by netwo233gur 1649 days ago
I don't know how you can say this... a closed source vuln of this severity would be patched almost immediately. See: any vuln of this severity on iOS or Windows.

On the contrary, the log4j incident is an excellent example of how relying on open source for security completely failed. This vuln existed for years, all while being open to security researchers to find it. They didn't. Instead, there is evidence that black hats found the vuln first (perhaps because log4j is open source?).


There's no clear winner between open and closed source, but that's just wrong. Vendors have and will continue to bury (under threat of violation of the CFAA or civil lawsuit) vulnerabilities to prevent hackers from disclosing said vulnerability, rather than fix them. That's also why Google's Project Zero gives a hard 90-day deadline to vendors for patching found vulnerabilities, and they got a lot of flak early on for disclosure.
I literally have not heard a more naive statement on this site, ever. If you work in IT, please educate yourself on this. I'm serious.
I'm a senior security engineer at a FAANG. You're completely oblivious to the state of security today if you think anything in my comment was naive.

Please, let's continue this back-and-forth of condescension. It's really productive. /s

Apologies for the tone, but the content of my point 100% stands. For what it's worth, I have dear friends at multiple FAANGs who I'd die for -- who nonetheless strongly appear to have a wildly overinflated sense of their own cybersec, in a big picture "missing the Black Swans" sort of way -- if the past is any indicator.

Maybe it's not, maybe you guys have drastically improved things. What makes me strongly doubt it is that we still haven't seen substantial liability or other consequences for bad or negligent actors in this space.

> maybe you guys have drastically improved things.

FAANG security is just like everywhere else: mixed. There are mixed levels of knowledge & experience, and mixed views: i.e. even though there's a lot of consensus on high-level tenets and frameworks, like e.g. Google's BeyondCorp stuff (along with some certain security 101 stuff that's been discussed for the past 138 years), you'll always get engineers who don't like X or Y. Just like anywhere else.

Nothing is a continuum.