Kind likes

This is a “vaccination” for the log4j vulnerability Given a vulnerable piece of software, it exploits the log4j vulnerability, just to install a new piece of code that prevents exploiting it in the future Ethical? github.com/Cybereason/Log…

Daniel Feldman (@d_feldman)Sat, 11 Dec 2021 16:21 GMT

https://twitter.com/FiloSottile/status/1469441487175880711

The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check levels.fyi.) The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month. You see the problem?

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

https://twitter.com/FiloSottile/status/1469441477642178561

This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. "I work on Log4j in my spare time" "always dreamed of working on open source full time" "3 sponsors are funding @rgoers's work: Michael, Glenn, Matt" People, what are we doing.

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question eng: do this for your tech stack

Post details

fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.

shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT

p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT

fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.

shelby spees (@shelbyspees)Sat, 11 Dec 2021 16:34 GMT

This may seem like overkill, but it's really an investment in your company's stability. #OpenSource may reduce many costs of development, but it's not entirely free. Don't find out that the library that's integral to your infrastructure is un(der)-funded when it's too late.

Post details

orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question eng: do this for your tech stack

twitter.com/shelbyspees/st…

p🍐ris (@ParisInBmore)Sat, 11 Dec 2021 16:38 GMT

julia ferraioli (@juliaferraioli)Sat, 11 Dec 2021 17:53 GMT

WholesomeMemes (@WholesomeMeme)Sat, 11 Dec 2021 12:59 GMT

Googling to learn more about the #Log4J vuln and google helpfully let me know that log(4) J is 0.602059991 joules

Edwin (@ed___wins)Fri, 10 Dec 2021 23:17 GMT

the dirty secret is that sound works just fine on linux. it's a just a lie told by the linux-using devs to get out of conference zooms with windows-using management.

Grant Horwood ↙↙↙ (@gbhorwood)Fri, 10 Dec 2021 19:16 GMT

No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a @TheASF "Project Management Committee"... AND NO ONE IS PAYING THEM? apache.org/dev/pmc.html Open Source needs to grow the hell up. Yesterday.

Post details

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile)Fri, 10 Dec 2021 22:58 GMT

https://twitter.com/aureliusraines2/status/1469333701804937217

I wouldn’t be surprised if there are some male teachers who keep a list of female students’ 18th birthdays 🥴🤢

GDP Misleads (@GDP_Misleads)Fri, 10 Dec 2021 17:01 GMT

Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them.

Post details

If you're running a server with #Log4J, please add the following JVM argument to your command line immediately to protect against a 0-day exploit. -Dlog4j2.formatMsgNoLookups=true lnkd.in/gHmEFJ9w #Java #Security #Infosec

Bruno Borges (@brunoborges)Fri, 10 Dec 2021 06:07 GMT

Aleksey Shipilëv (@shipilev)Fri, 10 Dec 2021 15:26 GMT

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.

Post details

Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them. twitter.com/brunoborges/st…

Aleksey Shipilëv (@shipilev)Fri, 10 Dec 2021 15:26 GMT

Volkan Yazıcı (@yazicivo)Fri, 10 Dec 2021 16:55 GMT

Tony Hawk is proof that no one would think Clark Kent is Superman

Post details

At coffee shop this morning: Girl behind counter: (not joking) “has anyone told you that you look like Tony Hawk?” Me: yes, so much that I sometimes write about it. Her: haha, here’s your coffee Other girl by exit: (leans toward me as I walk out): “you really do look like him”

Tony Hawk (@tonyhawk)Fri, 10 Dec 2021 16:17 GMT

andrew 🏳️‍🌈 (@McFreakinAndrew)Fri, 10 Dec 2021 16:59 GMT

At coffee shop this morning: Girl behind counter: (not joking) “has anyone told you that you look like Tony Hawk?” Me: yes, so much that I sometimes write about it. Her: haha, here’s your coffee Other girl by exit: (leans toward me as I walk out): “you really do look like him”

