--- Log opened Tue Dec 14 00:00:30 2021 |
01:10 | | gizmore|2 [kvirc@Nightstar-64gomq.dip0.t-ipconnect.de] has joined #code |
01:13 | | gizmore [kvirc@Nightstar-6vqjbg.dip0.t-ipconnect.de] has quit [Ping timeout: 121 seconds] |
01:45 | | Degi [Degi@Nightstar-ekfvr7.pool.telefonica.de] has quit [Ping timeout: 121 seconds] |
01:46 | | Degi [Degi@Nightstar-mvef4h.pool.telefonica.de] has joined #code |
02:30 | <&ToxicFrog> | Useful thing if you have a homeserver and want a quick and dirty "do I have any potentially vulnerable jars on the system" check: |
02:30 | <&ToxicFrog> | $ locate '*.jar' | while IFS= read -r jar; do unzip -l "$jar" | fgrep -q log4j && echo "$jar"; done |
02:30 | <&ToxicFrog> | This will have a lot of false positives but it's a handy starting point. |
02:34 | <&McMartin> | Yay, zero output! |
02:34 | | catalyst [catalyst@Nightstar-ejd4sd.cable.virginm.net] has quit [[NS] Quit: -a- Connection Timed Out] |
02:34 | | catalyst [catalyst@Nightstar-ejd4sd.cable.virginm.net] has joined #code |
02:39 | <&McMartin> | ... ah, yes. That would do it. |
02:39 | <&McMartin> | The only Java on this system is OpenOffice. |
02:43 | <&ToxicFrog> | It's also important to check that your updatedb cron is working, because if it's not that's another reason to get no output~ |
02:55 | <&McMartin> | I just ran locate alone and it's giving me a good list~ |
02:58 | <&McMartin> | It occurs to me that one would also wish to run locate '*log4j*' if you do Java development or build Java stuff from source in case they just included it in their source tree/uncompressed classfiles |
02:59 | | * McMartin also manually runs updatedb to make sure, and yeah, same list |
03:02 | <&ToxicFrog> | Aah, true -- in my case all the stuff I run, even that I'm developing, is run from jars |
03:09 | < Mahal> | for Reiv: what is log4j |
03:09 | < Mahal> | https://nvd.nist.gov/vuln/detail/CVE-2021-44228 |
03:09 | < Mahal> | https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592 |
03:09 | <&Reiver> | woot |
03:09 | < Mahal> | Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default |
03:09 | < Mahal> | basically: enter correct string into a field like say username |
03:10 | < Mahal> | now you have rce to the server doing the logs |
03:10 | < Mahal> | ta-da |
03:10 | <&Reiver> | oh ew |
03:10 | < Mahal> | that github link is a semi-comprehensive list of companies affected |
03:11 | <&ToxicFrog> | The most amusing use of this I've seen is "send a properly formatted attack as a chat message to a minecraft server" -> "all clients connected to that server are now running Doom" but is of course very easy to use for evil |
03:12 | < Mahal> | that _was_ funny |
03:13 | <&ToxicFrog> | It was a lot less funny for people at work who maintain Java-based stuff, which, mercifully, does not include my team |
03:13 | <&ToxicFrog> | (I'm oncall at the moment so that would have been a VERY exciting weekend) |
03:13 | | * Mahal nods |
03:13 | < Mahal> | It's been a total shitshow, totally get it |
03:18 | <&McMartin> | The fact that Apache Struts is on this list is going to be apocalyptic all on its own. That library is far, far too widespread to get a comprehensive list of all companies using it to power their websites |
03:20 | < Mahal> | 1000000000% |
03:21 | <&McMartin> | (That also said: this is also part of why the "corporations are leeching off of open source projects that they don't fund" critiques are a little off-base. Log4J is *part of the Apache Tomcat ecosystem*, and not only is that ecosystem corp-backed, Apache stuff is generally corp-*founded*, and not small corps, either.) |
03:21 | <&McMartin> | (Though AIUI the fix for this did come from a volunteer from Nowhere Large) |
04:49 | | Vorntastic [uid293981@Nightstar-phvupn.irccloud.com] has joined #code |
