Episode 233: Unpacking Log4Shell’s Un-coordinated Disclosure Chaos

In this episode of the podcast (#233) Mark Stanislav, a Vice President at the firm Gemini, joins Paul to talk about what went wrong with disclosure of Log4Shell, the critical, remote code execution flaw in the Log4j open source library. Mark talks about how the Internet community can come together ahead of the next vulnerability to make sure the mistakes that are evident in the response to Log4j aren’t repeated.  As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.  [MP3] Back in 2008, the late, great security researcher Dan Kaminsky discovered a serious security flaw in a ubiquitous Internet technology: the domain name system, or DNS. If widely disclosed and exploited, the flaw – which affected many of the most common DNS name servers – could have facilitated a wide range of attacks, including website impersonation, email interception, and authentication bypass hacks. Mark Stanislav is a VP of Information Security at Gemini Aware of the risks, Kaminsky worked quietly for months with the Department of Homeland Security, major tech firms like Cisco and Microsoft as well as DNS providers to get patches written and distributed – all before details of the vulnerability were made public. Vendors worldwide were able to take steps that largely mitigated the risk of attack before any details of the flaw became publicly known.  Log4j Disclosure Chaos That’s not how it happened this month with another ubiquitous security vulnerability emerged: Log4Shell, a flaw in the open source logging library Log4j that is a common element of thousands of on premises and cloud applications used by enterprises, governments, critical infrastructure operators and individuals.  Rather than coordinated disclosure along the lines of Kaminsky’s DNS flaw, the world experienced something akin to coordinated chaos with Log4j, which first came to light via a patch by the video game maker Mojang Studios t...