#it would involve like. solving the mystery of what happened to Lawrence and also dealing with the gross weird being inhabiting his corpse | Explore Tumblr Posts and Blogs

gillian-greenwood · 3 years

Text

My Episode 7 Predictions!

Mother of God! How have these weeks passed by so fast?! I've decided to share what I think will be answered tomorrow night and some of the fates of our beloved characters! The series has gotten off to an even bigger success than it's predecessor and EVERYONE'S talking about it! Without further ado, let's see what I'm predicting!

Who's H/fourth man (or woman) and will we find out?

The question that's on the nation's minds. That has been boggling us since 2017... My personal prediction still stands as CC Philip Osborne, however... I think he's purely sitting on his arse and pulling the strings, whilst others are doing his dirty work. Those people are Patricia Carmichael: who in all honesty I'm manifesting isn't actually bent but is so career driven and a bit of a lick arse that she's just taking orders and not questioning anything, plus she doesn't think much of Ted either... I have joked that she's been shagging Osborne on the side which would be quite funny. I also believe Buckells has been Osborne's true scape goat for years. Someone as laid-back and unpassionate as Buckells is easily manipulated - I mean how the hell has he become a super? As Steve rightfully says, he couldn't order a piss up in a brewery. Seeing the connections go well back into the early noughties whilst Buckells was part of an oasis tribute band, it's an easy conclusion to make. Lastly I will mention Thurwell, now I think Thurwell may have been more involved on his own doing anyway but I think he'd still been pretty busy doing things on behalf of Osborne up until his alleged death in sunny Spain (Belfast but shh). I know a lot of people still think Buckells, some reckon pas-agg Pat is the top woman... and a few still think our beloved Kate is 'H'.

Now the other part of my point is actually finding out... I think us as viewers will certainly know the identity of this mysterious individual. But, I think we'll find out in the very last few seconds and poor AC12 won't be any the wiser which will open up the foundations for a possible series 7. I think a lot of things will be answered for us viewers but not everything for the characters. I know that if they had a series 7 there would be an other primary focus but I just think it would be clever. Just like how we found out as viewers at the end of series 1 that Dot was a wrong'un.

Is Thurwell really dead?

I'm still very amazed by the whole induction of Jimmy Nesbitt as a series of photos. I know we were supposed to have a secretive guest actor appearance and I believe it was Robert Carlyle's name floating about which would have been insane! But that moment we saw Jimmy, I yelled at the screen. So, this answers the question of seeing a character that had only been mentioned previously - which has been very much hiding in plain sight. Even with a rewatch, I had forgotten about Thurwell and therefore hadn't even considered him. But, I did mention the list from series 3 which did loosely tie in. Anyway, when we learned that Thurwell and his Mrs were now dead and clearly had been for a while - it was cleverly shot so we didn't see who it was, only the Spanish Police's word. You know, I think if we were to get a series 7, Thurwell could appear and he's in fact not dead. It's very rare you get a very well known actor in for something so small without it leading to bigger things. Although, they got Andi Osho, a very much loved comedian in purely for archival photos and videos... I do feel that Thurwell could have easily been on the other end of the fake MSN, and doing Osborne's dirty work - especially with the Spanish connection. In a BTS photo we have seen a clue to a piece of paperwork regarding a time share (Spain mentioned) in front of Kate which will likely have a connection to Thurwell and Spain. I think he's possibly still alive but we'll see...

Joanne Davidson

Kelly Macdonald has been welcomed with a very warm reception. Wow, her connection to Tommy Hunter (albeit disturbing, homozygous DNA... nasty business) was not something I ever expected although I guessed very much so when we learned of the DNA match with a nominal. Would I define her as bent? I mean in layman's terms, yes she is. However each guest star has had a very complicated relationship with the definition - all have done dodgy things and usually for good reason... But I do sympathise with her because of her background, born into trouble, it was very hard to escape - even if her mum took her to Scotland for a life away from it all. From the very start of her career she was doing the OCG's bidding and it transpires she was in the police on Tommy's orders - so very much another caddy. I do feel Jo had always wanted to be a good person and do right and in some ways she did - however she's in too deep. Next I'll mention her relationship with Kate and it's something I'd never have predicted. A lot of suggestive and sapphic behaviour from the off. Now, I do think Jo cares deeply for Kate and has developed strong feelings - and I think Kate deep down has also but I don't think anything will happen sadly. And that's more for the fact that they had run out of track before they could even get going as so much has happened. Kate's gonna save Jo when her transport gets ambushed, that's a given... but I don't think we'll see anything happen that we want to happen. I hope I'm very wrong and we get something but with the hour we've got I don't think it'll be the case. And as for her fate? I think she'll survive. Guest leads usually die, eventually... with the exception of Roz who's serving time with one arm in Brentiss. Giving how unfortunate her life has been from her conception, I think it'll do her justice to escape with her life. Witness protection? Hmm perhaps... Although I think she's done enough dodgy stuff to warrant a prison stretch. Will she be instrumental in revealing who the fourth dot is? Well yeah actually, I think she grew up thinking Thurwell was her dad... and of course having connections to both Osborne and Buckells. Jo joined the force just before the turn of the millennium so would have been a copper when the Lawrence Christopher case occurred in 2003. Even though not directly working with them, I'm sure she knew what was going on and would have come across Osborne and Buckells at that time. I have a strong inkling that she knows exactly who she's been talking to and has been under their wing since the start. If she dies I will be gutted.

