As opposed to helping the criminals to attack him before he has time to develop and test that protection? All options are bad: the issue is which is least bad, and going for the least bad option *is* responsible.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List [[email protected]] on behalf of Itschak Mugzach [[email protected]]
Sent: Sunday, February 13, 2022 2:22 AM
To: [email protected]
Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem'

very responsible. Meanwhile, the client is open to attacks. However, he can't protect himself since no one reported that it affects his MF.

On Sun, 13 Feb 2022 at 3:42, Seymour J Metz <[email protected]> wrote:

> I believe that developing a fix before you disclose the vulnerability is the responsible thing to do.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> ________________________________________
> From: IBM Mainframe Discussion List [[email protected]] on behalf of David Crayford [[email protected]]
> Sent: Saturday, February 12, 2022 6:17 PM
> To: [email protected]
> Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem'
>
> On 13/2/22 3:38 am, Itschak Mugzach wrote:
> > If someone develops code that is vulnerable, only the organization he works for is (potentially) affected and the attacker does not have access to the code to play with. With open source, the code is accessible to everyone, and the problem hits millions of organizations.
>
> Are you sure the attacker doesn't have the code? A huge percentage of hacks come from insider threats. In the case of SolarWinds the attackers had the code and access to the build pipeline.
>
> > The problem is not the vendor that makes use of open source, it is the fact that when the vulnerability is discovered, there is a time window until it is patched. And this is only if it was discovered by an ethical bug hunter.
>
> Log4Shell was discovered by a security researcher at Alibaba. Shellshock, Heartbleed, Meltdown etc. were discovered by security researchers at Google.
> The difference with IBM or companies is that they don't disclose vulnerabilities. You probably think that's a good idea. In truth, if those vulnerabilities are there, especially on public-facing networks, there is just as much chance of a breach.
>
> > This is why I am not impressed (but do appreciate the effort) by the tools David and his company use. They do their best,
>
> They do find vulnerabilities. They are amazingly smart and can detect when you open a secure TCP connection and don't authenticate the hostname, which could result in a MITM attack. That could be considered a 0-day.
>
> > but it will not help in case of a zero day, and the scale of an open source vulnerability is unlimited compared to a specific local code, bad as it is.
>
> What about the scale of a vendor product, such as IBM Data Risk Manager? A security researcher found 4 0-days and a sackful of other vulnerabilities, and IBM refused to accept the report until the researcher went public. IBM's customers are enterprises such as banks and insurance companies.
>
> https://www.ibm.com/support/pages/security-bulletin-ibm-data-risk-manager-affected-multiple-vulnerabilities-4
>
> The security researcher in this video https://www.youtube.com/watch?v=q8mFhDmBEIc claims to have found more than 10 0-days on z/OS by exploiting buffer overflows in APF-authorized C programs by overlaying R14 with his exploit code. I can't verify the veracity of this claim but it seems plausible. It's the same technique used in the Logica breach. Last time you scoffed at that and asked if there had been a breach. So I guess that 0-days are acceptable unless there has been a breach, or did I misunderstand you?
>
> > The funny thing is that although millions of eyes look at "open source" (as Charles mentioned) they rarely find the vulnerability in a very common, highly used code (such as log4j v2, which has been here since 2012...).
> >
> > Saying that, open source is here to stay. Just don't wait for the vendor to report on vulnerabilities. Scan it yourself frequently.
> >
> > My two Israeli shekel cents (actually called "agorot").
> >
> > ITschak
> >
> > | Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for Z/OS, zLinux and IBM i |
> > | Email: [email protected] | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: http://www.Securiteam.co.il |
> >
> > On Sat, Feb 12, 2022 at 7:04 PM Charles Mills <[email protected]> wrote:
> >
> >> Nobody asked me, but I think David buried the most important point in the middle. I have seen lots of TERRIBLE code written by "engineers from big tech." That's not the key point. The key point is
> >>
> >>> the code is in the open and can be scrutinized by millions of people
> >>
> >> There are thousands (if not millions) of people, ranging from high school code nerds to professional security consulting firms, hoping to make a name for themselves by being the first to spot some vulnerability in Apache, the Linux kernel, etc. That is an incredible free code inspection service. That is the key to the security of open source (IMHO).
> >>
> >> You can't say that for most in-house software. You all know what corporate culture is like. #1 your boss is not paying you to scrutinize other peoples' code. And #2 if you spot some flaw in Bob's code you keep your head down, because Bob is such a grump and does not take criticism well.
> >>
> >> And BTW this is coming from someone (me) who is basically a proprietary software guy. I made my money writing conventionally-licensed proprietary software. I have never contributed to an open source project.
> >>
> >> Charles
> >>
> >>
> >> -----Original Message-----
> >> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of David Crayford
> >> Sent: Friday, February 11, 2022 11:39 PM
> >> To: [email protected]
> >> Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem'
> >>
> >> On 12/2/22 4:56 am, Radoslaw Skorupka wrote:
> >>> Well, who said it is not a problem???
> >>
> >> I do. I maintain that proprietary code has just as many vulnerabilities as open source. In fact, I would suggest that open source code is better, as the standard of engineer tends to be much higher than your average Joe coder working for a bank. Also, the code is in the open and can be scrutinized by millions of people. Who do you think develops open source software? Is it hobbyists, enthusiasts, students, academics etc.? The truth is it's mostly engineers from big tech who are getting paid to develop open source. Check out the authors of Apache Commons components and it's IBMers: https://github.com/apache/commons-bsf/blob/master/AUTHORS.txt. IBM were the organization that stumped up the cash and resources to develop Eclipse. A huge amount of Apache open source code is written and maintained by IBM and it's used extensively in their products.
> >>
> >>
> >>> It sounds like "open source is free of bugs". However I have never heard such a claim.
> >>
> >> Nobody is saying that. That would be ignorant and stupid. All software has bugs.
> >>
> >>
> >>> More: companies use some kind of whitelisting of open source software. In many cases a software developer is not allowed to use "fancy, shining code" just because some requirements there are not met. It can be community, reputation, maturity, etc.
> >>
> >> How can a company whitelist open source software if they purchase a product from a vendor or IBM that uses open source? As our products are sold and marketed by IBM we provide them with a Certificate of Originality, which is a bill of materials that lists all of the open source software (with versions) that we use. We scan all of our products as part of our DevOps pipeline. There are three types of scans:
> >>
> >> ----------------------------------------------------------------------
> >> For IBM-MAIN subscribe / signoff / archive access instructions,
> >> send email to [email protected] with the message: INFO IBM-MAIN
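The finding David describes above, a TLS connection that encrypts the channel but never ties the peer certificate to the host it was meant to reach, is the kind of thing a scanner flags because the fix is mechanical. As an added example that is not part of the original thread (the thread concerns C programs on z/OS; this is an illustration in Python's standard `ssl` module), here is the weak client configuration beside the corrected one, a small audit of the kind a scanner applies, and the hostname-matching rule the check enforces, applied to a constructed certificate. The host names, the certificate dictionary and the function names are assumptions made for the example. Note that Python removed `ssl.match_hostname()` in 3.12, so the matching rule is written out here rather than called.

```python
"""TLS client configuration: hostname authentication on vs. off (added example)."""
import ssl


def make_unverified_context() -> ssl.SSLContext:
    """The weak pattern: the channel is encrypted, but any certificate is accepted.

    check_hostname must be cleared before verify_mode, otherwise ssl raises ValueError.
    An active attacker on the path can present their own certificate and read the traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_verified_context() -> ssl.SSLContext:
    """The corrected form: CERT_REQUIRED plus hostname checking against the system CA store."""
    ctx = ssl.create_default_context()
    # create_default_context() already sets these; stating them makes the intent reviewable.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a scanner would raise for a client-side SSLContext."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: the peer certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: the certificate is not tied to the target host")
    return findings


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name matching: case-insensitive, wildcard only as the whole
    left-most label, matching exactly one label, and never for a bare second-level name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or "*" in pattern[2:] or len(plabels) < 3:
        return False  # "f*o.example.com", "*.com" and "a.*.example.com" are rejected
    if len(plabels) != len(hlabels) or hlabels[0] == "":
        return False  # the wildcard covers one non-empty label, not "a.b"
    return plabels[1:] == hlabels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Check a certificate in the dict shape returned by SSLSocket.getpeercert().

    Only subjectAltName DNS entries are consulted; the subject CN is ignored, as
    modern verifiers do.
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(hostname_matches(name, hostname) for name in dns_names)


# Constructed sample certificate (not a real certificate) in getpeercert() form.
SAMPLE_CERT = {
    "subject": ((("commonName", "mainframe.example.com"),),),
    "subjectAltName": (("DNS", "mainframe.example.com"), ("DNS", "*.lpar.example.com")),
}


if __name__ == "__main__":
    for label, ctx in (("unverified", make_unverified_context()),
                       ("verified", make_verified_context())):
        print(label, audit_context(ctx) or ["no findings"])
    for host in ("mainframe.example.com", "sysa.lpar.example.com",
                 "a.b.lpar.example.com", "evil.example.com"):
        print(host, cert_matches_host(SAMPLE_CERT, host))
```

The audit is the same two-line check whatever the language: is the chain validated, and is the validated name compared with the name the client intended to reach. A connection that passes only the first half is exactly the MITM exposure the thread mentions.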