Tony Hawk (@tonyhawk)Fri, 10 Dec 2021 16:17 GMT

Love that the Levi’s shop app used \n\r instead of \r\n

Ryan Pepper (@drpeps92)Sat, 11 Dec 2021 09:59 GMT

someone once broke up with me because they “had a big crush on this random person at a party” and it made them realize they weren’t that attracted to me. I moved on and got married and years later found out that I married THE RANDOM PERSON AT THE PARTY!!!!! Lol suck it

ely kreimendahl (@ElyKreimendahl)Thu, 09 Dec 2021 23:38 GMT

tell your girl you love her or Pete Davidson will

the King of Salad Island (@torchadub)Thu, 09 Dec 2021 20:29 GMT

He's making a list, And checking it twice, You're gonna find number 8 Very hard to believe. Santa Clause is working for Buzzfeed.

Olaf Falafel (@OFalafel)Fri, 10 Dec 2021 13:32 GMT

This log4j exploit = remote code execution in basically everything Arbitrary code execution in iCloud, Twitter, Steam, CloudFlare, Amazon, Tesla, Baidu, Tencent This may well be devastating 0day RCE exploit that has ever been dropped in all of history. github.com/YfryTchsGD/Log…

Mustafa Al-Bassam (@musalbas)Fri, 10 Dec 2021 13:28 GMT

"Best practices" are only the "best" because nobody's found anything better yet. (Also, they can be subjective, so calling them "best" can sometimes be a misnomer).

Kent C. Dodds 💿 (@kentcdodds)Fri, 10 Dec 2021 14:41 GMT

This is an amazing work by @volker_simonis to patch the critical #log4j bug for running JVM instances. If you have services that use Log4J and you can not update them today you should execute this program / agent to patch your running #Java JVM instances on the fly 👍👍👍

Post details

I've written a simple (i.e. standalone, no dependencies) Java program which patches JndiLookup.lookup() to return a fixed string and not parse its arguments. This should fix CVE-2021-44228 (i.e. RCE in Log4j) without restarting your JVM process. #Log4J github.com/simonis/Log4jP…

Volker Simonis (@volker_simonis)Fri, 10 Dec 2021 10:45 GMT

Hendrik Ebbers 👾 (@hendrikEbbers)Fri, 10 Dec 2021 11:08 GMT

https://twitter.com/volker_simonis/status/1469256987196100608

Howto detect if affected: Start netcat parallel to your app: "nc -lp 1234", then type the following into app where it gets logged (e.g. the query string of your search): "${jndi:ldap://127.0.0.1:1234/abc}" If you then see garbage/emojis in the netcat console your're vulnerable!

Uwe Schindler 👮💳💉💉 (@thetaph1)Fri, 10 Dec 2021 11:51 GMT

I've written a simple (i.e. standalone, no dependencies) Java program which patches JndiLookup.lookup() to return a fixed string and not parse its arguments. This should fix CVE-2021-44228 (i.e. RCE in Log4j) without restarting your JVM process. #Log4J github.com/simonis/Log4jP…

Volker Simonis (@volker_simonis)Fri, 10 Dec 2021 10:45 GMT

I once went on a first date with this guy who, at the end of the date, turned to me and said, “This was fun! I’ll reach out regarding next steps,” immediately apologized for using work language, and ran away embarrassed. I wonder what happened to him, OH RIGHT WE LIVE TOGETHER.

Andrea (@an_dree_ahhh)Thu, 09 Dec 2021 23:16 GMT

Jeff Bezos' 9-minute joyride to the edge of space created more carbon emissions than 1 billion people produce in an entire lifetime

W.E.D.em Boyz (@LeftistWonk)Thu, 09 Dec 2021 04:55 GMT

It is literally impossible for a film to have a shot that looks this cool now. You just can't top this

THEY/SHE BALLARD (@BODY_W0_WHORGAN)Thu, 09 Dec 2021 22:11 GMT

The annoying thing about working on private codebases is often I write code I'm really pleased with and I'd absolutely love to share it! But there's so much business logic baked in that either doesn't make sense or I can't show without upsetting customers 😢

Katy 🐭✨ (@KatyCodesStuff)Fri, 10 Dec 2021 09:31 GMT

I just knocked up a quick JavaAgent that works around the log4j zero day: github.com/stuartwdouglas…. It basically just nulls out the JndiLookup class in log4j.

Stuart Douglas (@stuartwdouglas)Fri, 10 Dec 2021 06:27 GMT

Today is my last day with @Justice_Digital. Super proud of everything we accomplished over the past three years. No doubt I’m leaving one of the best digital teams in government.

Tom Withers (@tomtucka)Fri, 10 Dec 2021 09:40 GMT

https://twitter.com/tomtucka/status/1469240717168025602

I’ve decided to take the leap into contracting so I can travel more, I’ll be joining teams in @GDSTeam next week for the next 12 months, after that I’m planning to take 4 months off to travel south east Asia!

Tom Withers (@tomtucka)Fri, 10 Dec 2021 09:40 GMT

best new yorker cartoon in decades probably

Aleph (9, 5) (@woke8yearold)Thu, 09 Dec 2021 04:11 GMT

If you can get a certificate in it, it’s not Agile. You can’t certify "do what works & if it doesn’t work, fix it." You can’t certify "talk to each other." You can’t certify "build small." You can’t certify "treat people with respect." You can’t certify "pay attention & learn."

Allen Holub (@allenholub)Fri, 10 Dec 2021 02:22 GMT

I see folks making fun of the CVE issued for the default password on Raspberry Pi I personally want to see CVEs for EVERY _static_ default credential. I want it to show up in searches for the vendor name or product, CVE counts for a vendor, and in risk ratings for the product.

Tom Sellers (@TomSellers)Wed, 08 Dec 2021 16:54 GMT

https://twitter.com/jacobian/status/1469131850962518017

I deleted an incorrect tweet about mitigations. Here's the correction: PoC is here: github.com/tangxiaofeng7/… (and it's legit, I've seen verification). Mitigation: update to log4j 2.10 and set the env var LOG4J_FORMAT_MSG_NO_LOOKUPS=true; OR upgrade to 2.15rc1 or above.

jacobian (@jacobian)Fri, 10 Dec 2021 02:35 GMT

If you're running a server with #Log4J, please add the following JVM argument to your command line immediately to protect against a 0-day exploit. -Dlog4j2.formatMsgNoLookups=true lnkd.in/gHmEFJ9w #Java #Security #Infosec

Bruno Borges (@brunoborges)Fri, 10 Dec 2021 06:07 GMT

RagnarRox 🏴‍☠️ (@RagnarRoxShow)Thu, 09 Dec 2021 12:26 GMT

I’m starting to worry that @tomkrazit and the rest of the @protocol gang are going to give me a run for my money on ridiculous @awscloud puns.

Corey Quinn (@QuinnyPig)Thu, 09 Dec 2021 17:37 GMT

I am begging you to read this engagement announcement from my parents’ local paper

Atom Atkinson (@AtomAtkinson)Thu, 09 Dec 2021 04:26 GMT

When I’m #WFH but hosting an event, I go posh af for the food I make myself. For my second day at #APIdays, I made scallops with truffle tortellini. 😋

Jennifer Riggins (@jkriggins)Thu, 09 Dec 2021 12:48 GMT

The only times I've been motivated in my career was when I was building a product I was excited about and/or used in my personal life prior to accepting the job. Having a personal stake in the game really improved my morale.

Emma Bostian 🐞 (@EmmaBostian)Thu, 09 Dec 2021 12:45 GMT

https://twitter.com/spacetwinks/status/965428890830344193

A beautiful twist. (for those who want to drill down: scifi.stackexchange.com/questions/1313… )

Micah Wittman (@micahwittman)Mon, 19 Feb 2018 21:49 GMT

you want me to go see the great clown pagliacci. the person who I actually am

Adam Cerious (@Browtweaten)Thu, 09 Dec 2021 01:06 GMT