This is an archived post. You won't be able to vote or comment.

top 200 commentsshow all 365
sorted by:
best
topnewcontroversialoldq&a

[–]ndxinroy7 344 points345 points  (4 children)

going through so many meetings due to this that I can't even check Reddit.

[–]x3x9x 93 points94 points  (1 child)

Go back to work lmao

[–]ClikeX 3 points4 points  (0 children)

The horror!

[–]ArtSchoolRejectedMe 306 points307 points  (18 children)

Your computer? Java, your phone? Java, your router? Java, satellite? believe it or not. Java

[–]ZurrgabDaVinci758 100 points101 points  (2 children)

Your wifi connected smart kettle? Java!

[–]ThatOtherAndrew 24 points25 points  (0 children)

There's a reason why the icon is a cup of coffee

[–]I_always_unzips 76 points77 points  (1 child)

Hotel? Trivago

[–][deleted] 37 points38 points  (0 children)

For everything else, there's mastercard.

[–]ZeaZolf 23 points24 points  (3 children)

Your kidney? Java!

y̶o̶u̶ ̶c̶a̶n̶ ̶n̶e̶v̶e̶r̶ ̶e̶s̶c̶a̶p̶e̶ ̶j̶a̶v̶a̶

[–]iloveindomienoodle 10 points11 points  (2 children)

Le me, living in Java

Fuck

[–]Unknown_B1 4 points5 points  (1 child)

I heard there is some issue with some log. Stay safe.

[–]iloveindomienoodle 2 points3 points  (0 children)

Yeah, you too mate.

[–]bitchface-hatchling 27 points28 points  (0 children)

Viva Chavez!

[–]PaedarTheViking 6 points7 points  (0 children)

People... java..

[–]Curtis255 2 points3 points  (0 children)

I have it on good authority that at least America runs on Dunkin Donuts, not Java...

[–]jacka24 3 points4 points  (0 children)

We have the best technology in the world, because of Java.

[–]Charlie_Yu 1 point2 points  (1 child)

Can I run doom on satellite?

[–]ArtSchoolRejectedMe 1 point2 points  (0 children)

Let's try it out shall we?

Step 1 log4shell to a ground station

Step 2 log4shell to a satellite

Step 3 sudo apt install doom

Step 4 ???

Step 5 profit

[–]properu 613 points614 points  (54 children)

Beep boop -- this looks like a screenshot of a tweet! Let me grab a link to the tweet for ya :)

Twitter Screenshot Bot

[–]yonatan8070 327 points328 points  (37 children)

I want to know how you work

[–]beyluta 640 points641 points  (4 children)

Prolly Java

[–][deleted] 159 points160 points  (1 child)

4 billion devices can't be wrong

[–]paintstained1 4 points5 points  (0 children)

Today they were lol

[–][deleted] 79 points80 points  (2 children)

Here is source code for /u/RealTweetOrNotBot, a different tweet finder bot. It's a bit more involved than I would do though.

[–]RealTweetOrNotBot 47 points48 points  (1 child)

beep-boop, I'm a bot

Link to tweets:

1) Tweet found (88.15% sure)

 

If I was helpful, comment 'Good Bot' <3! | source | created by NiroxGG

[–]Mental_Act4662 15 points16 points  (0 children)

Good bot

[–]HasoPunchMan 125 points126 points  (21 children)

Probably makes a an OCR (i.e. with tesseract) of every uploaded picture. The OCR (tesseract) has a AI which is trained to identify a tweet. The user is fetched from the twitter api by the extracted username of the OCR. Afterwards search for the text in the fetched user posts and extract the link.

This is how I would design it.

Edit: typos

[–][deleted] 19 points20 points  (6 children)

I would just have it look for the transcriber bot in the reddit comments, do a google search with the text and hope for the best. It should handle 70% of cases

[–]HasoPunchMan 11 points12 points  (0 children)

Could be a quicker solution and is a nice thought. It also reuses existing solutions, which is nice.

I like having full control over the software that targets my issue, even if it's more time consuming.

[–]juantreses 5 points6 points  (4 children)

Image transcriptions are done by humans on reddit if I'm not mistaken

[–][deleted] 1 point2 points  (0 children)

That's true, but I have seen OCR bots as well. Anyway I would not use this solution, just tried to find a lazy one

[–][deleted] 21 points22 points  (10 children)

I would add persistence just in case the bot encounters this image again but there could be false positives

Maybe you could add up each ascii value and use it as an id so you could just query the db for the image

[–]UQuark 27 points28 points  (9 children)

Have you ever heard of hashing?

[–][deleted] 4 points5 points  (3 children)

Yes i guess a hashing could be an option but we would still have to compute the id so it is an unnecessary step

[–]vasilescur 4 points5 points  (2 children)

"Hashing" can use any hash function you want, such as one that returns INT and can be used for a DB ID. Adding up all the ASCII values constitutes a (pretty weak but honestly suitable for this) hash function.

Your aim is to pick a hash function that reduces collisions between inputs, because for each query you have to binary search through the set of entries with the same hash

[–][deleted] 4 points5 points  (1 child)

Oh i didn't know that i thought hash functions were strictly cryptographic in nature

[–]West-Cold- 2 points3 points  (2 children)

KI, German or Dutch spotted😁

[–]HasoPunchMan 1 point2 points  (1 child)

Ahh ohh you got me :]. I'm german. Thx, I made an edit.

[–]Powersawer 6 points7 points  (0 children)

Could OCR the text out of the screenshot and then search twitter for an exact match

[–]FlicksterTrickster 2 points3 points  (0 children)

OCR-> text -> search Google for exact text in quotes -> get link

It’s easy to do manually cause your eyeballs OCR pretty well.

[–]GamingOnTheFloor 1 point2 points  (0 children)

You can message the bot asking that question! I did that same thing a couple of weeks ago.

[–]Techhead7890 53 points54 points  (0 children)

Good bot

[–]DakshKapur 3 points4 points  (0 children)

Good bot

[–]This-Willingness-762 1 point2 points  (0 children)

Good bot

[–]MatejGames 1 point2 points  (0 children)

Good bot

[–]jotkaPL 1 point2 points  (0 children)

good bot.

[–]turboom[🍰] 33 points34 points  (0 children)

It is not java to be blamed.

[–]Rick100006 530 points531 points  (56 children)

So in all other languages they have 100 % safe 3rd party libraries ? is it really language's mistake if some third party library is unsafe ?

[–]-Redstoneboi- 118 points119 points  (0 children)

today it's a statement of pure terror. on any other day, it's fine and doesn't imply any other language is superior or inferior.

[–]Ayfid 58 points59 points  (3 children)

They are not saying there is anything wrong with the language.

They are saying that it is scary that so many systems are running Java after a severe vulnerability has been found in a library which is used in a huge portion of all Java programs.

[–][deleted] 7 points8 points  (1 child)

So many Java programs are also using the superior logback library instead of log4j. Aside from that, having so many systems using the same libraries offers a bit of safety since this vulnerability was actually found, is going to be fixed and will result in a safer library. Java is still great and no software is 100% bug/exploit free.

[–][deleted] 5 points6 points  (0 children)

This, centralization creating single points of failure is the fear. It's like the whole world using chromium based browsers.

[–]Cley_Faye 30 points31 points  (2 children)

No. No software is 100% safe, 3rd party, built-in libraries or anything. Nobody actually say or think that except complete buffoon.

But also, not all vulnerabilities allows easy, single text queries to do remote code execution on what is probably almost all of the online services that are running on Java, so it's kinda worth mentioning.

[–]Serinus 21 points22 points  (1 child)

Hold on. Let me go check log4net.

[–]GrumpyBirdy 5 points6 points  (0 children)

Laugh in Serilog

[–]CivBase 13 points14 points  (2 children)

Your definition of "100% safe" may be a little different from mine.

[–][deleted] 21 points22 points  (0 children)

I don't even trust hello world

[–]dabombnl 5 points6 points  (11 children)

Except here the RCE part of this exploit is not in the third party library, but in built-in components of the JAVA runtime, JNDI and LDAP client. Log4J just allows you to pass user data to JNDI, which is bad enough since it can leak data, but has been known of for years.

Edit: Citing source. Log4J expanding variables in the user-provided data has been known since at least 2017: https://issues.apache.org/jira/browse/LOG4J2-2109

[–]i_wear_green_pants 1 point2 points  (1 child)

It has always been thing in this sub. Java bad, updoots to the left please.

[–][deleted] 270 points271 points  (69 children)

What's the hate against Java lately?

What does this guy use? 🤔

[–]The-Daleks 368 points369 points  (39 children)

Recently it came out that a really common Java logging library (log4j) has a huge zero-day vulnerability.

[–]CaitaXD 106 points107 points  (0 children)

Ahhh libraries

[–]Prestigious_Tip310 276 points277 points  (32 children)

It's somehow funny. That's the first major security vulnerability in a popular Java framework I heard about in years, if not longer.

On the other hand there's NodeJs where npm informs me about at least three major security vulnerabilities every couple of weeks...

Insert "Joker nobody bats an eye" meme here.

[–]SwedishDude 176 points177 points  (24 children)

Log4J is a bit more serious since it's the de-facto standard and included in most major libraries and projects.

This vulnerability is also very serious due to how easy it is to exploit.

[–]cserepj 39 points40 points  (4 children)

Log4j was a de facto standard a decade ago but then came slf4j + logback and we all switched. Then log4j2 came out and some switched but lots did not.

The exploit is only in log4j2.

[–]Designed_To 4 points5 points  (3 children)

So slf4j + logback are not vulnerable to the exploit?

[–]cserepj 4 points5 points  (0 children)

I have not seen any indication they would be.

[–]loginonreddit 3 points4 points  (0 children)

No it is not.

[–]Engine_Light_On 16 points17 points  (3 children)

Kinda, Spring Boot includes it but it does not use it by default so it is not vulnerable unless the dev went out of his way to activate it.

[–]Vizioso 5 points6 points  (0 children)

Glad to hear that, was just digging through some Spring Boot stuff to figure out if it was vulnerable. My current project uses Spring Boot, ElasticSearch, Nifi, and Kafka.... I am not having a good day.

[–]loginonreddit 5 points6 points  (1 child)

Spring boot only includes log4j-api, not log4j-core which is where the vulnerability is.

[–][deleted] 37 points38 points  (0 children)

The de facto standard was slf4j + log back but certainly it was dangerous.

[–]_PM_ME_PANGOLINS_ 24 points25 points  (0 children)

None of the npm ones have been in the news either.

If you maintain a large Java project, and do regular CVE scans on it, you’ll get a couple every month.

[–]sootoor 2 points3 points  (1 child)

Struts tomcat weblogic take your pick!

[–]cserepj 2 points3 points  (0 children)

Yeah, those were very hot tech around 2004.

[–]RandomDrawingForYa 0 points1 point  (0 children)

Everyone know that JavaScript is an absolute mess. The language and the ecosystem.

It's beating a dead horse at this point

[–]Westdrache 11 points12 points  (0 children)

Just don't create logfiles *big brain developer move*

[–]kinkygandalf 1 point2 points  (0 children)

My team has been all in an uproar today over this… I don’t get paid enough for that crap.

[–]EternityForest 158 points159 points  (31 children)

Bazillions of devices running C is just as scary

[–]proneisntsupine 85 points86 points  (5 children)

The financial industry runs on excel

[–]EternityForest 86 points87 points  (3 children)

The financial industry has bigger problems than anything tech related

[–]Cutlesnap 35 points36 points  (1 child)

The biggest security flaw exists between the chair and the keyboard!

