The festive season is treating Terry’s chocolate orange as one of your five-a-day

Rebekah (@rkulidzan)Sun, 12 Dec 2021 13:22 GMT

https://twitter.com/ZiziFothSi/status/1469994367691763714

FLIRT LIZARD GONNA GET SOME HOLODICK

Katie (@ZiziFothSi)Sun, 12 Dec 2021 11:38 GMT

My #log4j status/tracking page is a little rough in spots, but the list of affected, claimed unaffected, and not-sure-yet products is getting the full undue diligence: techsolvency.com/story-so-far/c…

Royce Williams (@TychoTithonus)Sat, 11 Dec 2021 06:21 GMT

Consciously identifying that I have been talking solo for far too long at the zoom call but I have no idea how to wind this down so I just shout HAHA THAYS IT LIKE COMMENT AND SUBSCRIBE and throw my work laptop out of the window

laura with the red nose and the antlers (@freezydorito)Sun, 12 Dec 2021 11:48 GMT

Another chronically underfunded OSS library in the news. It’s simple: - Using OSS to make money? Fund it! - Want to see an OSS project advance? Fund it! - Want to help your dependencies succeed so you can hire people experienced in them? Fund them! NORMALIZE FUNDING OSS.

twitter.com/benjie/status/…

Post details

Why not take 5% of your engineering budget and invest it in the various open source projects you depend on? I'd hazard the returns you'd see over the coming years from this investment would be greater than having spent that same amount on payroll.

Benjie 🐘 (@Benjie)Thu, 18 Jun 2020 13:18 +0000

Benjie 🐘 (@Benjie)Sun, 12 Dec 2021 10:05 GMT

If you have a #Maven parent POM for your org or project, here's an enforcer rule to put into it which will ban any current of future usage of vulnerable #log4j2 versions. gist.github.com/gunnarmorling/…

Gunnar Morling 🌍 (@gunnarmorling)Sat, 11 Dec 2021 09:42 GMT

https://twitter.com/HOOKFanAcct/status/1469906909583097857

You deserve to get jumped

ASHUTOSH #GoGHC #PissariSTRONG 🥶🥶 (@PuroNerdAsh)Sun, 12 Dec 2021 05:49 GMT

a bad movie that’s entertaining is better than a good movie that’s boring

Post details

What movie opinion will get you jumped like this?

chu (@chuuzus)Sat, 11 Dec 2021 15:08 GMT

🌘 (@photonblasters)Sat, 11 Dec 2021 18:50 GMT

We all agree the status quo is unsustainable. Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession. The thing is, companies need it as much as maintainers do. blog.filippo.io/professional-m…

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Sat, 11 Dec 2021 19:22 GMT

from @BlackHatEvents USA 2016: A Journey From #JNDI/LDAP Manipulation to Remote Code Execution Dream Land by @pwntester and @olekmirosh blackhat.com/docs/us-16/mat… now the exploit vector presented in 2016 is the #log4jRCE. attached slide #11 from the presentation below. :)

an0n (@an0n_r0)Sat, 11 Dec 2021 12:23 GMT

since everyone is talking about log4j/supply chains an experiment years ago i calculated 1-bit offset utf8 strings of the top few hundred npm packages and registered packages under them they received thousands of hits per week from machines trying to download and execute them

suzuha (@dystopiabreaker)Sat, 11 Dec 2021 08:06 GMT

developer pro tip: the best way to prevent log4j from executing shell commands or querying LDAP is to not allow any user input of any kind

laserllama (@laserllama)Sun, 12 Dec 2021 03:32 GMT

RT @reathchris as a user i want you to leave me alone

A Christmas Carol 🎄 (@CarolSaysThings)Fri, 10 Dec 2021 07:49 GMT

RT @Ryan_Ken_Acts I perpetually feel like I’m 2 to 3 good back cracks from knowing true peace

A Christmas Carol 🎄 (@CarolSaysThings)Fri, 10 Dec 2021 07:38 GMT

Gotta love Hermes: “We left the parcel on your porch” In the picture: not my gd porch 😒

A Christmas Carol 🎄 (@CarolSaysThings)Fri, 10 Dec 2021 17:40 GMT

RT @UrbanNathalia

A Christmas Carol 🎄 (@CarolSaysThings)Thu, 09 Dec 2021 22:38 GMT

we’re calling this thing the Yule Log4j, right? cuz in the dark of winter we’ve gathered together to watch it burn?

gemily son of glóin (@themortalemily)Sat, 11 Dec 2021 18:23 GMT

Running Tycho?

Post details

Any Theories?? #TheExpanse #ScreamingFirehawks #TheExpanse601 #TheExpanseSeason6

The Discuss (@TheDiscussPod)Sat, 11 Dec 2021 21:24 GMT

James S.A. Corey (@JamesSACorey)Sat, 11 Dec 2021 22:41 GMT

Maintainable open source is not an easily solved problem. And yet most of our tech stacks would shut down if open source code was all of a sudden unavailable.

