by softwarebeware 1605 days ago
"...The level of ignorance and incompetence shown in this single email is mind-boggling...no code I’ve ever been involved with or have my copyright use log4j and any rookie or better engineer could easily verify that..."

Yeah, well, I've been quite shocked how rookie some F500 devs can be and how dysfunctional large corporations can also be. Probably what happened here is someone wrote a script that compiled the dependencies of all projects they have and they sent this same email to all of them (!) regardless of any actual or potential use of log4j.


When I worked at a large, but not F500, company I had to once every 6-12 months or so fill in a spreadsheet with all third-party dependencies the project I was working on used, with their licenses and some other info. I then emailed this to a mystery person and never heard anything back ever. I can easily see someone pulling out these spreadsheets and just emailing away without any developer, rookie or otherwise, being aware of what was happening.
Yeah, but that's still a dumb thing to do. They're basically delegating their IT infrastructure's security status to some low-level help in the legal department. What could possibly go wrong?
Your story is all too common. Have you ever seen that old TV show Lost? I think these kinds of stories are the reason why pointlessly pushing the button in that show was such a popular and memorable trope. Things that people "have to do" but no one knows why, and they just keep doing it over and over...because what if? I feel your pain.
Let's hope they apply a similar amount of due diligence when the author responds with an offer to look into it for $800/hr with a 20 hour minimum.
We used to joke about doing this at my last company. We knew for a fact that our accounts payable folks frequently paid invoices without doing any verification that they were valid.

I'm willing to guess this happens a lot more than people realize. I doubt we were the only people joking about it. People joke, other people hear, some of those follow up with action. The smart ones keep quiet and stop well before getting to $122M.

I'm not even mad.