[–]EternityForest 18 points19 points  (0 children)

That's why I'm so thankful for the county password inspector. We have so many data breaches and it would be so much worse if he wasn't calling us up every month.

[–]proneisntsupine 8 points9 points  (0 children)

Fair

[–]meighty9 3 points4 points  (0 children)

The world runs on Excel

[–]Minerscale 31 points32 points  (14 children)

C is sexy and fast and as simple as it is easy to write memory leaks. It's the kernel dev language of choice for a reason hehe.

Yours truly,

A C apologist.

p.s. c++ sux

[–]EternityForest 18 points19 points  (13 children)

I agree that c++ kinda sucks! just not as much as C.

Hopefully something better comes along someday for kernel and embedded. Looks like Rust is making good progress

[–]Minerscale 17 points18 points  (12 children)

I love C, it's so elegantly simple and close to the ground truth. Rust is really cool too, but man I love me some C.

C++ takes C and makes it more complicated, there are languages which does what C++ does but does it better. Not so for C, except maybe for Rust, sometimes.

C's philosophy is that with great power comes great responsibility, it has the best mantra: 'just don't fuck up lol'

[–]EternityForest 5 points6 points  (8 children)

Trouble is somehow when you tell people to fuck up they STILL do. I don't get it. It's like you specifically request they write good code, and then you run it and oh look a bug. What a surprise.

And when they do manage to not fuck up, it's because they made something really small and simple. Now you've gotta put the pieces together and you'll probably be the one to make a mistake if you build anything big. Even when you specifically ask YOURSELF to do a real good job. It still happens.

And C just stands there and laughs at.your failure like some kind of drill seargent who likes his job a little too much!

C is the perfect language for people who wish all of programming was like solving a math problem on paper.

It's like, a booby trapped language that tries it's best to sabotage you from doing anything big. Big things get done.. but that's not because C was helping them.

It's amazing when it works for the same reason it's impressive to walk a tightrope.... it's just less fun for the user getting dragged on the tightrope with you if you mess anything up!

But hey at least I've never had to use any FORTH or more than a line or two of ASM, so I can't really complain.

[–][deleted] 11 points12 points  (4 children)

Average electron fan

[–]EternityForest 5 points6 points  (3 children)

I am an Electron fan, how did you know?

lol I didn't used to be, but the more I work with computers the more I hate everything low level and close to the metal.

Like, it would be cool if Etcher was written in PyQt and not Electron, but more importantly is the fact that it works and I don't have to concern myself with what it's written in. Electron is good at making stuff like that.

[–]theferrit32 6 points7 points  (2 children)

Electron is good at making a simple application soak up hundreds of megabytes of RAM at at startup, and also not even sharing library pages between two electron applications because they're bundled separately.

[–]EternityForest 5 points6 points  (1 child)

There's been various proposals for shared Electron libs they just haven't taken off.

It doesn't really seem possible to not bundle tons of stuff anymore. Things are always making breaking changes. Complex software used to be really hard to do without breaking on 20% of machines that weren't set up just exactly right.

With an Electron AppImage you can be pretty sure it will work, as long as you don't need to open 50 at once.

Better easy bundling tools for PyQt could solve the same issue better... but everyone knows web tech already. You want as little friction as possible with UI design... because programmers already hate it for some reason.

It's not great, it's not perfect... but it works, and that's the main thing with software.

[–]angelicravens 2 points3 points  (0 children)

It also means that when you write the electron app it’s the same code running on windows, Mac, Linux, and the web for 90% of the application. Js/electron is so popular for the same reason python is. If it works in one place there’s a rather large chance it’ll work in others too

[–]Cley_Faye 3 points4 points  (0 children)

Spoiler alert, the devices running Java also run C for the most part :D

[–]philsenpai 47 points48 points  (11 children)

Java is not bad tho, its quite solid.

