Alibaba researchers went rogue and disclosed Log4j now CCP is making Alibaba pay (twitter.com)
To save you a click: https://www.scmp.com/tech/big-tech/article/3160670/apache-lo...
The HN link links to a twitter post that links to the above link.
Yes, and that original source already had a major thread:
Apache Log4j bug: China’s industry ministry pulls support from Alibaba Cloud - https://news.ycombinator.com/item?id=29658342 - Dec 2021 (187 comments)
Submitters: "Please submit the original source. If a post reports on something found on another site, submit the latter." https://news.ycombinator.com/newsguidelines.html
A misleading and inflammatory dupe of https://news.ycombinator.com/item?id=29658342.
> Notifying vendors first about security flaws is a cybersecurity industry norm, but a new law encourages Chinese companies to first notify the government
There is nothing misleading or inflammatory
It was already discussed yesterday[1] that there's nothing in the new law (full text at [2]) that "encourages Chinese companies to first notify the government", so that article is already misleading, without further details.
This NYTimes reporter only added inflammatory spins like "right of first refusal", "researchers went rogue" that are nowhere to be found in the linked article.
[1] https://news.ycombinator.com/item?id=29658977
[2] http://www.gov.cn/gongbao/content/2021/content_5641351.htm
Submitted previously as https://news.ycombinator.com/item?id=29646949 but didn't get traction. Clearly it needed a punchier title.
There's no suggestion that China gets any first say on 0-days. The law in question re reporting is at http://www.gov.cn/gongbao/content/2021/content_5641351.htm and states that you must immediately notify vendors of security flaws, and then the MIIT within 2 days.
> Clearly it needed a punchier title.
and it's fitting that Mdm. Perlroth is the one to provide that "punchier title".
She's _the_ definition of an unhinged talking head of infosec. Her book on 0days ("This Is How They Tell Me the World Ends") is full of logical fallacies and jumping to conclusions, lacks technical understanding, etc., yet somehow she now manages to speak about cyber on behalf of all of us, and everyone is applauding her shit takes whenever some news drops. There are plenty of capable women in cyber who we could amplify. But no! We have to give a podium to this carrion.
I read recently that Chinese law required them to disclose the bug to the government within two days of disclosing it to the vendor, and that's why Alibaba was punished.
Now I read they have to give it to the government first.
Big difference. Which is the truth and how do we know?
This raises my trust in Chinese security researchers. The Log4j bug is one of the biggest security loopholes ever, and these researchers knew exactly what they were doing when they made the announcement - avoiding a potentially catastrophic compromise via Chinese state hackers. I totally admire the guts of these people.
I wonder if this was due to engineers releasing it on their own or if management had their back.
Hey, at least they didn't hurt the feelings of the Chinese people!
Putting Alibaba in the corner for 6 months is an incredibly petty response, but no surprise at all.