GitHub taking down tools allowing defenders to reproduce the Log4j vulnerability (opens in new tab)

(twitter.com)

212 pointschristophetd4y ago94 comments

94 comments

57 comments · 17 top-level

floatingatoll4y ago· 7 in thread

They do this every time, and have a previously stated spproach of blocking zero day attack scripts for the first X days of a zero day, when they deem it sufficiently dangerous to the Internet. So, yes, yet again, they’re doing this, just as they always do. Is there something new this time that makes this newsworthy?

turminal4y ago

Every time this happens we should think about how powerful github has become and why are we collectively allowing this.

dghlsakjg4y ago

Git allows multiple remotes, and it really isn’t that hard to self host something like gitlab.

For people that operate near the edges of acceptable (create tools that are VERY easy to misuse) this kind of redundancy should be SOP

2 more replies

Cthulhu_4y ago

Github isn't powerful per se, they just capture a high percentage of the market for online code hosting. But it's just one website. Anyone can set up a git repo, an instance of a git host, etc.

1 more reply

floatingatoll4y ago

I’d love to read a longform blog post about that. Anything that fits into a tweet has already been said a bunch of times already, and hasn’t made a compelling case that there’s a problem here.

I’m pretty sure they only takedown exploit code, not scanner code, but people often choose not to distinguish those conceptually, which makes it quite difficult to have a discussion about it.

Also, see top reply on this post, which references a dual-use policy: https://twitter.com/_mph4/status/1470343429599211528

aaomidi4y ago

Would help if gitlab didn't block search engines from indexing it.

jokowueu4y ago

github isnt powerful

3 more replies

naikrovek4y ago

I'm much more worried about everyone on this site just believing everything they read, then instantly getting mad instead of doing a simple "is this really true" search or even gaining a single data point of their own.

this whole culture is just freaking ripe for manipulation. it's so easy.

overflyer4y ago· 7 in thread

But there's not only Github. They can just use Gitlab or if that does not work Codeberg. Somehow the whole industry really seems to be content with bootlicking any of the Big Five.

jchw4y ago

The problem with betting on the underdog is that the internet is still young. GitHub has momentum; it may not have a guaranteed long-term future, but as of now it is the open source project forge with the best long-term outlook. If you had bet on Google Code, your project is at least still accessible today. If you bet on Sourceforge, the same is true, although for a period of time you could’ve had your own project page distributing malware. (I am aware that it has changed hands since these incidents, but this still happened nonetheless.) GitLab also seems like an OK bet… but from there on out, it feels like you have to be careful. A random Gitea instance is never a safe bet. Even if you run it on your own, you don’t know how long you’ll be around to keep the lights on; life is fragile.

I still find Golang’s module cache mechanism to be bothersome in some regards, but I think they were on the money with their concerns. It’s probably the only way modules can stay “decentralized” with confidence. But, that solution requires at least one central entity that is trusted and can shoulder the costs of such a service; and it only solves a narrow portion of the problem, relevant to the module system of a single programming language.

There’s no easy way out; nothing is truly autonomous. Explicitly organized groups of people running a legitimate business probably have a better long-term outlook than a band of cypherpunks running P2P services, or what have you. (Believe me, it pains me to say it, because I sure wish it wasn’t so.)

In this way, I think it’s obvious why people pick GitHub. It’s because it’s in the best position of the best segment for code hosting. It’s backed by a billion dollar multinational corporation. It’s been around the block a few times and is a robust business of its own.

Even if your concern isn’t longevity, GH is still giving you the best standing as far as network effects go. It’s just hard to blame anyone.

faeyanpiraat4y ago

Blockchain to the rescue! /s

Y_Y4y ago

GitHub is running on momentum at this point. I only use it for cloning nowadays. They've even made that a hassle, I'd like to use SSH for all my connections, but it seems like they'd prefer I got their shitty custom tool, or used https and typed a lot of passwords.

These days for preference I'll use shart (sr.ht) or, even better, the project's own git server.

weikju4y ago

ssh works fine for me.. what issue are you having?

1 more reply

loxias4y ago

Or just, ya know, a $5 linode holds my git repos just fine. :) The problem is the centralization/SPOF itself, not whatever platform or SPOF used.

