Tech Hammer

Chapter 332 N Misunderstandings

Alberta Lynn really wanted to be tough. In fact, he had been very tough in the past. Even when a security expert discovered a Java vulnerability and wanted the bounty, the foundation could be tough.

For example, he wanted to tell Ning Wei that if he wanted a bounty, the vulnerability could not be disclosed the way it had been; he wanted to tell Ning Wei that he should show enough respect for open source workers like them, who have millions of users around the world and tens of millions of programmers making a living on the free programs they provide...

But in the end he held these words back.

There were many reasons. Perhaps it was because he really didn't know how many vulnerabilities Ning Wei had in hand, and he couldn't be sure whether Ning Wei was using the issue to make trouble. He couldn't even be sure whether Ning Wei intended to launch a brand new programming language and was starting with Java.

The young academician on the other end had such brilliant achievements behind him that he couldn't afford to be tough. After a moment of speechlessness, he could only go along with Ning Wei's wishes. After all, if some money could buy peace, that might be the best outcome.

The only problem was that the professor from Yanbei University didn't seem to understand what he meant, and seemed to be asking for a bounty for the Log4j2 vulnerability.

To be honest, Alberta Lynn would gladly pay bounties for other vulnerabilities. As long as Ning Wei was willing to submit them to the foundation, he wouldn't even care whether the submitted material followed the standard format. But this vulnerability...

"Professor Ning, donating money is easy to say, but what I want to be sure of is whether you have any other vulnerabilities related to Java..."

"What? You still want to donate more money to our Ningban? Don't worry, there are definitely some. Really, I didn't expect there to be so many loopholes left in Java. If you are really willing to help China build up its education selflessly, I can provide you with a few more." Ning Wei said cheerfully.

As soon as this came up, Ning Wei went straight to March. He naturally knew that March had collected vulnerabilities in almost all of the current mainstream programming languages and software, including the mainstream operating systems. It was just that the matter had been left to March to collect, and Ning Wei had never taken them out and used them.

The purpose of collecting these vulnerabilities back then was to better promote the March Intelligent Platform. At the time, Ning Wei's idea was very simple: let the large enterprises join in building the March Intelligent Platform, and they would provide the data March needed most. Of course, the platform would also have to return something of equal value to these companies.

Helping these companies find the vulnerabilities hidden in their code was one of the benefits of joining the platform. Ning Wei thought it was a win-win, but who knew the others wouldn't appreciate it. So March collected all these things, and none of them ever came in handy.

How to put it... in the era of strong artificial intelligence, everyone seemed to underestimate what a strong AI could do, which left Ning Wei feeling helpless. In the current situation, this was probably just putting waste to use.

With Ning Wei's current identity and status, it was naturally impossible for him to do something like profit from a pile of vulnerabilities. It was only because this incident happened to come up; otherwise Ning Wei himself would almost have forgotten such a thing existed.

Ning Wei's words completely broke Alberta Lynn.

If the foundation was willing to donate, more bugs would be provided. As he understood it, the foundation would need to donate to Yanbei University first, and only then would Ning Wei tell them about some Java bugs. But this was inconsistent with the process. The usual process was that Ning Wei would submit the bug first, professional security staff would review it, the bounty level would be determined according to internal rules, and then the money would be paid to whoever reported the bug.

Donate the money first... how much would be appropriate?

He wanted to talk to Ning Wei about the rules, but when he considered that the other party didn't seem like a big shot who liked to play his cards by the book, and that the vulnerability he had casually exposed was indeed too terrifying, Alberta Lynn hesitated again.

After thinking carefully for a while, Alberta Lynn finally decided to compromise and said: "I am willing to donate 5 million US dollars to Yanbei University on behalf of the foundation. What does Professor Ning think?"

"Five million dollars? Oh, I understand. You mean I give you the vulnerabilities first, and then you decide how much to donate, right? And these five million US dollars are the reward for the vulnerability I gave you before? Right? Then I'll send you the details of the vulnerabilities later, and you can see how much you're able to donate, so that I have an idea." Ning Wei asked.

Alberta Lynn was speechless... He really hadn't expected Ning Wei to have such a big appetite. He felt as if he were being extorted. But in fact, he had misunderstood Ning Wei. If he had talked more with some of the big names in the industry, he would have known that when many of his fellow countrymen's companies came to Ning Wei with money, they always spoke in the hundreds of millions. His five million here really didn't arouse much interest in Ning Wei.

To put it bluntly, it was simply that his appetite had been raised, or rather that he no longer had any concept of money. Alberta Lynn's compatriots had successfully given Ning Wei the impression that the big companies on the other side of the ocean were all extremely rich, and that when it came to handing out money, each was more generous than the last.

"No, Professor Ning, you may have some misunderstanding about bug bounties. In fact, according to the bug bounty standards announced by Password, generally speaking, the maximum bounty for a high-risk 0day vulnerability is US$200,000. Take Google as an example. Last year, in the whole of 2017, Google spent only US$7 million on bug bounties, which is already a lot, and Microsoft and Apple spent even less than Google on bug bounties."

