Tales from the jar side: Log4J vulnerability, A controversial Chess World Championship second, and Amusing tweets
Dad joke: "Go to bed! The cows are sleeping in the field." "So? What's that have to do with anything?" "It's pasture bedtime!"
Welcome, fellow jarheads, to Tales from the jar side, the Kousen IT newsletter, for the week of December 5 - 12, 2021. This week I taught my Spring Data JPA course on the O’Reilly Learning platform and two NFJS Virtual Workshops: one on Reactive Spring and one on Gradle Concepts and Best Practices.
(If you compare that welcome to previous weeks, you’ll notice I now refer to you as my fellow jarheads, since I’m as much a reader of this newsletter as you are. 😀)
If you wish to become a jarhead by subscribing to this (free!) newsletter, please use this button:
Log4J Vulnerability
This tweet sums up what happened Friday, extending over the weekend. I should warn you, though, that if you don’t already know what it’s referencing, it won’t make much sense:
If you use certain versions of the Java logging library Log4J (the 2.x line) and you include user-supplied input in your log statements, an attacker may be able to execute code on your system. That was disclosed on Friday. This is called an RCE (Remote Code Execution) vulnerability, and it’s considered about as serious as these things get.
Microsoft (of all companies) has a good summary of the problem and several workarounds. Another good description can be found in Sebastian Daschner’s newsletter.
As usual when one of their own is attacked, the open source community sprang into action, and several patches have already been released. In fact, a new version of Log4J (2.15.0) was released right away, so the easiest way to fix your system is to upgrade log4j-core. Remember that the library often arrives as a transitive dependency or bundled inside a fat jar or WAR file, so check what your build actually resolves and what is actually deployed rather than just what your own build file declares. Other workarounds are available if upgrading is not possible.
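Upgrading only helps if you know where every copy of log4j-core lives. The scanner below is an added example for this newsletter, not code from the original post or from the Log4j project. It assumes only that Maven-built log4j-core jars carry a pom.properties file under META-INF/maven/org.apache.logging.log4j/log4j-core/ with a version line (true of the published artifacts), treats anything below the 2.15.0 release mentioned above as needing an upgrade (raise the constant as newer fixes ship), and goes a step beyond the text by also looking inside nested archives such as Spring Boot fat jars, WARs and EARs. The sample jars its demo builds are constructed stand-ins, not the real artifacts.

```python
"""Find log4j-core jars on disk and flag versions below the fixed release.

Added example; not from the newsletter or the Log4j project. Assumes only that
Maven-built log4j-core jars contain META-INF/maven/org.apache.logging.log4j/
log4j-core/pom.properties with a `version=` line. Nested archives are searched.
"""
import io
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = "2.15.0"  # release recommended above; raise as newer fixes ship
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(version):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0), so pre-releases sort first."""
    main, _, pre = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", main))
    nums = (nums + (0, 0, 0))[:3]
    return nums + ((0,) if pre else (1,))


def is_vulnerable_version(version):
    """True when this log4j-core version predates FIXED_VERSION."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def _version_from_props(data):
    """Pull the version= value out of a pom.properties blob."""
    for line in data.decode("utf-8", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def scan_archive(blob, path):
    """Yield (location, version) for each log4j-core in an archive, recursing into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            version = _version_from_props(zf.read(POM_PROPS))
            if version:
                yield path, version
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                # JVM jar: URL style, e.g. app.jar!BOOT-INF/lib/log4j-core-2.11.2.jar
                yield from scan_archive(zf.read(name), f"{path}!{name}")


def scan_tree(root):
    """Walk `root`; return sorted (location, version, vulnerable) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    blob = fh.read()
                for location, version in scan_archive(blob, full):
                    findings.append((location, version, is_vulnerable_version(version)))
    return sorted(findings)


# --- constructed demo data: stand-in jars, not the real artifacts ----------------
def make_log4j_jar(version):
    """Minimal fake log4j-core jar containing only the pom.properties marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def make_fat_jar(entry_name, entry_bytes):
    """Fake application jar bundling one entry (e.g. a nested library jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(entry_name, entry_bytes)
    return buf.getvalue()


def demo():
    """Build a throwaway tree with three log4j-core copies and one unrelated jar, then scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.mkdir(os.path.join(root, "lib"))
    samples = {
        "lib/log4j-core-2.14.1.jar": make_log4j_jar("2.14.1"),
        "lib/log4j-core-2.15.0.jar": make_log4j_jar("2.15.0"),
        "app.jar": make_fat_jar("BOOT-INF/lib/log4j-core-2.11.2.jar", make_log4j_jar("2.11.2")),
        "other.jar": make_fat_jar("README.txt", b"no logging library here\n"),
    }
    for rel, blob in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(blob)
    return scan_tree(root)


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for location, version, vulnerable in results:
        print(f"{'VULNERABLE' if vulnerable else 'ok':10} {version:8} {location}")
```

Run it with a directory argument to scan a real deployment (for example an application server’s lib directory); with no argument it scans the constructed sample tree and reports the 2.11.2 copy hidden inside app.jar and the 2.14.1 copy in lib as vulnerable, and the 2.15.0 copy as fine. Matching on pom.properties rather than on file names matters because shaded and renamed jars keep the Maven metadata but not the original name.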
The other important thing to avoid is attacking the maintainers of the library:
Of course, since the jarheads reading this newsletter are all far more clever, empathetic, and understanding than the average developer, I’m sure none of you would do that. Still, you might need to remind others not to blame the three people (!) who maintain this library on their own time (!) as a part-time job (!).
Many, many enterprise applications rely on the open source community for their foundations, as this tweet (refactored from an older version) shows:
The goal seems to be to shame businesses into funding the development of open source libraries, and there’s something to that. As Cédric Champeau points out in this thread, however, that would not have mattered in this particular case.
The problem did not affect me personally. As the subtitle of my blog says, borrowing from Good Will Hunting, “I teach this stuff. I didn’t say I know how to do it.” I teach lots of courses, but I don’t maintain any public-facing systems that might be subject to this problem.
I view the whole event as a success story, demonstrating how a team of developers all over the world can come together to solve a problem. I really like distributed, international, teams like that, which leads me to my next topic.
Chess Tribalism
I’ve often talked about my fondness for chess in this newsletter. If you are a fan at all, you’re probably aware that World Champion Magnus Carlsen has been defending his title from challenger Ian (pronounced “Yan”) Nepomniachtchi (pronounced, believe it or not, Nee-PON-nee-shee, more or less). Over the last couple of weeks they played what was supposed to be a 14 game match.
The first five games were hard-fought draws, where game 2 in particular could have gone either way. Game 6 became a classic, one of Carlsen’s best games of his career, as he accumulated tiny advantages and then squeezed out a magnificent win in 136 moves played out over nearly 8 hours.
Nepo (as they call him) never really recovered. After a draw in game 7, he blundered away a pawn into an inferior position in game 8, leading to another Magnus victory. Then he allowed his bishop to get trapped in game 10 in a blunder most commentators described as astonishing at that level and lost again. Finally, in game 11, he made another mistake that led to an attack by Magnus that should have ended the game early, but instead the champion chose a conservative line which took longer to win but was never really in doubt. That gave him 7 1/2 points to 3 1/2 for Nepo, and the match was over.
Carlsen is from Norway, and Nepo is from Russia. That turned out to be important in the controversy that erupted over the weekend.
On Saturday Magnus tweeted a video announcing the team of Grandmasters that helped him both before and during the match:
One of them, “ideas man” Daniil Dubov, is also from Russia, and that’s the problem. A couple of GMs high in the Russian hierarchy got upset that one of their own would help Carlsen rather than Nepo. Even though the championship is an individual title, Russia has always cared a bit too much that the title be held by a Russian (and prior to that, a Soviet).
When Bobby Fischer upset Boris Spassky in 1972, the Soviets lost the title they’d held since 1948. In case you’re interested, the sequence of champions went:
Mikhail Botvinnik, 1948 - 1957
Vasily Smyslov, 1957 - 1958
Botvinnik (won the rematch), 1958 - 1960
Mikhail Tal, 1960 - 1961
Botvinnik (again won the rematch), 1961 - 1963
Tigran Petrosian, 1963 - 1969 (technically Armenian, but that was part of the Soviet Union in those days)
Boris Spassky, 1969 - 1972
Bobby Fischer, 1972 - 1975
Fischer never played for the title again, forfeiting it when he couldn’t come to an agreement to play the Soviets’ next great hope, Anatoly Karpov.
Anatoly Karpov, 1975 - 1985
Garry Kasparov, 1985 - 1993 (born in Baku, Azerbaijan, to an Armenian mother; his matches with Karpov were epic)
Then things got weird. Kasparov broke away from FIDE, the international body governing chess, and FIDE gave the title back to Karpov, though Kasparov disputed it and arguably was champion until 2000.
For several years, from 2000 - 2006, the situation was chaotic, involving different champions recognized by different bodies, much like boxing. Finally, in 2006, everything got reunited again.
Vladimir Kramnik, 2006 - 2007 (yet another Russian)
Viswanathan Anand, 2007 - 2013 (the “Tiger from Madras,” from India!)
Magnus Carlsen, 2013 - present
Anand’s breakthrough was historic, and led to a surge of interest in chess in India. The current generation of staggeringly talented juniors from India is a direct result, and if India isn’t already considered a chess superpower, they soon will be.
Magnus won the title in 2013 at age 22, and has defended it four times, including once against Anand, and once against the Russian Sergey Karjakin, who was one of the Grandmasters criticizing Dubov for working with a non-Russian. Things got pretty ugly over the weekend.
I didn’t understand this at first, until I realized he was saying that he wouldn’t trust any Norwegians to help him defeat Magnus. It then got worse:
The situation is still developing, but here’s a link to Dubov’s response. He argues that he’s had a long-term relationship with Carlsen, he likes working with him, doing so will benefit his career, and it’s an individual title anyway so what’s the big deal?
I don’t know how this is going to play out. All I know is that the most likely future challenger who might actually take Magnus’s title is 18-year-old phenom Alireza Firouzja. Firouzja was born in Iran but had to emigrate to France because Iran would have prohibited him from ever playing anyone Israeli. So this politicization of chess (which has been around for decades) is not going away any time soon.
Amusing Tweets
I wish I knew where the person tweeting this found the sign:
I loved this about being too pedantic:
This is sad, but hits a bit too close to home:
This is, shall we say, on fire:
Finally, ’tis the season:
Seriously, wassailants is an awesome term that I have to find a way to incorporate into some conversation during the holidays.
As a reminder, you can see all my upcoming training courses on the O’Reilly Learning Platform here and all the upcoming NFJS Virtual Workshops here.
Last week:
Spring Data Fundamentals, on the O’Reilly Learning Platform
Reactive Spring, an NFJS Virtual Workshop
Gradle Concepts and Best Practices, an NFJS Virtual Workshop
This week:
Reactive Spring and Spring Boot, on the O’Reilly Learning Platform
Kotlin Features Java Devs Need To Know, an NFJS webinar, Friday, 1pm Eastern Time.