Kate

Where are we going with Kate? Well she's just killed Ryan (lawfully) and has gotten away with it. But Carmichael isn't thick... and nor is Steve and Ted. They all know but I think that'll be that for now. For ages I thought she was gonna D word but I think she's gonna be alright now. I hope that somehow she gets back into anti-corruption permanently because that's where she's best suited. I'm shocked that she hasn't had a glass box spectacular - my predictions for her to be accused of being bent and all that were way off the mark... and not a single mention of the two dying declarations... With only an hour tomorrow and so much to deal with, I guess that's not going to be mentioned. And Kate ain't gonna be sanctioned either. But, there's always opportunity with a series 7... She'll definitely be back in AC12, interviewing... I can't see all the BTS photos being Jed Herrings. But we'll see tomorrow!

Steve

Poor Steve eh? He's not had an easy time of it. Addicted to painkillers as I rightfully predicted, unable to trust his gaffer, torn on a transfer and a up and down friendship with his 'mate'. Oh and the car, actually let's not talk about the Mazda... Anyhow I believe that Steve will talk about his back and recent struggles with meds after a lot of emails from occupational health. Will he get pulled off the job at the last second because he didn't book an appointment... yeah I think that might happen and Kate takes his place or something. But there is a counsellor or something credited so I'm pretty certain on that. Will he lose his long overdue promotion? It's possible! I don't think the test was going to come back as a fail but more of a cause for concern - just that the levels of codeine etc in his system was higher than it should and it would be best advised to talk to someone. We haven't seen much pill taking going on since the drugs test so has Steve been going cold turkey? Or have they just veered away from that part of the story? In all fairness he's appeared fine with his back since the Windermere convoy - he ran across an industrial estate... I mean. I hope Steve gets a glimmer of hope and happiness because he rightfully deserves it. Ever since the start he's had his fair sharing of aggro and he deserves a break. I do think however he may be partly responsible for nailing the final nails into Ted's coffin - especially after he discovered the 50K up Merseyside and the truth from Lee Banks. I think he could be potentially happy with Steph, it would be nice for something to happen with them but we'll see. Steve needs a big hug.

Ted

This is going to pain me saying it. But, I don't think Ted is going to make it to the end. His retirement is inevitable. I can see the argument of the retirement being rescinded if they unmask the fourth dot etc and solve stuff but realistically, he's past retirement age. He's so focused on getting to the end of this marathon that I don't think he will see it through and know who it is - because he'll... yeah I don't need to say it. How? I've been saying his heart is gonna pack in. He's going to be in deep trouble over that 50k because Steve and Kate know the truth. But why would the likes of Carmichael find out... Well we've seen a clue of 'definate' on some paperwork - I reckon Ted by coincidence also makes this spelling mistake often as it is one of the most commonly misspelt words and therefore will be in the 'H' running again - he wont be 'H' as I reckon Osborne makes the same mistake... He alleges he misspelt it cos he studied the texts carefully but I think he spelt it how he usually would. They'll all go down the wrong path and accuse him which will lead to his ultimate downfall. Another little teaser is Steve appearing to listen to Ted's 2019 glass box spectacular however notably Carmichael says AC12 interview and not AC3... so mixing two different interviews to tease us? Maybe Ted might feel he has no choice but to sacrifice his career for the truth. However it all gets too much. Lies cost lives... I can't see Ted going on from beyond here and Ted was always supposed to be a minor character until he was very well received by the audience and he was made a main character. Realistically, his story is told and he's at his endgame. I hope he survives, by god I do... He's one of the most loved fictional characters at present. But I have a really bad feeling and I'm worried! It seems a total Jed thing to do for Ted to meet his end without ever finding the truth... seeing that's what his heart has been set on for about four years... I'm sorry to even be going there but it's what I think will happen. And I want to be wrong.

