Got my old pc up as a home server, probs overkill but was sitting collecting dust.
Ryzen 2700X, Crosshair VII, 970 Evo Plus 500GB, 64GB RAM and an Nvidia Quadro P4000, 32TB WD Red as NAS storage.
Currently Running all as VMs/LXC via proxmox
Adguard
Home Assistant
Plex, sonarr/ radarr/ bazarr / deluge.
TrueNAS using HBA passthrough for my drivers
Bitwarden
Prometheus and Grafana for monitoring
Traefik reverse proxy
Ubiquiti Controller
Google's ad network is pretty ubiquitous since it spans almost all the known web. Facebook is pretty big too but relies mostly on its own platform (FB, Inst etc.). For sure Google is affected, but I imagine the impact is less.
Also one thing that shouldn't be missed: Google controls Android, the most popular mobile OS in the world (except US maybe) so it wasn't affected as strongly by Apple's clampdown.
The lesson to Zuck is clear: he absolutely needs to own the next digital platform, and in his mind it's the metaverse so he's going all in. I question the decisions he makes but the reasoning seems pretty solid at least (unlike a certain Electric Car maker).
That's a version of this which doesn't stress out employees so the best ones don't jump the ship at first occasion.
Our org went through something similar some 6 years ago, and it was a stark contrast with previous frequent firing rounds when nobody would be secure, sometimes even the best within a given team were let go (i.e. due to current allocation issues).
But this can replace small firing, i.e. up to 10%, not when you are doing stuff Musk-style.
Instagram, Facebook and Messenger working for me. WhatsApp still down though, for me anyway. Can't like or comment on posts. I get this message in dev tools: "A server error field_exception occured."
Nit: I wouldn't say "originating". That's where this specific exploit is coming from "most recently". But it would seem to not be script kiddies and they're listing like 8 countries. I would assume the bad actors could be anywhere, proxying traffic through any number of other places.
Failure to sanitize input is one thing, but the bigger issue to me is that, with so many of these Java server installations, a simple injection can immediately lead to "game over" from a server takeover perspective.
For the bug in question, I bet the vast majority of webservers never need the ability to call unrestricted Runtime.exec(), yet access to that is just one unsanitized input away from complete control over your server.
OS vendors have made leaps and bounds in the past decade making it much harder for code vulnerabilities to lead to system takeover. I'd argue it's time for server code and language runtimes to make it easier to write secure code.
That’s fair. But there needs to be a point somewhere that you just get work done.
I absolutely agree that runtimes, frameworks, and server code should do a better job at trust and sanitization, but you will always get to a point where if you want to get something done, you need to do the work.
I guess I’m skeptical that eval() or Runtime.exec() could or even should take in lists and configs of what the code is allowed to do and monitor for it during execution. It seems like doing that would add countless issues and complexity, but more so just kick the can down the code to another layer with the same eventual issue.