If I was a long term bad actor, or perhaps a nation/state, I might consider evaluating open source for useful/popular components. Then, contribute to their development, spread, and usefulness, while inserting subtle exploitable defects.
> -----Original Message----- > From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On > Behalf Of Kirk Wolf > Sent: Wednesday, January 26, 2022 11:25 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: More of LOG4J > > Phil, > > Sorry, I agree that the entirety of what you wrote was more balanced. I > reacted (poorly) to this part: > > "Same with open source: using random code from an unknown author > would have been unthinkable; now it's common." > > I don't think that this is common. Mostly projects use popular open source > projects. Most of these have a history, many contributors, test suites, etc. > What was shocking about the LOG4J vulnerability was that is was one of > these. > > -- Kirk Wolf > > On Wed, Jan 26, 2022, at 12:34 PM, Phil Smith III wrote: > > Kirk Wolf wrote: > > > > >Is that really what you think is going on? > > >The economics of open source are about *reuse*. The overwhelming > majority > > of software these days is built with it for that reason. Good developers > > are very careful about what open source that they use. Good companies > > have policies and processes for approving any open source used internally. > > What's the alternative, write everything from scratch? Surely there will > > be no vulnerabilities there :-) There are complex trade-offs here that > > haven't been touched as yet on ibm-main. > > > > > > > > I guess I didn't make myself clear, because what you wrote is precisely how > > I think. Not sure what you took from what I wrote that was different-not > > being pissy, just noting that we seem to be in violent agreement! > > > > > > > > Yes, in days of yore, you'd write it all from scratch. And I was trying to > > say that that was NOT necessarily more secure: it was a different > > environment, so things didn't matter as much. There weren't a million > > monkeys banging on the door with typewriters. > > > > > > > > > What's shocking about the LOG4J vulnerability is that it has been a > > quality component used by thousands of projects for so long (20 years?, > not > > sure exactly). People armed with no understanding of the vulnerability or > > even Java immediately began contacting all of their software vendors, even > > products that clearly don't even use java. This only made the problem > > worse. > > > > > > > > Yes. I think I've noted before that the ""given enough eyeballs, all bugs > > are shallow" line, while not intended as a justification for blind use of > > open source, seems to have been used as such. The log4j debacle should > (but > > won't) convince folks that it should not be. > > > > > > > > And what may be a repeat, but something I wrote elsewhere and perhaps > here: > > > > It's also worth noting that a feature conceptually very, very similar to the > > log4j thing existed almost 40 years ago, in PROFS. DCF included a .sy > > command that would execute a system command. So, as a friend realized, > you > > could send someone a document that did something nasty, like erase all > their > > files or log them off (or send the CEO a message saying "You're a ****"), > > simply by reading it. IBM took this as a SEV1 and fixed it; decades later, > > we've spent the last while dealing with essentially the same dumb feechur. > > > > > > > > So over how many years, how many people saw this feature and didn't say > > "Hey, you could do Very Bad Things with that"??! Amazing. > > > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > Kirk Wolf > Dovetailed Technologies > https://urldefense.com/v3/__http://dovetail.com__;!!JmPEgBY0HMszNaDT > !4QAd_Gz4WlKwY3Xu-zffi26-SQxI_MDJSMh- > eemXy6IZm39SDMCzfDOJiuzfqQ$ > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN