undefined | Better HN

0 pointsdekhn8y ago0 comments

You don't need to modify existing analysis programs. I worked on a Cloud Genomics product and we inspected BAM parsers, etc, and they all lack basic validation, so it's trivial to create malicious inputs that cause them to crash.

When we filed bugs against the products, the reply was that security was not a priority, because academics.

These kinds of parsers often run on machines that have a great deal of valuable intellectual property on them. It's not unreasonable to believe that somebody might exfiltrate IP from a biotech using malicious DNA sequences. It's unlikely, but not unreasonable to believe.

0 comments

4 comments · 2 top-level

snakeanus8y ago· 2 in thread

No such thing as "intellectual property". And it's not like the original program would disappear anyway so I can't see the issue in that specific case.

dekhnOP8y ago

I worked at a Biotech. many companies store unpatented DNA sequences as secret intellectual property.

snakeanus8y ago

And this is a bad thing.

1 more reply

jomar8y ago

Keep filing those bugs. The authors of at least some BAM/etc parsers are listening:

e.g. https://github.com/samtools/htslib/issues?q=is%3Aissue%20aut...

j / k navigate · click thread line to collapse