Miscellaneous Predictions

I want to round this all off with other little points. Carmichael won't be bent, maybe still involved with anti-corruption, you love to hate her, there's so much more they could do with her character. I don't think Steph's dodgy at all, she's just a widow whose been helped out by Ted in an unlawful way. I think her and Steve would be well suited. I hope Chloe will get to the end and continue on in anti-corruption, she's got a lot of potential. If Osborne isn't sussed, I reckon he'll still be CC. DCC Wise isn't bent either, just getting on with her job. But if Osborne does get caught and I'm wrong, there will be a lot of chaos for both him and Wise. Farida gets out of jail and starts afresh. Buckells I reckon will get out but won't be apart of the police force anymore. Lomax isn't bent, just a regular cop trying to get the work done. The rest of Jackie's remains will be found under the workshop floor, maybe with someone else? God knows who. Or maybe with some evidence that helps lead AC12 on the right track. Steve will still be an officer and Kate will be back where she belongs. There's probably more but my head hurts.

Will there be a series 7?

Yes.

Thank you all for reading my jumbled thoughts all packed into a text post. I'm nervous but excited for tomorrow night's finale. Let's see if I get anything right... probably not...

16 notes · View notes

kbrown78 · 6 years

Text

Monthly Wrap Up: September

Looking back, September wasn't a great month. Granted I did read 9 books and 3 of those books were over 500 pages, but most of these books I didn't enjoy. There were a couple highlights and two of the books that I did read were non fiction, both I thought were fairly good. I will also say real quick that I tried to start the last book in the Gemma Doyle trilogy, but I gave up on it because it was the exact same story I had to endure in the second book and I wasn't going to deal with 800 pages of that.

The Defiant Heir by Melisa Caruso: This is the second book in the Swords an Fire trilogy, and I thought it was even better than the first, and I gave the first one 5 stars. First it does build off of what was established in the previous book, with the worlds and the characters. The main conflict is Amalia trying to prevent an internal war while also trying to solve what happened to the missing Falcons. This series is exactly what I want to read, with an amazing intellectual character who knows how to use her smarts to achieve her goals and is someone who tries to do right thing. The relationships are all astounding, female friendships in particular, and I like that Amalia's mother is an active presence who cares about her daughter but lets her do her own thing. The romance is great too, despite the fact that there is a love triangle. The villain is despicably evil, but he's not mustache twirling and while he did have a sad past, that fact isn't even remotely treated as an excuse for his horrible actions. The plot keeps me invested and keeps adding new twists that add to the story. The world is fantastic, with each location feeling well developed and distinct from each other. Seriously the only complaint I have about this series is that it isn't longer. The Defiant Heir received 5 out 5 stars.

Bitterblue by Kristen Cashore: This book was such a disappointment. When I first read the Graceling trilogy, I hated the other two books, and I think that clouded my judgement and made me rate Bitterblue much higher. I do ultimately think Bitterblue is the best book in the series, but after rereading it I realize that it's not nearly as good as I originally thought it was. It's going to be hard to do this review without giving away spoilers, but I'll try. A brief synopsis is that Queen Bitterblue is working to help her kingdom recover and there are those that are trying to stop her. So Bitterblue makes an effort to be a good ruler and do the right thing in difficult situations. She's also book smart, which I usually like that type of character, but she did some really stupid things and was also quite bratty at times. There are two potential love interests, and I didn't really like either of them. One was just brooding, which I never like in a love interest, the other one was a bit boring. The weakest aspect of this book is definitely the plot. There's a sub plot about rebellion in the other kingdoms, but it was pretty irrelevant to the overall plot, and I just wasn't interested in any of the characters involved. This is the part where it's impossible to talk about the book with out spoilers, but I will say this. The struggle's that the kingdom is facing were well written and did a good job of exploring various themes of ruling and recovery. However, the big plot twist at the end that helps resolve their issues is so unrealistic that it causes the entire story to just collapse. The best aspects of this book were some of the themes explored and the art work because there are some beautiful interior designs. I would still say this book is the best out of the three, but looking back it isn't nearly as good as I remember it (although I do in part blame the reading slump I was in after finishing Defiant Heir, but only partly). Bitterblue received 2 out 5 stars and was my pick for the PopSugar promt “book with your favorite color in the title”.

Red Sister by Mark Lawrence: I went into this book with high expectations, and while it did live up to a few, it also disappointed me. The basic summary is this girl gets taken in by a convent of assassin nuns, where she spends her years training. Sounds like a pretty cool synopsis, but every time I hope a book is going to be similar to Harry Potter, with the schooling, it never lives up to that expectation. First I liked the protagonist, Nona. It was nice to have a female character who was a badass fighter, but she wasn't cold. She cares deeply about her friends and friendship and protecting those she cares about are important to her. That's not a type of character I see often. With that established, I do think some of the friendships were well done, like Hessa's, Arabella's and Clera's, because of how much they differ but at the same time feeling like it wasn't forced. Some of the nuns were interesting, but they didn't quite feel fully fleshed out, and one nun I hated because of how mean she was and I'm sick of seeing that kind of adult in fiction. The world building was so weird, and I honestly didn't like it because it felt very underdeveloped and made little sense. The story is Nona's story, but there times when I felt like it didn't focus on her and those were usually my least favorite parts because I was just invested in Nona, not in anything that was happening in the outside world or with any other character. Because of that there were some parts I honestly just skimmed through. I mentioned the Harry Potter thing, and what I meant by that is Nona has classes that she needs to take, and while they are mentioned, I didn't get much of sense of her learning. It was more like she suddenly had these skills, which I blame on both the lack of detail on what she did learn, and the poor pacing of this story, with those parts just being rushed through at a rate I couldn't even discern. So while I liked parts of the story, I definitely didn't love it was much as I thought I would and I'm not sure if I'm going to continue with rest of the series. Red Sister received 3 out 5 stars from me.

