Sunday, December 12
RCE On Mars Edition
- A massive vulnerability in a Java logging library widely used in enterprise software caused utter panic at pretty much every major company in the world. One commenter mentioned being in a Slack channel with three thousand other engineers all working frantically to patch systems.
How much was the team of developers working to maintain this library being paid?
If you guessed absolutely nothing you'd be very close. (Christine.website)
This is obviously unsustainable. Trillion-dollar companies depend on this software and don't even think about contributing towards its upkeep.
Open source software is supposed to be open. It's not supposed to be free, because nothing is free. If you're not paying for it up front, you'll be paying for it later on by diverting every engineer in your entire organisation for two days while other critical issues go ignored.
- We're from the government. We're here to help. (CISA)
The statement from CISA Director Jen Easterly on the Log4j vulnerability reads
blah blah blah blah blah you should probably patch that blah blah blah. Thanks Jen.
The director of the US Cybersecurity and Infrastructure Security Agency has an MA in politics, philosophy, and economics from Oxford, which qualifies her for the job almost as much as you might think.
- What went wrong?
Some idiots demanded that a logging library perform magic for them. (Crawshaw)
And once the magic was put in place, it couldn't be removed because that would break critical software.
And there wasn't anyone to take the necessary time to push back, deprecate the feature, and eventually remove it, because they weren't getting paid.
- Cloudflare reports on the vulnerability and their response. (Cloudflare)
One important point is that they firewall all their servers for both inbound and outbound access. If a server gets compromised but is blocked by default from accessing anything else, the damage is contained.
With this particular exploit the payload was installed by dialling out to a malicious server, and if that connection was blocked, nothing happened. The server got handed a bottle of poison pills but couldn't get the damn child-proof cap off.
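The containment described above comes down to a default-deny egress policy: a compromised server can only reach the handful of destinations it legitimately needs, and everything else is both blocked and logged. The sketch below is an added example, not Cloudflare's or the post's own code; the allow list, addresses and connection attempts are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical egress allow list for an application server, constructed for
# this example. Anything not listed here is denied.
EGRESS_ALLOW = [
    ("10.0.0.53/32", 53, "internal DNS resolver"),
    ("10.0.1.0/24", 5432, "database subnet"),
    ("10.0.2.10/32", 443, "internal package mirror"),
]

@dataclass
class Attempt:
    src: str
    dst: str
    port: int

def evaluate(attempt, rules=EGRESS_ALLOW):
    """Return (allowed, reason). Default is deny: a connection passes only if
    some rule matches both the destination network and the destination port."""
    dst = ipaddress.ip_address(attempt.dst)
    for net, port, label in rules:
        if dst in ipaddress.ip_network(net) and attempt.port == port:
            return True, label
    return False, "no matching egress rule (default deny)"

def audit(attempts, rules=EGRESS_ALLOW):
    """Evaluate a batch of attempts and turn every denial into an alert line.
    On a default-deny host an unexpected outbound attempt is not just blocked,
    it is a signal that something on the server is trying to dial out."""
    alerts = []
    for a in attempts:
        allowed, reason = evaluate(a, rules)
        if not allowed:
            alerts.append(f"ALERT {a.src} -> {a.dst}:{a.port} denied: {reason}")
    return alerts

# Constructed sample: normal traffic plus one callback to an unknown external
# host (203.0.113.9 is a TEST-NET address standing in for an attacker-controlled server).
SAMPLE = [
    Attempt("10.0.5.7", "10.0.0.53", 53),
    Attempt("10.0.5.7", "10.0.1.20", 5432),
    Attempt("10.0.5.7", "203.0.113.9", 8080),
    Attempt("10.0.5.7", "10.0.2.10", 80),  # right host, wrong port: still denied
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```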
- Future AMD GPUs could use stacked dies for cache memory and AI accelerators. (WCCFTech)
Maybe not the 2022 lineup, but this is likely to happen soon, for reasons.
- The reasons being that Moore's Law is ending - again - in 2028. (LessWrong)
At the 1.5nm node (which doesn't measure 1.5nm in any dimension but never mind that) planar scaling will likely stop.
What will happen instead - and the linked article goes into all the details you could possibly want - is that chips will go 3D. Flash storage already has, and it was a revolution. Cell phone chips stack storage and memory on top of the CPU. AMD is stacking cache on top of server CPUs, and Intel is wedging stacks of RAM into their supercomputer CPUs.
One of the side effects of this is that chips will get cheaper. Fabs - chip factories - are massively expensive, and only remain at the leading edge of technology for a couple of years. If they lasted for twenty years instead of two - and the machines to make the machines for the fabs also lasted twenty years instead of two - prices would come down drastically.
- I want to see default RED. (Reddit)
While Amazon's systems were down all over the place - not just at US-East-1 but where the one critical Amazon-based service I look after runs in US-West-2 - their public monitoring systems were reporting everything was fine because the outage prevented the monitoring page from updating.
Monitoring systems should autonomously go red if they can't update.
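The "default red" idea is a fail-closed status page: a component whose monitoring feed has gone quiet is shown as failed, not frozen at its last healthy reading. This is an added example illustrating that rule, not code from any status page or from the post; the staleness threshold, region names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical staleness threshold, constructed for this example.
STALE_AFTER = timedelta(minutes=5)

def render_status(heartbeats, now, stale_after=STALE_AFTER):
    """Map each component to (colour, reason). A component whose last update
    is older than stale_after goes RED even if that update said 'healthy':
    silence from the monitoring pipeline is treated as failure."""
    status = {}
    for name, (last_update, last_state) in heartbeats.items():
        age = now - last_update
        if age > stale_after:
            minutes = int(age.total_seconds() // 60)
            status[name] = ("RED", f"no update for {minutes} min")
        elif last_state != "healthy":
            status[name] = ("RED", last_state)
        else:
            status[name] = ("GREEN", "healthy")
    return status

def render_last_known(heartbeats):
    """The behaviour the post complains about: display the last state
    received, with no regard to how old it is."""
    return {name: ("GREEN" if state == "healthy" else "RED")
            for name, (_, state) in heartbeats.items()}

def page_banner(status):
    """Overall banner: RED if any component is RED, otherwise GREEN."""
    return "RED" if any(c == "RED" for c, _ in status.values()) else "GREEN"

# Constructed sample: two regions' monitoring feeds stopped updating 40 minutes
# ago while reporting healthy; a third is still updating normally.
NOW = datetime(2021, 12, 12, 18, 0, tzinfo=timezone.utc)
HEARTBEATS = {
    "region-a": (NOW - timedelta(minutes=40), "healthy"),
    "region-b": (NOW - timedelta(minutes=40), "healthy"),
    "region-c": (NOW - timedelta(minutes=1), "healthy"),
}

if __name__ == "__main__":
    print("last-known:", render_last_known(HEARTBEATS))
    print("default-red:", render_status(HEARTBEATS, NOW))
```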
- Intel's new X710-T4L is a massive upgrade. (Serve the Home)
It's a quad 10Gbase-T card that uses a maximum of 14.2W with all ports running at full speed. The previous model peaked at 28.9W.
In fact, this model running at 10Gb uses less power than the previous model running at 1Gb. That's a huge improvement because a core delaying factor in the rollout of 10Gb Ethernet has been the power requirements for running it over cheap twisted-pair cable. (It uses less power over specialised cables or fiber, but the pricing is absurd.)
The new version of the card is also $100 cheaper than the old one at $500.
It's also out of stock everywhere because everything is.
- Except the QSW-M2108-2C which does seem to be available albeit in short supply. (QNAP)
I wanted a 2.5Gb / 10Gb managed switch for my lab buildout, but had planned to settle for an unmanaged model because I could find one that wasn't insanely expensive. This is just what I wanted - 8 x 2.5Gb ports, 2 x 10Gb ports with both RJ45 and SFP+ connectors, and fairly solid management features including link aggregation and VLANs.
Part of the function of the software lab I'm building is to simulate real-world faults, and being able to mess with the network under software control is a key part of that.
They also have a 16-port model, but that's more than I need, twice as expensive, and out of stock.
- Managed 1Gb switches are a dime a dozen. Well, not quite, but you can get them starting at around $35, a tenth the price of the cheapest managed 2.5Gb switches.
- A new FDA-approved eye drop causes red eyes and headaches. (CBS News)
Well, what the hell does it treat then?
It treats reading glasses.
If you're between 40 and 65 years old and need reading glasses (but not specifically prescription glasses) these eye drops can alleviate that need for six to ten hours.
Since I do need prescription glasses (I have three pairs for distance, computers, and reading, plus a couple of spares) these won't do anything for me, but if you just need plain cheap reading glasses they could do the trick.
- Apple found a benchmark where the 2021 M1 Max MacBook Pro is faster than the 2019 Intel Mac. (WCCFTech)
Linus Tech Tips tested the M1 Max and found that while it did excel on one test, most of the time it was slower than an Intel-based notebook with an RTX 3050 - at about one third the price.
That might change as they improve the drivers and software optimisation but right now it's a very expensive toy.
I'll likely be getting a MacBook Air or an iMac to do Mac and iOS software testing for work, but I'll be getting the cheapest model I can get away with.
Party Like It's 1979 Video of the Day
Posted by: Will at Monday, December 13 2021 12:30 AM (8548M)
Posted by: David at Monday, December 13 2021 02:19 AM (kOkn4)
Posted by: Rick C at Monday, December 13 2021 02:42 AM (Z0GF0)
Then I held my nose and upgraded to Windows 11. Overall the difference is meh but there are a few annoyances, including "why the hell is 'right-click on taskbar to get Task Manager' missing?!"
Posted by: Rick C at Monday, December 13 2021 02:48 AM (Z0GF0)
"Bring On The Night"
Posted by: normal at Monday, December 13 2021 11:05 AM (obo9H)
Posted by: Pixy Misa at Monday, December 13 2021 03:31 PM (PiXy!)