Phil, 

Sorry, I agree that the entirety of what you wrote was more balanced. I 
reacted (poorly) to this part:

"Same with open source: using random code from an unknown author would have 
been unthinkable; now it's common."

I don't think that this is common. Mostly projects use popular open source 
projects. Most of these have a history, many contributors, test suites, etc. 
What was shocking about the LOG4J vulnerability was that it was one of these.

-- Kirk Wolf

On Wed, Jan 26, 2022, at 12:34 PM, Phil Smith III wrote:
> Kirk Wolf wrote:
> 
> > Is that really what you think is going on?
> > The economics of open source are about *reuse*. The overwhelming majority
> > of software these days is built with it for that reason. Good developers
> > are very careful about what open source that they use. Good companies
> > have policies and processes for approving any open source used internally.
> > What's the alternative, write everything from scratch? Surely there will
> > be no vulnerabilities there :-) There are complex trade-offs here that
> > haven't been touched as yet on ibm-main.
> 
> I guess I didn't make myself clear, because what you wrote is precisely how
> I think. Not sure what you took from what I wrote that was different, not
> being pissy, just noting that we seem to be in violent agreement!
> 
> Yes, in days of yore, you'd write it all from scratch. And I was trying to
> say that that was NOT necessarily more secure: it was a different
> environment, so things didn't matter as much. There weren't a million
> monkeys banging on the door with typewriters.
> 
> > What's shocking about the LOG4J vulnerability is that it has been a
> > quality component used by thousands of projects for so long (20 years?, not
> > sure exactly). People armed with no understanding of the vulnerability or
> > even Java immediately began contacting all of their software vendors, even
> > products that clearly don't even use java. This only made the problem
> > worse.
> 
> Yes. I think I've noted before that the "given enough eyeballs, all bugs
> are shallow" line, while not intended as a justification for blind use of
> open source, seems to have been used as such. The log4j debacle should (but
> won't) convince folks that it should not be.
> 
> And what may be a repeat, but something I wrote elsewhere and perhaps here:
> 
> It's also worth noting that a feature conceptually very, very similar to the
> log4j thing existed almost 40 years ago, in PROFS. DCF included a .sy
> command that would execute a system command. So, as a friend realized, you
> could send someone a document that did something nasty, like erase all their
> files or log them off (or send the CEO a message saying "You're a ****"),
> simply by reading it. IBM took this as a SEV1 and fixed it; decades later,
> we've spent the last while dealing with essentially the same dumb feechur.
> 
> So over how many years, how many people saw this feature and didn't say
> "Hey, you could do Very Bad Things with that"??! Amazing.
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 

Kirk Wolf
Dovetailed Technologies
http://dovetail.com
