IndieWeb post types
This content type collects IndieWeb post types: content types that let me take greater ownership of my own data. These are likely unrelated to my blog posts. You can find a better breakdown by actual post kind below:
Post details
This week did not show us weakness in Log4J, Java, or open source. It showed us their relevance and resilience. My 🤘🏻 to the folks keeping us safe with timely workarounds, fixes, and communications. This was a masterclass in global incident response.
Andrew Lee Rubinger (@ALRubinger), Sun, 12 Dec 2021 07:01 GMT
Post details
from @BlackHatEvents USA 2016: A Journey From #JNDI/LDAP Manipulation to Remote Code Execution Dream Land by @pwntester and @olekmirosh blackhat.com/docs/us-16/mat… now the exploit vector presented in 2016 is the #log4jRCE. attached slide #11 from the presentation below. :)
an0n (@an0n_r0), Sat, 11 Dec 2021 12:23 GMT
Post details
since everyone is talking about log4j/supply chains: in an experiment years ago i calculated 1-bit offset utf8 strings of the top few hundred npm packages and registered packages under them. they received thousands of hits per week from machines trying to download and execute them
suzuha (@dystopiabreaker), Sat, 11 Dec 2021 08:06 GMT
Between and I took 5587 steps.
Post details
developer pro tip: the best way to prevent log4j from executing shell commands or querying LDAP is to not allow any user input of any kind
laserllama (@laserllama), Sun, 12 Dec 2021 03:32 GMT
Post details
RT @reathchris as a user i want you to leave me alone
A Christmas Carol 🎄 (@CarolSaysThings), Fri, 10 Dec 2021 07:49 GMT
Post details
RT @Ryan_Ken_Acts I perpetually feel like I’m 2 to 3 good back cracks from knowing true peace
A Christmas Carol 🎄 (@CarolSaysThings), Fri, 10 Dec 2021 07:38 GMT
Post details
Gotta love Hermes: “We left the parcel on your porch” In the picture: not my gd porch 😒
A Christmas Carol 🎄 (@CarolSaysThings), Fri, 10 Dec 2021 17:40 GMT
Post details
RT @UrbanNathalia
A Christmas Carol 🎄 (@CarolSaysThings), Thu, 09 Dec 2021 22:38 GMT
Post details
we’re calling this thing the Yule Log4j, right? cuz in the dark of winter we’ve gathered together to watch it burn?
gemily son of glóin (@themortalemily), Sat, 11 Dec 2021 18:23 GMT
Post details
Running Tycho?
Post details
The Discuss (@TheDiscussPod), Sat, 11 Dec 2021 21:24 GMT
James S.A. Corey (@JamesSACorey), Sat, 11 Dec 2021 22:41 GMT
Post details
Maintainable open source is not an easily solved problem. And yet most of our tech stacks would shut down if open source code was all of a sudden unavailable.
Laurie (@laurieontech), Sat, 11 Dec 2021 22:44 GMT
Post details
As someone who does this quite often, they are not ignoring you. They are overwhelmed. They are forgetful. They are trying to figure out what it means to care for themselves and actually do it. They do not hate you. They, in fact, probably miss you.
Amy Gaeta (@GaetaAmy), Wed, 08 Dec 2021 03:37 GMT
OK, so the point of the tweet wasn't anything related to where you were quoting (the ongoing log4j issue) and just a chance to complain about Okta?
Post details
there is a cat!!! at this party!!! twitter.com/himaisie/statu…
Post details
party outfit
maisie 🔔 🏳️⚧️ (@hiMaisie), Sat, 11 Dec 2021 12:56 GMT
maisie 🔔 🏳️⚧️ (@hiMaisie), Sat, 11 Dec 2021 21:57 GMT
Why the hate for Okta using a very well deployed and useful logging library?
Post details
The Apache Log4j project is maintained by three people who are volunteering their spare time. Please don't be a jerk to them because multi-billion dollar companies are using their tool without even bothering to throw $1,000 their way.
Post details
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. twitter.com/shipilev/statu…
Volkan Yazıcı (@yazicivo), Fri, 10 Dec 2021 16:55 GMT
Catalin Cimpanu (@campuscodi), Sat, 11 Dec 2021 17:41 GMT
Post details
It took me about 5 minutes to start locally running an open source Ruby project despite the fact that I never touched Ruby on Rails in the past & the project itself didn’t have related docs. Now that’s what I call strong external community resources that are easy to find 👏
Cake is Kate. Always has been 💫 (@kefimochi), Sat, 11 Dec 2021 23:27 GMT
Post details
This is a “vaccination” for the log4j vulnerability. Given a vulnerable piece of software, it exploits the log4j vulnerability, just to install a new piece of code that prevents exploiting it in the future. Ethical? github.com/Cybereason/Log…
Daniel Feldman (@d_feldman), Sat, 11 Dec 2021 16:21 GMT
Post details
It's incredibly annoying to see a snickering gallery of technologists laughing at the log4j vulnerability because it's Java. It's sophomoric and they should grow up and get over themselves.
John Graham-Cumming (@jgrahamc), Sat, 11 Dec 2021 17:46 GMT
Post details
The market rate of a developer who can maintain a large open source project is at least $300k/yr. (Conservatively, check levels.fyi.) The most I've seen someone rack up on GitHub Sponsors and Patreon is like $1,000/month. You see the problem?
Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile), Fri, 10 Dec 2021 22:58 GMT
Post details
This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. "I work on Log4j in my spare time" "always dreamed of working on open source full time" "3 sponsors are funding @rgoers's work: Michael, Glenn, Matt" People, what are we doing.
Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile), Fri, 10 Dec 2021 22:58 GMT
Post details
orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question
eng: do this for your tech stack
Post details
fun exercise for folks with production code in github: go to the Insights tab in your repo and navigate to the Dependencies page. pick a package that looks interesting and find out how it's funded.
shelby spees (@shelbyspees), Sat, 11 Dec 2021 16:34 GMT
p🍐ris (@ParisInBmore), Sat, 11 Dec 2021 16:38 GMT
Post details
This may seem like overkill, but it's really an investment in your company's stability. #OpenSource may reduce many costs of development, but it's not entirely free. Don't find out that the library that's integral to your infrastructure is un(der)-funded when it's too late.
Post details
orgs: hire an oss strategy person to do this for your entire product portfolio. add in “what does the project need” to the “how is this being funded?” question
eng: do this for your tech stack twitter.com/shelbyspees/st…
p🍐ris (@ParisInBmore), Sat, 11 Dec 2021 16:38 GMT
julia ferraioli (@juliaferraioli), Sat, 11 Dec 2021 17:53 GMT
Post details
WholesomeMemes (@WholesomeMeme), Sat, 11 Dec 2021 12:59 GMT
Post details
Googling to learn more about the #Log4J vuln and google helpfully let me know that log(4) J is 0.602059991 joules
Edwin (@ed___wins), Fri, 10 Dec 2021 23:17 GMT
Post details
the dirty secret is that sound works just fine on linux. it's a just a lie told by the linux-using devs to get out of conference zooms with windows-using management.
Grant Horwood ↙↙↙ (@gbhorwood), Fri, 10 Dec 2021 19:16 GMT
Post details
No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a @TheASF "Project Management Committee"... AND NO ONE IS PAYING THEM? apache.org/dev/pmc.html Open Source needs to grow the hell up. Yesterday.
Post details
Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile), Fri, 10 Dec 2021 22:58 GMT
Post details
I wouldn’t be surprised if there are some male teachers who keep a list of female students’ 18th birthdays 🥴🤢
GDP Misleads (@GDP_Misleads), Fri, 10 Dec 2021 17:01 GMT
Post details
Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them.
Post details
If you're running a server with #Log4J, please add the following JVM argument to your command line immediately to protect against a 0-day exploit. -Dlog4j2.formatMsgNoLookups=true lnkd.in/gHmEFJ9w #Java #Security #Infosec
Bruno Borges (@brunoborges), Fri, 10 Dec 2021 06:07 GMT
Aleksey Shipilëv (@shipilev), Fri, 10 Dec 2021 15:26 GMT
Post details
Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.
Post details
Sending hugs to Log4J people. This must be an extraordinarily shitty Friday for them. twitter.com/brunoborges/st…
Aleksey Shipilëv (@shipilev), Fri, 10 Dec 2021 15:26 GMT
Volkan Yazıcı (@yazicivo), Fri, 10 Dec 2021 16:55 GMT
Post details
Tony Hawk is proof that no one would think Clark Kent is Superman
Post details
At coffee shop this morning: Girl behind counter: (not joking) “has anyone told you that you look like Tony Hawk?” Me: yes, so much that I sometimes write about it. Her: haha, here’s your coffee Other girl by exit: (leans toward me as I walk out): “you really do look like him”
Tony Hawk (@tonyhawk), Fri, 10 Dec 2021 16:17 GMT
andrew 🏳️🌈 (@McFreakinAndrew), Fri, 10 Dec 2021 16:59 GMT
Worse is that the replacement should still be working 🙃
Post details
Love that the Levi’s shop app used \n\r instead of \r\n
Ryan Pepper (@drpeps92), Sat, 11 Dec 2021 09:59 GMT
If any of y'all are using #Localstack with Java Lambda projects, I'd recommend updating to v0.13.1 as it includes stay open mode for docker-reuse so you won't be hitting cold starts on each invocation 🙌
Between and I took 4211 steps.
Post details
someone once broke up with me because they “had a big crush on this random person at a party” and it made them realize they weren’t that attracted to me. I moved on and got married and years later found out that I married THE RANDOM PERSON AT THE PARTY!!!!! Lol suck it
ely kreimendahl (@ElyKreimendahl), Thu, 09 Dec 2021 23:38 GMT
Post details
tell your girl you love her or Pete Davidson will
the King of Salad Island (@torchadub), Thu, 09 Dec 2021 20:29 GMT
Post details
He's making a list,
And checking it twice,
You're gonna find number 8
Very hard to believe.
Santa Clause is working for Buzzfeed.
Olaf Falafel (@OFalafel), Fri, 10 Dec 2021 13:32 GMT
Post details
This log4j exploit = remote code execution in basically everything. Arbitrary code execution in iCloud, Twitter, Steam, CloudFlare, Amazon, Tesla, Baidu, Tencent. This may well be the most devastating 0day RCE exploit that has ever been dropped in all of history. github.com/YfryTchsGD/Log…
Mustafa Al-Bassam (@musalbas), Fri, 10 Dec 2021 13:28 GMT