"...The level of ignorance and incompetence shown in this single email is mind-boggling...no code I’ve ever been involved with or have my copyright use log4j and any rookie or better engineer could easily verify that..."
Yeah, well, I've been quite shocked how rookie some F500 devs can be and how dysfunctional large corporations can also be. Probably what happened here is someone wrote a script that compiled the dependencies of all projects they have and they sent this same email to all of them (!) regardless of any actual or potential use of log4j.
We used to joke about doing this at my last company. We knew for a fact that our accounts payable folks frequently paid invoices without doing any verification that they were valid.
I'm willing to guess this happens a lot more than people realize. I doubt we were the only people joking about it. People joke, other people hear, some of those follow up with action. The smart ones keep quiet and stop well before getting to $122M.
When I worked at a large, but not F500, company I had to once every 6-12 month or so fill in a spreadsheet with all third-party dependencies, with their licenses and some other info, the project I was working on used. I then emailed this to a mystery person and never heard anything back ever. I can easily see someone pulling out these spreadsheets and just emailing away without any developer, rookie or otherwise, being aware of what was happening.
Yeah, but that's still a dumb thing to do. They're basically delegating their IT infrastructure's security status to some low-level help in the legal department. What could possibly go wrong?
Your story is all too common. Have you ever seen that old TV show Lost? I think these kinds of stories are the reason why pointlessly pushing the button in that show was such a popular and memorable trope. Things that people "have to do" but no one knows why, and they just keep doing it over and over...because what if? I feel your pain
It's a reply to David/Daniels email to the F500 org. The dev didn't post a screenshot of their reply, but they mentioned this - "I answered the email very briefly and said I will be happy to answer with details as soon as we have a support contract signed."
well said, and these companies have way too many lawyers with free time to keep suing you, even if you are right and the judge solves the case in your favour, not always it is required to cover legal expenses and the amount of legal fees burned on it won't worth.
Fixed fee or monthly "support contract", with minimum of 1year.
That would be fraud. No, start grep on the source code and a few things like that, then provide the results: "a detailed audit found no reference to log4js, so another audit was started which found no reference to any java code in the C source; it was repeated 5 times to confirm these promising results. Another audit followed the Boltzman brain hypothesis to check if the affected log4js binary code could not be spontaneously generated during compilation, by following a Monte Carlo simulation to check for various length of binary data that would match the log4j binary code. (...)
Finally, to avoid this extremely remote risk, the code changed to switch to reproducible builts, which can guarantee this will not happen"
There's no need to have actual interns read it, that would be unnecessarily cruel. Service fees don't need to be based on actual billable hours. You can charge 400% of the time it would take interns to read it without actually doing that, as long as your grep one-liner delivers the same value.
There was a HN post about selling to the Enterprise market. Doing it the way that was described there would be. Also, to not perform a scam as other posts here would be.
1. Insist that you need to talk to upper management until you get to the CEO.
2. Once there you need to sell them on a Fixed fee contract for five engineers so let’s say $1MM or more
3. Actually create a few scripts that run the log4j scanner from Google.
4. Have an extended support contract by doing this yearly at $1MM.
You'd probably need all of the 10 days to fight through all of their supplier management forms, answer pointless questions about security certifications, people involved and if you do business with iran.
>Just because F500 companies are big, stupid, slow and greedy, doesn't exactly make stealing right.
That is precisely why it's right. These capitalists have stolen our labour, and corrupted our politics for centuries. `Stealing` it BACK is the ONLY way history has shown us works.
As far as I learned, a couple of big companies are sending this kind of mail to every provider, partner or copyright owner of code that they could find.
I assume some developer/supplier used curl and provided a list of third party code and licenses they use.
In the aftermath of the log4j incident, companies now target everyone about this issue partly to learn about potential exposure that they are not aware yet, eg exploited infrastructure of depending services like newsletter or analytics services.