04:49 | | mode/#code [+qo Vorntastic Vorntastic] by ChanServ |
05:18 | | catalyst [catalyst@Nightstar-ejd4sd.cable.virginm.net] has quit [[NS] Quit: -a- Connection Timed Out] |
05:23 | | catalyst [catalyst@Nightstar-ejd4sd.cable.virginm.net] has joined #code |
05:27 | | himi [sjjf@Nightstar-1drtbs.anu.edu.au] has quit [Ping timeout: 121 seconds] |
05:48 | | catalyst [catalyst@Nightstar-ejd4sd.cable.virginm.net] has quit [Connection closed] |
07:31 | | himi [sjjf@Nightstar-v37cpe.internode.on.net] has joined #code |
07:31 | | mode/#code [+o himi] by ChanServ |
11:11 | <~Vorntastic> | Oh oh last week i got paid to write code for the first time in a while |
11:12 | <@TheWatcher> | \o/ |
11:17 | <&Reiver> | ! |
11:17 | <&Reiver> | Tell us more master |
11:20 | <~Vorntastic> | Someone in the love2d discord hired me to write cooperative multiple-agent pathfinding. So i did |
11:22 | <~Vorntastic> | https://media.discordapp.net/attachments/474705430434807819/916074856817258557/JUEJtbLmcL.gif this is the result |
11:22 | <~Vorntastic> | (no i don't know why they break into 6 and 4) |
11:24 | <~Vorntastic> | Then after i did he told me it's going into a free game~ |
11:26 | <&[R]> | I've paid to get some FOSS code written |
11:26 | <&[R]> | Sometimes someone just wants some help |
11:33 | | catalyst [catalyst@Nightstar-ejd4sd.cable.virginm.net] has joined #code |
12:11 | <&Reiver> | Vorntastic: Oh man I did not realise you were a Professional Coder on that one, well done! |
12:11 | <&Reiver> | That it's for a free game points to some true dedication, lol |
12:55 | | Kizor [a@Nightstar-nfsqa7.yok.fi] has quit [Ping timeout: 121 seconds] |
13:09 | | Kizor [a@Nightstar-nfsqa7.yok.fi] has joined #code |
13:10 | | Kizor is now known as NSGuest11769 |
13:23 | <&ToxicFrog> | Vorntastic: oh awesome |
13:23 | <&ToxicFrog> | McMartin: I think that critique is pretty on-base generally, it just doesn't apply here specifically (and I haven't seen anyone trying to apply it) |
14:11 | | mac [macdjord@Nightstar-re5.7if.45.45.IP] has joined #code |
14:11 | | mode/#code [+o mac] by ChanServ |
14:14 | | macdjord [macdjord@Nightstar-re5.7if.45.45.IP] has quit [Ping timeout: 121 seconds] |
15:08 | | Vornicus [Vorn@ServerAdministrator.Nightstar.Net] has joined #code |
15:08 | | mode/#code [+qo Vornicus Vornicus] by ChanServ |
15:54 | | NSGuest11769 [a@Nightstar-nfsqa7.yok.fi] has quit [Ping timeout: 121 seconds] |
16:04 | | NSGuest11769 [a@Nightstar-nfsqa7.yok.fi] has joined #code |
16:29 | | Vorntastic [uid293981@Nightstar-phvupn.irccloud.com] has quit [[NS] Quit: Connection closed for inactivity] |
16:30 | | NSGuest11769 [a@Nightstar-nfsqa7.yok.fi] has quit [Ping timeout: 121 seconds] |
16:52 | < catalyst> | Vorntastic: wait, you have a credit? :O I didn't see what everyone's reacting to ^^ |
16:52 | < catalyst> | oh he's offline :< |
16:52 | < catalyst> | Vornicus* |
16:53 | <~Vornicus> | I got paid to write code for the first time in a long while |
16:53 | <~Vornicus> | for a cooperative pathfinding system that the buyer will be using in a free game |
16:54 | | NSGuest11769 [a@Nightstar-nfsqa7.yok.fi] has joined #code |
16:54 | <@sshine> | cooperative pathfinding? sounds exotic. |
16:55 | | Emmy [Emmy@Nightstar-l49opt.fixed.kpn.net] has joined #code |
17:00 | < catalyst> | awesome :) |
17:00 | < catalyst> | do you get a credit? |
17:20 | | Kindamoody[zZz] is now known as Kindamoody |
18:21 | | abudhabi [abudhabi@Nightstar-ujik0p.adsl.tpnet.pl] has joined #code |
18:22 | | * abudhabi backs up /home from his 8yo laptop (already bought used). |
18:23 | | NSGuest11769 [a@Nightstar-nfsqa7.yok.fi] has quit [Ping timeout: 121 seconds] |
18:24 | < abudhabi> | I've had it for at least five years, and over time the Mint I installed on it has degraded with use. Similarly, its only fan is awfully loud now. I still want to use it, but it needs a clean reinstall and to be looked at by some laptop fan specialist. |
