Hammer of Technology

Of course, this industry tycoon also said that, fortunately, this loophole was first exposed by Professor Ning, and because of the time difference, Huaxia should be the first to receive this news, which also means that Huaxia will suffer the least damage ...

The characteristics of the Internet were brought into full play, countless news were collected in the Ningban group, and soon everyone sorted out the context and learned what happened this afternoon...

how to say?The children in Ningban were really convinced.They thought that if Professor Ningwei took action, the controversy would be quickly quelled. They even believed that if Ningwei wanted to say hello, he could delete all the comments on the Internet.

If this is the case, everyone may feel relieved, but they will definitely not feel very comfortable.Because that's not the way they approve.

But things are really different now.

When many children log in to the previous programmer forum, they really experience the feeling of showing off their might...

Because someone has already pretended to be a member of the Ning class and posted a post in it. The post is very popular, and it is full of worship.

"Big bosses in Ningban, stop making trouble. You are going to lead the industry in the future. Don't get angry with us small characters."

"I was wrong, I was really wrong, I will never join in this kind of fun on the forum again, and I will never say that java will always be a god, please forgive us."

"You guys from Ningban, if you have something to say, let's talk about it. Really, many of us have already collectively @administrator, throwing the guy who likes nonsense into the dark room. Are you satisfied? If you are satisfied, please tell me Thank you, Professor Ning, for your kind words!!! I have been so busy for a whole year, and Iron Man can't stand it!"

"Don't stare at our java, is there no problem with PHP? Is VB perfect? ​​Is C# really free of loopholes? Big bosses in class Ning, talk to your family, Professor Ning, and let them work too! Get Java and squeeze it! Please."

"Fuck, who are you? We didn't mess with Ning Ban when we were engaged in VB, some people shouldn't try to make trouble! Ning Ban is very strong, it's obvious to all!"

……

In fact, everyone can be sure that the ID on the forum says that he is a classmate of Ning class, and he must not be a member of their class, because this post was posted at four o'clock in the afternoon. At this time, all members of Ning class are sweating like rain on the playground. No one asks for leave.

This is actually something that can make the children of Ningban angry, but at this time, no one cares about it.Even the vast majority of children are already too embarrassed to continue to add insult to injury on the forum.

These outstanding and proud young geniuses who are more mature than ordinary children but have no social experience, are passionately thinking about how to win when the debate is at a disadvantage, but when the opponent is already defeated, beg to be submissive But it really made them lose the motivation to continue to beat the dog in the water, just secretly feeling refreshed in their hearts...

As a result, Ning Ban's group chat suddenly became lively.

"Ha, do these guys know how powerful they are?"

"Professor Ning is too ruthless, the attack is Wang Zha!"

"Hey, I think we can go to the forum and say something, as long as they don't slander Ning Ban, we promise not to use Professor Ning first!"

"I'm dying of laughter. Just now I saw that it has been exposed on Penguin. These days, java programmers across the country have to work overtime to find a way to fix this vulnerability, even the programmers of security companies are no exception. And the security of almost all technology companies in China All departments are issuing notices and will not accept the ApacheLog4j2 remote code execution vulnerability for the time being. Now there is no official news from Apache, it must be because of the time difference. this problem."

Those who are more courageous even start to directly @宁为了.

"@宁微, Professor Ning, come out and say a few words!"

Someone took the lead, and a group of children suddenly became enthusiastic, scrambling to start @起来他们的精神师......

……

It's not that Ning Wei didn't pay attention to Ning Ban's group chat, but that he is quite busy now.

Ning Wei sent the message to Oracle in the afternoon. The time difference caused it to be around 2:[-] in the morning on the other side of the ocean, when people sleep most soundly.So the first ones to react were those network security companies and major cloud service providers in China.

After all, this level of vulnerability is too terrifying. If one is not handled properly, God knows how many devices will be compromised.After all, Log4j2 is an extremely commonly used general-purpose component library, which has caused this vulnerability to affect almost all mainstream frameworks in the Java ecosystem, and these mainstream frameworks cover almost all Java technologies.

One can imagine how big the response was.

So the reaction from the outside world couldn't be more normal.