Yes, it's annoying and pointless to spam this mails to open source projects. But at least someone is now behind auditing the supply chain.
It's a really dumb approach to vulnerability management for CYA. Spray and pray that the regulators are assuaged. It might even work as far as that goes.
But obviously, it's not a sound approach to actual vulnerability management.
The first email looks like someone who had zero idea of what they were doing, just did some dependency scanning and got your name/email there, probably these emails were sent to everything that they could find.
Quite well handled, not arrogant, not bending over and doing whatever they say, but being honest.
If curl is impacted or not, may not really matters for them, usually these companies go after compliance and someone who they can blame when things go wrong.
In a Fortune 500 company, I'd imagine it could be quite difficult to definitively prove that they are not a customer of any one organization.
The company I work for is not Fortune 500, but we have several Fortune 500 customers. The amount of inane bullshit we have to deal with as a result is mind-boggling.
I recall an incident of large company paying whatever bill they receive and only to find out that they never had a contract with some of the companies and never receiving any service.
If it makes you feel better, it goes both ways; I once signed up for a utility, got service, and discovered months later that they somehow completed the paperwork to give me service but not to actually bill me.
I would bet this was sent out to a list that was put together that contained all of their "partners" which was in turn compiled from various other spreadsheets. Including one that had a 'support contact' column, or something like that and they assumed any that had that value was a partner. Over the course of the 6 years that the sheet has been cut and paste in various formats, they completely lost where any of it came from in the first place.
I think it is pretty easy to see how this sort of thing happens:
1. Someone decides that we need inventory of all the libraries used (iirc requirement for some certifications and generally not a bad practice)
2. A system (/excel sheet) is enrolled where you have fields like $our_product, $library_used, $vendor_email
3. A dev, not quite understanding the point, dutifully fills in the data for the project they are working on
4. No-one reviews the data
5. Crisis strikes, so mass-send email to all vendors how they are handling it
Problem here is around point 4.; for the process to work, someone should have reviewed the data to check that the used libraries are from vendors with some sort of support arrangement.
I think the reply they provided is pretty promising, it makes it sound like they wanted to be a customer but are not only due an oversight.
For everyone boggling at the tone of the email, stop for a moment and have a guess at how many different sources of software they think the average large corp has on their books let alone on their infra. It can literally be hundreds or thousands of different sources. And each of those will have their own topology.
This is clearly a scatter-gun survey because they're realised they really have no idea of their exposure. (And before you re-boggle at that, there's a whole business ecosystem in just being able to answer that question let alone do anything about security issues.)
Generally this is an accurate take. I'd add two things:
> ...because they're realised they really have no idea of their exposure.
This is partially because it is often non-engineers being asked to figure this out. The "information security analysts" at F500s are asked to do a lot of unfair work, such as analyze risks related to decades-old software they didn't build.
> ...there's a whole business ecosystem in just being able to answer that question let alone do anything about security issues.
The first part (answering "what dependencies does my software have") isn't inherently bad. I'd emphasize the underinvestment in the second part more.
>> The "information security analysts" at F500s are asked to do a lot of unfair work, such as analyze risks related to decades-old software they didn't build.
I think that's putting it mildly. When it comes to responding, they'll look around and find that they only have a small number of full-time employees with the skills to partake in a response. Most of the IT organization will be dependent on vendors who struggle during the best times while their leadership has the ear of the CIO because IT is only viewed as cost.
The full-time employees will frequently be the real heroes, but when the incident passes this won't be recognized. Things will repeat themselves with the next major vulnerability discovered, but the organization may find that they have even fewer employees at that point to lead a response.
Also, for any FOSS author who gets one or more of these inquiries don't laugh it off or write blog posts mocking the sender. Take it as the business opportunity it is and send a professional response indicating your willingness to help them navigate through this, at least as it relates to your bit of code, for customers with paid support plans. You want money, they have money and you can trivially provide them something at least some of them are willing to pay up for with a potential opportunity for a non-trivial longer term relationship.