18:25 | <~Vornicus> | catalyst: I would imagine so, yes |
18:26 | < abudhabi> | I've already opened it up and vacuumed the innards. No effect on the noisiness of the fan. |
18:27 | <~Vornicus> | cooperative pathfinding isn't that hard really: basically you have dudes on 2d space, and they each do their pathfinding and claim paths through 3d space as they do it. |
18:35 | < catalyst> | v cool =) |
18:44 | <@sshine> | Vornicus, is it any of these algorithms you implemented? https://www.aaai.org/Library/AIIDE/2005/aiide05-020.php |
18:44 | <~Vornicus> | That's the paper i used |
18:47 | | NSGuest11769 [a@Nightstar-nfsqa7.yok.fi] has joined #code |
18:50 | | catalyst_ [catalyst@Nightstar-04p9gu.dab.02.net] has joined #code |
18:52 | | catalyst [catalyst@Nightstar-ejd4sd.cable.virginm.net] has quit [Ping timeout: 121 seconds] |
19:09 | | Alek [Alek@Nightstar-06ca3p.il.comcast.net] has quit [[NS] Quit: ] |
19:14 | | NSGuest11769 [a@Nightstar-nfsqa7.yok.fi] has quit [Ping timeout: 121 seconds] |
19:18 | | Alek [Alek@Nightstar-06ca3p.il.comcast.net] has joined #code |
19:19 | | Alek [Alek@Nightstar-06ca3p.il.comcast.net] has quit [[NS] Quit: ] |
19:21 | | Alek [Alek@Nightstar-06ca3p.il.comcast.net] has joined #code |
19:21 | | Alek [Alek@Nightstar-06ca3p.il.comcast.net] has quit [[NS] Quit: ] |
19:22 | <&McMartin> | TF: I've seen a few, albeit mostly on ragegasm social media |
19:23 | <&McMartin> | ... of course as soon as I say that I start reading my ArsT backlog. Here's one right here: "The source of the vulnerability is faulty code developed by unpaid volunteers at the non-profit Apache Software Foundation" |
19:24 | <&McMartin> | From https://arstechnica.com/information-technology/2021/12/hackers-launch-over-840000-attacks-through-log4j-flaw/ |
19:24 | <&McMartin> | It's been a long time since I was in the Java world, but the last time I was, the ASF was an "unpaid nonprofit" the same way Khronos/OpenGL was, if that |
19:24 | | Alek [Alek@Nightstar-06ca3p.il.comcast.net] has joined #code |
19:30 | <&ToxicFrog> | Yeah, "non-profit" does not mean "no-one working there gets paid" |
19:33 | | NSGuest11769 [a@Nightstar-nfsqa7.yok.fi] has joined #code |
19:39 | <&McMartin> | Though at least in the US, it does mean "you are legally forbidden from expanding your operations in any way", which is occasionally exciting |
19:40 | <&McMartin> | Huh, yeah, but that is correct, they are a nonprofit, not the related not-for-profit |
19:43 | <&Reiver> | wait, no expansions ever? |
19:43 | <&Reiver> | I guess to avoid the Growth Exploit but |
19:44 | <&McMartin> | not-for-profits are different for tax purposes and are permitted to expand operations. |
19:44 | <&McMartin> | One of the local coffeeshops is a nonprofit, but they had to become a not-for-profit instead for three years once because they wanted to take over the upstairs floor of their location. |
19:48 | <&[R]> | Wow |
19:50 | <&[R]> | https://smartasset.com/financial-advisor/non-profit-vs-not-for-profit |
20:02 | <&McMartin> | The coffeeshop, I imagine, falls into some kind of "civic league". They were pretty aggressive about doing stuff in and for the surrounding neighborhood |
20:07 | <~Vornicus> | I had no idea there was any distinction at all |
20:20 | | Vornicus [Vorn@ServerAdministrator.Nightstar.Net] has quit [Connection closed] |
20:29 | <&[R]> | https://twitter.com/TomAnthonySEO/status/1470374984749133825 |
20:40 | | catalyst_ [catalyst@Nightstar-04p9gu.dab.02.net] has quit [Ping timeout: 121 seconds] |
20:44 | <&[R]> | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 |
20:50 | | himi [sjjf@Nightstar-v37cpe.internode.on.net] has quit [Ping timeout: 121 seconds] |