_fizz_buzz_4y ago

Github is owned by Microsoft. Github IS the big five.

0xdeadb00f4y ago

That's OPs point though.

1 more reply

erk__4y ago· 6 in thread

Is there any indications that it was taken down by GitHub and not by the owner themself?

christophetdOP4y ago

It's a good point. I added a disclaimer to the tweet while confirming this, but I'm confident it's a GitHub takedown following their new policy: https://github.blog/2021-04-29-call-for-feedback-policies-ex...

christophetdOP4y ago

If anyone working at GitHub reads this, I opened support ticket #1425405 to request a confirmation.

testplzignore4y ago

Update to that post: https://github.blog/2021-06-04-updates-to-our-policies-regar...

runeks4y ago

Is there any indication that the owner took it down himself while claiming GitHub did it?

erk__4y ago

Where have the owner claimed that it was taken down?

2 more replies

spixy4y ago

yes https://news.ycombinator.com/item?id=29538540

artdigital4y ago· 4 in thread

A GitHub employee replied on Twitter:

https://twitter.com/_mph4/status/1470343429599211528

> I just personally looked into this and can confirm we did not take down this repo nor are we actively removing Log4j related content from @github , consistent with our policies re: dual-use

Maybe too early to grab pitchforks?

christophetdOP4y ago

I made wrong assumptions when writing this tweet. I clarified this on Twitter. Apologies for the confusion. Not sure if it makes sense to delete the tweet / thread.

christophetdOP4y ago

The tweet has been removed. Now that this has been clarified, I don't want to be a vector for spreading inaccurate information.

1 more reply

bla34y ago

If a tweet is wrong and you're not out to spread FUD, you delete the tweet. That's standard procedure.

1 more reply

ithinkso4y ago

Yes

yellow_lead4y ago· 4 in thread

The author of this tweet asks for upvotes on Twitter[1]. isn't that against rules?

[1] https://twitter.com/christophetd/status/1470293533416427524?...

christophetdOP4y ago

If that's against the rules, let me know and I will remove the post. It was never my intention to go against HN rules.

(I suggested that people upvote the thread for visibility in the community and to start the discussion. When something reaches HN frontpage, I believe it's the voice of the community, not mine anymore)

christophetdOP4y ago

I have now removed the tweet linking to this HN thread to ensure I am abiding by HN rules.

1 more reply

aspenmayer4y ago

Pretty sure upvoting for agreement is okay? Also, policing what people say outside HN doesn’t seem productive or supported by the rules.

xenocratus4y ago

> Don't solicit upvotes, comments, or submissions. Users should vote and comment when they run across something they personally find interesting—not for promotion.

https://news.ycombinator.com/newsguidelines.html

(just quoting what seems relevant, don't know if this actually falls under that item in the guidelines)

1 more reply

arkadiyt4y ago· 3 in thread

There's a mirror here:

https://codechina.csdn.net/mirrors/feihong-cs/JNDIExploit

loxias4y ago

Finding information that is "censored" or restricted by going to a Chinese source ... gobsmacking levels of irony. :D

mgbmtl4y ago

I get what you mean, but also worth noting that the vulnerability was discovered by Chen Zhaojun of Alibaba Cloud Security Team.

2 more replies

canadatom4y ago

most the large enterprise has a direct connection to THE internet

ozim4y ago· 3 in thread

You all know that in Germany for example it is strictly forbidden to publish/code such tools.

From what I know there are also other countries that do the same.

So now GitHub would have to implement region availability not to get into trouble with German law.

Let alone this is so fresh that preventing script kiddies from downloading a tool is perfectly valid move.

tastroder4y ago

Yeah nah. While the particular law is incredibly vague nonsense, if the purpose of the tool is security research or to harden your infrastructure against the impact of the vulnerability (as opposed to preparation of an actual crime) it would not be illegal to publish this in Germany.

pbhjpbhj4y ago

Could you go into this a bit, is there caselaw you're relying on? AIUI (and I've not being following closely) Germany's equivalent to CFAA (in USA, or CMA in UK) makes the provision of 'hacker' tools capable of being used for intrusion to be a crime. Honestly, I thought it was an absolute liability law (that you can't work around by proving you had no ill intent)?

