability poses a severe risk.” . . . Germany’s cybersecurity organization over the weekend issued a “red alert” about the bug. Australia called the issue “critical.”

Security experts warned that it could take weeks or more to assess the extent of the damage and that hackers exploiting the vulnerability could access sensitive data on networks and install back doors they could use to maintain access to servers even after the flawed software has been patched.

“It is one of the most significant vulnerabilities that I’ve seen in a long time,” said Aaron Portnoy, principal scientist with the security firm Randori.

. . .

(p. B2) The software flaw was reported late last month to the Log4j development team, a group of volunteer coders who distribute their software free-of-charge as part of the Apache Software Foundation, according to Ralph Goers, a volunteer with the project. The foundation, a nonprofit group that helps oversee the development of many open-source programs, alerted its user community about the vulnerability on Dec. 9 [2021].

“It’s a very critical issue,” Mr. Goers said. “People need to upgrade to get the fix,” he said. Log4j is used on servers to keep records of users’ activities so they can be reviewed later on by security or software development teams.

Because Log4j is distributed free, it is unclear how many servers are affected by the bug, but the logging software has been downloaded millions of times, Mr. Goers said.

For the full story, see:

Robert McMillan. “Software Flaw Spurs Race to Patch Bug.” The Wall Street Journal (Monday, December 13, 2021): B1-B2.

(Note: ellipses, and bracketed year, added.)

(Note: the online version of the story was updated Dec. 12, 2021, and has the title “Software Flaw Sparks Global Race to Patch Bug.”)

My book, mentioned above, is:

Diamond, Arthur M., Jr. Openness to Creative Destruction: Sustaining Innovative Dynamism. New York: Oxford University Press, 2019.

Solve Future Crises by Allowing the Nimble to Innovate

Donald Boudreaux, on his Café Hayek blog, quotes a passage from my Openness book, saying that the best way to prepare for unknown future crises is to sustain a society where nimble innovators are allowed to nimbly innovate. Donald posted the quote on Mon., Dec. 6, 2021.

My book is:

Diamond, Arthur M., Jr. Openness to Creative Destruction: Sustaining Innovative Dynamism. New York: Oxford University Press, 2019.

Pandemic Results in “Historic” Increase in Free-Agent Entrepreneurs

In my book Openness to Creative Destruction, I distinguish between free-agent entrepreneurs and innovative entrepreneurs. Free-agent entrepreneurs work for themselves mostly doing what has been done before. Innovative entrepreneurs work for themselves mostly doing something new. (The dividing line is not sharp.) During the pandemic we have seen a large increase in free-agent entrepreneurs. The number of innovative entrepreneurs is hard to measure, but I believe that the loss of health capital, the increase in transaction costs, and the growth of government regulations and lockdowns have reduced their number.

(p. A1) The pandemic has unleashed a historic burst in entrepreneurship and self-employment. Hundreds of thousands of Americans are striking out on their own as consultants, retailers and small-business owners.

The move helps explain the ongoing shake-up in the world of work, with more people looking for flexibility, anxious about covid exposure, upset about vaccine mandates or simply disenchanted with pre-pandemic office life. It is also aggravating labor shortages in some industries and adding pressure on companies to revamp their employment policies.

The number of unincorporated self-employed workers has risen by 500,000 since the start of the pandemic, Labor Department data show, to 9.44 million. That is the highest total since the financial-crisis year 2008, except for this summer. The total amounts to an increase of 6% in the self-employed, while the overall U.S. employment total remains nearly 3% lower than before the pandemic.

Entrepreneurs applied for federal tax-identification numbers to register 4.54 million new businesses from January through October this year, up 56% from the same period of 2019, Census Bureau data show. That was the largest number on records that date back to 2004. Two-thirds were for businesses that aren’t expected to hire employees.

(p. A14) This year, the share of U.S. workers who work for a company with at least 1,000 employees has fallen for the first time since 2004, Labor Department data show. Meanwhile, the percentage of U.S. workers who are self-employed has risen to the highest in 11 years. In October, they represented 5.9% of U.S. workers, versus 5.4% in February 2020.