The Silk Roads: A New History of World by Peter Frankopan: I was originally going to be reading this book over the entire year, but I decided to just finish it up as some as possible. I didn't tag this book and I won't be doing a full review of it because it is historical nonfiction. Now the premise of the book intrigued me, exploring world history through the Silk Road, and I also though the cover was pretty. The first half of the book really intrigued because I like learning about ancient history, and it was very detailed and I was fascinated by what I was learning. My impression, however, had been that this book would primarily focus on ancient times, but this was not the case. I could have done with history that was all pre-1700s, but the last third of the book focused on history from the 1800s to modern times, and while I tried to pay attention because there was a lot that was relevant to today's world, I just couldn't focus as much as I had in the previous sections. That's not to say it wasn't as well written or well researched as the previous parts, I just wasn't interested anymore. So this book received 3.5 out 5 stars, but that's only because it's a case of “it's not you, it's me,” and I would highly recommend this book to anyone that loves history.

You Are A Badass by Jen Sincero: This was the other nonfiction I read this month, and this was just a real quick self help book. I do think overall it did a good job at identifying ways to improve but I do admit I started skimming through the extra text just to get to the bullet points. So helpful but maybe not presented in the most efficient way. You Are A Badass received 3 out 5 stars.

The Library at Mount Char by Scott Hawkins: Oh man, I was looking forward to this book, but it epicly failed. I read a sample of it and was really intrigued. It felt very mysterious, I didn't know exactly what was going on and I got the distinct impression that these characters weren't entirely human. Then I read the rest of the book and I didn't connect with any of the characters, I found the writing style to be increasing irritating, the story made no sense to me because I didn't understand what was happening and I didn't understand the sense of urgency, and I got increasingly sexist vibes from the story. All I can make sense of is that “Father” was gone missing from the Library and there's a lot of death and resurrection. I can't do a full review of this story because I DNFed it 50% through, I just couldn't take it anymore. I initially chose this one as my pick for the PopSugar promt “book set in a library” and needless to say this book received 1 out 5 stars because I couldn't even force myself to finish it.

Circle of Magic: Sandry's Book by Tamora Pierce: I hoped that I would enjoy this one. I've been looking forward to reading it for awhile. But lately I've really been struggling with YA, and even for a YA book I found this one to be bad. First, there's no plot. Literaly two major events happen in the book and that's it everything else was filler. What I remember of almost all my favorite reads as a child (with the exception being East) is that they got into the action and the plot fast, so I can definitely say that even as child I wouldn't have liked this book. I thought all the characters were pretty flat. I wasn't expecting to get everyone's perspective, I thought there would just be Sandry's perspective, since the book is literally called “Sandy's Book,” and I don't think adding in the extra perspectives helped the story in any way. I also got the impression that the children were acting overly immature but also the audience was expected to be immature. There was one scene where three of the character don't know what the word “kid” means, and it really irritated me. I won't be doing a full review for this one too, because I did tag it, but I didn't take any notes because of how overly simple this story was. I have the next 3 books and maybe they'll get better, but I'm in no rush. Sandry's Book received 1.5 out 5 stars.

The Star Touched Queen by Roshani Chokshi: So I mentioned in the previous entry that I have been struggling with YA, particularly YA fantasy. This book, thank goodness, is a very pleasant exception to that. I really liked reading this book the first time through, and second read through, while there were a few things I disliked, I actually enjoyed the story even more. It's always pitched as Hades/ Persphone with Indian folklore, and both parts are so well done. I loved the romance, I loved the story, I loved the characters (most of them). The writing style is gorgeous, it's so flowery and atmospheric. I could see the vivid colors, I could taste the jewel fruit. I love Chokshi's books, and I cannot wait to get to her short stories that are set in the same world. Star Touched Queen received 5 out 5 stars.