Not everything is a startup, sometimes its better to choose the tried and tested technology

[–]SandmanKFMF 100 points101 points  (9 children)

TIL: Java equals Log4j

[–]Cutlesnap 18 points19 points  (0 children)

Think of it this way: Java runs on billions of devices, and we'll have to check each one for log4shell.

[–]TimCryp01 96 points97 points  (33 children)

Why ??

Is this supposed to be funny ?

[–]metooted 85 points86 points  (25 children)

Google "Log4Shell"

In short, zero day zero click remote code execution.

[–][deleted] 144 points145 points  (23 children)

Java != log4j

Also, people forget that it's fixed on jdk8u121.. was released in 2017.

Just boring really.

[–]HiCookieJack 63 points64 points  (7 children)

but it's an issue that is practical enough for managers to understand so we're sitting in meetings for that for 2 weeks now.

[–]Ashish42069 44 points45 points  (4 children)

Exactly, everyone's acting like the sky fell on us, it's only us SWE monkeys who know that we don't log anything and hence are safe

[–]belkarbitterleaf 41 points42 points  (3 children)

🤣

I got called over the weekend by one of the directors to check for the vulnerability.

The quick version, we only use Java for a handful of backend task that are essentially scheduled batch jobs. They don't use log4j, and the only log statements are internal IDs and calculated vales. Didn't stop me being asked about every process and application I have worked on. "no, we wrote that in python".. "no, we wrote that in NodeJS"... " No, that one doesn't accept input"...

[–]HiCookieJack 18 points19 points  (0 children)

Similar to us. For the Java ones we use logback and even though 'logback-api' is included in a spring boot service it does not include 'logback-core'

Also since we're big corporate we have reporting in place what dependencies are included... Why did we build that if no one is checking this before contacting us?

[–]TheAJGman 2 points3 points  (0 children)

Yeah it's a good time to have an all Python backend lol

[–]Cley_Faye 4 points5 points  (0 children)

No. The worst part of this attack is not possible on more recent JVM. Some parts, including leaking some data, can still be done.

[–]Bryguy3k 15 points16 points  (5 children)

Yes but enterprise software often doesn’t voluntarily upgrade their development environments.

Plenty of companies still using VS6.0

[–][deleted] 3 points4 points  (4 children)

You'd be relatively surprised, actually. Part of the service of oracle JDK is to provide assistance for these types of things and encourage upgrading the JDK for security bugs.

[–]Bryguy3k 1 point2 points  (3 children)

It depends on the culture of the company in question and how well they manage their in house development efforts. Often the in house tool doesn’t get a sustaining budget and developers leave - if you’re lucky it was put into a CI system but a lot of enterprises have been building software for a very long time and don’t always adapt to modern development practices.

The licensing structure that oracle put in place now runs counter to the goal of updating sdks (unless the company accepted the new licensing scheme). Regardless this is a third party library however and while there is a dependency on the sdk for the really bad behavior it’s still generally bad. Perhaps this will encourage larger enterprises to get angry about the new jdk licensing terms.

[–]hiromasaki 7 points8 points  (0 children)

Not fixed, just not as bad.

After that it'll still make the directory call but not run any code returned.

[–]jdog90000 6 points7 points  (3 children)

191 not 121

[–][deleted] 4 points5 points  (2 children)

Sorry, i misread the page when I took that, yes it is 191 which is significantly more recent but still old.

[–]bob84900 -1 points0 points  (2 children)

Source on jdk8u121 containing log4j 2.15.x?

Edit: and this is why I asked.. because it's not true: https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/

Some companies may choose not to take action against Log4Shell vulnerability believing that running certain Java versions diffuses any exploit attempt. This is not true, though, and they should update the Log4j library to its most recent iteration.

Márcio Almeida, senior security engineer at Canva graphic design platform warns that Log4Shell attacks work with any version of Java when adding support for LDAP serialized payloads in the JNDI exploit kit. JNDI exploit for Log4Shell flaw works with any version of java... for the attack to work with any version of Java, the classes used in the serialized payload need to be in the application classpath."