This is the best kind of sales call: they are coming to you.
I find it a bit sad that a tech literate group is bashing a non-literate group fo people. The entire reason your salary is much larger than many other career paths is because of your ability to deal with technology. The premise that when the less educated and informed try to question something they don't understand only to be left with pandering and jabs is disingenuous. The questions although perhaps better phrased by someone with a more tech focused background are fine questions for a business to ask. Stop being douchebags and grow up.
I had the same thought - the e-mail really wasn't that unreasonable, coming from the perspective of somebody who didn't realize there was no support contract in place (and maybe didn't even understand how that could happen). Haxx's response seems similarly reasonable - we don't have a support contract, let's get one in place and then move forward from there. This really seems to be an object lesson that if you're depending on somebody for business-critical infrastructure, make sure they have a reason to support your business.
I agree, the response was reasonable. My frustration is with this hackernews thread and the constant judgement and snarky attitude we give to less tech literate folks. If everyone understood tech, we wouldn't be paid nearly the salaries we are for what we do.
I find it sad that the security department of a Fortune 500 company is sending out emails demanding OSS maintainers respond within 24 hours or else.
You can feel sorry for the poor sap that was forced to embarrass himself, but it doesn't change the fact that everyone here feels like that company can get bent.
Why should the company get bent? Because some executive caught wind of a critical zero day and decided to have their company mitigate damage the same as any other company.
Do you really think the security department in this specific company would not find this email dumb? In many cases, when things are reacted to hastily and in parallel its easy to take one action and generalize it to the whole company and not realize this is one of many actions the company took. No need to get bent out of shape over this and say this entire fortune 500 company is equally incompetent. If you think that you are not living in reality.
> I find it a bit sad that a tech literate group is bashing a non-literate group fo people.
Creating a software bill of materials is a technical task. Managing software security risk is a technical task. These need to be performed by a technically literate person.
A Fortune-500 company has the resources to pay for such technical competence. They are not a mom-and-pop shop.
No Fortune-500 CEO would get their teeth done by a fly-by-night "dentist", nor would they hire "builders" who can't nail two planks together. They would pay for the expertise. If they don't know how to find the expert they would pay for the expertise of finding the expert first and then they would pay for the expertise.
But this is not what they did. They found someone who is both lacking the necessary technical common sense and is terribly arrogant. That is worthy of ridicule. And I'm not ridiculing the individual employee but the whole company.
> The premise that when the less educated and informed try to question something they don't understand only to be left with pandering and jabs is disingenuous.
That idea flies when a student is lost in the woods. When an economic juggernaut combines technical illiteracy with a lack of tack they can get the sharp ends of our tongues.
> The entire reason your salary is much larger than many other career paths is because of your ability to deal with technology.
Won't be for long if we silently support huge companies to employ muppets. Which is why asking for a support contract is the right answer here.
OK, a large corporation legal team doesn't understand the nuance of ownership of open-source software.
Do we mock every single open source guy who displays the same amount of cluelessness about the inner workings of a business because I see plenty of that displayed here and everywhere else.
Exactly, everything is a Search problem. Most organizations (recruiters, sales) have their own efficient Search algorithms. Unless you know the intricacies of that, you deserve to be mocked for displaying ignorance.
It's as dumb as mocking scammers for their methods. They are effective in their own way. Just because it didn't apply for you, doesn't mean they aren't making money out of this -- which is their ultimate goal. Their goal is not to satisfy your ego and custom tailor a message to you
Yes, the idea that this company paid a lawyer to go through its tech stack and figure out who owns the code relied upon by the company is fairly ridiculous. Either a lawyer drafted a template email for the company to send to its suppliers, or a lawyer (read: intern) was given a list of suppliers to email on behalf of the company, or a lawyer wasn't involved at all.
