
Re: cURL author receives rude LogJ4 security inquiry


From: Kaz Kylheku (gnu-misc-discuss)
Subject: Re: cURL author receives rude LogJ4 security inquiry
Date: Mon, 31 Jan 2022 10:09:36 -0800
User-agent: Roundcube Webmail/0.9.2

On 2022-01-30 20:32, Akira Urushibata wrote:
LogJ4 Security Inquiry - Response Required
https://daniel.haxx.se/blog/2022/01/24/logj4-security-inquiry-response-required/

  On Friday January 21, 2022 I received this email. I tweeted about it
  and it took off like crazy.

  The email comes from a fortune-500 multi-billion dollar company that
  apparently might be using a product that contains my code, or maybe
  they have customers who do. Who knows?

It really looks to me like the "Information Security" people of that
company are just ignorant. It seems they really thought they were
sending this inquiry (which is just a questionnaire) to a supplier
company. Someone handed them a list of contacts to which they were
instructed to send some spam letter about the issue (perhaps the
composition of that letter being left up to them). Somehow Haxx contact
info was in the list.

The number one rule of Internet participation these days is, perhaps:
refuse to be outraged.

Never attribute to malice what can be easily explained by ignorance.

Do not feed the internet outrage machine, on any topic.

The letter doesn't ask anyone to work on any fix; NNNN is simply
asking whether the recipients use Log4j in anything that ends
up in NNNN products and such, or whether the supplier had any
incidents revealing info about NNNN. Additionally, what steps NNNN should
take in addition to what had been done on the supplier's side.

The assumption is that there is a relationship; that Haxxe are
suppliers who have customer management people who would know all that
stuff: like which NNNN products use what pieces supplied by Haxxe.

The letter more or less makes sense if sent to that type of vendor.