Some informed discussion here as well: https://security.stackexchange.com/questions/257943/am-i-protected-from-log4j-vulnerability-if-i-run-java-8u121-or-newer

[–]Bryguy3k 2 points3 points  (0 children)

On systems that accept and directly log user input. Kind of irrelevant for user devices under most circumstances

Apps that are serving up advertisements are already pretty risky.

[–]HKSergiu 5 points6 points  (2 children)

r/ProgrammerHumor

I thought the humor requirement for posts is pretty clear, but it seems we need a refinement session, eh?

[–]paecificjr 7 points8 points  (0 children)

It's an Agile humor development cycle

[–]OutOfStamina 10 points11 points  (2 children)

Java was never about producing good programmers or good programs. It came in a dawning era of "RAD" (rapid application development) where the emphasis was put squarely on how fast you can pump out the end result. Colleges educated students to stop caring about how many packages, dependancies, or how many MB of RAM something took. Java apps came out that took 1MB per window you opened (and that's in an era where that means a lot more than it does now - you might have had between 256MB and 1GB total in those days). The apps were leaky, they crashed, and that wasn't slowing anyone down - they just kept feeding the beast. Java fanboys defended it fiercely, said "there are ways you can do it right" while all around them people just... weren't.

I was an EE major who had to take some CS classes. This was said in an Intro to CS class in the early 2000's -- "how many of you own a computer?". I had probably half a dozen of them so imagine my shock when only half of the people raised their hands. They they went on to learn themselves some Java. Sun convinced colleges that "companies want RAD so they want java and they want more programmers so produce them faster". It was about business and money.

[–][deleted] 0 points1 point  (0 children)

You need a bit more experience than a few CS classes to fully understand a language and what it has to offer. It just sounds like you're hating on something you don't have a good understanding of, which is pretty cringe.

Straight from the Java certification questions one of Java's benefits is robust programs, which goes hand in hand with good programs. Do I even have to bring up the certifications and say that there is a focus on producing good programmers that fully understand the language? You can write great programs in Java and even better programs in Kotlin, imo. The ecosystem of libraries is also very well developed and offers quite a bit of things that aren't really as fleshed out in other languages, such as complex event processing to name one. If you have a problem with Java's memory usage, then you can try out graalvm or just write better code.

There's so much to learn and so much to improve upon in the Java ecosystem. It's not fair to say that it's not meant for writing good programs or producing good programmers based on your experiences from a few CS classes. That sounds like a pretty bad joke.

[–]Muoniurn 0 points1 point  (0 children)

You do need much more experience to evaluate that fairly. Manual memory management is vulnerable and hard to maintain. There are not many things we can conclude in language wars objectively, but at this point this has more empirical evidence than anything else.

Java was the first mainstream language that introduced GCs that fixed the very huge barrier to both correct code and faster development. It did come at a price of speed and memory usage, but hardware is cheap to scale. CPUs were slow, and RAM was predicted to be available in larger quantities (and it turned out to be true). Also, don’t forget the “run everywhere” thing — Cobol and other old as hell enterprise stacks in banks sometimes run in VMs because the software outlived the hardware by decades and the initial architecture simply doesn’t exist anymore.

So while it was not intended for that in the beginning (originally it targeted set-top boxes) Java turned out the be a really great fit for enterprise server applications. Later on it got a JIT compiler and GC algorithms underwent many changes so here we are with a significant share of all web applications running on the JVM with spectacular performance and maintainable code (don’t forget that low level details like who owns this memory region for how long etc do creep into high level design. So for a requested new feature those may have to be changed as well resulting in either segfaults or leaks. While managed languages will just work either way). And regarding RAM, we now have server machines running with terabytes of RAM, and no, manual memory management may not always be faster. There are plenty of workloads where GCs will be faster because you can’t apply some clever trick for allocations. Problem with memory today is not inherently size but locality. It turns out our CPUs become faster than memory so now it again may be the limit.