But in software communities (and particularly in FOSS communities) tech people can do no wrong; every time a tech company does an aggressive or foolish or otherwise objectionable thing, there must be a dastardly lawyer somewhere pulling the strings.
Nuance is, you don't even know what the end goal of the communication is.
It's as dumb as mocking a scam email/phone call telling "You are so wrong about me". The end goal of the scammer is to make money for the total time he put.
Sure, the scammer can go in great detail about your life and tailor the scamming for you, but that's not his best ROI. His best ROI is a generic message sent to everyone.
Welcome to Corporate Life. Somebody at the top says "Make sure we find out from all vendors what their log4j impact is", and that trickles down until some poor sap in InfoSec is told to do it. And of course "all vendors" includes "open source vendors", aka some dude named Carl in Uzbekistan who wrote a Node.js module. Since InfoSec sap shouldn't even have been tasked with this ridiculous ask, and he's got 10,000 of them to send, he sends a form letter.
I have a feeling that some security automaton at a major corporation is about to have their mind blown when they discover the world of Open Source Software. They had absolutely no idea that non-commercial software was even a thing.
Not every open source project is run by the little guy. I want to see a a security vulnerability in something like AES. Then the complaint emails demanding answers in 24 hours would be going to nsa.gov addresses.
Anyone leading a shareholder action would love to see these emails. They are basic admissions that the company doesn't know how or from where it gets essential software.
Many organizations document their 3rd party vendors and libraries and it doesn't surprise me that an automated email reached Daniel. Most likely someone mis-documented using one of Daniel's projects in a spreadsheet.
I am personally a bit surprised about the responses here. It is completely reasonable for this email to reach Daniel and is most likely an artifact of bad documentation by engineers in the company. At the scale this company is running the person/team sending out these emails do not have time to dig in and understand each dependency they are sending emails on.
The response is as simple as "What library/product does this email pertain to?", "Please see the licenses for the libraries or products in question.", and what Daniel responded with as well: "I would be willing the dig in further for specific questions with a support contract.".
> At the scale this company is running the person/team sending out these emails do not have time to dig in and understand each dependency they are sending emails on.
That alone is extremely disrespectful, it means they couldn't care less about the time of open source software maintainers. To say nothing of their "request" for review.
It's not about open source maintainers. This isn't an "open source" problem further than the fact that Daniel's software is used in a product they are using. Daniel could take a couple of seconds to ignore this email and there was very little time wasted.
The real "disrespect" should be whatever engineer put Daniel's name into the spreadsheet that blasted out these emails. Someone didn't do their job and is checking a box. How is the (possibly non-technical) person that is required for managing 100s of vendors and thousands of open source libraries supposed to verify all of that information?
I'm personally happy to hear that this company is trying to do SOMETHING to make sure that Log4j is patched even if it's a bit incompetent in it's implementation. There is not malice here.
Yep, it can/will happen. My assumption is that this is related to Curl, which has a pretty well documented license. Responding to emails like this with an automated email pointing to the license at https://github.com/curl/curl/blob/master/COPYING seems like an obvious thing to have setup.
Namely: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
OR OTHER DEALINGS IN THE SOFTWARE.
> The real "disrespect" should be whatever engineer put Daniel's name into the spreadsheet that blasted out these emails.
Agree 100%. Any engineer that got far enough to put this email address into a spreadsheet knew damn well it was inappropriate to do so. They should have put their own email address, as they made the choice to use downloaded software in their project and become responsible for that decision.
Not in this context. This wasn't spam, this was a person with the information they had trying to close the loop on some information an engineer put into a a spreadsheet. This message was not "irrelevant" in the context that the person sending it had. This was not a robocall trying to extort money.
As I noted in another thread: A simple response pointing to the license should be the default response to requests like this which can be automated.
More accurately "a clueless IT lackey at a Fortune 500 company" sent the mail. I doubt the chairman was pounding the board table and barking "We demand answers from Haxx!"