20:51 | <&[R]> | log4j can't catch a break |
20:53 | | catalyst [catalyst@Nightstar-2jjac3.dab.02.net] has joined #code |
21:54 | | Kindamoody is now known as Kindamoody[zZz] |
21:56 | < Emmy> | Well, you know what they say: misfortune never comes alone. |
22:19 | | * mac grumps at today's Advent of Code problem |
22:19 | <@mac> | I found a Very Clever Optimization, implemented it perfectly - only to find it doesn't actually help at all in this case. |
22:19 | <@mac> | The problem is: you're given a string and a set of rules. Each rule is of the form 'Wherever you see a certain 2-letter substring, insert this character in the middle'. You need to find how many of each letter are in the string after applying the rules a certain number of times. |
22:19 | <@mac> | Aha! says I. I don't need to consider the whole string at once. Wherever there are two letters which do not interact, I can split the string into two non-interacting /particles/, and not care which order they appeared in originally. |
22:20 | <@mac> | I can then apply the rules to each particle separately, and split each resulting string into more particles if possible. |
22:20 | <@mac> | That way, I only need to track how many of which particles are in the string, and I can even cache the results of applying the rules for each particle. |
22:20 | <@mac> | Well, I coded it, tested it, and it works... |
22:20 | <@mac> | ... but it turns out the AoC problem defines a rule for /every possible pair of letters/, so the problem string never actually breaks down into smaller particles at any stage. |
22:26 | <&Reiver> | ;_; |
22:29 | | * mac has already found a different variation on the idea which /will/ work, and is indeed more efficient than that one, but is still annoyed at the waste |
22:41 | | himi [sjjf@Nightstar-1drtbs.anu.edu.au] has joined #code |
22:41 | | mode/#code [+o himi] by ChanServ |
22:54 | <&McMartin> | Yep, 14b took me a few tries to get a correct answer out |
23:01 | | abudhabi_ [abudhabi@Nightstar-v5lk86.adsl.tpnet.pl] has joined #code |
23:05 | | abudhabi [abudhabi@Nightstar-ujik0p.adsl.tpnet.pl] has quit [Ping timeout: 121 seconds] |
23:08 | <@mac> | The solution that *did* work: |
23:08 | <@mac> | Pbhag ubj znal gvzrf rnpu 2-punenpgre fhofgevat nccrnef va gur fgevat, r.t. 'nopno' -> 'no' * 2, 'op' * 1, 'pn' * 1. |
23:08 | <@mac> | Abj lbh pna nccyl rnpu ehyr gb nyy vgf eryrinag fhofgevatf ng bapr, r.t. vs bar bs lbhe ehyrf vf 'Sbe "no", vafreg "p"', gura gubfr 2 'no' orpbzrf 2 'np' naq 2 'po'. |
23:08 | <@mac> | (Vs gurer vf ab ehyr sbe n tvira cnve - juvpu vf arire gur pnfr sbe gur NbP ceboyrz, ohg zvtug unccra va gur trareny pnfr - gerng vg nf vs gurer jrer n ehyr juvpu whfg cebqhprq vgf vachg.) |
23:08 | <@mac> | Ol nqqvat hc nyy gur bhgchg fhofgevat pbhagf - ornevat va zvaq gung zhygvcyr ehyrf pna cebqhpr gur fnzr fhofgevat - lbh trg gur ahzore bs rnpu fhofgevat va gur fgevat cbfg-ehyr. |
23:08 | <@mac> | Gb pbhag ubj znal gvzr n tvira punenpgre nccrnef va gur bhgchg, whfg nqq hc nyy gur fhofgevatf juvpu unir vg nf gur 1fg punenpgre... |
23:08 | <@mac> | ... jvgu gur pnirng gung gur fvatyr ynfg punenpgre va gur fgevat vf abg pbhagrq ol nal cnve, ohg nyfb arire punatrf, fb vg zhfg or genpxrq frcnengryl. |
23:10 | <&[R]> | #aocspoilers... |
23:11 | <@mac> | Didn't know we had that. (Thus the rot13.) |
23:21 | | catalyst_ [catalyst@Nightstar-ejd4sd.cable.virginm.net] has joined #code |
23:24 | | catalyst [catalyst@Nightstar-2jjac3.dab.02.net] has quit [Ping timeout: 121 seconds] |
23:34 | | catalyst_ [catalyst@Nightstar-ejd4sd.cable.virginm.net] has quit [Connection closed] |
23:34 | | Emmy [Emmy@Nightstar-l49opt.fixed.kpn.net] has quit [Ping timeout: 121 seconds] |
23:44 | | catalys97 [catalyst@Nightstar-ejd4sd.cable.virginm.net] has joined #code |
--- Log closed Wed Dec 15 00:00:32 2021 |