On 16/2/22 4:04 am, Radoslaw Skorupka wrote:
On 14.02.2022 at 20:58, David Crayford wrote:
On 15/2/22 3:48 am, Phil Smith III wrote:
While clearly closed source is no more likely to be randomly secure than
open source, the fact that the source is available for open source (by
definition!) d
That is a nice sentiment but my experience in open source is that in-depth
security evaluation is not done that frequently; it should be but sadly it is
not. Log4j has been sitting there for a while and even though people saw the
ability to execute remote code locally it didn’t have an aha mo
On 14.02.2022 at 20:58, David Crayford wrote:
On 15/2/22 3:48 am, Phil Smith III wrote:
While clearly closed source is no more likely to be randomly secure than
open source, the fact that the source is available for open source (by
definition!) does perhaps change the equation a bit. The ques
I'm old enough to remember reading the source code for VM on microfiche.
Eventually, IBM got smart and went with OCO.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu wi
On 15/2/22 3:48 am, Phil Smith III wrote:
While clearly closed source is no more likely to be randomly secure than
open source, the fact that the source is available for open source (by
definition!) does perhaps change the equation a bit. The question I have
ZERO data to answer is:
If a hacker
While clearly closed source is no more likely to be randomly secure than
open source, the fact that the source is available for open source (by
definition!) does perhaps change the equation a bit. The question I have
ZERO data to answer is:
Are more vulnerabilities found by attacking the execut
With log4j there's a public blog page with two lists: #1 shows products
not affected, and #2 shows products remediated (with links to more info).
If something is not in either list, that could mean it's still being
evaluated, or (more likely?) in the category you mentioned - never
published p
On 2/13/2022 7:18 AM, Seymour J Metz wrote:
The (somewhat simplified) way that IBM handles this for z/OS is via hold data
and customer notification of security fixes. IMHO that works well.
Disclosed to customers only via a secure channel that limits exposure to
a select list of vetted employe
From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of
Itschak Mugzach [0305158ad67d-dmarc-requ...@listserv.ua.edu]
Sent: Sunday, February 13, 2022 2:22 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem
Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem'
This is the old problem: Do you publicize what the problems are, so that the
bad guys will find out? Or do you not detail the vulnerabilities, so that the
good guys don't know how to protect themselves?
+1 for Bob.
I don't know who knows what. The bad guys do not check what you have; they
try their tools and que sera sera.
Best,
ITschak
| Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform |
Information Security Continuous Monitoring for Z/OS, zLinux and IBM I |
This is the old problem: Do you publicize what the problems are, so that the
bad guys will find out? Or do you not detail the vulnerabilities, so that the
good guys don't know how to protect themselves?
I come down on Cliff Stoll's side. The bad guys out there already know; in his
book he gi
February 12, 2022 6:17 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem'
>
> On 13/2/22 3:38 am, Itschak Mugzach wrote:
> > If someone develops code that is vulnerable, only the organization he
> works
> > for is (po
[dcrayf...@gmail.com]
Sent: Saturday, February 12, 2022 6:17 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem'
On 13/2/22 3:38 am, Itschak Mugzach wrote:
> If someone develops code that is vulnerable, only the organization he works
> for
: Log4j hearing: 'Open source is not the problem'
If someone develops code that is vulnerable, only the organization he works
for is (potentially) affected and the attacker does not have access to the
code to play with. With open source, the code is accessible to everyone,
and the pr
On 13/2/22 1:03 am, Charles Mills wrote:
Nobody asked me, but I think David buried the most important point in the
middle. I have seen lots of TERRIBLE code written by "engineers from big
tech." That's not the key point. The key point is the code is in the open
and can be scrutinized by milli
software. I have never contributed to an open source project.
Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of David Crayford
Sent: Friday, February 11, 2022 11:39 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Fwd: Log4j heari
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem'
If someone develops code that is vulnerable, only the organization he works
for is (potentially) affected and the attacker does not have access to the
code to play with. With open sour
re guy. I made my money writing conventionally-licensed proprietary
> software. I have never contributed to an open source project.
>
> Charles
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of David Cr
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Of David Crayford
Sent: Friday, February 11, 2022 11:39 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem'
On 12/2/22 4:56 am, Radoslaw Skorupka wrote:
On 12/2/22 4:56 am, Radoslaw Skorupka wrote:
Well, who said it is not a problem???
I do. I maintain that proprietary code has just as many vulnerabilities
as open source. In fact, I would suggest that open source code is better
as the standard of engineer tends to be much higher than your ave
Well, who said it is not a problem???
It sounds like "open source is free of bugs". However, I have never heard
such a claim.
More: companies use some kind of whitelisting of open source software. In
many cases a software developer is not allowed to use "fancy, shining
code" just because there are some req
https://www.networkworld.com/article/3649003/log4j-hearing-open-source-is-not-the-problem.html
marktre...@gmail.com