1 more reply

Laforet4y ago

They already have the mechanism in place and actively use it to block content by region as requested by respective governments.

https://docs.github.com/en/github/site-policy/github-governm...

https://github.com/github/gov-takedowns

yessirwhatever4y ago· 3 in thread

Don't upload it to fucking Github.

And fuck github.

numlock864y ago

Thanks for these elaborate arguments against GitHub. This really gave me some insights and ideas I didn't have previous reading your reasoning. I'll consider using an alternative now. Thanks again for your effort.

pbhjpbhj4y ago

Sorry to be un-HN-like, but thanks for the laugh :D

yessirwhatever4y ago

You're welcome.

loxias4y ago· 2 in thread

I'm honestly kinda surprised. The policy seems willfully ignorant of the Streisand effect. I get the reasons behind it, I'm just surprised it wasn't laughed down at some internal Github planning meeting. "No, that'll never work Dave! 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0, remember?"

ascar4y ago

For anyone else who is wondering what's up with that hex string:

AACS encryption key controversy

https://en.m.wikipedia.org/wiki/AACS_encryption_key_controve...

yrro4y ago

Does the key still work?

1 more reply

exikyut4y ago· 1 in thread

Whoever wants this gone is actively scrubbing it from GitHub (ie, it seems to be GitHub doing this). A few moments ago I found https://github.com/0x727/JNDIExploit, but while browsing around the repo suddenly went 404. Wow.

However, it seems that the way GitHub handles forks vs user deletions is that when a user deletes a fork (or it's Done For Them™), it seems that the fork "root owner" is transferred within the chain to someone else. I don't quite get it. Or maybe something else is going on.

In any case, a few minutes ago https://github.com/search?l=&q=filename%3AJNDIExploit.iml&ty... was showing JNDIExploit under "0x727", but now the page is showing the repo "owned" by a different user (with the network graph on the repo page showing everyone else as forking the repo from that new user).

So the above search link is your best bet to finding the repo. It's currently listed as owned by "zzwlpx", but you'll probably see a different user (especially if https://github.com/zzwlpx/JNDIExploit no longer works).

It currently has 245 forks, so good luck, GitHub, keeping this squashed. [Edit: I now see a comment mentioning that GitHub has a policy of trying to squash 0days for the first X days, which is a very understandable reaction given that it's where everyone goes, from the skiddies who just like seeing things burn (and prevent everyone from having nice things, to the researchers trying to respectfully evaluate damage. Sigh.]

---

Some other things I found while playing with GitHub search:

https://github.com/zhuowei/GhidraLog4Shell

https://github.com/samjcs/log4shell-possible-malware

https://github.com/mbechler/marshalsec/

christophetdOP4y ago

That's useful, thanks for sharing! Based on this, it seems extremely likely that GitHub has taken down JNDIExploit, as opposed to its owner removing it themselves. (See the question raised in https://news.ycombinator.com/item?id=29537822)

christophetdOP4y ago

UPDATE: GitHub CISO pointed out that GitHub did NOT take down the JNDI Exploit repository.

https://twitter.com/_mph4/status/1470343429599211528

https://twitter.com/christophetd/status/1470346676053422081

This is surprising, considering what is outlined in a previous comment[1]. I hope GitHub provides more transparency on the takedown actions for "malicious content / exploits" like they do for DCMA notices[2].

Apologies for making wrong assumptions. I removed the original Tweet (see screenshot[3] for the original).

[1] https://news.ycombinator.com/item?id=29538151

[2] https://github.com/github/dmca

[3] https://i.imgur.com/sJe3OTI.png

btbuilder4y ago

This is disappointing. I used this tool to understand the vulnerability within the first few hours of response. It allowed me to prove mitigations worked, and therefore gave certainty.

schleck84y ago

So what? There is plenty of ressources on how to fix the vulnerability. Those who really want to see the code will find it anyways, both maliscious actors and admins.

