Comment by dylan604
1 month ago
How long did the log4j exist?
https://www.csoonline.com/article/571797/the-apache-log4j-vu...
What was the other package that had the mysterious .?
And yet they were found. How many such exploits lurk unexamined in proprietary codebases?
Yet you say this like Apple or Google or Microsoft has never released an update to address a security vuln.
Apple[1], Google[2], and Microsoft[3] you say?
You say this as if being shamed into patching the occasional vuln is equivalent to security best practices.
Open code which can be independently audited is only a baseline for trustworthy code. A baseline none of those three meet. And one which by itself is insufficient to counter a reflections on trusting trust style attack. For that you need open code, diverse open build toolchains, and reproducible builds. None of which is being done by those three.
Are you getting your ideas about security from the marketing department?
1: https://arstechnica.com/security/2024/03/hackers-can-extract...
2: https://www.wired.com/story/google-android-pixel-showcase-vu...
3: https://blog.morphisec.com/5-ntlm-vulnerabilities-unpatched-...
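As an added illustration of the reproducible-builds point made in the comment above (example code written for this thread, not from any commenter or project): the defence against a trusting-trust style compromise is to rebuild the same source with independent toolchains and refuse to trust an artifact unless the outputs are bit-identical. The script below models that check over constructed in-memory build records; the builder and toolchain names and the sample artifact bytes are hypothetical.

```python
"""Reproducible-build consensus check.

Added example, not code from the thread. Each BuildRecord stands in for an
attestation from an independent rebuilder; in practice the artifact bytes
would come from separate build infrastructure, and the check would be run
before a binary is signed or published.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildRecord:
    builder: str      # who performed the rebuild (hypothetical name)
    toolchain: str    # compiler/toolchain family used (hypothetical)
    artifact: bytes   # the produced binary (constructed sample bytes)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_reproducibility(records, min_toolchains=2):
    """Compare rebuild outputs and return a verdict dict.

    verdict is one of:
      "no-builds"              - nothing to compare
      "divergent"              - at least one rebuild produced different bytes
                                 (outliers lists those records)
      "insufficient-diversity" - outputs agree, but fewer than min_toolchains
                                 distinct toolchains produced them, so a
                                 compromised toolchain could still hide
      "reproducible"           - independent toolchains agree bit-for-bit
    """
    if not records:
        return {"verdict": "no-builds", "digest": None, "outliers": []}

    digests = {r: sha256_hex(r.artifact) for r in records}
    majority_digest = Counter(digests.values()).most_common(1)[0][0]
    outliers = [r for r in records if digests[r] != majority_digest]
    if outliers:
        return {"verdict": "divergent", "digest": majority_digest,
                "outliers": outliers}

    agreeing_toolchains = {r.toolchain for r in records}
    if len(agreeing_toolchains) < min_toolchains:
        return {"verdict": "insufficient-diversity",
                "digest": majority_digest, "outliers": []}

    return {"verdict": "reproducible", "digest": majority_digest,
            "outliers": []}


# Constructed sample data: two honest rebuilds agree; a third toolchain emits
# one extra byte, which is how a tampered compiler would reveal itself here.
GOOD = b"\x7fELF-constructed-sample-binary-v1"
TAMPERED = GOOD + b"\x90"

SAMPLE_BUILDS = [
    BuildRecord("builder-a", "gcc", GOOD),
    BuildRecord("builder-b", "clang", GOOD),
    BuildRecord("builder-c", "vendor-gcc-fork", TAMPERED),
]


def demo():
    """Run the check over the constructed sample records."""
    return check_reproducibility(SAMPLE_BUILDS)


if __name__ == "__main__":
    result = demo()
    print(result["verdict"], result["digest"])
    for r in result["outliers"]:
        print("outlier:", r.builder, r.toolchain, sha256_hex(r.artifact))
```

The diversity requirement is the part that matters for the comment's argument: two agreeing rebuilds done with the same toolchain prove only that the toolchain is deterministic, not that it is honest, so the check reports "insufficient-diversity" in that case rather than "reproducible".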