Schneier then follows that linkified fact up immediately with a parenthetical that Collin isn’t to blame. But then why call out that very potentially stigmatic thing at all, with sources to boot?
That explanatory note from Collin was buried in a mailing list and was at most a footnote to this story. Now it’s going to be part of the public accounting pushed by a famous security pundit with international reach, and with very little other context given to mitigate.
Either Schneier was trying to make a point of some kind, in which case he sure wheedled around it, or he should’ve been considerably more careful with essentially the only personal fact he chose to highlight about Collin. Either way, I’m disappointed.
His mental health wasn’t relevant to the attack from any report I’ve read. That makes it a bit odd and more than a little thoughtless to highlight it.
People slow down on projects for a ton of reasons. The guy could have been in chemo or had a kid. The result would be the same: he’d need a co-maintainer to keep the pace. The attackers would’ve capitalized on that. They’d plainly been waiting for whatever opportunity would work.
That's the money quote, right there. As long as people are willing to pay for shit, there will be people willing to produce and sell shit.
Why bother doing due diligence if skipping it means an extra Lambo in the garage?
"Everything". Really. I use numerous programs that do not "contain dozens of libraries".
How could he improve the sentence? Perhaps something like
"Many programs link to dozens of these libraries..."
"Everything most people use contains dozens of these libraries..."
And so on.
I am typing this comment in text mode using a text-only browser that is statically linked to fewer than five libraries, including libc. I'm not using any commercial libraries. I have no idea what comprises "everything" anyone reading it is using or whether each of those things is linked to "dozens of libraries". How would I? And neither does this author.
How difficult is it for an author to verify the accuracy of each sentence in an article? Perhaps it is more difficult when you rely on software developers as sources and they tell you a story full of hyperbole, exaggeration and biased, selective disclosure of facts.
The article in japantimes.co.jp someone submitted was absolutely cringeworthy.
Libraries, SDKs, APIs, a framework, a language, a compiler/interpreter, an OS/kernel, a testing framework, perf testing, a debugger, an IDE, a version control system, a hosting site, a documentation site, etc.
Obviously, there are rare instances when there is a mostly standalone app (or some ecosystem that isn’t based on OSS), but those seem to be the rare exceptions, rather than the rule.