This mostly prevents skids from getting hold of it and using it against their school etc

e12e4y ago

Looks like original is up? Or is it a re-upload?

https://github.com/Jeromeyoung/JNDIExploit-1

jimmyvalmer4y ago

Github taking down whitehat tool for reproducing vulnerability.

The title as it stands begs the question: Who is "allowing defenders", Github or the tools? Also "defenders" is a weird word to use here.

TruthWillHurt4y ago

Sure, a tool for defenders... like Kali Linux is for security researchers..

hvgk4y ago

Remember GitHub is not Git. Needs to be pushed elsewhere. Everywhere.

j / k navigate · click thread line to collapse

94 comments

57 comments · 17 top-level

floatingatoll4y ago· 7 in thread

turminal4y ago

Every time this happens we should think about how powerful github has become and why are we collectively allowing this.

dghlsakjg4y ago

Git allows multiple remotes, and it really isn’t that hard to self host something like gitlab.

For people that operate near the edges of acceptable (create tools that are VERY easy to misuse) this kind of redundancy should be SOP

2 more replies

Cthulhu_4y ago

Github isn't powerful per se, they just capture a high percentage of the market for online code hosting. But it's just one website. Anyone can set up a git repo, an instance of a git host, etc.

1 more reply

floatingatoll4y ago

I’d love to read a longform blog post about that. Anything that fits into a tweet has already been said a bunch of times already, and hasn’t made a compelling case that there’s a problem here.

I’m pretty sure they only takedown exploit code, not scanner code, but people often choose not to distinguish those conceptually, which makes it quite difficult to have a discussion about it.

Also, see top reply on this post, which references a dual-use policy: https://twitter.com/_mph4/status/1470343429599211528

aaomidi4y ago

Would help if gitlab didn't block search engines from indexing it.

jokowueu4y ago

github isnt powerful

3 more replies

naikrovek4y ago

this whole culture is just freaking ripe for manipulation. it's so easy.

overflyer4y ago· 7 in thread

But there's not only Github. They can just use Gitlab or if that does not work Codeberg. Somehow the whole industry really seems to be content with bootlicking any of the Big Five.

jchw4y ago

Even if your concern isn’t longevity, GH is still giving you the best standing as far as network effects go. It’s just hard to blame anyone.

faeyanpiraat4y ago

Blockchain to the rescue! /s

Y_Y4y ago

These days for preference I'll use shart (sr.ht) or, even better, the project's own git server.

weikju4y ago

ssh works fine for me.. what issue are you having?

1 more reply

loxias4y ago

Or just, ya know, a $5 linode holds my git repos just fine. :) The problem is the centralization/SPOF itself, not whatever platform or SPOF used.

_fizz_buzz_4y ago

Github is owned by Microsoft. Github IS the big five.

0xdeadb00f4y ago

That's OPs point though.

1 more reply

erk__4y ago· 6 in thread

Is there any indications that it was taken down by GitHub and not by the owner themself?

christophetdOP4y ago

If anyone working at GitHub reads this, I opened support ticket #1425405 to request a confirmation.

testplzignore4y ago

Update to that post: https://github.blog/2021-06-04-updates-to-our-policies-regar...

runeks4y ago

Is there any indication that the owner took it down himself while claiming GitHub did it?

erk__4y ago

Where have the owner claimed that it was taken down?

2 more replies

spixy4y ago

yes https://news.ycombinator.com/item?id=29538540

artdigital4y ago· 4 in thread

A GitHub employee replied on Twitter:

https://twitter.com/_mph4/status/1470343429599211528

> I just personally looked into this and can confirm we did not take down this repo nor are we actively removing Log4j related content from @github , consistent with our policies re: dual-use

Maybe too early to grab pitchforks?

christophetdOP4y ago

I made wrong assumptions when writing this tweet. I clarified this on Twitter. Apologies for the confusion. Not sure if it makes sense to delete the tweet / thread.

christophetdOP4y ago

The tweet has been removed. Now that this has been clarified, I don't want to be a vector for spreading inaccurate information.

1 more reply

bla34y ago

If a tweet is wrong and you're not out to spread FUD, you delete the tweet. That's standard procedure.

1 more reply

ithinkso4y ago

Yes

yellow_lead4y ago· 4 in thread

The author of this tweet asks for upvotes on Twitter[1]. isn't that against rules?

