#off-topic
2021-12-10
Cora (she/her)05:12:13

I'm not sure where else to post this but this seems pretty bad https://www.lunasec.io/docs/blog/log4j-zero-day/

Cora (she/her)05:12:58

it feels like the sort of thing to post more widely but I think this is the only place currently that's appropriate

seancorfield05:12:17

Yikes! Yes, thank you for posting this!

seancorfield05:12:01

There's a #web-security channel but it is small and does not have much activity.

seancorfield05:12:23

2.15.0 is available now.

genekim05:12:06

Thank you, @U02N27RK69K — "Apple iCloud, Minecraft, and others were vulnerable." Holy cow.

seancorfield05:12:56

Kicked off a CI build with 2.15.0 so we'll have that on production real soon now!

Thomas06:12:53

I was looking for an appropriate channel to post it when I saw your message (I woke up and saw the link on HN, great way to start the day.) Thanks for posting it!

nyantocat 1
Ben Sless07:12:58

Besides being incredibly important, there's something fun you could try doing with that - bootstrap a Clojure REPL. On a machine you control, ofc

2
Cora (she/her)07:12:30

I compete in CTFs and I fully support this idea 😉

Cora (she/her)07:12:59

rule 1 of hacking: only hack your own machines, and if not that then have permission in writing to do exactly what it is you're doing to the person/org being hacked

Ben Sless07:12:26

Clojure is actually pretty big to load, being lots of classes, but I wonder if you could inject a single class Scheme with interop

Cora (she/her)08:12:22

get a reverse shell and you can inject whatever things you want

genekim05:12:45

I had mentioned in my Clojure/conj 2019 talk that the phrase "to use in anger" required that things be not just for practice, but to achieve a mission. I just learned that I was not quite correct in this. The usage of this term in this way can actually be traced back to submarine warfare in WWII, when US submarines found that torpedoes used in the Pacific were not detonating. And it turns out that they were not believed for nearly a year, despite many reports from submarine crews. And thus began a practice that torpedo test shots must be "fired in anger", causing deliberate damage, showing that they can achieve the ordnance goals. Huh!

thinking-face 5
seancorfield05:12:21

Interesting. That's a phrase I've used a lot over the years.

dpsutton05:12:57

@genekim do you remember if they determined a reason that the torpedoes did not detonate in the Pacific?

phronmophobic05:12:29

So how much damage does my code need to cause before I can say I've used a library/technology "in anger"?

7
Sophie10:12:22

The term "business impact" gets a completely different vibe in this context

😆 7
Drew Verlee22:12:24

be the change you want to see in the world, tell them you have used software "in piece" but never anger. Then spread your arms wide as if to welcome them to bask in your wisdom.

🙏 1
dpsutton16:12:14

if you are trying to mitigate the log4j bug and copying the ‐Dlog4j2.formatMsgNoLookups=true from a tweet you will get the 8208 “hyphen” rather than ASCII 45 “hyphen-minus” and the java command line will not recognize that as a property but just the name of the main class. Just FYI

👀 1
😄 1
adi19:12:17

Have you tried rubbing a database on it? https://www.hytradboi.com/ The hytradboi conference is open for CFPs. You may see a familiar name or two in the current lineup, from the Clojure and/or "It's just data" camps :).

seancorfield21:12:40

Too soon! :rolling_on_the_floor_laughing:

💜 1
sova-soars-the-sora23:12:26

Impressively quick haha

Cora (she/her)21:12:17

(alt: 4-panel xkcd comic. first pane, woman on phone hears "hi this is your son's school. we're having some computer trouble". second pane, woman says "oh dear - did he break something?", caller responds "in a way-". third pane, caller says "did you really name your son ($(JNDI:<LDAP://evilcorp>))Bobby?" and woman responds "Oh. Yes. Little Bobby Jindi, we call him". fourth pane, caller says "well, we've got our servers cryptolocked. I hope you're happy" and the woman responds "and I hope you've learned to sanitize your log4j inputs")

Drew Verlee22:12:18

did you copy that text over? Or did a program using your icon? I'm a tad confused 😄

Cora (she/her)22:12:20

I added alt text for the comic for anyone using a screen reader so they're not excluded

❤️ 1
Cora (she/her)22:12:27

I typed it all out

Drew Verlee22:12:33

that was nice of you. I wouldn't have thought to do that. thanks for explaining.

Drew Verlee22:12:10

I wouldn't have, as a comic writer, even thought to include that.

Cora (she/her)22:12:05

I wish it was a thing that was just expected

☝️ 1
phronmophobic22:12:18

TIL, there is a way to add alt text to an image in slack, https://slack.com/help/articles/4403914924435-Add-descriptions-to-images. It is a little convoluted though

👍 1
phronmophobic22:12:40

It does not provide instructions for the iOS app though

phronmophobic23:12:04

I tried it on a different slack server. You can add the extra details, but it does not show the alt text on hover. You can get the extra image details, but it is equally convoluted

Cora (she/her)23:12:19

I wish accessibility being inaccessible was a less common phenomenon

Cora (she/her)23:12:34

but that tracks with a lot of my experiences

Drew Verlee22:12:05

How can you tell the difference between an alias and an abstraction? A philosophical teaser to see you into the weekend!

respatialized00:12:59

Massive oversimplification answer: alias is a one to one relationship, abstraction is a one to many relationship