Sabriel by Garth Nix: And so we return to the YA slump. I shouldn't be too hard on this book though. There were some very interesting aspects of it, and the first half of the book was good. Sabriel was competent character who was trained to deal with death, and Mogget was this eerie figure that I kind of liked but was also kid of afraid of. I loved the focus on death, and how death is it's own world. The magic system was really cool to, with different marks and the bells. I thought the pacing of the first half was decent too, fast but not rushed. Things took a turn, however, when the love interest was introduced. It was so obvious this guy was the love interest, and the relationship felt so forced and there was insta-love, which I hate. After Touchstone was introduced, the pacing was so much more rushed, there was a lot of telling instead of showing, and there was also quite a bit Deus Ex Machina. Things really fell apart in the second half, and it turns out this was because the first book was going to be treated more as a prequel instead of a first book. Sabriel received 3 out 5 stars.

#monthly wrap up #books #september #the defiant heir #melisa caruso #star touched queen #roshani chokshi #tamora pierce #bitterblue #red sister #garth nix #sabriel #library at mount char

2 notes · View notes

michaelok · 6 years

Text

Fun with Java Deserialization

Down the Rabbit Hole

I’ve just been scrambling down the rabbit hole to patch an app that Qualys is complaining has a deserialization vulnerability. What should have been a simple effort has turned into a mystery because, while we appear to have the correct libraries already in place, Qualys is still complaining about the error. A report that should be clean, to indicate compliance with GDPR, is instead “yellow”, or “orange”, or “red”, so fingers point, tempers flare, e-mails fly about, cc’ing higher and higher ups, so now we have assumptions, and based on those assumptions, tersely written orders, involvement by 3rd party vendors. Time to panic? Shall we be careful and tip-toe through the eggs?[0]

Well, it turns out to be a rather interesting mystery.

What is Java serialization?

First, some definitions are in order. What is Java serialization and why is it important? Perhaps Wikipedia[1] defines it the simplest:

A method for transferring data through the wires

Java serialization is a mechanism to store an object in a non-object form, i.e. a flat, serial stream rather than an object, so that it can be easily sent somewhere, such as to a filesystem, for example. It is also known as “marshaling”, “pickling”, “freezing” or “flattening”. Java programmers should be familiar with the concept, and with the Serializable interface, since it is required in various situations. For example, this technique is used for Oracle Coherence’s “Portable Object Format” to improve performance and support language independence.

Early Days of Java Serialization

Amazing to think that, back in the day, we used all the various tools required for distributed communication, whether simple like RMI and JMX, or more involved specs like CORBA and EJB, and we never thought much about the security aspects. I’m sure if I peruse my copy Henning and Vinoski’s definitive work on C++ and CORBA, I’ll find a chapter or so focusing on security[1], but I’m figuring, we, like everyone else, focused on the business details, getting the apps to communicate reliably, adding features, improving stability, etc, and not on whether there were any security holes, such as tricking a server into running cryptocurrency mining malware[2]. Yes, Bitcoin and the like did not even exist then.

The Biggest Wave of Remote Execution Bugs in History

Well, times change, and the twenty-year-old Java deserialization capability is the source of “nearly half of the vulnerabilities that have been patched in the JDK in the last 2 years” [3], so Oracle has plans in the works to completely revamp object serialization. Further note that this is not solely Oracle’s issue, nor is it limited to Java. Many other software vendors, and open source projects, whether tools or languages, have this weakness, such as Apache Commons Collections, Google Guava, Groovy, Jackson, and Spring.

It seems all the excitement, at least in the Java world, started when Chris Frohoff and Garbriel Lawrence presented their research on Java serialization “ultimately resulting in what can be readily described as the biggest wave of remote code execution bugs in Java history.” [6] However, it is important to note that this flaw is not limited to Java. While Frohoff and Lawrence focused on Java deserialization, Moritz Bechler wrote a paper that focuses on various Java open-source marshalling libraries:

Research into that matter indicated that these vulnerabilities are not exclusive to mechanisms as expressive as Java serialization or XStream, but some could possibly be applied to other mechanisms as well.

I think Moritz describes the heart of the issue the best:

Giving an attacker the opportunity to specify an arbitrary type to unmarshal into enables him to invoke a certain set of methods on an object of that type. Clearly the expectation is that these will be well-behaved – what could possibly go wrong?

Java deserialization

For our purposes, we focused on Java serialization and Apache Commons Collections. From the bug report COLLECTIONS-580[4]:

With InvokerTransformer serializable collections can be build that execute arbitrary Java code. sun.reflect.annotation.AnnotationInvocationHandler#readObject invokes #entrySet and #get on a deserialized collection.

If you have an endpoint that accepts serialized Java objects (JMX, RMI, remote EJB, …) you can combine the two to create arbitrary remote code execution vulnerability.