In particular, this email was sent by Ning Wei. Although Ning Wei is still famous for his achievements in mathematics in the eyes of the public, even though he has already won the Turing Award.But from the perspective of the scientific and technological community, Ningwei's achievements in computing may even be more brilliant than his achievements in mathematics.

The turbulence algorithm is a product that can change the pattern of the network world. The three-dimensional silicon-through-tube technology has brought the global semiconductor industry into a new round of reshuffle. The birth of March directly opened the door to strong artificial intelligence in human society. No matter which technology is used, it directly promotes the improvement of productivity.

As for the achievements in mathematics, most of them are theoretical achievements. Although they are also very dazzling, they are not as intuitive as these appearances.

So after receiving Ningwei's email, the security departments of these companies immediately began to verify, and found that it was exactly as Ningwei said, and the notice began to be sent out at the speed of light, and then the Java programmers began to meet. Discuss how to fix this bug.

Here lies the problem. Ningwei’s emails are sent in groups, and all China’s network security and cloud service companies have sent them. These companies have their own customers. After verification, these companies will definitely be the first when sending out announcements. It is time to tell your customers that when countless Java programs are organized, you must tell them where the problem is, and do a demonstration, and then the vulnerability is spread like this...

From a loophole that should only be known to the official temporarily, it has become a loophole known to countless ordinary programmers in China. This is actually a very scary thing.According to the normal order, for example, if Ningwei wants to get an official reward, he should only report the vulnerability to the Apache official first, and then the Apache official will organize technical forces to analyze and solve the vulnerability, and then issue a notice to the outside world and apply a patch to solve the problem. Vulnerability issue.

But because of the time difference, the Apache official noticed that Ning Wei’s email had been fermented for several hours after the vulnerability, which means that there was almost no time for the official to find a way to patch and solve the vulnerability...

So everyone went crazy.

It cannot be said that Ning Wei's handling method was wrong, because Ning Wei really followed the laws and regulations of China.He discovered the loophole and didn't use it for his own profit. Instead, he informed the officials and Huaxia's network security company of the loophole as soon as possible, trying to reduce losses for everyone without asking for anything in return. He has deduced the word "good guy" to the world The ultimate, really can not ask for too much.

But for Apache officials, their customers are not only in China, but all over the world...

Huaxia responded very quickly, but this is not good news for companies outside Huaxia.

The problem doesn't stop there. When the official security department learned the cause and effect of this incident, especially after seeing Ning Wei's Weibo post, the last sentence shocked countless Java programmers in China, and it hurt deeply. Their already extremely fragile heart, liver, spleen, stomach and lungs...

"...If you are too busy, I will keep you busy this time. If you still complain about Ning Ban without any reason next time, I will keep you busy for a whole year."

What does it mean?

This means that because of an unexpected situation, Ning Wei first announced this vulnerability. If there are Java programmers who continue to stimulate Ning Ban, can he announce more vulnerabilities in the same way?

In other words, Ningwei has more than one Java vulnerability in his hands, but many, and can it be thrown out at any time if necessary?

The news spread, who would dare to use Java?A whole year of hustle and bustle?How many high-risk Java vulnerabilities do you have to master?Or that what they write is not a computer language, but a loophole?

Seeing this, how can one not panic?Even the appearance of being as stable as an old dog on the surface can't be done.

So, when the sun rose the next day, Apache officials also began to get busy, and Oracle also showed extremely high efficiency. First, the official announced the existence of the vulnerability, and informed all customers around the world of the security risks. The other team began to desperately try to find a way to contact Ning Wei.

Ningwei's contact information is easy to find. Many people know Ningwei's number and have ready-made mailboxes.

The problem is that Ningwei may not always reply when he sends an email. A whitelist is set up for the number that is not in his address book when he calls.

If it is placed in Huaxia, this is a proper temporary cramming, and the tragedy caused by not burning incense usually.

Fortunately, there are overlaps in everyone's circle of friends or in the address books of the two parties. After looking for a few big shots, they finally got in touch with Ningwei.

In fact, after Oracle decided to make JavaEE open source and free, it seems that this technology has become a mainstream computer language that can be promoted without cost.

But in fact, the structure of the Apache Foundation is no different from the operating company, and there is even a promotion mechanism inside.For example, the foundation has a board of directors, which supervises and manages the entire foundation, and each Apache project under the foundation has a project management committee to be responsible for the management of specific projects.