Laurie (@laurieontech)Sat, 11 Dec 2021 22:44 GMT

As someone who does this quite often, they are not ignoring you. They are overwhelmed. They are forgetful. They are trying to figure out what it means to care for themselves and actually do it. They do not hate you. They, in fact, probably miss you.

Amy Gaeta (@GaetaAmy)Wed, 08 Dec 2021 03:37 GMT

there is a cat!!! at this party!!! twitter.com/himaisie/statu…

Post details

party outfit

maisie 🔔 🏳️‍⚧️ (@hiMaisie)Sat, 11 Dec 2021 12:56 GMT

maisie 🔔 🏳️‍⚧️ (@hiMaisie)Sat, 11 Dec 2021 21:57 GMT

The Apache Log4j project is maintained by three people who are volunteering their spare time. Please don't be a jerk to them because multi-billion dollar companies are using their tool without even bothering to throw $1,000 their way.

Post details

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

Catalin Cimpanu (@campuscodi)Sat, 11 Dec 2021 17:41 GMT

It took me about 5 minutes to start locally running an open source Ruby project despite the fact that I never touched Ruby on Rails in the past & project itself didn’t have related docs. Now that’s what I call strong external community resources that are easy to find 👏

Cake is Kate. Always has been 💫 (@kefimochi)Sat, 11 Dec 2021 23:27 GMT

This is a “vaccination” for the log4j vulnerability Given a vulnerable piece of software, it exploits the log4j vulnerability, just to install a new piece of code that prevents exploiting it in the future Ethical? github.com/Cybereason/Log…

Daniel Feldman (@d_feldman)Sat, 11 Dec 2021 16:21 GMT

https://twitter.com/FiloSottile/status/1469441487175880711

The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check levels.fyi.) The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month. You see the problem?

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

https://twitter.com/FiloSottile/status/1469441477642178561

This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. "I work on Log4j in my spare time" "always dreamed of working on open source full time" "3 sponsors are funding @rgoers's work: Michael, Glenn, Matt" People, what are we doing.

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question eng: do this for your tech stack

Post details

fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.

shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT

p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT

fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.

shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT

This may seem like overkill, but it's really an investment in your company's stability. #OpenSource may reduce many costs of development, but it's not entirely free. Don't find out that the library that's integral to your infrastructure is un(der)-funded when it's too late.

Post details

orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question eng: do this for your tech stack

twitter.com/shelbyspees/st…

p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT

julia ferraioli (@juliaferraioli)Sat, 11 Dec 2021 17:53 GMT

WholesomeMemes (@WholesomeMeme)Sat, 11 Dec 2021 12:59 GMT

Googling to learn more about the #Log4J vuln and google helpfully let me know that log(4) J is 0.602059991 joules

Edwin (@ed___wins)Fri, 10 Dec 2021 23:17 GMT

the dirty secret is that sound works just fine on linux. it's a just a lie told by the linux-using devs to get out of conference zooms with windows-using management.

Grant Horwood ↙↙↙ (@gbhorwood)Fri, 10 Dec 2021 19:16 GMT

No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a @TheASF "Project Management Committee"... AND NO ONE IS PAYING THEM? apache.org/dev/pmc.html Open Source needs to grow the hell up. Yesterday.

Post details

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

https://twitter.com/aureliusraines2/status/1469333701804937217

I wouldn’t be surprised if there are some male teachers who keep a list of female students’ 18th birthdays 🥴🤢

GDP Misleads (@GDP_Misleads)Fri, 10 Dec 2021 17:01 GMT

Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them.

Post details

If you're running a server with #Log4J, please add the following JVM argument to your command line immediately to protect against a 0-day exploit. -Dlog4j2.formatMsgNoLookups=true lnkd.in/gHmEFJ9w #Java #Security #Infosec

Bruno Borges (@brunoborges)Fri, 10 Dec 2021 06:07 GMT

Aleksey Shipilëv (@shipilev)Fri, 10 Dec 2021 15:26 GMT

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.

Post details

Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them. twitter.com/brunoborges/st…

Aleksey Shipilëv (@shipilev)Fri, 10 Dec 2021 15:26 GMT

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

Tony Hawk is proof that no one would think Clark Kent is Superman

Post details

At coffee shop this morning: Girl behind counter: (not joking) “has anyone told you that you look like Tony Hawk?” Me: yes, so much that I sometimes write about it. Her: haha, here’s your coffee Other girl by exit: (leans toward me as I walk out): “you really do look like him”

Tony Hawk (@tonyhawk)Fri, 10 Dec 2021 16:17 GMT

andrew 🏳️‍🌈 (@McFreakinAndrew)Fri, 10 Dec 2021 16:59 GMT