> I just personally looked into this and can confirm we did not take down this repo nor are we actively removing Log4j related content from @github, consistent with our policies re: dual-use
I made wrong assumptions when writing this tweet. I clarified this on Twitter. Apologies for the confusion. Not sure if it makes sense to delete the tweet / thread.
This is surprising, considering what is outlined in a previous comment[1]. I hope GitHub provides more transparency on the takedown actions for "malicious content / exploits" like they do for DMCA notices[2].
Apologies for making wrong assumptions. I removed the original Tweet (see screenshot[3] for the original).
They do this every time, and have a previously stated approach of blocking zero day attack scripts for the first X days of a zero day, when they deem it sufficiently dangerous to the Internet. So, yes, yet again, they’re doing this, just as they always do. Is there something new this time that makes this newsworthy?
Put the zip file on your static site, mirror to bitbucket, mirror to sourcehut. I have more doubts that you won't find the code. Maybe a link inside the CVE would be good.
As far as I can tell the existing policy is not to allow public repos of a zero day vuln exploit while it is still unpatched. The code is allowed after the issue is mitigated
This seems like a pretty reasonable policy all things considered
Github isn't powerful per se, they just capture a high percentage of the market for online code hosting. But it's just one website. Anyone can set up a git repo, an instance of a git host, etc.
Everyone can, but most just use Github. As a consequence they get to shape the development processes of pretty much anyone and also to do shit like this.
"Shape" is too broad. Everyone has access to lots of almost identical tools from competitors. It's like saying Ford get to "shape" the driving experience of millions - so what? And switching Git provider is much easier than switching car.
> "Shape" is too broad. Everyone has access to lots of almost identical tools from competitors.
Exactly. That's precisely because Github is so big that nobody (except possibly sourcehut, but that's niche) dares to do anything differently and everyone just blindly copies whatever Github does. If that's not "shaping the development experience for everyone", I don't know what is.
I’d love to read a longform blog post about that. Anything that fits into a tweet has already been said a bunch of times already, and hasn’t made a compelling case that there’s a problem here.
I’m pretty sure they only take down exploit code, not scanner code, but people often choose not to distinguish those conceptually, which makes it quite difficult to have a discussion about it.
They seemed pretty powerful while I was waiting for codex access.
I could imagine a world where a select segment of developers got access to an even more impactful tool, with the rest being left out due to arbitrary opaque decisions. How did they even pick who to allow early Codex access? Was it some intern just looking at Google Forms submissions? An algorithm?
GitHub is depended on by most of the software engineers of the world, who themselves hold immense power to decide society's path. All that to say, GitHub is powerful.
I'm much more worried about everyone on this site just believing everything they read, then instantly getting mad instead of doing a simple "is this really true" search or even gaining a single data point of their own.
This whole culture is just freaking ripe for manipulation. It's so easy.
To be honest, after I posted the comment I was unsure if I ought to edit to add that I don't mean it as a diss or with any ill intent... to any human. Just an amusing "isn't this cute" parallel.
And also I sorta want to add something about necessity being the mother of invention. There's a lot of very high quality proxy/vpn/DPI evasion code that seems to come from China. ;)
It's not safe to assume such clearly bigoted things. In fact the world's safety levels are impinged negatively by such hubristic nationalism. It's probably safer to assume this was discovered by the NSA years ago and left unreported for their own hijinks - after all, the NSA has a far worse track record of violating people's human rights than, pretty much, any other organization on the planet.
Nothing 'whatabout' it: the moral authority you think you have, does not exist.
Thus, your prejudice is clear and you'd be better off directing your ire towards an institution you can actually do something about as a member of a Western democracy or one of the 5-eyes superstate member nations: the NSA.
Why not both? Places like HN are full of legitimate criticism of western abuses of power, and you can plainly see it if you do a search, since it doesn’t get scrubbed from the internet unlike certain places.
Yes, I expect the NSA to get first dibs on using anything Amazon discovers too. Two wrongs do not make a right.