If you carefully study the members of the board of directors, you will find that many of those directors and directors hold important positions in large companies such as Intel, IBM, Facebook, etc. The reason is of course that as an open source and free foundation, they need donations from these large companies.The motivation of these corporate donations is to influence the development direction of these open source software.

For example, for hardware manufacturers, can such influential open source software support their own hardware better?For a company like Microsoft, since this technology has developed to a certain extent, it is too big to lose, it is better to simply donate some money to make Java more friendly to its own software, which is also a win-win situation.

There are also untargeted conflicts of interest, such as Facebook, which also needs to use Apache software, but Facebook's main business is social networking, not server development, and the organization can provide it with a complete set of services through donations. Technology can actually save a lot of research and development costs.

This is also the reason why various open source communities are now concerned, and everyone has their own interests.Of course, the premise is that Java can guarantee its current status, and there are enough people to use it, so that it can maintain the motivation of countless large and small factories to donate.

So no matter how he felt when he made the call, as the current head of the Apache Open Source Foundation, Alberta Lynn still kept his attitude very low. It can be said that this is respect for the strong, and it can also be said that this is Respect for money.

"Professor Ning, I finally got in touch with you. Maybe you don't know very well, but many of our administrators actually respect Professor Ning very much..."

Very polite opening, countless compliments as if they don’t want money, and even at the end, the person in charge directly threw out an olive branch: “Actually, we have always expected Professor Ning to serve in the Apache Foundation, and I have been considering extending an invitation to you before. , to become a member of our board of directors, I think the status of lifetime honorary director matches you, we can jointly contribute to maintaining the Java environment, I wonder if Professor Ning is interested?"

Ning Wei, who was sitting in the office, was completely unprepared.

Well, his speech on Weibo and notifying the officials of the loopholes are all for the purpose of maintaining the cohesion of Ningban, but now the officials are in a hurry...

This made Ning Wei feel a little funny, honorary director for life?To be honest, Ning Wei doesn't care much about these titles.If he wants to get a title, Jiang University has contacted him several times, hoping that he will go to Jiang University and get a certificate of lifetime special honorary professor. He has been going there because Ning Ban can't spare time.

Naturally, he would not value the identity of the lifetime honorary director of the foundation.

"Mr. Lynn, let's talk about these things later. To be honest, I don't know much about Java, and I don't plan to do any research. The director's status is still forgotten. What do you want me to do? Isn't the vulnerability already submitted to you? Yet?"

"Professor Ning, you are too polite. If you haven't done any research on Java...well, let's not talk about it. I really have something to call you. We are very grateful that you can provide us with Java's high-risk vulnerabilities, but you I know, if there are other vulnerabilities in Java, you can submit them to us according to the community announcement, and we will be able to provide you with a bonus according to the agreed method..."

"Oh, there are bonuses! In fact, I don't really need bonuses, but if there are, you can donate to the Ning class of Yanbei University in the name of the Apache Foundation. Don't worry, these bonuses can be used for Ning class Scholarships and rewards for outstanding teachers. On behalf of all the teachers and students of Ningban, I would like to express my gratitude to the Apache Foundation..."

Alberta Lynn: "..."

------------

332 N Multiple Misunderstandings

Alberta Lynn really wanted to be tough. In fact, he was always tough in the past. Even if a security expert discovered java and wanted to get a bonus, the Foundation would be tough.

For example, discuss with Ning Wei, if you want a bonus, then the vulnerability cannot be exposed in this way; for example, he really wants to tell Ning Wei to respect enough open source workers like them, they have millions of customers around the world , there are tens of millions of programmers living off the free programs they provide...

But these words were finally held back alive.

There are actually many reasons, maybe because he really doesn't know whether Ningwei has mastered many loopholes, he can't be sure whether Ningwei is using the problem, he can't even be sure whether Ningwei wants to launch a brand new computer language, so Let's start with Java first.

The young academic master on the opposite side had too brilliant a record in the past, so he couldn't be hardened. After being speechless, he could only follow Ning Wei's meaning. After all, if he could spend some money to buy peace, it might be the best good result.

The only problem is that the professor at Yanbei University doesn't seem to understand what he means. He seems to be asking for a bonus for this Log4j2 vulnerability.