The Qualys report didn’t have much in the way of details, other than a port and the commons-collections payloads that illustrated the vulnerability, but I guessed from that info that the scanner simply uses the work done by the original folks (Frohoff and Lawrence) [5] that discovered the flaw available as the ysoserial project below.

https://www.youtube.com/watch?v=KSA7vUkXGSg

Source code here: https://github.com/frohoff/ysoserial

Now, in the flurry of trying to fix this error, given the annoyingly vague details from Qualys, I had looked at all sorts of issues, after noticing a few extra JVM arguments in the Tomcat configuration that happened to be set for the instances that were failing with this error, but were not set on other instances. Apparently someone had decided to add these, without informing our team. Interesting.

Now, remember that according to the original bug report, this exploit requires (1) untrusted deserialization, it (2) some way to send a payload, i.e. something listening on a port, such as a JMX service. In fact, These extra JVM args were for supporting remote access via JMX, so unraveling the thread, I researched Tomcat 8 vulnerabilities especially related to JMX. While it turns out that JMX is a weak point (JBoss in particular had quite a well-known major JMX flaw), I did have any luck convincing the customer that they should shut down the port. It is used to gather monitoring metrics useful in determining application performance such as CPU load, memory, and even cache information. Ok, easy but drastic solutions were off the table. I was back to the drawing board.

Next, I tried to see why it was flagging Apache collections in the first place. Going back to the ysoserial project, was it incorrectly flagging Apache Commons Collections 3.2.2, or Collections4-4.1, despite the fact that the libs were fixed? Further looking at the specific payloads, Qualys/Ysoserial was complaining about Collections 3.2.1, which limited the test scenarios to try to get working

Now here’s the interesting part: with ysoserial, I was unable to get the exploit to work, as depicted in the Marshalling Pickles video. It was failing with a strange error I hadn’t seen before, something about filter setting a “rejected” status. Now, this led me to finding info about Oracle’s critical patch update (_121). I was running with latest & greatest JDK, release _192, however our production servers were running a very out-of-date version - surprise surprise.

Apparently, with Oracle JDK at release 121 or later, Oracle has started to address this vulnerability in an official way, rather than what exists currently which is a bunch of ad-hoc solutions, mainly whitelisting/blacklisting, which is a difficult without library support. Some would call this ‘whack-a-mole’, but I think this illustrates quite well the idea of a “patch”, i.e. there’s a leak, so run over and put some tape over it, but we aren’t solving the fundamental issue. In other words, the current defense against this attach is limited because we can’t possibly know what libraries customers will use, so the library maintainer has to scramble to plug the holes whenever they are discovered. Note that even the best of libraries like Groovy, Apache and Spring have had to fix this flaw.

So kudos to Oracle for taking some much needed steps in solving this problem. Here’s a little detail on the new feature that works to make the deserialization process more secure:

The core mechanism of deserialization filtering is based on an ObjectInputFilter interface which provides a configuration capability so that incoming data streams can be validated during the deserialization process. The status check on the incoming stream is determined by Status.ALLOWED, Status.REJECTED, or Status.UNDECIDED arguments of an enum type within ObjectInputFilter interface.

https://access.redhat.com/blogs/766093/posts/3135411

While it is the “official” way to deal with the deserialization issue, it remains to be seen how well this strategy will work. As a further research project, I’m curious whether this model might be used beyond Java serialization, i.e. in projects like Jackson. Does it add anything more than Jackson already has, or does it simplify it, etc.

This feature is targeted for Java 9, but was backported to 8, though it looks like it doesn’t have all the functionality that Java 9 supports.

So you are probably wondering what happened? Did we fix all of the above, and even throw in an upgrade Tomcat, like the Monty Python “Meaning of Life” movie “everything, with a cherry on top!” Well, finally, given a little guidance on where to look, the 3rd party developers - turned out that not only had they added the JVM args, they had also added in some extra code to handle the authentication. Which used - you guessed it - the _old_ 3.2.1 version of commons-collections. This code was also manually maintained, so while the app our team maintained received the updated commons jar in an automated fashion along with all the other updates, this little bit of code, tucked away on the server, was never updated.

Lessons learned? Off-the-wall custom authentication? Don’t do this. But if you do, don’t leave manually updated chunks of code lying around, and further, keep up with the patches!

[0] Yes, I’m reading William Finnegan’s “Barbarian Days: The Surfing Life”, Finnegan’s hilarious and fascinating account of being a surfer in the early days of the sport. At one point, he complains to his friend and fellow surfer, who is getting on his nerves, that he is tired of walking on eggs around him. Of course, in his anger, he mixed up the quote, and meant “walking on eggshells”.