And I’m not sure how good of a strategy it really is, at least not for the west. The value in using zero days for attacking enemies is highly speculative and not subject to public scrutiny, but the value in rolling out fixes as soon as possible to protect against anyone else is easily felt by everyone. I believe independent security researchers still exist, and they are worth fighting for.
“Chinese” was used twice in the post; once in the informal (and usually hostile) abbreviation “CCP” for “Chinese Communist Party” and once in “with Chinese characteristics”, a reference to a political motto of the same party identified by the abbreviation, the Communist Party of China (CPC), which describes its system as “socialism with Chinese characteristics”.
So, yes, it's a reference to a particular political platform, not a nationality. It's no more ethnically bigoted than blaming a problem on the US Democratic or Republican party is.
The CCP is a political party, it being the only legal party is a political system. And I’m criticising it.
If you’re offended by the “with Chinese characteristics”, look up the origin of the phrase. It’s CCP code for “it’s not wrong when we do it”. When people questioned Deng Xiaoping’s reforms as being capitalist he responded with “it’s socialism with Chinese characteristics, I ain’t gotta explain shit”.
This is disappointing. I used this tool to understand the vulnerability within the first few hours of response. It allowed me to prove mitigations worked, and therefore gave certainty.
But there's not only Github. They can just use Gitlab or if that does not work Codeberg. Somehow the whole industry really seems to be content with bootlicking any of the Big Five.
The problem with betting on the underdog is that the internet is still young. GitHub has momentum; it may not have a guaranteed long-term future, but as of now it is the open source project forge with the best long-term outlook. If you had bet on Google Code, your project is at least still accessible today. If you bet on Sourceforge, the same is true, although for a period of time you could’ve had your own project page distributing malware. (I am aware that it has changed hands since these incidents, but this still happened nonetheless.) GitLab also seems like an OK bet… but from there on out, it feels like you have to be careful. A random Gitea instance is never a safe bet. Even if you run it on your own, you don’t know how long you’ll be around to keep the lights on; life is fragile.
I still find Golang’s module cache mechanism to be bothersome in some regards, but I think they were on the money with their concerns. It’s probably the only way modules can stay “decentralized” with confidence. But, that solution requires at least one central entity that is trusted and can shoulder the costs of such a service; and it only solves a narrow portion of the problem, relevant to the module system of a single programming language.
There’s no easy way out; nothing is truly autonomous. Explicitly organized groups of people running a legitimate business probably have a better long-term outlook than a band of cypherpunks running P2P services, or what have you. (Believe me, it pains me to say it, because I sure wish it wasn’t so.)
In this way, I think it’s obvious why people pick GitHub. It’s because it’s in the best position of the best segment for code hosting. It’s backed by a billion dollar multinational corporation. It’s been around the block a few times and is a robust business of its own.
Even if your concern isn’t longevity, GH is still giving you the best standing as far as network effects go. It’s just hard to blame anyone.
GitHub is running on momentum at this point. I only use it for cloning nowadays. They've even made that a hassle, I'd like to use SSH for all my connections, but it seems like they'd prefer I got their shitty custom tool, or used https and typed a lot of passwords.
These days for preference I'll use shart (sr.ht) or, even better, the project's own git server.
I think it defaults to showing the https cloning link when you're not logged in (and possibly don't have your public key added to your github account). While logged in it also defaults to ssh for me and works just fine.
As far as I know, the owner of JNDIExploit did not claim that GitHub took the repo down. I am trying to find their contact information to remove any doubts around this.
So what? There are plenty of resources on how to fix the vulnerability. Those who really want to see the code will find it anyways, both malicious actors and admins.
This mostly prevents skids from getting hold of it and using it against their school etc
I'm honestly kinda surprised. The policy seems willfully ignorant of the Streisand effect. I get the reasons behind it, I'm just surprised it wasn't laughed down at some internal Github planning meeting. "No, that'll never work Dave! 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0, remember?"
Interesting question. I have no idea if it's still relevant, though I imagine it is, and with the magical bytes being siloed in some file far, far away from VLC and libaacs.