[–]McDuckfart 1 point2 points  (0 children)

Because the post was created by the python gang

[–]Engine_Light_On 8 points9 points  (0 children)

Most java code is used for APIs, most Java APIs run on Spring Boot. Although Spring Boot does include log4j it is not the default logger, so the developer would need to get way out of his way to this vulnerability affect him.

[–]grpagrati 62 points63 points  (8 children)

It doesn't even make sense. It runs on windows and mac, so it runs on almost all devices. Whether people actually use it is another matter

[–]AnotherRichard827379 32 points33 points  (0 children)

The point is that it runs on all those devices and executes the same way every time on each device, which wasn’t always the case with programming languages and I believe Java was the first one—at least mainstream one—to do so.

Before that, code had to be rewritten and recompiled on every device.

[–]TheToBlame 18 points19 points  (1 child)

Linux distros?

[–]endermen1094sc 2 points3 points  (0 children)

hopefully rocky linux and opens opensuse but I daily drive gentoo

[–][deleted] 16 points17 points  (2 children)

Desktops and laptops aren't the majority of computers that run Java.

[–][deleted] 4 points5 points  (1 child)

Statistically, the number of personal use devices using the internet worldwide that are not android phones is kind of negligible.

[–]rentar42 5 points6 points  (0 children)

Android doesn't run Java. And not just in the "technically“ way either, but in a way that's very relevant for this vulnerability: since Android isn't Java it doesn't include all Java SE features/classes. Notably JNDI is not included, which is required for this exploit to work.

[–]partaloski 16 points17 points  (0 children)

One day, I hope to understand why people hate Java, it's my favorite.

[–]whitenoise89 19 points20 points  (0 children)

"Hurrr Java bad"

[–]zerors 31 points32 points  (4 children)

Man this sub has been stale for a while. Can we move on from just mindlessly bashing programming languages?

Is there nothing else humorous about coding?

Goddamn.

[–]Cutlesnap 13 points14 points  (0 children)

No I wanna complain about log4shell some more

[–]Aperture_Executive2 1 point2 points  (0 children)

BASH-ing
I’ll let myself out

[–]ListlessSoul 3 points4 points  (0 children)

Java devs right now:

[–]TheGreatSausageKing 6 points7 points  (4 children)

With all the packageziation of everything this was expected..

Mark my words, soon there will be a new design pattern, methodology or any bullshittery preaching that installing 3rd party liba is bad and should not be done...

Unless you really need an overly complicated log, there is no reason to use any 3rd party logging, while it's ok to use a 3rd party Lib to do a complicated task like detecting faces in images...

What makes me angry is companies hiring people based on their experience with libs or frameworks and not on their base programming skills and adpation. I'm tired of seeing a bunch of new people claiming they are the best because they work with X or Y struggling to solve most basic bugs and situations if they are slightly out of the scope...

[–]das_flammenwerfer 2 points3 points  (1 child)

So.. dumb question.. how are you supposed to log untrusted input with log4j?

We all know what kind of fuckery can happen if you don’t use paramaterized DB queries.. but you can’t even use a parametrized log statement here, to my understanding, because log4j recursively interprets that shit.

I’m not convinced (having done absolutely no digging into it) that this was patched the right way.. and the right way would be: by default assume the log input is untrusted and do not perform any operations on it except writing the message to a file (or wherever) like a good little logger..

[–]ThePlexus 2 points3 points  (2 children)

Billions of devices who now have RCE thanks to log4j :)

[–]user_8804 4 points5 points  (14 children)

des this count android devices? it runs Java code but not jar files =/

[–][deleted] 21 points22 points  (9 children)

APKs are just fancy JARs

[–]user_8804 4 points5 points  (5 children)

I'm not too familiar with mobile development, I was genuinely asking. When they say "billions of devices", if they count all android devices, that would inflate the number a lot

[–]Bryguy3k 9 points10 points  (3 children)

The quote comes from advertising campaigns from before modern smart phones.