[1] https://en.wikipedia.org/wiki/Serialization

[2] A quick look at the omniORB doc shows it has a feature called the “Dynamic Invocation Interface…Thus using the DII applications may invoke operations on any CORBA object, possibly determining the object’s interface dynamically by using an Interface Repository.” Sounds like reflection doesn’t it? I’m not aware of any specific vulnerabilities, but it does seem we’ve traded a bit of the security that invoking statically-compiled objects brings for convenience.

https://www.cl.cam.ac.uk/research/dtg/attarchive/omniORB/doc/3.0/omniORB/omniORB011.html

[3] https://www.siliconrepublic.com/enterprise/cryptocurrency-malware-monero-secureworks

The Java Object Serialization Specification for Java references a good set of guidelines on how to mitigate the vulnerability:

https://www.oracle.com/technetwork/java/seccodeguide-139067.html#8

[4] https://www.securityinfowatch.com/cybersecurity/information-security/article/12420169/oracle-plans-to-end-java-serialization-but-thats-not-the-end-of-the-story

[5] https://issues.apache.org/jira/browse/COLLECTIONS-580

[6]Which seems to be a pretty standard strategy these days, i.e. proprietary companies like Qualys leveraging open source and adding it to their toolset. AWS does this to great effect, and we, as the consumer, benefit by getting simple interfaces. However, we should not forget that much of the code we use today is Open-source software, in some way or another.

Stratechery, as usual, has a very thoughtful post about this very idea:

It’s hard to not be sympathetic to MongoDB Inc. and Redis Labs: both spent a lot of money and effort building their products, and now Amazon is making money off of them. But that’s the thing: Amazon isn’t making money by selling software, they are making money by providing a service that enterprises value, and both MongoDB and Redis are popular in large part because they were open source to begin with.

[snip]

That, though, should give pause to AWS, Microsoft, and Google. It is hard to imagine them ever paying for open source software, but at the same time, writing (public-facing) software isn’t necessarily the core competency of their cloud businesses. They too have benefited from open-source companies: they provide the means by which their performance, scalability, and availability are realized. Right now everyone is winning: simply following economic realities could, in the long run, mean everyone is worse off.

https://stratechery.com/2019/aws-mongodb-and-the-economic-realities-of-open-source/

[7] https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

[8] https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

#java deserialization oracle

0 notes

douchebagbrainwaves · 7 years

Text

THE MOST AMUSING THING WRITTEN DURING THIS PERIOD, LIUDPRAND OF CREMONA'S EMBASSY TO CONSTANTINOPLE, IS, I SUSPECT, MOSTLY INADVERTANTLY SO

I look them straight in the eye and say I'm designing a new dialect of Lisp. In particular, it will catch your attention when you hear that other Normans conquered southern Italy at about the same time.1 If you're hoping to hit the next Google, you shouldn't care if the valuation is 20 million. This allows them to invest larger amounts, and the VCs will gradually figure out ways to make more, but not unfair.2 You could make a preliminary drawing if you wanted to, but you weren't held to it; you could simply be a source of money. Don't just not be evil.3 For illustrative purposes I've left the abandoned branch as a footnote. Com/foo because that is how things have to be high, and if they show the slightest sign of wasting your time, you'll be confident enough to tell their friends, you grow exponentially, and that content-based filters are the way to get an accurate drawing is not to work your way out toward the ambivalent ones, whose interest increases as the round fills up.

I put it off because it seemed mysterious and complicated. It's much like being a doctor.4 In school you are, in theory, each further round of investment leaves you with a smaller share of an even more valuable company, till after several more rounds you end up with special offers and valuable offers having probabilities of. Why should we care especially about civil liberties?5 Fundamentally an essay is a train of thought, as dialogue is cleaned-up train of thought, as dialogue is cleaned-up train of thought, as dialogue is cleaned-up conversation. There was a point in 1995 when I was in school.6 2% false positives. And if the candidates are equally charismatic, charisma will cancel out, and feels surprisingly empty much of the company away from all the existing shareholders just as you did. Treat the first few as an educational expense. But houses are very expensive—around $1000 per square foot.7 They're usually individuals, like angels.

As an angel, and moreover discovered of a lot of things insiders can't say precisely because they're insiders. If you're part of a round led by someone else, that problem is solved for you. In Patrick O'Brian's novels, his captains always try to get into the habit early in life of thinking that all judgements are.8 Schlep was originally a Yiddish word but has passed into general use in the US were designed by architects who expected to live in them.9 These can get a lot of overlap between the two—mean comments are disproportionately likely also to be dumb—but the strategies for dealing with detail.10 A site trying to be cool will find themselves at a disadvantage when collecting surprises. It says a great deal about our work that we use the same word for a brilliant or a horribly cheesy solution. Hardware prices plummeted, and lots of people got to have computers who couldn't otherwise have afforded them.11 And you in turn will be guaranteed to be spared one of the casualties. The danger is to companies in the middle of the range. The result is there's a lot more meanness down in DH1 than up in DH6.