"As an organization that provides free software to many companies around the world, the Apache Foundation is unlikely to invest much money in vulnerability rewards. Taking Java as an example, many vulnerabilities are provided to us for free by our own members. This donation of five million US dollars is in the hope that you will hand over all the vulnerabilities you know of to us in advance, so that we can optimize Java in a better and more targeted way. This is also how we hope to be responsible to our millions of members."

Alberta Lynn explained with a wry smile.

Ning Wei suddenly realized.

He had really never cared about so-called bug bounties or anything of the sort; after all, he didn't rely on them to make a fortune. But after listening to Alberta Lynn, Ning Wei sighed: "So that's it! No wonder these companies' products, popular as they are, still have so many vulnerabilities after so many years. Why are these big companies so stingy with bug bounties? For a vulnerability that can bring hackers hundreds of millions in income, the highest bounty is only $200,000? Security experts have no incentive to compete with those hackers in studying these vulnerabilities."

Of course, Alberta Lynn wouldn't tell Ning Wei that large companies openly offered one set of bounty rules while, at the same time, keeping dedicated staff watching the vulnerabilities traded directly on the black market. Even if he had wanted to explain, the whole vulnerability industry chain was very complicated; how could he explain it clearly in a few words? He could only tell Ning Wei patiently: "No, no, no, Professor Ning, you can't say that. After all, finding vulnerabilities and collecting bounties is completely legal and worth promoting. Using vulnerabilities for profit is illegal in any country with a sound legal system, and has to be cracked down on. The two really can't be compared."

Ning Wei said without much interest: "Okay, five million, five million it is. I'll put together a list of issues later and send it to your official email. Of course, since you're only donating this small amount, I can only pick out a random portion for you. It may not be complete, and I won't give you any more demonstrations. That's it. Goodbye, Mr. Lynn. By the way, remember that these five million are donated to Ningban, don't get it wrong."

Even if that was the going rate, Ning Wei still found it dull. It was like food that is tasteless to eat but a pity to throw away. Still, five million US dollars was tens of millions of RMB, and it was actually fine for providing benefits to Ningban.

But when he thought of how other rich people usually donated hundreds of millions to schools, while this donation was only five million US dollars, there was indeed a psychological gap.

"Wait, how about ten million US dollars? Really, Professor Ning, this is our vulnerability-fixing budget for several years, and we are ready to use it to contribute to the construction of Ningban. This... should be about right? But one thing: if your team discovers other vulnerabilities in the future, could you submit them to our Apache Foundation according to the process, and let the official side decide when to release them publicly?"

"Then if you don't release an update to fix the vulnerabilities, won't they just continue to exist?"

"We can actually set an official response deadline, say one month. If we haven't released a patch for a vulnerability one month after confirming receipt of the vulnerability information you sent, you can submit it to other network security companies."

"Then... okay! Although a month is a bit long, it's better to make things perfect. In this way, after you donate the money to Ningban, I will send some of the vulnerabilities our team has mastered to the official mailbox."

"Don't worry, we will contact Yanbei University soon to learn about the donation channels. The ten million should be specially approved today, but we are not sure when it will be transferred to the designated donation account. As you know, large transfers take some time to be reviewed. However, we can announce the news on the official website at the same time, to guarantee that the money will be received."

"Okay, I'll send you a list later. That's it, I'll hang up now."

Hearing the word "list", Alberta Lynn couldn't help twitching his eyebrows, and suddenly felt that the ten million dollars was probably worth it.

"Okay, goodbye, Professor Ning."

"Goodbye, Mr. Lynn."

After the not-so-pleasant phone call, Ning Wei had March call up the Java vulnerability database list again, read five full pages of it, and then simply had March select half of the vulnerabilities from the list, in proportion to their risk levels, and send their details to the official email address Apache had provided.

This number was just right, calculated according to the prices Alberta Lynn had just quoted. At least in Ning Wei's opinion, it was worth the US$10 million the other side was donating. It had taken March a lot of computing power to find and sort out these vulnerabilities, and since they weren't friends, there was certainly no way he would volunteer for the foundation.

An exchange of equal value is good, and no one takes advantage of anyone else.

But even so, when the other party received the email, a group of technicians were stunned.

Is this a joke?

The list actually contained 13 undiscovered high-risk vulnerabilities? Plus 21 medium-severity and 49 low-severity ones?

Leaving aside the low-risk vulnerabilities, whose impact wasn't very big, the more than 30 medium- and high-risk ones really had everyone breaking out in a cold sweat.

In fact, all software has vulnerabilities, but receiving so many at once was something none of them had ever experienced. This time, Ning Wei did not specifically demonstrate how to exploit them; there was only a brief description of each, written by March.