[1] https://twitter.com/christophetd/status/1470293533416427524?...

christophetdOP4y ago

If that's against the rules, let me know and I will remove the post. It was never my intention to go against HN rules.

christophetdOP4y ago

I have now removed the tweet linking to this HN thread to ensure I am abiding by HN rules.

1 more reply

aspenmayer4y ago

Pretty sure upvoting for agreement is okay? Also, policing what people say outside HN doesn’t seem productive or supported by the rules.

xenocratus4y ago

> Don't solicit upvotes, comments, or submissions. Users should vote and comment when they run across something they personally find interesting—not for promotion.

https://news.ycombinator.com/newsguidelines.html

(just quoting what seems relevant, don't know if this actually falls under that item in the guidelines)

1 more reply

arkadiyt4y ago· 3 in thread

There's a mirror here:

https://codechina.csdn.net/mirrors/feihong-cs/JNDIExploit

loxias4y ago

Finding information that is "censored" or restricted by going to a Chinese source ... gobsmacking levels of irony. :D

mgbmtl4y ago

I get what you mean, but also worth noting that the vulnerability was discovered by Chen Zhaojun of Alibaba Cloud Security Team.

2 more replies

canadatom4y ago

most the large enterprise has a direct connection to THE internet

ozim4y ago· 3 in thread

You all know that in Germany for example it is strictly forbidden to publish/code such tools.

From what I know there are also other countries that do the same.

So now GitHub would have to implement region availability not to get into trouble with German law.

Let alone this is so fresh that preventing script kiddies from downloading a tool is perfectly valid move.

tastroder4y ago

pbhjpbhj4y ago

1 more reply

Laforet4y ago

They already have the mechanism in place and actively use it to block content by region as requested by respective governments.

https://docs.github.com/en/github/site-policy/github-governm...

https://github.com/github/gov-takedowns

yessirwhatever4y ago· 3 in thread

Don't upload it to fucking Github.

And fuck github.

numlock864y ago

pbhjpbhj4y ago

Sorry to be un-HN-like, but thanks for the laugh :D

yessirwhatever4y ago

You're welcome.

loxias4y ago· 2 in thread

ascar4y ago

For anyone else who is wondering what's up with that hex string:

AACS encryption key controversy

https://en.m.wikipedia.org/wiki/AACS_encryption_key_controve...

yrro4y ago

Does the key still work?

1 more reply

exikyut4y ago· 1 in thread

---

Some other things I found while playing with GitHub search:

https://github.com/zhuowei/GhidraLog4Shell

https://github.com/samjcs/log4shell-possible-malware

https://github.com/mbechler/marshalsec/

christophetdOP4y ago

UPDATE: GitHub CISO pointed out that GitHub did NOT take down the JNDI Exploit repository.

https://twitter.com/_mph4/status/1470343429599211528

https://twitter.com/christophetd/status/1470346676053422081

Apologies for making wrong assumptions. I removed the original Tweet (see screenshot[3] for the original).

[1] https://news.ycombinator.com/item?id=29538151

[2] https://github.com/github/dmca

[3] https://i.imgur.com/sJe3OTI.png

btbuilder4y ago

This is disappointing. I used this tool to understand the vulnerability within the first few hours of response. It allowed me to prove mitigations worked, and therefore gave certainty.

schleck84y ago

So what? There is plenty of ressources on how to fix the vulnerability. Those who really want to see the code will find it anyways, both maliscious actors and admins.

This mostly prevents skids from getting hold of it and using it against their school etc

e12e4y ago

Looks like original is up? Or is it a re-upload?

https://github.com/Jeromeyoung/JNDIExploit-1

jimmyvalmer4y ago

Github taking down whitehat tool for reproducing vulnerability.

The title as it stands begs the question: Who is "allowing defenders", Github or the tools? Also "defenders" is a weird word to use here.

TruthWillHurt4y ago

Sure, a tool for defenders... like Kali Linux is for security researchers..

hvgk4y ago

Remember GitHub is not Git. Needs to be pushed elsewhere. Everywhere.

j / k navigate · click thread line to collapse