Jump to content

Recommended Posts

  • 2 weeks later...

                         held.thumb.png.cda8553787a38f5c5562f84982bdc636.png

 

                         held2.thumb.png.96a4ef14e7e3d4b41ca835f5e9f90507.png

 

                               Sulu: Captain, we can't escape... Hamburger helper is holding us in place!

 

                         helpinghand.thumb.jpg.2b67462358411c301f4389a5e22eba42.jpg

 

                                     Chekov: Mwaybe if we had some macaroni, we could distwract it.

Edited by HOME AUTOMATION
  • Haha 2

Pardon me for going off on a tangent, but all this reminds me that, since LG is getting out of the cell phone business, they are closing their developer website Dec 31st, and thus you will no longer be able to get a bootloader unlock code for your LG phone(s). So you need to go there soon if you need to install custom firmware so you can keep your still perfectly good LG phone up to date and secure. This is completely legal of course.

 

I'll reserve comment on the subject at hand for now.

  • Thanks 1

I trolled the intertubes for possible solutions to my "nylon wants to crawl off the buildplate" problems.

 

Found lots of people swearing by phenolic paper glued to a glass plate.

 

But also found a reference to just printing on white copy paper that's PVA glued to the plate.

 

Been running a test print on glued paper.  It has crawled a little, but works damn well! (Running on the i3 clone)

 

 

I have ordered some after market hot-end parts for my chiron that should allow me to convert it to a 100% metal hotend, and replace the PFTE tubing in the bowden extruder with a higher temp one. Will get the needful next wednesday.  (Then will test on PEB shells, which have balefully crawled on me in the past... this could be a game changer for me. Paper and school glue are cheap, large print beds are not.)

Edited by wierd_w
  • Like 1
7 hours ago, jrhodes said:

Does @PeteE not check his messages any more?

Sent him a message last month, still marked not read yet.

Ahh, sorry.  I read your message in my email and somehow cleared the red (!) on messages box on the web page, and then forgot about it.

  • Like 3

We got a hint of wind in south Arkansas and I'm not needed to rake my yard now, but my son said he was working till 1am about 30 mins away and said the rain and wind was hard. I decided to let him drive my 4WDtruck vs his Camry after seeing the weather report coming out.

 

  • Like 1
31 minutes ago, GDMike said:

We got a hint of wind in south Arkansas and I'm not needed to rake my yard now, but my son said he was working till 1am about 30 mins away and said the rain and wind was hard. I decided to let him drive my 4WDtruck vs his Camry after seeing the weather report coming out.

 

Looks like a tornado went through the area north east of Jonesboro.

  • Sad 2

In terms of the LDAP query, it seems such a "feature" should be required to be enabled, not enabled by default.

 

(The "Office" meme reminds me of an old buddy of mine. About 20 years ago he worked for a huge banking system processing service. He was running a group of their SQL servers, or at least an assistant admin. Anyway, one day one of the big bosses and the lead database engineer came down to his cube, frantic, asking about if he had been using blank sa passwords on his systems.  He said, "No, because I'm not a complete moron."  The database lead's face turned red and he stormed away.  After a short conversation with the boss, it became apparent that the database engineer was, in fact, a complete moron.)

  • Like 2

The problem is that the feature originally made some sense, but it was expanded further and further, and then included in a place that rips open a giant security hole.

 

Originally, you could expand environment variables and settings, like in ${java:version}. Later, they added other schemes, and one of them, jndi, obviously allows for loading a class that interprets the following string. Next, you expand that from a local class name to a URL.

 

And finally, someone had the "cunning idea" to include that expansion into the logging pipeline, possibly to allow for such things like log.write("${java:version}"). Normally, it should suffice to get that expanded string first, then log it, but that way you can have it a bit more comfortable (and the sum of comfort and security is constant, as you know). At that point, the super-flexible plugin-oriented expansion system already allowed for downloading classes from anywhere and to run them.

 

No one obviously saw an issue that a logger may log anything provided from outside, and the loader loaded and executed everything you told it to.

 

As was written in a tech article on an IT news page (heise.de), log4j is perfectly working according to its specifications. There is no bug.

8 minutes ago, mizapf said:

No one obviously saw an issue that a logger may log anything provided from outside, and the loader loaded and executed everything you told it to.

I would like to know the age of these programmers.  Not too long ago (okay, maybe around a decade,) there was a log monitoring package written in Perl which fell victim to an injection by crafting queries which would get logged, then the executed by the log monitor.  IIRC, AWStats' live CGI got bit by that, as well.

 

10 minutes ago, mizapf said:

As was written in a tech article on an IT news page (heise.de), log4j is perfectly working according to its specifications. There is no bug.

Indeed, it is a feature.  An abused feature, but a feature nonetheless.  Like SMTP before the days of SMTP AUTH and firewall rules to prevent open-relay.  I would think to block certain protocols leaking from my network, like SMB, NFS, SQL, &c.  But as I do not use LDAP internally that would have slipped my mind.

  • Like 2
3 hours ago, mizapf said:

As was written in a tech article on an IT news page (heise.de), log4j is perfectly working according to its specifications. There is no bug.

The article was hilarious ... here is the Google Tranlation to English.

  • Like 2
  • Haha 2
4 hours ago, mizapf said:

The problem is that the feature originally made some sense, but it was expanded further and further, and then included in a place that rips open a giant security hole.

This is /always/ how it works. That's why the great features need to be examined at the system level, not the feature level. Nobody likes to do that because nobody wants to own entire products anymore. Cause it's haaaard.

Software will continue to do this.

 

  • Like 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...