It's signed off "Information Security". The template email might have been drafted by legal/compliance, but it is surely for the IT guys to figure out what code they use in their tech stack and lead those discussions.
Why black out the company name? Confidentiality notices at the bottom of emails aren't legally binding, especially when it's an unsolicited email from a company you have no relationship with.
>Why black out the company name? Confidentiality notices at the bottom of emails aren't legally binding, especially when it's an unsolicited email from a company you have no relationship with.
This was addressed directly within the linked blog post:
> In my tweet and here in my blog post I redact the name of the company. I most probably have the right to tell you who they are, but I still prefer to not. (Especially if I manage to land a profitable business contract with them.)
You can learn a lot from this. This is how efficient companies operate. No one who knows the difference between C and Java was involved in the sending of this letter. If they were, that would be a waste of resources.
>>I answered the email very briefly and said I will be happy to answer with details as soon as we have a support contract signed.
This made my day. If a wealthy individual takes your tools and then calls for help while fixing-up their shed with said tools, do not move a muscle until you agree on the fee.
I expect they'll gladly sign a support contract with Daniel.
As a commercial SaaS vendor we received these same emails from all of the major banks / insurance companies. It's interesting to see that we got some on the Monday after the issue was discovered and some a few weeks later, with some showing a clear understanding of the risk in the context of our product and some looking like a standard copy/paste. Gives you a rare behind-the-scenes view of the information security practices of these companies.
127 comments
[ 2.9 ms ] story [ 207 ms ] threadYeah, well, I've been quite shocked how rookie some F500 devs can be and how dysfunctional large corporations can also be. Probably what happened here is someone wrote a script that compiled the dependencies of all projects they have and they sent this same email to all of them (!) regardless of any actual or potential use of log4j.
https://www.ign.com/articles/2019/03/26/man-steals-122-milli...
I'm willing to guess this happens a lot more than people realize. I doubt we were the only people joking about it. People joke, other people hear, some of those follow up with action. The smart ones keep quiet and stop well before getting to $122M.
"We are happy to provide you with support regarding this issue for $5000/day"
Then if they accept, proceed to do nothing for 10 days, then reply you find none of your code is impacted and they are safe then bill them $50k.
Fixed fee or monthly "support contract", with minimum of 1year.
That would be fraud. No, start grep on the source code and a few things like that, then provide the results: "a detailed audit found no reference to log4js, so another audit was started which found no reference to any java code in the C source; it was repeated 5 times to confirm these promising results. Another audit followed the Boltzman brain hypothesis to check if the affected log4js binary code could not be spontaneously generated during compilation, by following a Monte Carlo simulation to check for various length of binary data that would match the log4j binary code. (...)
Finally, to avoid this extremely remote risk, the code changed to switch to reproducible builts, which can guarantee this will not happen"
Or print it out on hard copy, make interns read it line by line, then charge 400% of their labor as your management fee.
What's the purpose of using regexps here? You're optimizing away your own revenue!
1. Insist that you need to talk to upper management until you get to the CEO.
2. Once there you need to sell them on a Fixed fee contract for five engineers so let’s say $1MM or more
3. Actually create a few scripts that run the log4j scanner from Google.
4. Have an extended support contract by doing this yearly at $1MM.
Hopefully you don't do that or encourage others to. Just because F500 companies are big, stupid, slow and greedy, doesn't exactly make stealing right.
That is precisely why it's right. These capitalists have stolen our labour, and corrupted our politics for centuries. `Stealing` it BACK is the ONLY way history has shown us works.
I assume some developer/supplier used curl and provided a list of third party code and licenses they use.
In the aftermath of the log4j incident, companies now target everyone about this issue partly to learn about potential exposure that they are not aware yet, eg exploited infrastructure of depending services like newsletter or analytics services.
Yes, it's annoying and pointless to spam this mails to open source projects. But at least someone is now behind auditing the supply chain.
