Phil, Sorry, I agree that the entirety of what you wrote was more balanced. I reacted (poorly) to this part:
"Same with open source: using random code from an unknown author would have been unthinkable; now it's common."

I don't think that this is common. Mostly projects use popular open source projects. Most of these have a history, many contributors, test suites, etc. What was shocking about the LOG4J vulnerability was that it was one of these.

--
Kirk Wolf

On Wed, Jan 26, 2022, at 12:34 PM, Phil Smith III wrote:
> Kirk Wolf wrote:
>
> >Is that really what you think is going on?
> >The economics of open source are about *reuse*. The overwhelming majority of software these days is built with it for that reason. Good developers are very careful about what open source that they use. Good companies have policies and processes for approving any open source used internally. What's the alternative, write everything from scratch? Surely there will be no vulnerabilities there :-) There are complex trade-offs here that haven't been touched as yet on ibm-main.
>
> I guess I didn't make myself clear, because what you wrote is precisely how I think. Not sure what you took from what I wrote that was different-not being pissy, just noting that we seem to be in violent agreement!
>
> Yes, in days of yore, you'd write it all from scratch. And I was trying to say that that was NOT necessarily more secure: it was a different environment, so things didn't matter as much. There weren't a million monkeys banging on the door with typewriters.
>
> >What's shocking about the LOG4J vulnerability is that it has been a quality component used by thousands of projects for so long (20 years?, not sure exactly). People armed with no understanding of the vulnerability or even Java immediately began contacting all of their software vendors, even products that clearly don't even use java. This only made the problem worse.
>
> Yes. I think I've noted before that the "given enough eyeballs, all bugs are shallow" line, while not intended as a justification for blind use of open source, seems to have been used as such. The log4j debacle should (but won't) convince folks that it should not be.
>
> And what may be a repeat, but something I wrote elsewhere and perhaps here:
>
> It's also worth noting that a feature conceptually very, very similar to the log4j thing existed almost 40 years ago, in PROFS. DCF included a .sy command that would execute a system command. So, as a friend realized, you could send someone a document that did something nasty, like erase all their files or log them off (or send the CEO a message saying "You're a ****"), simply by reading it. IBM took this as a SEV1 and fixed it; decades later, we've spent the last while dealing with essentially the same dumb feechur.
>
> So over how many years, how many people saw this feature and didn't say "Hey, you could do Very Bad Things with that"??! Amazing.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Kirk Wolf
Dovetailed Technologies
http://dovetail.com