So many misconceptions in this story:
1. log4j wasn't a software development issue
2. CEOs aren't going to help you solve the problem
3. the problem doesn't need government help
cnn.com/2021/12/23/pol…
The log4j vulnerability wasn't an accidental bug, but a deliberate feature. Trying to apply heavy-weight secure software development practices would require 10x as many engineers and still would let problems like this slip through.
It's not "process" but "clue" that was missing. You could bring your engineers together for weeks of "threat modeling", but unless an engineer had a clue about how injection vulnerabilities work, or how JNDI works, you aren't going to get anywhere.
Secure software development is like "Agile": it works if you've got skilled talent, but 90% of the time you don't, so people are wasting a lot of time going through the motions pretending they are doing it without getting the benefits.
Now let's talk CEOs: they are useless. Their sole job is to further the interests of their company. When you bring them together in order to ask what to do about log4j, each CEO is trying to exploit the situation to the advantage of their company.
No, they aren't bad people. It's the same reason you don't put your lovely fluffy cat inside the bird cage. It's simply about recognizing their nature.
Whenever there is a major cyber event, the government tries to help. But most of these things resolve themselves on their own. We haven't seen a repeat of Mirai, for example.
Essentially, log4j met those security standards. Such executive orders raise the price of products while doing little to solve the problem. Such standards mean the government makes itself more of a threat than the hackers: comply or else!
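The "deliberate feature, not accidental bug" point above can be made concrete with a toy model of log4j-style `${name:key}` message lookups. This is an added example, not code from the thread or from log4j: the resolver table and the log lines are constructed, and the only thing it shows is that the same lookup feature is harmless when it runs over the developer's format string and becomes an injection when it runs over the assembled message containing untrusted data.

```python
"""Toy model of log4j-style message lookups (illustrative, not log4j itself)."""
import re

# Matches the innermost "${name:key}" (no nested braces), so nested lookups resolve inside-out.
LOOKUP = re.compile(r"\$\{([A-Za-z]+):([^{}]*)\}")

# Constructed resolver table standing in for a logger's built-in lookups.
RESOLVERS = {
    "env": {"HOSTNAME": "app-01", "REGION": "eu-west"}.get,
    "lower": str.lower,
}

def resolve_lookups(text: str, max_rounds: int = 10) -> str:
    """Expand lookups until nothing changes; unknown lookups are left as written."""
    for _ in range(max_rounds):
        def expand(m: re.Match) -> str:
            fn = RESOLVERS.get(m.group(1))
            val = fn(m.group(2)) if fn else None
            return m.group(0) if val is None else val
        new = LOOKUP.sub(expand, text)
        if new == text:
            return text
        text = new
    return text

def substitute(fmt: str, args) -> str:
    """Plain '{}' parameter substitution with no lookup processing at all."""
    for a in args:
        fmt = fmt.replace("{}", str(a), 1)
    return fmt

def vulnerable_log(fmt: str, *args) -> str:
    """Parameters first, then lookups over the whole message: user data gets interpreted."""
    return resolve_lookups(substitute(fmt, args))

def hardened_log(fmt: str, *args) -> str:
    """Lookups only over the developer-controlled format string; user data stays inert."""
    return substitute(resolve_lookups(fmt), args)

def looks_like_lookup(value: str) -> bool:
    """Detection hook for untrusted fields: flag lookup syntax for review before logging."""
    return "${" in value

if __name__ == "__main__":
    untrusted = "${lower:${env:HOSTNAME}}"  # constructed user-controlled input
    print(vulnerable_log("[${env:REGION}] login by {}", untrusted))  # data expanded
    print(hardened_log("[${env:REGION}] login by {}", untrusted))    # data kept literal
    print(looks_like_lookup(untrusted))                               # True
```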