Axios Login

A smartphone with different colored buttons floating above its surface.
December 15, 2021

Security researcher Dan Kaminsky has been posthumously inducted into Internet Hall Of Fame for, among other things, his 2008 discovery and repair of a massive flaw in the net's Domain Name System (DNS).

Today's newsletter is 1,172 words, a 4-minute read.

1 big thing: The scramble to patch a massive open-source flaw

Illustration of a cursor hand covering a cracked wall with leaking water droplets
Illustration: Annelise Capossela/Axios

The computing world is struggling this week to contain a significant vulnerability in Log4j, an extremely common piece of open-source code.

Why it matters: Experts say the flaw leaves hundreds of millions of systems vulnerable to attack, with the head of the U.S. government's cybersecurity agency calling it among the biggest threats she has seen in her career.

How it works: An attacker could use the flaw to force an affected system to accept commands from a malicious remote server. According to Sean Gallagher, senior threat researcher at Sophos, that could include commands to download and install all manner of code in vulnerable systems, including cryptocurrency miners or other malicious software.

  • Given the flawed code's prevalence, experts say that, for most large businesses and government agencies, it is not a question of whether they are affected, but rather how many different systems have been affected.

Catch-up quick: Log4j is an open-source library included in a range of software, services and hardware, such as networking gear from companies including Amazon, Broadcom and Cisco. It tracks what activities are taking place in the code, as well as keep tabs on various communications, requests and errors, according to Gallagher.

  • Like many pieces of open-source code, Log4j is maintained by a relatively small team but, thanks to its broad license, has been widely adopted by developers, Gallagher said.
  • As Bloomberg details, the flaw was discovered last month by workers at Alibaba, who reported it to the team at the nonprofit Apache Software Foundation, whose volunteers maintain Log4j. That set off a race to close the vulnerability and a patch was released earlier this month.

Between the lines: The key now is identifying and patching all the systems at risk. Complicating the task is the fact many governments, businesses and consumers probably are unaware if they own products using the code.

  • The Cybersecurity and Infrastructure Security Agency (CISA) is working to develop a comprehensive list of all the products that include the affected code and encouraging security researchers to share details on any products they believe are infected.

The big picture: In a call with reporters on Tuesday, CISA deputy director Eric Goldstein said that the flaw is "extremely concerning" due to how widely Log4j is used, how easy it is to exploit and that it can allow information to be taken off of targeted systems.

  • So far the visible impact from the flaw has been modest, but experts don't expect that to stay the case.
  • "With the exception of cryptomining, there's a lull before the storm," Gallagher said. "We expect adversaries are likely grabbing as much access to whatever they can right now with the view to monetize and capitalize on it later."
  • There have already been hundreds of thousands of individual attacks, with more expected, per CheckPoint. Wall Street Journal has reported that hackers backed by China have been observed exploiting the flaw.

Go deeper: CISA has more information on the flaw here, including known vulnerable products and mitigation guidance.

2. Internet Association to dissolve

The Internet Association (IA), once the tech industry's top lobbying shop in Washington, representing companies such as Google, Facebook, Amazon and Microsoft, will dissolve as soon as today, Axios' Ashley Gold reports.

Driving the news: IA's board will meet this morning for a vote to dissolve the organization, something a source described as a formality, with the decision already made.

The source said Microsoft's departure, first reported by Axios, made the decision imminent, and put the organization in a precarious financial position. Uber recently left the organization as well.

  • The news that IA would dissolve was first reported by Politico.

Why it matters: IA was once a highly influential group, fighting for policy to help internet companies grow with limited government regulation. It described itself as the "unified voice of the internet economy." That unified voice simply doesn't exist anymore.

  • While the IA has historically avoided working in the areas of antitrust and competition, many of its top members are now in the crosshairs of antitrust investigations and proposed bills around the world.
  • The organization has long worked to promote the importance of Section 230 of the Communications Decency Act, the law that shields tech from most liability from third-party posts, but members were increasingly at odds over that policy and legislative paths forward.

What they're saying: "What was once a leading voice for tech companies is fading into obscurity with barely a whimper and hardly anything to show for itself," one former employee told Axios.

  • The Internet Association didn't immediately return a request for comment.

3. More people want to see social media regulated

Animated illustration of a neon sign cycling between a thumbs up and a thumbs down.
Illustration: Aïda Amer/Axios

A new poll from Morning Consult finds 56% of U.S. adults support government regulation of social media companies, up 4 percentage points from an October survey. The poll also found that roughly three-in-five adults say social media platforms do not do enough to keep users safe.

Why it matters: Poll results like this could bolster legislative and regulatory efforts to make social media companies more accountable for the content on their services.

Yes, but: There is a significant divide, often along party lines, of what exactly is wrong with social media and what should be done about it.

Between the lines: That disagreement, combined with a general struggle to pass any federal legislation, makes it tougher to find a course of tech regulatory action that can make it through Congress.

  • "I think if there is legislation, it's going to be very broad, in order to try to compromise and break this really large gap between the two parties," Ashley Johnson, a senior policy analyst at the Information Technology and Innovation Foundation, says in a report accompanying the survey results.

4. Charted: Instagram hits 2B monthly users

Data: Axios research; Chart: Will Chase/Axios
Data: Axios research; Chart: Will Chase/Axios

Instagram hit 2 billion monthly active users worldwide earlier this fall, CNBC reports, citing unnamed sources, writes Axios' Sara Fischer.

Why it matters: Instagram joins an exclusive club of just four social apps that have hit that milestone. Meta owns three of the four.

The intrigue: Instagram may have opted to keep the achievement a secret in an effort to avoid conflating its already messy public image.

  • The company has been dragged by lawmakers over whistleblower allegations that it doesn't do enough to protect the mental health of young users.
  • Last week, Instagram CEO Adam Mosseri testified before Congress about the matter for the first time.

What to watch: In hitting 2 billion users, Instagram has proven that its app still has room to grow, despite increased competition from apps like TikTok.

5. Take note

On Tap

  • The Senate Judiciary antitrust subcommittee is holding a hearing on consolidation, monopoly power and innovation at 2:30pm ET.

Trading Places

  • Discord has hired Elizabeth Hamren, a former executive in Microsoft's Xbox unit as its new chief operating officer.

ICYMI

  • In a move likely to anger the U.S. and large tech companies, Canada says it is still prepared to implement a digital services tax. (Reuters)
  • Companies are rushing to build for the metaverse — even as consumers are still trying to understand the concept. (Axios)

6. After you Login

I can't say you have to watch this video of a bear attacking an inflatable reindeer, but I know you want to.