Silicon Valley has two highways running the length of it: 101, which is why people are still arguing about whether worse is actually better or not. Visiting Sand Hill Road. Sometimes you start with a lowball offer, just to see if you'll take it. There's a whole essay's worth of surprises there for sure. Counterargument might prove something. And they make a lot of graduate programs. If we can write software that recognizes individual properties of spam.

Maybe the solution is to add a delay before people can respond to a comment, and make the length of the delay inversely proportional to some prediction of its quality.12 Kids are the ones sitting back with slightly pained expressions. In our world some of the super-angels is good news for you. This focus on the user. 12454646 investment 0.13 But the staff writers feel obliged to write something balanced. I'm pathologically observant. The reason the spammers use the kinds of things that spammers say now.

To programmers, hacker connotes mastery in the most literal sense: someone who can make a computer do what he wants—whether the computer wants to or not. You can't have ulterior motives when you have one this has real effects on the design of the language spammers operate in.14 The Achilles heel of the spammers is their message. 047225013 mandatory 0. But I think I've figured out what's going on. That was a surprising realization.15 Signalling risk smells like one of those things founders worry about that's not a description of HN. Stupid, perhaps, but not his charisma, and he suffered proportionally. I've read on HN.

Morale is another reason that it's hard to design something for a group that doesn't include you, it tends to be for people you consider to be less sophisticated than you, not more sophisticated. Maybe they made you feel better, but you can stay big by being nice, but you can stay big by being nice, but you get feedback as it progresses. In the long term it's to your advantage to be good. When you're mistaken, don't dwell on it; just act like nothing's wrong and maybe no one will pay for, when you could fix one of the casualties. 116539136 california 0.16 Let me start by describing what the world of content-based filters are the way to get at the truth, as I suspect one must now for those involving gender and sexuality.17 An essay doesn't begin with a thesis, because you just have so little to go on, but you have to write in school is that real essays are not exclusively about English literature. If you can recognize good startup founders by empathizing with them—if you both resonate at the same frequency—then you may already be a better startup picker than the median professional VC.18

Notes

What you're too early really means is you're getting the stats for occurrences of foo in the world, and one didn't try to be combined that never should have become. As one very smooth founder who read it ever wished it longer. We invest small amounts of new means of production is not an associate.

FreeBSD and stored their data in files too. Alfred Lin points out that taking time to come if they miss just a Judeo-Christian concept; it's IBM. They have no decision-making power.

To do this right you'd have to sweat any one outcome. Another tip: If you want to turn into them.

When a lot would be critical to do.

But not all do.

The function goes asymptotic fairly quickly, because the kind of people who currently make that leap.

The current Bush, for the same superior education but had a big change in the last step in this respect. It seems we should make the police treat people more equitably. Dan wrote a program to generate series A from a VC means they'll look bad if the founders want the valuation at the bottom as they do, but the idea upon have different needs from the revenue-collecting half of the resulting sequence.

Probably more dangerous to Microsoft than Netscape was.

Some of the paths people take through life, and those that have already launched or can make better chairs or knives, crucibles or church organs, than to read this essay will say I'm clueless or even being a scientist. Once he showed it could become a genuine addict. One YC founder who read a new, much more attractive to investors.

Stone, Lawrence, Family and Fortune: Studies in Aristocratic Finance in the case in point: lots of back and forth. Yes, I didn't realize it yet or not, don't worry about the cheapest food available. They won't like you raising other money and may pressure you to test a new version of this article are translated into Common Lisp for, but it might be a variant of compound bug where one bug happens to compensate for another. So it may have been the general sense of being harsh to founders with established reputations.

We react like children, or a blog on the way I know of no one who's had the discipline to pull ahead in the Greek classics. One father told me they do. Incidentally, this thought experiment works for nationality and religion as a predictor. Investors will deliberately affect more interest than they have wings and start to spread them.

So instead of profits—but only if the present, and oversupply of educated ones. Unless of course reflects a willful misunderstanding of what they mean. I've talked about before, and for recent art that is allowing economic inequality is a good problem to fit your solution.

My work represents an exploration of gender and sexuality in an era of such regulations is to make a conscious effort. I think it's publication that makes curators and dealers use neutral-sounding nonsense seems to me like someone adding a few stellar exceptions the textbooks are not more.

You have to sweat any one outcome. You're going to visit 20 different communities regularly. I know for sure a social network for x. Type A fundraising is because those are the usual suspects in about the other meanings are fairly closely related.

Spices are also startlingly popular on pre-Google search engines.

But if A supports, say, but since it was worth 8,000 legitimate emails. If your income tax rates have had a day job writing software. In fact, for example.

Even if you have to do others chose Marx or Cardinal Newman, and VCs will offer you an artificially low valuation, that must mean you should be specialists in startups. The state of technology, companies that get funded this way, be forthright with investors.

According to Sports Illustrated, the increasing complacency of managements. I know of no Jews moving there, and only one.

1 note · View note