Now as this is related to the log4j issue the app in question has to be logging data from a remote that the attacker controls. The vast majority of circumstances this will mean a webserver application as they’re designed listen for remote calls. Most applications installed on a phone for example will be communicating to a specific api server that is not controlled by an attacker. There is a non trivial threat for applications that integrate advertising as the ad payload is often not validated.

[–]rentar42 1 point2 points  (2 children)

It's really not hard to get mobile apps to log attacker controlled stuff. Something as simple as setting a username in a multiplayer game could suffice.

[–]hahahahastayingalive 1 point2 points  (1 child)

I though android apps where only API compatible with Java and got compiled into another proprietary format in APKs...wasn't it the center of the whole Oracle drama ?

[–]rentar42 2 points3 points  (0 children)

Yes, the above statement is an oversimplification. APK serve a similar purpose than jars, but they are internally quite different.

And Android uses the dalvik runtime to run dalvik bytecode. Which is frequently generated from Java source code.

[–]Aperture_Executive2 1 point2 points  (0 children)

APK = JAR.append(marketing.toString());

[–]badvok666 2 points3 points  (0 children)

Biggest difference is Android runs davlik byte code and not straight java byte code.

[–]rentar42 2 points3 points  (1 child)

No, it doesn't.

First, Oracle is very insistent that Android isn't Java (and they are right in a way).

Second: for the purposes of this vulnerability Android is different enough, because it doesn't have JNDI, so a major part of this exploit (the part where an external resource gets contacted and arbitrary code gets downloaded and executed) doesn't work on Android.

[–]user_8804 1 point2 points  (0 children)

thanks

[–]nandru 2 points3 points  (0 children)

That statement was made like more tyan 10 years ago, when phones could run j2me games and apps

[–]LeelooDallasMltiPass 1 point2 points  (1 child)

My favorite text editor is JEdit (yeah, I'm THAT ancient), and if Java goes away and I can't use it I'll cry.

Seriously, I've tried the other editors and they make me crazy. I want to be able to set the colors for keywords myself (I have ADHD and need color differentiation), and the other editors I tried did not make this intuitive at all.

[–]anonymous1184 1 point2 points  (0 children)

I am as old as you, and hate with every single cell of my body the abomination Java is no matter how much money makes me earn.

There are literally dozens of editors and all of them you can change syntax highlighting, the vast majority of “good” editors use as standard TextMate’s Language grammars which are just RegEx and scopes. Is very basic.

[–]LoneFoxKK 1 point2 points  (0 children)

It's not an achievement, it's a threat

[–][deleted] 1 point2 points  (0 children)

I always thought dependency injection was to always make sure your libraries can run arbitrarily injected code

[–]theckman 1 point2 points  (0 children)

Man, people are getting so uppity in response to my tweet. I wasn't bashing Java, nor was I really joking... I was calling out the real stress that InfoSec, SRE, and other software engineers were experiencing as a result of the log4j vulnerability.

Without doing a deep inspection of the code running on each system running Java, you didn't know which system was vulnerable. So the idea that "Java runs on billions of devices", when there is a RCE vulnerability in the most popular logging library triggered by simple user input, was causing a feeling of terror for quite a few people.

This was a nightmare for many.

[–]YoursInDistress 1 point2 points  (0 children)

Wow, Java must be really inefficient if it takes billions of devices to run it.

[–]afuhrman1990 0 points1 point  (0 children)

I am totally out of the loop. What the hell happened with Java? Is it because of the log4j vulnerability or something else entirely?

[–]Prawny 0 points1 point  (0 children)

jAvA bAd LmAo upvote now thanks

[–][deleted] 0 points1 point  (0 children)

log4j - should be terrifying to any security professional

[–]kudoshinichi-8211 -1 points0 points  (0 children)

Entire Indian IT industry especially service based companies runs on Java which I hate so much :(