But obviously, it's not a sound approach to actual vulnerability management.
Quite well handled, not arrogant, not bending over and doing whatever they say, but being honest.
If curl is impacted or not, may not really matters for them, usually these companies go after compliance and someone who they can blame when things go wrong.
Isn't this the sort of question you'd ask your own side, first?
The company I work for is not Fortune 500, but we have several Fortune 500 customers. The amount of inane bullshit we have to deal with as a result is mind-boggling.
LOL.
1. Someone decides that we need inventory of all the libraries used (iirc requirement for some certifications and generally not a bad practice)
2. A system (/excel sheet) is enrolled where you have fields like $our_product, $library_used, $vendor_email
3. A dev, not quite understanding the point, dutifully fills in the data for the project they are working on
4. No-one reviews the data
5. Crisis strikes, so mass-send email to all vendors how they are handling it
Problem here is around point 4.; for the process to work, someone should have reviewed the data to check that the used libraries are from vendors with some sort of support arrangement.
I think the reply they provided is pretty promising, it makes it sound like they wanted to be a customer but are not only due an oversight.
There is a large time gap between 4 and 5 - and it seems everyone forgets who they hired for that supply chain "analysis" many moons ago.
This is clearly a scatter-gun survey because they're realised they really have no idea of their exposure. (And before you re-boggle at that, there's a whole business ecosystem in just being able to answer that question let alone do anything about security issues.)
> ...because they're realised they really have no idea of their exposure.
This is partially because it is often non-engineers being asked to figure this out. The "information security analysts" at F500s are asked to do a lot of unfair work, such as analyze risks related to decades-old software they didn't build.
> ...there's a whole business ecosystem in just being able to answer that question let alone do anything about security issues.
The first part (answering "what dependencies does my software have") isn't inherently bad. I'd emphasize the underinvestment in the second part more.
I think that's putting it mildly. When it comes to responding, they'll look around and find that they only have a small number of full-time employees with the skills to partake in a response. Most of the IT organization will be dependent on vendors who struggle during the best times while their leadership has the ear of the CIO because IT is only viewed as cost.
The full-time employees will frequently be the real heroes, but when the incident passes this won't be recognized. Things will repeat themselves with the next major vulnerability discovered, but the organization may find that they have even fewer employees at that point to lead a response.
This is the best kind of sales call: they are coming to you.
You can feel sorry for the poor sap that was forced to embarrass himself, but it doesn't change the fact that everyone here feels like that company can get bent.
Do you really think the security department in this specific company would not find this email dumb? In many cases, when things are reacted to hastily and in parallel its easy to take one action and generalize it to the whole company and not realize this is one of many actions the company took. No need to get bent out of shape over this and say this entire fortune 500 company is equally incompetent. If you think that you are not living in reality.
Creating a software bill of materials is a technical task. Managing software security risk is a technical task. These need to be performed by a technically literate person.
A Fortune-500 company has the resources to pay for such technical competence. They are not a mom-and-pop shop.
No Fortune-500 CEO would get their teeth done by a fly-by-night "dentist", nor would they hire "builders" who can't nail two planks together. They would pay for the expertise. If they don't know how to find the expert they would pay for the expertise of finding the expert first and then they would pay for the expertise.
But this is not what they did. They found someone who is both lacking the necessary technical common sense and is terribly arrogant. That is worthy of ridicule. And I'm not ridiculing the individual employee but the whole company.
> The premise that when the less educated and informed try to question something they don't understand only to be left with pandering and jabs is disingenuous.
That idea flies when a student is lost in the woods. When an economic juggernaut combines technical illiteracy with a lack of tack they can get the sharp ends of our tongues.
> The entire reason your salary is much larger than many other career paths is because of your ability to deal with technology.
Won't be for long if we silently support huge companies to employ muppets. Which is why asking for a support contract is the right answer here.
