#Log4Shell


I never imagined GitHub would ask me to speak about Log4Shell.
But it happened.

GitHub asked me to share the story as I lived it, for the benefit of all maintainers and users of open source. How could I say no?

I hope it helps build a more secure future.

No more Log4Shell.

github.blog/open-source/inside

The GitHub Blog · Inside the breach that broke the internet: The untold story of Log4Shell
Log4Shell proved that open source security isn't guaranteed and isn't just a code problem.

JUnit 6 broke 50 repos. I’m delighted.

If a dependency bump can shatter your stack, you don't need fewer updates. You need better tests.

I maintain 50+ OSS repos as one human. I don't babysit them. I automated everything, including updates and minor releases. Many repos haven't been touched in 6 years. Now, as JUnit 6 rolled in, a chunk failed. Perfect.

Why perfect? Because failure is a signal, not a disaster. Good tests mean breakage never escapes. I've had repos fail on a Java date parser change. Beautiful. I saw it before release, fixed it, moved on. During Log4Shell and Spring4Shell I didn't panic. I just waited for the next update. That's what behaviour tests are for. And no, they are not slow. If your tests crawl, your design does too.

I trust code I write. I do not trust magic. I remove convenience glue that silently rots:

I don't need MultiValueMap when Map<List> is clearer.
I don't need StringUtils.isEmpty when a simple null or empty check is obvious.
I don't need annotations that smuggle in half a framework.

Every extra library is a future liability: CVEs, Licences, Security, Data Privacy, Performance, breaking changes, mental overhead. Use them to start, then delete them to last. Fewer moving parts mean fewer ways to die.

After 6 years my micro systems still boot in microseconds, still read clean, still behave. CI pipelines aged, sure, but the code stayed boring. Boring is freedom. Quiet, peaceful, done.

If your stack cannot auto-update without heart palpitations, the problem isn't updates. It's architecture.

Principles I ship by

Automate updates and everything else I can. Let tests be the gate, not fear.
Push behaviour tests to the edges. If it's slow, refactor until it isn't.
Prefer primitives and standard libs. Delete decorative wrappers.
Design for micro systems, not micro monoliths. Start fast, stay fast.
Fewer tools, fewer surprises, fewer nights on fire.

Congratulations. The system failed safely. After fix, you may proceed to do literally anything else with your life.

#java#junit#testing

After #Log4Shell hit, I dreamed of writing a Java Logging book.
Beginner-friendly and full of what I’ve learned as a trainer.

Today, that dream became real.
@ManningPublications just launched my book in their MEAP program, and I’m incredibly proud and grateful.

After all these years at the ASF, it feels like a circle has closed.

Get it 50% off:

hubs.la/Q03Jv97D0

Manning Publications · Java Logging - Christian Grobmeier
Logging is a must-know skill for Java developers. Logging is the art of making things visible, and when your codebase crashes at 5PM Friday you'll want all the data you can get about your application! Java Logging introduces and expands the logging skills every developer needs to master. For newer coders, everything is explained from the ground up in clear, accessible language. For the old hands, this is a chance to catch up with the state of the art in tools and techniques, including Log4j2!

In Java Logging you'll learn:
Reading and analyzing log files
The key components of standard logging systems
Writing good and useful logging code
Integrating multiple logging tools into your workflow

Logging lets you monitor your software for unexpected behavior, spot slowdowns and areas for performance tuning, easily audit for compliance and, most important of all, makes it easier to debug when things go wrong. Your expert guide in Java Logging is Christian Grobmeier, logging veteran and current maintainer of Apache Log4j. Through stories of experience, hands-on examples, and important tips, Christian shows you how to create the kind of logs that you (and your colleagues) will be thankful for.

The next Log4Shell is not a matter of if, but when. The critical Java libraries we use daily are built mainly by volunteers.

We can't wait for another disaster!

That's why we're building a new solution: a nonprofit partnership between the companies using critical Java libraries and the maintainers (like @pkarwasz of Apache Log4j) who support them.

To build a model that works, we need your input.

👉forms.gle/ARYtRvDKewxAC4Ct6

In remembrance of Log4J here are two poems I wrote about it:

Ahoy, a good tale mate
could help abate
Some woe from this time
When vulnerabilities were at prime
As we spray
mitigations for log4j

Alt:
Ahoy, a good tale mate
could help abate
Some woe from this time
When vulnerabilities were at prime
while we gorge
on mitigations for log4j

These connect to a thread someone wrote about the history of logs 🪵 :cyber_heart:

Link: twitter.com/Cyber_Cox/status/1

Twitter · Chris on Twitter: "There's a lot of talk about logs lately, but do you know why we call it a "log"? It's actually pretty interesting! The term originated in the days of sail. Back then, sailors would determine their speed by throwing a literal log overboard, which was tied to a rope."