Open Source Security

Episode 303 - Log4j Christmas Spectacular!


Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn't have caught this. There are still a lot of things to unpack with this event, I'm sure we'll be talking about it well into the future.

Log before Christmas poem

'Twas the night before Christmas, when all through the stack
Not a scanner was scanning, not even a rack,

The SBOMs were uploaded to the portal with care,
In hopes that next year would be boring and bare

The interns were nestled all snug at their beds;
While visions of dashboards danced in their heads;

The CISO in their 'kerchief, and I in my cap,
Had just slept our laptops for a long winter's nap,

When all of a sudden the pager went ack ack
I sprang to my laptop with worries of attack

Away to the browser I flew like a flash,
Tore open the window and cleared out the cache

The red of the dashboard the glow of the screen
Gave a lustre of disaster my eyes rarely seen

When what to my wondering eyes did we appear,
But a new advisory and eight vulnerabilities to fear,

Like a little old hacker all ready to play,
I knew in a moment it must be Log4j

More rapid than gigabit its coursers they came,
And it whistled, and shouted, and called them by name:

"Now, Log4Shell! now CVE! now ASF and NVD!
On, CISA! on, LunaSec! on, GossiTheDog!

To the top of the HackerNews! to the top of the wall!
Now hack away! hack away! hack away all!"

Like the bits that before the wild CDN fly by
When they meet with a firewall, they mount to the sky;

So up to the cloud like bastards they flew
With tweets full of vulns, and Log4j too—

And then, in a twinkling, I read in the slack
The wailing and screaming of each analyst called back

As I drew in my head, and was turning around,
Down the network Log4j came with a bound.

It was dressed in a hoodie, black and zipped tight,
The clothes were all swag from a conference one night

A bundle of vulns it had checked in its git
And it looked like a pedler just being a twit

The changelog—how it twinkled! its features, how merry!
Its versions were like roses, its logo like a cherry!

Its droll little mouth was drawn up like an at,
And the beard on its chin made it look stupid and fat

The stump of a diff it held tight in its teeth,
And the bits, they encircled the repo like a wreath;

It had a flashy readme an annoying little fad
That shook when it downloaded, like a disk drive gone bad

It was chubby and plump, an annoying old package,
And I laughed when I saw it, in spite of the hackage

A wink of its bits and a twist of its head
Soon gave me to know I had everything to dread

It spoke not a word, but went straight to its work,
And pwnt all the servers; then turned with a jerk,

And laying its patches aside of its nose,
And giving a nod, up the network it rose;

It sprang to its packet, to its team gave them more,
And away they all fled leaving behind a back door

But I heard it exclaim, ere it drove out of sight—
"Merry Christmas you nerds, Log4j won tonight!"


Open Source Security by Josh Bressers

Rating: 4.7 (40 ratings)