Do we mock every single open source guy who displays the same amount of cluelessness about the inner workings of a business because I see plenty of that displayed here and everywhere else.
You are all are supposed to be smart software engineers. Probably know about pre-mature optimization and efficient path.
Here's a secret about communications -- Mass emailing works and is very efficient.
I'm sure you are the same person who rants about a recruiter reaching out to you even though you are the creator of Python.
Reading through everyone's resume and tailoring a message is a waste of time and has the worst ROI for any salesperson.
"But Ha Ha Ha, you guys are clueless about not knowing operational efficiency of an mass communications. Ha Ha Ha"
Yeah, that's exactly how this sounds if the other side mocks HN/Engineers the same way you mock Sales and other "mass-outreach programs"
Especially for the sender.
I also bet that the list of dependencies they used for this mass email was probably not generated by a lawyer.
It's as dumb as mocking scammers for their methods. They are effective in their own way. Just because it didn't apply for you, doesn't mean they aren't making money out of this -- which is their ultimate goal. Their goal is not to satisfy your ego and custom tailor a message to you
But in software communities (and particularly in FOSS communities) tech people can do no wrong; every time a tech company does an aggressive or foolish or otherwise objectionable thing, there must be a dastardly lawyer somewhere pulling the strings.
And "Ha Ha Ha You, for not knowing that"
It's as dumb as mocking a scam email/phone call telling "You are so wrong about me". The end goal of the scammer is to make money for the total time he put. Sure, the scammer can go in great detail about your life and tailor the scamming for you, but that's not his best ROI. His best ROI is a generic message sent to everyone.
Oh and "Ha Ha Ha, that you don't know that"
Anyone leading a shareholder action would love to see these emails. They are basic admissions that the company doesn't know how or from where it gets essential software.
I am personally a bit surprised about the responses here. It is completely reasonable for this email to reach Daniel and is most likely an artifact of bad documentation by engineers in the company. At the scale this company is running the person/team sending out these emails do not have time to dig in and understand each dependency they are sending emails on.
The response is as simple as "What library/product does this email pertain to?", "Please see the licenses for the libraries or products in question.", and what Daniel responded with as well: "I would be willing the dig in further for specific questions with a support contract.".
That alone is extremely disrespectful, it means they couldn't care less about the time of open source software maintainers. To say nothing of their "request" for review.
The real "disrespect" should be whatever engineer put Daniel's name into the spreadsheet that blasted out these emails. Someone didn't do their job and is checking a box. How is the (possibly non-technical) person that is required for managing 100s of vendors and thousands of open source libraries supposed to verify all of that information?
I'm personally happy to hear that this company is trying to do SOMETHING to make sure that Log4j is patched even if it's a bit incompetent in it's implementation. There is not malice here.
That's how a log4j security audit becomes an Oracle licensing debacle.
Namely: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Agree 100%. Any engineer that got far enough to put this email address into a spreadsheet knew damn well it was inappropriate to do so. They should have put their own email address, as they made the choice to use downloaded software in their project and become responsible for that decision.
So, in your opinion, sending spam or robocalls is not in the least bit disrespectful to whomever is on the receiving end?
As I noted in another thread: A simple response pointing to the license should be the default response to requests like this which can be automated.
It's explained in the article.
> In my tweet and here in my blog post I redact the name of the company. I most probably have the right to tell you who they are, but I still prefer to not. (Especially if I manage to land a profitable business contract with them.)
This made my day. If a wealthy individual takes your tools and then calls for help while fixing-up their shed with said tools, do not move a muscle until you agree on the fee.
As a commercial SaaS vendor we received these same emails from all of the major banks / insurance companies. It's interesting to see that we got some on the Monday after the issue was discovered and some a few weeks later, with some showing a clear understanding of the risk in the context of our product and some looking like a standard copy/paste. Gives you a rare behind-the-scenes view of the information security practices of these companies.