It always strikes me as amusing that here we are, in the 21st century, and people are still trying to use shibboleths as a reasonable and scalable means of security. At least "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc" has some internal humor to appreciate.
Yeah nah. While the particular law is incredibly vague nonsense, if the purpose of the tool is security research or to harden your infrastructure against the impact of the vulnerability (as opposed to preparation of an actual crime) it would not be illegal to publish this in Germany.
Could you go into this a bit, is there caselaw you're relying on? AIUI (and I've not been following closely) Germany's equivalent to CFAA (in USA, or CMA in UK) makes the provision of 'hacker' tools capable of being used for intrusion a crime. Honestly, I thought it was an absolute liability law (that you can't work around by proving you had no ill intent)?
IANAL but the few cases I'm aware of have all been thrown out. The hacker tool provision in question starts out from a position of intent [0] (which was part of why a high profile case where a journalist sued themselves was thrown out). I'm honestly not aware of a case where this was successfully applied in court since its inception in 2007. I might have missed some smaller stuff over the years but as long as you're not actively advertising your make-pretend "dual use" malware exclusively on the dark net you'd likely be fine. Germany's supreme court has relatively early on argued for a pretty strict interpretation of the paragraph (according to various publications related to [1] back around 2010).
There have apparently been a few search warrants that referenced it but otherwise it's pretty much the toothless tiger you'd expect from a country that relies on potentially "dual use" software the paragraph would likely apply to in wider interpretations (or at least seems to be in constant talks with spyware manufacturers for their own executive branches).
edit: Okay, apparently I've missed a few [3] where it was actually applied. Maybe don't spy on people using keyloggers, but I'm sure other laws cover that part as well.
If that's against the rules, let me know and I will remove the post. It was never my intention to go against HN rules.
(I suggested that people upvote the thread for visibility in the community and to start the discussion. When something reaches HN frontpage, I believe it's the voice of the community, not mine anymore)
> Don't solicit upvotes, comments, or submissions. Users should vote and comment when they run across something they personally find interesting—not for promotion.
Whoever wants this gone is actively scrubbing it from GitHub (ie, it seems to be GitHub doing this). A few moments ago I found https://github.com/0x727/JNDIExploit, but while browsing around the repo suddenly went 404. Wow.
However, it seems that the way GitHub handles forks vs user deletions is that when a user deletes a fork (or it's Done For Them™), it seems that the fork "root owner" is transferred within the chain to someone else. I don't quite get it. Or maybe something else is going on.
In any case, a few minutes ago https://github.com/search?l=&q=filename%3AJNDIExploit.iml&ty... was showing JNDIExploit under "0x727", but now the page is showing the repo "owned" by a different user (with the network graph on the repo page showing everyone else as forking the repo from that new user).
So the above search link is your best bet to finding the repo. It's currently listed as owned by "zzwlpx", but you'll probably see a different user (especially if https://github.com/zzwlpx/JNDIExploit no longer works).
It currently has 245 forks, so good luck, GitHub, keeping this squashed. [Edit: I now see a comment mentioning that GitHub has a policy of trying to squash 0days for the first X days, which is a very understandable reaction given that it's where everyone goes, from the skiddies who just like seeing things burn (and prevent everyone from having nice things), to the researchers trying to respectfully evaluate damage. Sigh.]
---
Some other things I found while playing with GitHub search:
That's useful, thanks for sharing! Based on this, it seems extremely likely that GitHub has taken down JNDIExploit, as opposed to its owner removing it themselves. (See the question raised in https://news.ycombinator.com/item?id=29537822)
Thanks for these elaborate arguments against GitHub. This really gave me some insights and ideas I didn't have before reading your reasoning. I'll consider using an alternative now. Thanks again for your effort.
https://twitter.com/_mph4/status/1470343429599211528
> I just personally looked into this and can confirm we did not take down this repo nor are we actively removing Log4j related content from @github , consistent with our policies re: dual-use
Maybe too early to grab pitchforks?