Seriously, Alberta Lynn would definitely be willing to give other bug rewards. As long as Ning Wei is willing to submit the bug to them, he doesn't even have to pay attention to whether the format of the materials submitted by Ning Wei is standardized, but this bug...

"Professor Ning, donating money is easy to talk about, but what I want to be sure of is whether you have any other Java vulnerabilities..."

"Why? Do you still want to donate more to our Ningban? Don't worry, there must be. Really, I didn't think that there are still many loopholes in Java. If you are really willing to help us selflessly I can also provide you with some of Huaxia's educational undertakings." Ning Wei said heartily.

As soon as this incident happened, I would rather go to March directly, knowing that March has collected almost all the vulnerabilities of all mainstream computer languages ​​and software, including mainstream operating systems.It's just that this matter has been stuck in Sanyue for collection, and Ning Wei hasn't used it yet.

At that time, the collection of these vulnerabilities was actually to better promote the March Smart Platform. At that time, Ning Wei’s thinking was actually very simple. Let those big companies join the preparation of the March Smart Platform, and they will provide the most needed data in March. Of course, the platform should also return something of equivalent value to these companies.

Helping these companies find the loopholes hidden in the code is also a benefit of joining the platform, but who knows that Ning Wei thinks this is a win-win situation, but people don't appreciate it, so these things were collected in March, but all It didn't come in handy.

How should I put it, in the era of strong artificial intelligence, everyone seems to underestimate the ability of strong artificial intelligence, which makes Ning Wei feel very helpless.Now this situation probably belongs to waste utilization.

With Ning Wei's current status and status, it is naturally impossible to do such a thing with a bunch of loopholes to make a profit, that is, this time it just happened, otherwise Ning Wei would have almost forgotten that there is such a problem.

Ning Wei's words completely destroyed Alberta Lynn.

If the foundation is willing to donate money, it means to provide more bugs. In his understanding, the foundation needs to donate to Yanbei University first, and then Ning Wei will tell them some bugs in java.But this is not in line with the process. The general process should be that Ning Wei submits the bug first, and then the professional security personnel will review the bug, and then determine the level of the bonus according to internal regulations, and then send the money to the bug provider.

Donate money first... How much is appropriate?

I really wanted to talk to Ning Wei about the rules, but thinking that the other party didn't seem to be a big boss who liked to play cards in an orderly manner, and the loopholes that were exposed casually were indeed too terrifying, Alberta Lynn hesitated again.

After careful consideration for a while, Alberta Lynn finally decided to compromise and said, "I am willing to donate 500 million US dollars to Yanbei University on behalf of the foundation. What do you think of Professor Ning?"

"Five million dollars? Oh, see, you mean, I will give you the bug first, and then you will decide how much to donate, right? This five million dollars is the bounty I gave you for this bug earlier? Right? ? Then I will send you the details of the vulnerability later, and you can see how much you can donate, so I can count on it?" Ning Wei asked.

Alberta Lynn was speechless... He really didn't expect Ning Wei to have such a big appetite, and he felt like he was being blackmailed.But in fact, he really misunderstood Ningwei. If he communicated more with some bigwigs in the industry, he would know that when many of his compatriots come to Ningwei to give money, they say that the unit is 500 million. He opened his mouth [-] million here, but he really didn't get much interest in Ning Wei.

To put it bluntly, this is purely because of his appetite, or he has no idea about money. The compatriots of Alberta Lynn have successfully made Ningwei produce a kind of wealth that even the big companies on the other side are extremely rich. Speaking of Give money, that is one is more generous than the other.

"No, Professor Ning, you may have misunderstood the bug bounty. In fact, according to the bug reward standard announced by Password, generally speaking, the highest 0day high-risk vulnerability is a reward of 20 US dollars. Take Google as an example. Last year, the whole In 700, Google spent only $[-] million on bug bounties, which is already a lot, and Microsoft and Apple spent even less on bug bounties than Google.”

"As a company that provides free software to many companies in the world, the Apache Foundation is actually less likely to invest too much money in providing bug rewards. Taking Java as an example, many vulnerabilities are provided to us by our internal members for free. Yes. The donation of 500 million US dollars is to hope that you can give us all the vulnerabilities you have mastered in advance, so that we can make better and more targeted optimization of Java, which is what we hope for millions of members Responsible."