Once the shock passed, the technicians quickly began testing and confirmed that the more than 30 medium- and high-risk vulnerabilities really existed. And so the vulnerability list Ning Wei had provided, along with the test results, was soon placed on Alberta Lynn's desk.

After reading it, the head of the Apache Foundation also broke out in a cold sweat, and then heaved a sigh of relief. How to put it? Alberta Lynn had thought that three or five high-risk vulnerabilities was about the limit of what he could bear, and that the 10 million donation was really more about buying goodwill.

For widely used software, vulnerabilities can never be eliminated.

An update that closes one vulnerability may well open a new one.

Spending a little more money so that Ning Wei would follow the agreed rules in the future counted as a gain for them.

Who could have imagined that Ning Wei actually had so much vulnerability information? Thinking of Ning Wei saying on Weibo that he didn't mind keeping Java programmers busy for a whole year, it seemed that hadn't been bragging...

So in theory, the 10 million US dollar donation was indeed worth it. Thinking of this, Alberta Lynn didn't dare to delay, and immediately started making calls, instructing the departments to get moving according to the verbal agreement he had just reached with Ning Wei.

The money must be donated, and the goodwill must be earned.

If so many vulnerabilities were really disclosed publicly at once, on top of the impact Log4j2 had just caused, countless people would simply break down, and might even question the overall security of Java. Once that stereotype took hold, it would be the biggest blow of all.

Although in the short term everyone might have to bite the bullet and keep using the Java environment, since many projects needed continuity, the future was uncertain. If it lost the favor of a large number of customers, Java would not be irreplaceable. In fact, no programming language in this era was irreplaceable.

However, when Alberta Lynn had finished all this and saw the news of the donation to Yanbei University's Ningban on the official website, he breathed a sigh of relief and was, at the same time, suddenly stunned.

Because he suddenly thought of his last agreement with Ning Wei.

Yes, the two of them had agreed that after Ning Wei provided these vulnerabilities, he would only keep quiet for a month. If the official side failed to patch them within that month, would Ning Wei disclose them to network security companies and major server providers as before?

Really, it wasn't that Alberta Lynn underestimated the official programmers responsible for fixing bugs. If there were only three or five vulnerabilities, a month would probably be enough. But with dozens of vulnerabilities scattered across different places, was one month really enough?

Every announcement and update had to go through rigorous internal testing before release. At the very least, it had to be ensured that an update meant to close a vulnerability wouldn't create bigger ones, right?

Fixing bugs is no easy task for any programmer, and in many cases pulling on one thread affects the whole. It's no joke that bugs multiply over time. Gamers have probably experienced this: watching some games grow bigger and bigger with each update while the number of bugs grows with them, it's hard to describe the feeling.

In fact, this is true of any program. Bugs caught in the early stages of design are not so bad; take a step back and there is room to improve. But for software that already has enormous influence, it's hard to say whether so many bugs can be fixed at once through patching alone.

And that's software, where vulnerabilities are relatively easy to deal with. For hardware makers like Intel, there have been cases where a CPU vulnerability was carried over for several generations...

So for three or five major vulnerabilities, one month was a tight deadline; with more incentives thrown in, it was barely enough. But with dozens of bugs to fix, one month was really a joke.

Thinking of this problem, Alberta Lynn was really stunned. His eyes fell unconsciously on the phone...

His face turned bitter. No, he had to call Ning Wei. Thinking of the call just now and the difficult attitude on the other end, Alberta Lynn regretted having been so eager. But there was no way around it; he was genuinely afraid Ning Wei would carry out the agreement to the letter...

The only good thing was that this time he didn't have to wait for the boss to help him get through. His number should already be in Ning Wei's contacts, right?

"Hello, Professor Ning, sorry... I'm not disturbing you, am I?"

"Actually, it is a bit of a bother, Mr. Lynn. You may not know that I have the habit of taking a walk by the lake with my girlfriend after dinner. It's been two hours since we spoke. I had just finished eating and was walking with the girl I like, telling her a joke, when your call interrupted my train of thought..."

"Haha, Professor Ning, you really know how to joke."

"Hehe..."

"That's right, Professor Ning, we just received the vulnerability list from you. We really appreciate your support for our work. But dealing with so many bugs at once is a huge challenge for us. So I think one month may not be enough time..."

"You all already know what the problem is, how can one month not be enough?"

"This..."

"Really, Mr. Lynn, your efficiency is too low. If you don't have confidence in your technical department, my team can help you as consultants. These bugs will definitely be solved within a month."

"Ah? Is this okay?"

"Of course. But then again, our Ningban team has everything still waiting to be built up..."

"Needless to say, Professor Ning, on behalf of the foundation, I have decided to donate another 10 million US dollars to Ningban to express the foundation's support for Chinese higher education. I hope this money can cultivate more computer talent and promote the development of the world's programming languages."

"On behalf of Ningban, I would like to thank you for your generosity, Mr. Lynn. Well, I will send you my ideas for solving the problems by email later."

"Thank you, Professor Ning!"

"You are welcome! See you!"
