December 09, 2022

😎 TGIF, everyone. Welcome back to Codebook.

  • We're only a few days out from the start of the end-of-year holidays (nine 'til Hanukkah, 16 'til Christmas and 17 'til Kwanzaa). We've got this 💪🏼.
  • 📬 Have thoughts, feedback or scoops to share? [email protected]

Today's newsletter is 1,465 words, a 5.5-minute read.

1 big thing: One year later, Log4j's threat lingers on

Illustration: Sarah Grillo/Axios

Today marks one year since the Apache Software Foundation unveiled a critical vulnerability in Log4j, its popular open-source logging tool, which left millions of devices open to hackers.

The big picture: A year after one of the most widespread security vulnerabilities in recent history was exposed, companies are still wrestling with how to patch the flaw — or with determining if they were affected at all.

  • Log4j, which was created by a group of volunteer coders, logs activity across software and online services so developers can easily spot issues and unusual behavior. It can be found both in products and in the third-party tools used to build those products.
  • Once exploited, the vulnerability in Log4j could give hackers remote control of whatever system is running the code, allowing them to download malicious code onto it or take other actions.

Threat level: The Log4j vulnerability continues to pose a high risk to the vast majority of affected companies, according to recent reports.

  • Ransomware actors and state-sponsored actors have targeted the flaw throughout the year. The Cybersecurity and Infrastructure Security Agency warned last month that Iranian hackers had used the Log4j vulnerability to attack a federal agency earlier this year.
  • Cybersecurity firm Tenable estimates that 72% of organizations are likely still vulnerable. And 29% of those that remediated the flaw ended up vulnerable again.
  • Arctic Wolf Labs said this week that Log4j exploitations made up 11% of its incident response cases in 2022, with the average cost for incident response amounting to $90,000.

Between the lines: Many companies don't keep detailed inventory lists of every product and supplier that's in their networks, software supply chain or hardware components — making identifying something as small as Log4j difficult, if not impossible.

  • "There were multiple very large device manufacturers who actually said, 'Hey, we don't have the Log4j vulnerability,' and in fact, they did," said Thomas Pace, co-founder and CEO of firmware security firm NetRise.
  • "I don't think that they were lying; they just didn't know because it's a really hard problem to identify," Pace added.

The intrigue: In the last year, organizations and government officials have poured plenty of resources into strengthening open-source security to prevent future widespread critical security flaws.

Yes, but: It's up to companies to put in the work to determine which systems are still running a vulnerable version of Log4j, Mark J. Cox, Apache Software Foundation vice president of security, told Axios.

  • Synack CEO Jay Kaplan told Axios that while some organizations continue to invest resources in sifting through their products to determine where vulnerable versions of Log4j could be, others aren't "taking it seriously."
  • "This reinforces that certain software is critical and ubiquitous enough that it's everywhere and in places that people don't know about," said Dan Lorenc, founder and CEO of supply chain security firm Chainguard. "The unknown unknowns are the ones that are problematic here."

Reality check: Log4j is an "endemic" problem, per a report from the Cyber Safety Review Board at the Department of Homeland Security.

  • "Unfortunately, we're still in a pretty bad place," Kaplan said. "These vulnerabilities are being taken advantage of all over the world. We have to do better."

2. FBI disses Apple's iCloud encryption plans

The Apple Store in Turin, Italy. Photo: Alexander Pohl/NurPhoto via Getty Images

The FBI is pushing back against Apple's new plans to offer end-to-end encryption on iCloud backups, arguing it would impede its investigations into terrorist acts, organized crime, child abuse and more.

Driving the news: Earlier this week, Apple unveiled a suite of new security tools that would better protect iOS users' data, including plans to expand end-to-end encryption to iCloud backups of users' messages, location data and other sensitive personal data.

  • Several years ago, Apple dropped plans to provide this level of encryption of backups following FBI complaints, per Reuters.

What they're saying: "The FBI continues to be deeply concerned with the threat end-to-end and user-only-access encryption pose," the bureau said in a statement to Axios.

