LogJ4 Security Inquiry – Response Required

323 points, posted by elsombrero, over 3 years ago

34 comments
[username not captured], over 3 years ago

> I answered the email very briefly and said I will be happy to answer with details as soon as we have a support contract signed.

This made my day. If a wealthy individual takes your tools and then calls for help while fixing up their shed with said tools, do not move a muscle until you agree on the fee.
zokier, over 3 years ago

I think it is pretty easy to see how this sort of thing happens:

1. Someone decides that we need an inventory of all the libraries used (iirc a requirement for some certifications and generally not a bad practice)
2. A system (/excel sheet) is enrolled where you have fields like $our_product, $library_used, $vendor_email
3. A dev, not quite understanding the point, dutifully fills in the data for the project they are working on
4. No-one reviews the data
5. Crisis strikes, so mass-send email to all vendors asking how they are handling it

Problem here is around point 4; for the process to work, someone should have reviewed the data to check that the used libraries are from vendors with some sort of support arrangement.

I think the reply they provided is pretty promising, it makes it sound like they wanted to be a customer but are not, only due to an oversight.
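The review step in point 4 above, as an added example (not code from the thread, from curl, or from the company in question): before anyone is emailed, each inventory row is checked for whether the library is the vulnerable artifact at all, whether the recorded version is in a published affected range, and whether there is a paid vendor to ask. The CSV, its column names and the addresses are constructed for the example; the version ranges are the public ones for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.

```python
"""Triage a third-party inventory for log4j exposure before mailing anyone.

Added example, not code from the thread or from any company discussed in it.
The CSV and its column names are constructed; the version ranges come from
the published log4j 2 advisories.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample inventory in the $product/$library/$vendor_email
# spreadsheet shape described in the thread (column names are assumptions).
INVENTORY_CSV = """product,library,version,vendor_email,support_contract
billing-api,org.apache.logging.log4j:log4j-core,2.14.1,support@example-vendor.com,yes
billing-api,org.apache.logging.log4j:log4j-api,2.14.1,support@example-vendor.com,yes
edge-proxy,curl,7.79.1,maintainer@example.org,no
reporting,org.apache.logging.log4j:log4j-core,2.17.1,,no
legacy-batch,log4j:log4j,1.2.17,,no
web-ui,org.apache.logging.log4j:log4j-core,2.0-beta9,vendor@example.net,yes
"""

LOG4J2_CORE = "org.apache.logging.log4j:log4j-core"
LOG4J1 = "log4j:log4j"

ASK = "ask vendor"
NONE = "no action"
SELF = "remediate internally"


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, (0, 9)); '2.14.1' -> (2, 14, 1, (1, 0)).

    A pre-release tag sorts below the matching final release, so tuple
    comparison orders these versions the way Maven does."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    pre = (0, int(m[5])) if m[4] else (1, 0)
    return (int(m[1]), int(m[2]), int(m[3] or 0), pre)


def log4j2_status(version):
    """Map a log4j-core 2.x version onto the published advisories."""
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return "not affected: predates the JNDI lookup"
    # Java 6/7 backport lines: 2.3.1+ and 2.12.2+ carry the JNDI fixes.
    if v[0] == 2 and ((v[1] == 3 and v[2] >= 1) or (v[1] == 12 and v[2] >= 2)):
        return "backport branch: fixed for CVE-2021-44228/45046, check release notes for later CVEs"
    if v < parse_version("2.15.0"):
        return "VULNERABLE: CVE-2021-44228 (JNDI lookup, unauthenticated RCE)"
    if v < parse_version("2.16.0"):
        return "VULNERABLE: CVE-2021-45046 (incomplete fix in 2.15.0)"
    if v < parse_version("2.17.0"):
        return "VULNERABLE: CVE-2021-45105 (uncontrolled recursion, DoS)"
    if v < parse_version("2.17.1"):
        return "VULNERABLE: CVE-2021-44832 (JDBC appender, needs write access to the config)"
    return "patched"


@dataclass
class Decision:
    product: str
    library: str
    vendor_email: str
    status: str
    action: str


def triage_row(row):
    lib = row["library"].strip()
    has_contract = row["support_contract"].strip().lower() == "yes"
    if lib == LOG4J2_CORE:
        status = log4j2_status(row["version"])
    elif lib == LOG4J1:
        status = ("log4j 1.x: end of life, not affected by CVE-2021-44228; "
                  "review CVE-2021-4104 (JMSAppender) and plan migration")
    elif lib.startswith("org.apache.logging.log4j:"):
        # log4j-api and friends do not contain the lookup code; only core does.
        status = "log4j 2 module without the lookup code; check the log4j-core entry instead"
    else:
        status = "not a log4j artifact"

    needs_work = status.startswith(("VULNERABLE", "log4j 1.x", "backport"))
    if not needs_work:
        action = NONE
    elif has_contract:
        action = ASK   # a paid vendor owes an answer
    else:
        action = SELF  # an upstream project with no contract does not
    return Decision(row["product"], lib, row["vendor_email"].strip(), status, action)


def triage(csv_text):
    return [triage_row(r) for r in csv.DictReader(io.StringIO(csv_text))]


def inquiry_recipients(decisions):
    """The only addresses that should receive the inquiry email."""
    return sorted({d.vendor_email for d in decisions if d.action == ASK and d.vendor_email})


if __name__ == "__main__":
    decisions = triage(INVENTORY_CSV)
    for d in decisions:
        print(f"{d.product:12} {d.library:42} {d.action:22} {d.status}")
    print("mail:", inquiry_recipients(decisions))
```

Run against the constructed inventory, only the two rows with an affected log4j-core and a support contract produce a recipient; the curl row and the log4j-api row produce nothing, and the unsupported log4j 1.x row becomes internal work rather than an email to whoever is listed.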
verytrivial, over 3 years ago

For everyone boggling at the tone of the email, stop for a moment and have a guess at how many different sources of software they think the average large corp has on their books, let alone on their infra. It can literally be hundreds or thousands of different sources. And each of those will have their own topology.

This is clearly a scatter-gun survey because they've realised they really have no idea of their exposure. (And before you re-boggle at that, there's a whole business ecosystem in just being able to answer that question, let alone do anything about security issues.)
softwarebeware, over 3 years ago

"...The level of ignorance and incompetence shown in this single email is mind-boggling...no code I've ever been involved with or have my copyright use log4j and any rookie or better engineer could easily verify that..."

Yeah, well, I've been quite shocked how rookie some F500 devs can be and how dysfunctional large corporations can also be. Probably what happened here is someone wrote a script that compiled the dependencies of all projects they have and they sent this same email to all of them (!) regardless of any actual or potential use of log4j.
gkoberger, over 3 years ago

I don't want to defend this company, but my company (a dev tool used by many other companies) receives a handful of these a day. It's almost the exact same email, and they're just mass-sending them. It's not personal, and it's pretty standard.

The tone feels off if you assume a human wrote it. But that's only because it's a form letter their legal department wrote for them to send off. They probably collected "dependencies" from the entire company (and someone wrote "curl"), and sent a mass email.

If you just reply with a simple "We're unaffected!" (or ignore them), you'll never hear from them again.
0x500x79, over 3 years ago

Many organizations document their 3rd party vendors and libraries and it doesn't surprise me that an automated email reached Daniel. Most likely someone mis-documented using one of Daniel's projects in a spreadsheet.

I am personally a bit surprised about the responses here. It is completely reasonable for this email to reach Daniel and it is most likely an artifact of bad documentation by engineers in the company. At the scale this company is running, the person/team sending out these emails do not have time to dig in and understand each dependency they are sending emails on.

The response is as simple as "What library/product does this email pertain to?", "Please see the licenses for the libraries or products in question.", and what Daniel responded with as well: "I would be willing to dig in further for specific questions with a support contract."
protomyth, over 3 years ago

Reminds me a bit of "Attack of the repo man", a classic case of this behavior: http://acme.com/software/thttpd/repo.html
rmoriz, over 3 years ago

As far as I learned, a couple of big companies are sending this kind of mail to every provider, partner or copyright owner of code that they could find.

I assume some developer/supplier used curl and provided a list of third party code and licenses they use.

In the aftermath of the log4j incident, companies now target everyone about this issue, partly to learn about potential exposure that they are not aware of yet, e.g. exploited infrastructure of dependent services like newsletter or analytics services.

Yes, it's annoying and pointless to spam these mails to open source projects. But at least someone is now behind auditing the supply chain.
trevormcneal, over 3 years ago

The first email looks like someone who had zero idea of what they were doing, just did some dependency scanning and got your name/email there; probably these emails were sent to everything that they could find.

Quite well handled, not arrogant, not bending over and doing whatever they say, but being honest.

Whether curl is impacted or not may not really matter for them; usually these companies go after compliance and someone who they can blame when things go wrong.
BiteCode_dev, over 3 years ago

It's actually fantastic to receive such an email. You can answer:

"We are happy to provide you with support regarding this issue for $5000/day"

Then if they accept, proceed to do nothing for 10 days, then reply you find none of your code is impacted and they are safe, then bill them $50k.
perihelions, over 3 years ago

> "Thank you for your reply. Are you saying that we are not a customer of your organization?"

Isn't this the sort of question you'd ask your own side, first?
deltree7, over 3 years ago

OK, a large corporation legal team doesn't understand the nuance of ownership of open-source software.

Do we mock every single open source guy who displays the same amount of cluelessness about the inner workings of a business? Because I see plenty of that displayed here and everywhere else.
0xbadcafebee, over 3 years ago

Welcome to Corporate Life. Somebody at the top says "Make sure we find out from all vendors what their log4j impact is", and that trickles down until some poor sap in InfoSec is told to do it. And of course "all vendors" includes "open source vendors", aka some dude named Carl in Uzbekistan who wrote a Node.js module. Since the InfoSec sap shouldn't even have been tasked with this ridiculous ask, and he's got 10,000 of them to send, he sends a form letter.
stavros, over 3 years ago

I haven't seen anyone here comment on this, but I loved "Hi David" in response to Daniel's reply.
sandworm101, over 3 years ago

Not every open source project is run by the little guy. I want to see a security vulnerability in something like AES. Then the complaint emails demanding answers in 24 hours would be going to nsa.gov addresses.

Anyone leading a shareholder action would love to see these emails. They are basic admissions that the company doesn't know how or from where it gets essential software.
bartread, over 3 years ago

This is golden and characterises a surprising amount of my experience of communications with large corporations:

> Thank you for your reply. Are you saying that we are not a customer of your organization?

It's just so beautifully orthogonal. Oh, and they got his name wrong in the salutation.
cryptonector, over 3 years ago

> Are you saying that we are not a customer of your organization?

LOL.
notyourwork, over 3 years ago

I find it a bit sad that a tech literate group is bashing a non-literate group of people. The entire reason your salary is much larger than many other career paths is because of your ability to deal with technology. The premise that when the less educated and informed try to question something they don't understand they are only to be left with pandering and jabs is disingenuous. The questions, although perhaps better phrased by someone with a more tech focused background, are fine questions for a business to ask. Stop being douchebags and grow up.
Bedon292, over 3 years ago

It reads like this was a form letter that was to be sent out to all their actual paid partners, and after the massive game of telephone that is corporate hierarchy, it somehow became all dependencies they had contacts for. And somewhere someone filled out a form, probably years ago, with his email on it as the maintainer of a dependency they use (because leaving it blank isn't allowed). And he got caught up in that mass email. Totally dumb, but I can also easily see how it can happen.
slim, over 3 years ago

I think Daniel's reaction is appropriate and well thought out. One can suppose thousands of these emails asking for free work have been sent. There is close to zero chance his demand for a support contract would get past the first filter. Whereas making a blog post about it makes for a good story and also has more chance of getting the attention of the right people at this company. Even if it's slightly aggressive.
devit, over 3 years ago

The document uses a monospace font, and the redacted name can be seen to be 10 characters long.

Based on the 2019 Fortune 500 list, that gives these possible candidates: Activision, Alaska Air, Albertsons, Altice USA, Amazon.com, Ameriprise, AutoNation, BB&T Corp., Bed Bath &, Blackstone, Booz Allen, BorgWarner, Burlington, CBRE Group, Chesapeake, CMS Energy, CVS Health, Dean Foods, DTE Energy, Enterprise, Eversource, Expeditors, Fannie Mae, First Data, Ford Motor, Home Depot, Huntington, JM Smucker, Jones Lang, Laboratory, Mastercard, McDonald's, Murphy USA, Nationwide, News Corp., NGL Energy, NRG Energy, Occidental, PBF Energy, Prudential, PulteGroup, S&P Global, State Farm, Unum Group, US Bancorp, WEC Energy, Windstream, World Fuel, WR Berkley, Yum Brands
specialist, over 3 years ago

Tangent:

Wasn't Java's SecurityManager stuff supposed to prevent these kinds of exploits?

I haven't used log4j for ages, so I didn't know offhand. Somewhat curious, I gleaned that none of the enterprisey stacks use SecurityManager. I guess I kinda understand; SecurityManager was fashioned and pitched for an ecosystem of applets, agents, and sandboxes.

Further, I then gleaned there's a JSR to outright remove SecurityManager. With no apparent replacement, just some vague advice to roll your own capabilities based system.

So, however we got here, what's the plan? Run JVMs on top of something like OpenBSD's pledge?
dudeinjapan, over 3 years ago

More accurately, "a clueless IT lackey at a Fortune 500 company" sent the mail. I doubt the chairman was pounding the board table and barking "We demand answers from Haxx!"
kzrdude, over 3 years ago

I wonder what their reply is about. They probably have no idea what/who they are really talking to, and it's probably not some kind of legal trap.
aero-glide2, over 3 years ago

Reads like an automated email they sent to many people.
aahortwwy, over 3 years ago

Is there a product out there that makes it easy for open source maintainers to offer enterprise support services?

I think support is probably the best way of making money from open source, but a lot of maintainers are unlikely to have everything set up to do so (business entities, contracts, ways to receive payment, probably a dozen other things that you'd never think of, etc.).

Like Stripe Atlas for open source consulting?
bastardoperator, over 3 years ago

Rather than asking for a support contract, because I don't really want to support anyone like this long term, I would have sent an invoice... If it gets paid, I answer the questions; if it doesn't, everyone knows where everyone stands. I also think it's easier to get an invoice paid than to negotiate a support contract.
rdiddly, over 3 years ago

A tangential point, and granted it's been around and rightly ridiculed since probably the 90s, but how 'bout that classic signature about CONFIDENTIALity? It's like the icing on the don't-know-how-computers-work cake!
phendrenad2, over 3 years ago

You can learn a lot from this. This is how efficient companies operate. No one who knows the difference between C and Java was involved in the sending of this letter. If they were, that would be a waste of resources.
alkonaut, over 3 years ago

If you want a company to change their behavior, give them a reason to do so. Daniel has quite a platform, being a well known maintainer, but instead of using that platform to shame the company in question, he politely emails back the person sitting with an outdated excel sheet of 500 suppliers. That person didn't decide that the "email everyone on this list demanding info" strategy was a good idea.

To actually make a difference when you have a platform, use it. Tweet-shame them so that the fallout actually reaches the manager in question. This is just complaining about a behavior while at the same time more or less doing everything possible to encourage that behavior.
zeroesandones, over 3 years ago

Seems like it's automated; they must be aware it's OSS.
louissan, over 3 years ago

https://xkcd.com/2347/
jandrese, over 3 years ago

I have a feeling that some security automaton at a major corporation is about to have their mind blown when they discover the world of Open Source Software. They had absolutely no idea that non-commercial software was even a thing.
josephcsible, over 3 years ago

Why black out the company name? Confidentiality notices at the bottom of emails aren't legally binding, especially when it's an unsolicited email from a company you have no relationship with.