very responsible. Meanwhile, the client is open to attacks. However, he can't protect himself since no one reported it affects his MF.

On Sun, 13 Feb 2022 at 3:42, Seymour J Metz <[email protected]> wrote:

> I believe that developing a fix before you disclose the vulnerability is
> the responsible thing to do.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> ________________________________________
> From: IBM Mainframe Discussion List [[email protected]] on behalf of David Crayford [[email protected]]
> Sent: Saturday, February 12, 2022 6:17 PM
> To: [email protected]
> Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem'
>
> On 13/2/22 3:38 am, Itschak Mugzach wrote:
> > If someone develops code that is vulnerable, only the organization he works
> > for is (potentially) affected and the attacker does not have access to the
> > code to play with. With open source, the code is accessible to everyone,
> > and the problem hits millions of organizations.
>
> Are you sure the attacker doesn't have the code? A huge percentage of
> hacks come from insider threats. In the case of SolarWinds the attackers
> had the code and access to the build pipeline.
>
> > The problem is not the vendor that makes use of open source, it is the fact
> > that when the vulnerability is discovered, there is a time window until it
> > is patched. And this is only if it was discovered by an ethical bug hunter.
>
> Log4Shell was discovered by a security researcher at Alibaba.
> Shellshock, Heartbleed, Meltdown etc. were discovered by security
> researchers at Google.
> The difference with IBM or companies is that they don't disclose
> vulnerabilities. You probably think that's a good idea. In truth, if
> those vulnerabilities are there, especially on public-facing networks,
> there is just as much chance of a breach.
>
> > This is why I am not impressed (but do appreciate the effort) by the tools
> > David and his company uses. They do their best,
>
> They do find vulnerabilities. They are amazingly smart and can detect
> when you open a secure TCP connection and don't authenticate the
> hostname, which could result in a MITM attack. That could be considered
> a 0-day.
>
> > but it will not help in
> > case of a zero day, and the scale of an open source vulnerability is
> > unlimited compared to a specific local code, bad as it is.
>
> What about the scale of a vendor product, such as IBM Data Risk Manager?
> A security researcher found 4 0-days and a sackful of other
> vulnerabilities, and IBM refused to accept the report until
> the researcher went public. IBM's customers are enterprises such as banks
> and insurance companies.
>
> https://www.ibm.com/support/pages/security-bulletin-ibm-data-risk-manager-affected-multiple-vulnerabilities-4
>
> The security researcher in this video
> https://www.youtube.com/watch?v=q8mFhDmBEIc claims to have found 10
> 0-days on z/OS by exploiting buffer overflows in APF-authorized C programs
> by overlaying R14 with his exploit code. I can't verify the veracity of
> this claim but it seems plausible. It's the same technique used in the
> Logica breach. Last time you scoffed at that and asked
> if there had been a breach. So I guess that 0-days are acceptable unless
> there has been a breach, or did I misunderstand you?
>
> > The funny thing is that although millions of eyes look at "open source" (as
> > Charles mentioned) they rarely find the vulnerability in a very
> > common, highly used code (such as log4j v2 that has been here since
> > 2012...).
> >
> > Saying that, open source is here to stay. Just don't wait for the vendor to
> > report on vulnerabilities. Scan it yourself frequently.
> >
> > My two Israeli shekel cents (actually called "agorot").
> >
> > ITschak
> >
> > Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for z/OS, zLinux and IBM i |
> > Email: [email protected] | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: http://www.Securiteam.co.il |
> >
> > On Sat, Feb 12, 2022 at 7:04 PM Charles Mills <[email protected]> wrote:
> >
> >> Nobody asked me, but I think David buried the most important point in the
> >> middle. I have seen lots of TERRIBLE code written by "engineers from big
> >> tech." That's not the key point. The key point is
> >>
> >>> the code is in the open and can be scrutinized by millions of people
> >>
> >> There are thousands (if not millions) of people, ranging from high school
> >> code nerds to professional security consulting firms, hoping to make a name
> >> for themselves by being the first to spot some vulnerability in Apache, the
> >> Linux kernel, etc. That is an incredible free code inspection service. That
> >> is the key to the security of open source (IMHO).
> >>
> >> You can't say that for most in-house software. You all know what corporate
> >> culture is like. #1 your boss is not paying you to scrutinize other
> >> people's code. And #2 if you spot some flaw in Bob's code you keep your
> >> head down, because Bob is such a grump and does not take criticism well.
> >>
> >> And BTW this is coming from someone (me) who is basically a proprietary
> >> software guy. I made my money writing conventionally-licensed proprietary
> >> software. I have never contributed to an open source project.
> >>
> >> Charles
> >>
> >> -----Original Message-----
> >> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of David Crayford
> >> Sent: Friday, February 11, 2022 11:39 PM
> >> To: [email protected]
> >> Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem'
> >>
> >> On 12/2/22 4:56 am, Radoslaw Skorupka wrote:
> >>> Well, who said it is not a problem???
> >>
> >> I do. I maintain that proprietary code has just as many vulnerabilities
> >> as open source. In fact, I would suggest that open source code is better
> >> as the standard of engineer tends to be much higher than your average
> >> Joe coder working for a bank. Also, the code is in the open and can be
> >> scrutinized by millions of people. Who do you think develops open source
> >> software? Is it hobbyists, enthusiasts, students, academics etc.? The
> >> truth is it's mostly engineers from big tech who are getting paid to
> >> develop open source. Check out the authors of Apache Commons components
> >> and it's IBMers:
> >> https://github.com/apache/commons-bsf/blob/master/AUTHORS.txt. IBM were
> >> the organization that stumped up the cash and resources to develop
> >> Eclipse. A huge amount of Apache open source code is written and
> >> maintained by IBM and it's used extensively in their products.
> >>
> >>> It sounds like "open source is free of bugs". However, I have never
> >>> heard such a claim.
> >>
> >> Nobody is saying that. That would be ignorant and stupid. All software
> >> has bugs.
> >>
> >>> More: companies use some kind of whitelisting of open source software. In
> >>> many cases the software developer is not allowed to use "fancy, shining
> >>> code" just because some requirements are not met. It can be
> >>> community, reputation, maturity, etc.
> >>
> >> How can a company whitelist open source software if they purchase a
> >> product from a vendor or IBM that uses open source? As our products are
> >> sold and marketed by IBM we provide them with a Certificate of
> >> Originality, which is a bill of materials that lists all of the open
> >> source software (with versions) that we use. We scan all of our products
> >> as part of our DevOps pipeline. There are three types of scans:
> >>
> >> ----------------------------------------------------------------------
> >> For IBM-MAIN subscribe / signoff / archive access instructions,
> >> send email to [email protected] with the message: INFO IBM-MAIN
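David's remark that the scanners catch "a secure TCP connection" opened without authenticating the hostname is concrete enough to show in code. The following is an added example, not code from anyone in this thread or from the products it mentions: using only Python's standard ssl module, it builds the weak client context such a scanner would flag, the corrected one beside it, and an audit_context() function (a hypothetical name) that reports the same findings a static check would raise.

```python
import ssl
from typing import List


def weak_context() -> ssl.SSLContext:
    """The anti-pattern the scanner flags: TLS is negotiated, so the wire is
    encrypted, but the peer certificate is never checked. Any on-path host
    can present its own certificate and the client accepts it (MITM)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # chain is not validated at all
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected form: platform trust store loaded, chain verification
    required, and the leaf certificate matched against the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a code scanner would raise for a client context.
    An empty list means the context authenticates the server properly."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: server certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: legacy protocol versions negotiable")
    return findings


if __name__ == "__main__":
    # Demonstration on the two constructed contexts; no network is touched.
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(f"{name}: {audit_context(ctx) or ['no findings']}")
```

The weak context still produces a TLS session, which is why such code passes functional tests and only a scanner or a code review catches it.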
