log4j - Are we doomed?

Zook

I'm just starting to hear more about this vulnerability.
Supposedly it can infiltrate any computer system in the world and has the potential to shut down the internet.
Reportedly, Iran is already trying to hack Israel's government computers with it.
It has also been reported that 800,000 attacks have been detected in a 72-hour period.

If you know any specifics please fill us in here.
 

Arjun

If the Internet shuts down, this planet will finally get some downtime. I don't think it would wreak havoc. Everyone is exhausted at this point. A little bit of relaxation helps. The internet definitely meddled with the elections. SSH my a$$ :rofl:
 

DanDenver

‘Shut down the internet’. This is a Hollywood notion. It is true that the issue is real, and is being aggressively exploited, but you take the concern to conspiracy level, which is, as always, only a fear-based concern.

If you look up the conspiracy theory of a “fire sale” you will see that while it is technically possible from an intellectual viewpoint, in reality it could never happen. The same applies to this vulnerability. Just too many Hollywood movies out there romancing this stuff making it look like such things are possible.

I have been in the tech industry for over 20 years. I worked directly with Log4j for about 12 of those years until Logback supplanted log4j.

But just to summarize, the issue is very real and companies are working hard to migrate off of log4j. It is just that the notion of the internet shutting down (in your case, numerous services simply going offline at the same time affecting many/most/all users) is just not practical in terms of reality. Though it would make a good movie. Watch “Live Free or Die Hard” (Bruce Willis). It does a good job of chronicling how damaging a “fire sale” could be, though in reality (outside of a Hollywood movie) it just could not happen.
 

Zook

Oh, I'm no conspiracy theorist at all, not sure where you got that lunatic idea. Just what I've heard, and the telecom company I work for is completely clueless and run by a bunch of the biggest dipshits I've ever seen. Also, seeing the pipeline that got shut down, and reading/seeing of all the other companies getting hacked, and the fact that my ISP alone sucks too. Throw in the passion-driven hackers across the world and the never-ending, expansive spread of stupidity throughout the American population. :lmao: I'm sure the threat is not as far off as ignorance would like to believe.

But yes, I've just heard a few things about log4j but haven't had the time to read up on it.

Also I'm afraid that any valuable published info may take it to a level above my comprehension. I tend to know just enough to be dangerous. :rofl:
 

IAmATeaf

There have been hundreds of vulnerabilities over the past few decades; I personally don’t view this as being any better or worse, if you know what I mean, than many that have come and gone.

Over the last few months for example there have been multiple vulnerabilities with Edge Chromium and Chrome, some so serious that some banks took the stance that prior versions would be banned and rolled out updated versions overnight.

If as consumers we worried about each and every one, I’d have no hair left. Hang on, I do have no hair left.
 

concord

I saw the alert when it first came out, but haven't checked it out recently and assume there is no list of affected software/websites, etc. that may be affected yet. Most likely we'll hear about them after they release a fix. Used to follow this stuff more intently, but turned over the websites I maintained to someone else.

As far as Y2K, I wish I was an experienced COBOL programmer at the time, they were hiring retired COBOL programmers for big bucks... Took one course in COBOL and that was enough, stuck with C/Object C/C++ instead.
 

Zook

This is a good article that explains it all in easy to read terms.

Great article that puts it into perspective and put some of my concerns into the light. Fortunately, the company I work for will likely be doomed with this. LOL
 

IAmATeaf

It’s only an issue if the servers are internet-facing, and any decent company that offers services on the internet would be foolish not to plug the gap.
 