Alberta Lynn explained with a wry smile.

Ning Wei suddenly realized.

He really never cared about the so-called bug bounty. After all, he didn’t rely on it to make a fortune. He just listened to Alberta Lynn’s words, and Ning Wei sighed: “So it’s like this! No wonder the products of these companies are so popular. It has been many years and there are still so many vulnerabilities. Why are these big companies so stingy in their spending on bug bounties? Vulnerabilities that can bring hundreds of millions of income to hackers, the highest reward is only $20? Security experts have found Vulnerabilities don’t have the motivation to study these with those hackers.”

Of course, Alberta Lynn would not tell Ning Wei that the big companies have a set of bug rewards on the surface, and there are also special personnel who will stare at the loopholes that are directly traded on the black market.Even if he wants to explain, the entire vulnerability industry chain is very complicated, how can he explain it clearly in a few words?I could only patiently talk to Ning Wei about popular science: "No, no, Professor Ning, you can't say that. After all, finding loopholes to get bonuses is completely legal and worth advocating. Taking advantage of loopholes for profit is illegal in any country with a sound legal system Yes, you will be hit. The two really cannot be compared together."

Ning Wei said with a lack of interest: "That's fine, 500 million is 500 million. Later I will provide a list of problems and send it to your official mailbox. Of course, you only donated such a small amount of money, so I can only I just took a random screenshot for you, it may not be complete, and I won’t give you another demonstration. That’s it, goodbye, Mr. Lynn. By the way, remember that the 500 million is a targeted donation to Ningban, don’t make a mistake .”

Although the market conditions are like this, Ning Wei still feels dull.It's like a chicken rib, it's a pity to discard it.However, 500 million US dollars is tens of millions of RMB, and it is actually okay to use it to distribute benefits to Ning Ban.

But considering that other rich people generally donate hundreds of millions to the school, his donation is only 500 million US dollars, and there is indeed a psychological gap.

"Wait, how about 1000 million US dollars? Really, Professor Ning, this is the budget that we have been repairing the loopholes for several years, and we are going to use it to contribute to the construction of the Ning class in the future. This... it should be almost the same ? But one thing, if your team finds other vulnerabilities in the future, can you submit them to the Apache Foundation according to the process, and let the officials decide when to release them?"

"Then if you don't update and fix the loopholes, won't the loopholes always exist?"

"This can actually set a date for the official response, such as one month. If we have not released an update patch for the vulnerability one month after we confirm receipt of the vulnerability information you sent, you can submit these vulnerabilities to other network security companies. .”

"Then... okay! Although a month is a bit long, it's better to make things perfect. In this way, after you donate the money to Ning Ban, I will send some loopholes that our team has mastered to the official email."

"Don't worry, we will contact Yanbei University to find out the donation channels. The 1000 million should be specially approved today, but we are not sure when it will be transferred to the designated donation account. You know, it takes some money to transfer large sums of money." The review time. However, we can announce the news on the official website at the same time to ensure that the money will be in place."

"Okay, then I'll send you a list later. That's it, I'll hang up first."

Hearing the word list, Alberta Lynn couldn't help shaking her eyebrows, and suddenly felt that the 1000 million dollars was probably worth it.

"Okay, goodbye, Professor Ning."

"Goodbye, Mr. Lynn."

……

After a not-so-pleasant phone call, Ning Weirang called up the Java vulnerability library list again in March, and after reading the entire five pages, he simply asked March to select half of the vulnerability details in the list according to the risk ratio. Sent to the official Apache email address.

This figure is very appropriate, and it is completely in accordance with the price Alberta Lynn said just now. At least in Ning Wei's opinion, it is worthy of the 1000 million dollars donated by the other party.To find out and sort out these loopholes, it took a lot of computing power in March, and everyone is not friends, so of course it is impossible for him to volunteer for the foundation.

Equivalent exchange is very good, no one takes advantage of anyone.

But even so, when the other party received the email, a group of technicians were stunned.

Are you kidding me?

There are 13 undiscovered high-risk vulnerabilities in the list? 21 medium-severity vulnerabilities and 49 low-severity vulnerabilities?