  • "This hinders our ability to protect the American people from criminal acts ranging from cyberattacks and violence against children to drug trafficking, organized crime and terrorism," the bureau added. "End-to-end and user-only-access erodes law enforcement's ability to combat these threats and administer justice for the American public."
  • The Wall Street Journal first reported the FBI's response Wednesday.

The big picture: Apple and the FBI have long gone toe-to-toe on the right level of encryption for iOS data.

Between the lines: Apple is pushing hard to be the tech company users see as the most secure and private, as seen in its privacy requirements for apps and new initiative rollouts.

  • In October, Apple launched Lockdown Mode to give those who believe they could be under surveillance the ability to block message attachments, certain web functions and video calls that could spread malware.

3. ZeroFox stays optimistic about 2023 economy

Data: Yahoo Finance; Chart: Axios Visuals

The only cybersecurity company to go public in 2022 is already beating analysts' revenue expectations — and it's doing so at a weird time for public cyber markets.

Why it matters: Cybersecurity is typically seen as a recession-proof market since customers still need to keep their networks secured even in a downturn.

  • However, recent stock price changes suggest some cyber companies are adapting to the current market conditions better than others.

Driving the news: Earlier this week, ZeroFox reported its first-ever quarterly earnings after becoming the only cybersecurity company to go public this year via a SPAC deal with L&F Acquisition Corp. in August.

The big picture: ZeroFox CEO James Foster told Axios that going public gives the company a financial cushion to navigate whatever the economy has in store heading into 2023.

  • Meanwhile, major cyber companies are seeing double-digit percentage drops in their stock prices and are revising guidance for the upcoming year in anticipation of an economic downturn.

Between the lines: Foster argues that ZeroFox is lean enough to survive the upcoming economic downturn, yet large enough to support a wide product range that can accommodate customers' changing needs.

  • "We are at the scale where most companies dream of being, and it's up to us to make sure that we can continue to move forward at a rapid pace," Foster said.

Yes, but: Foster is still watching global inflation rates and jobs reports closely to guide his company strategy.

  • "When you lose jobs, people stop spending money. People stop spending money and businesses make less money," he said. "The question is when that happens."

4. Catch up quick

@ D.C.

☁️ The Pentagon awarded a major cloud computing contract to four companies: Amazon, Google, Microsoft and Oracle. (Axios)

📲 Texas joined South Dakota, South Carolina and Maryland in banning TikTok on government-issued devices. (Axios)

🇯🇵 National Cyber Director Chris Inglis is expected to travel to Japan later this month to improve cooperation in the region amid tensions with China. (CyberScoop)

@ Industry

👀 Companies helping to defend Ukraine during the Russian war could end up being considered participants in the conflict, experts warn. (Zero Day)

🌎 Privacy and security executives are worried about how they'll comply with contradicting incident reporting rules across countries. (Wall Street Journal)

@ Hackers and hacks

🇰🇵 North Korean hackers are exploiting a critical vulnerability in Internet Explorer to spread malware across South Korean organizations. (TechCrunch)

📧 Customers are fleeing email hosting service Rackspace as the company struggles to bring Exchange servers back online amid a ransomware attack. (Axios)

🗂 Sequoia, a popular HR management tool used by hundreds of startups, experienced a breach in one of its cloud storage repositories. (Wired)

5. 1 fun thing

We're heading into "White Lotus" finale weekend, and there are many questions to answer.

  • The Codebook reader fan theories are seriously piling up. There is a theory in my inbox explaining why each character will either die or be the murderer. It's chaos.

Several of you believe what's probably the most popular internet theory right now: Tanya's husband paid someone to kill her to get out of their prenup.

  • There's a theory that youngster Albie is actually the murderer. Who does he kill? Y'all don't know ... but he definitely did it!
  • One person predicted that Dominic would have a "redemption arc" and sacrifice himself to protect someone else.
  • And my favorite: "I wouldn’t be opposed to a storyline in which Harper plots the demise of Ethan and leaves with all his money," one reader wrote.

☀️ See y'all on Tuesday!

Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.