The self-employment increase coincides with complaints by many U.S. companies of difficulties—in some cases extreme—in finding and retaining enough employees. In September, U.S. workers resigned from a record 4.4 million jobs, Labor Department data show.

Kimberly Friddle, 50 years old, quit her job as head of marketing for a regional mortgage company near Dallas in September 2020.

. . .

. . . when a friend contacted her the next month, she saw an opportunity.

The friend sold home décor items on Amazon.com from his home in Canada, and Covid-related border restrictions were making it difficult to process returns. When he explained what he needed—primarily, someone to examine returned items for damage and ship them back to Amazon—Ms. Friddle felt the work could be a good challenge and a chance for her older daughter, Samantha, to gain some work experience.

They began processing returns for him steadily. When other Amazon sellers he knew needed help with warehouse-related tasks that were also made harder by the pandemic, he referred them to Ms. Friddle.

. . .

Now she runs an Amazon logistics, warehousing and fulfillment business full time from the family’s home outside Houston and rented warehouse space nearby.

. . .

Though the decision to leave that job was an emotional one, she said, a change after 27 years has given her new energy and confidence in addition to the flexibility.

“I didn’t have a plan when I left,” she said. “I wasn’t giving enough attention to the needs of my family. I wasn’t giving enough attention to the job that needed to be done. I felt like I was failing everywhere.”

Now, “I feel so successful and I wake up every day like, ‘I wonder what’s going to happen today.’ ”

. . .

Through the late 19th century, a large share of Americans worked for themselves, as farmers or artisans. With new technology such as electric lighting, manufacturing expanded, and many people left the field for the factory floor. They landed in an environment of strictly defined work hours and hierarchies—workers overseen by managers overseen by executives.

By the time Covid-19 arrived in the U.S., the advent of apps, websites and companies catering to entrepreneurs and freelancers was already giving employees options.

. . .

Marcus Grimm, a 50-year-old in Lancaster, Pa., worked at advertising agencies from the time he finished college. For years, he toyed with freelancing. “I had always considered it, but literally just never had the guts to make the move,” he said. “I was scared I would lose sleep every night worrying about my next dollar.”

Early in the pandemic, Mr. Grimm, a married father of two grown children, was laid off. He logged onto Upwork, a website that connects freelance workers from a wide range of industries with potential clients. He fielded several assignments doing ad campaigns for big companies, charging a low hourly rate.

Business flowed in. He has steadily raised his rate, to $150 an hour. Mr. Grimm said he now earns more than in his old job, which paid $130,000 a year.

His favorite part is not having to deal with corporate politics or any bureaucracy. He can go kayaking in the middle of the day.

“I’m the one who finds the client, I’m the one who does the work, and I’m the one who deals with any of the problems that come up,” he said.

. . .

Part of the current shift to self-employment might prove temporary. The boom in self-employed day traders during the dot-com hoopla of the late 1990s deflated along with the stock bubble.

A sharp rise in savings—boosted by a federal supplement to unemployment benefits, most recently $300 a week, that was paid for as long as 18 months of the pandemic—provides some individuals a financial cushion to pursue self-employment. As they run down those savings, some might again want a regular paycheck, economists say.

In addition, if labor shortages ease, freelancers could face stiffer competition from companies in landing clients. Finally, if the pandemic recedes, so might one piece of the impetus to leave regular work in favor of self-employment. Five percent of unvaccinated adults say they left a job because of a vaccine requirement they opposed, according to a Kaiser Family Foundation survey in October [2021].

For the full story, see:

Josh Mitchell and Kathryn Dill. “Workers Quit Jobs in Droves to Become Their Own Bosses.” The Wall Street Journal (Tuesday, Nov. 30, 2021): A1 & A14.

(Note: ellipses, and bracketed year, added.)

(Note: the online version of the story has the date November 29, 2021, and has the same title as the print version.)

My book, mentioned at the top, is:

Diamond, Arthur M., Jr. Openness to Creative Destruction: Sustaining Innovative Dynamism. New York: Oxford University Press, 2019.