In a different sort of way, it is a real tribute to the usability of Log4j. Seems like all popular software/hardware suffers from vulnerability eventually.
And a reminder not to be too trusting of software.

Rob

On Wed, Jan 26, 2022 at 2:41 PM Gibney, Dave <[email protected]> wrote:

> If I was a long term bad actor, or perhaps a nation/state, I might
> consider evaluating open source for useful/popular components. Then,
> contribute to their development, spread, and usefulness, while inserting
> subtle exploitable defects.
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List <[email protected]> On
> > Behalf Of Kirk Wolf
> > Sent: Wednesday, January 26, 2022 11:25 AM
> > To: [email protected]
> > Subject: Re: More of LOG4J
> >
> > Phil,
> >
> > Sorry, I agree that the entirety of what you wrote was more balanced. I
> > reacted (poorly) to this part:
> >
> > "Same with open source: using random code from an unknown author
> > would have been unthinkable; now it's common."
> >
> > I don't think that this is common. Mostly projects use popular open source
> > projects. Most of these have a history, many contributors, test suites, etc.
> > What was shocking about the LOG4J vulnerability was that it was one of
> > these.
> >
> > -- Kirk Wolf
> >
> > On Wed, Jan 26, 2022, at 12:34 PM, Phil Smith III wrote:
> > > Kirk Wolf wrote:
> > >
> > > > Is that really what you think is going on?
> > > > The economics of open source are about *reuse*. The overwhelming majority
> > > > of software these days is built with it for that reason. Good developers
> > > > are very careful about what open source that they use. Good companies
> > > > have policies and processes for approving any open source used internally.
> > > > What's the alternative, write everything from scratch? Surely there will
> > > > be no vulnerabilities there :-) There are complex trade-offs here that
> > > > haven't been touched as yet on ibm-main.
> > >
> > > I guess I didn't make myself clear, because what you wrote is precisely how
> > > I think. Not sure what you took from what I wrote that was different - not
> > > being pissy, just noting that we seem to be in violent agreement!
> > >
> > > Yes, in days of yore, you'd write it all from scratch. And I was trying to
> > > say that that was NOT necessarily more secure: it was a different
> > > environment, so things didn't matter as much. There weren't a million
> > > monkeys banging on the door with typewriters.
> > >
> > > > What's shocking about the LOG4J vulnerability is that it has been a
> > > > quality component used by thousands of projects for so long (20 years?, not
> > > > sure exactly). People armed with no understanding of the vulnerability or
> > > > even Java immediately began contacting all of their software vendors, even
> > > > products that clearly don't even use java. This only made the problem
> > > > worse.
> > >
> > > Yes. I think I've noted before that the "given enough eyeballs, all bugs
> > > are shallow" line, while not intended as a justification for blind use of
> > > open source, seems to have been used as such. The log4j debacle should (but
> > > won't) convince folks that it should not be.
> > >
> > > And what may be a repeat, but something I wrote elsewhere and perhaps here:
> > >
> > > It's also worth noting that a feature conceptually very, very similar to the
> > > log4j thing existed almost 40 years ago, in PROFS. DCF included a .sy
> > > command that would execute a system command. So, as a friend realized, you
> > > could send someone a document that did something nasty, like erase all their
> > > files or log them off (or send the CEO a message saying "You're a ****"),
> > > simply by reading it. IBM took this as a SEV1 and fixed it; decades later,
> > > we've spent the last while dealing with essentially the same dumb feechur.
> > >
> > > So over how many years, how many people saw this feature and didn't say
> > > "Hey, you could do Very Bad Things with that"??! Amazing.
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to [email protected] with the message: INFO IBM-MAIN
> >
> > Kirk Wolf
> > Dovetailed Technologies
> > https://urldefense.com/v3/__http://dovetail.com__;!!JmPEgBY0HMszNaDT!4QAd_Gz4WlKwY3Xu-zffi26-SQxI_MDJSMh-eemXy6IZm39SDMCzfDOJiuzfqQ$
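Phil's PROFS anecdote and the log4j bug share one pattern: a document or log format whose control directive hands part of the content to the host system when the content is merely rendered. The example below is added here and is not code from any poster, from DCF or from log4j; it implements a constructed toy subset of a dot-command document format (only the ".sy" idea comes from the thread; the other control words and the case-insensitivity are assumptions) and shows a renderer that treats command directives as inert data, returning the rendered text together with the directives it blocked so a gateway or reviewer can see what a received document tried to do.

```python
"""Toy renderer for a dot-command document format (constructed for this
example; it borrows only the '.sy' idea from the PROFS/DCF anecdote and is
not DCF's real grammar).  Command words are never executed: they become a
visible marker in the output and are reported as findings."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Formatting control words (constructed); each just yields an empty line.
FORMAT_WORDS = {"pp", "sk", "br"}
# Control words whose argument would be run as a host command.  Only ".sy"
# comes from the thread; the others are constructed aliases to show that a
# deny-list must cover every spelling the processor accepts.
COMMAND_WORDS = {"sy", "sys", "system"}


@dataclass
class Rendered:
    text: str
    findings: List[Tuple[int, str, str]] = field(default_factory=list)


def render(doc: str) -> Rendered:
    """Render the document; command directives are neutralised and logged."""
    out, findings = [], []
    for line_no, raw in enumerate(doc.splitlines(), start=1):
        if not raw.startswith("."):      # control words start in column 1
            out.append(raw)              # plain text passes through unchanged
            continue
        word, _, arg = raw[1:].partition(" ")
        word = word.lower()              # assumption: control words are case-insensitive
        if word in COMMAND_WORDS:
            # Active content: keep an inert marker and record what the document
            # asked for, so a mail gateway or reviewer can act on it.
            findings.append((line_no, word, arg.strip()))
            out.append(f"[blocked command directive on line {line_no}]")
        elif word in FORMAT_WORDS:
            out.append("")
        else:
            out.append(raw)              # unknown control word: show it, never guess
    return Rendered("\n".join(out), findings)


# Constructed sample document; the command arguments are placeholders.
SAMPLE_DOC = """\
Quarterly notes
.pp
Please read before the meeting.
.sy placeholder-command one
.SY placeholder-command two
Thanks."""
```

Calling render(SAMPLE_DOC) yields the text with both ".sy" lines replaced by markers and two findings, (4, "sy", "placeholder-command one") and (5, "sy", "placeholder-command two"); a ".xx" line it does not recognise is shown verbatim rather than interpreted.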
