A GitHub employee replied on Twitter:
https://twitter.com/_mph4/status/1470343429599211528
> I just personally looked into this and can confirm we did not take down this repo nor are we actively removing Log4j related content from @github, consistent with our policies re: dual-use
Maybe too early to grab pitchforks?
UPDATE: GitHub CISO pointed out that GitHub did NOT take down the JNDI Exploit repository.
https://twitter.com/_mph4/status/1470343429599211528
https://twitter.com/christophetd/status/1470346676053422081
This is surprising, considering what is outlined in a previous comment[1]. I hope GitHub provides more transparency on the takedown actions for "malicious content / exploits" like they do for DMCA notices[2].
Apologies for making wrong assumptions. I removed the original Tweet (see screenshot[3] for the original).
[1] https://news.ycombinator.com/item?id=29538151
[2] https://github.com/github/dmca
[3] https://i.imgur.com/sJe3OTI.png
They do this every time, and have a previously stated approach of blocking zero-day attack scripts for the first X days of a zero-day, when they deem it sufficiently dangerous to the Internet. So, yes, yet again, they're doing this, just as they always do. Is there something new this time that makes this newsworthy?
This is disappointing. I used this tool to understand the vulnerability within the first few hours of response. It allowed me to prove mitigations worked, and therefore gave certainty.
But there's not only GitHub. They can just use GitLab or, if that does not work, Codeberg. Somehow the whole industry really seems to be content with bootlicking any of the Big Five.
So what? There are plenty of resources on how to fix the vulnerability. Those who really want to see the code will find it anyway, both malicious actors and admins.
This mostly prevents skids from getting hold of it and using it against their school, etc.
I'm honestly kinda surprised. The policy seems willfully ignorant of the Streisand effect. I get the reasons behind it, I'm just surprised it wasn't laughed down at some internal GitHub planning meeting. "No, that'll never work, Dave! 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0, remember?"
You all know that in Germany, for example, it is strictly forbidden to publish/code such tools.
From what I know there are also other countries that do the same.
So now GitHub would have to implement region availability so as not to get into trouble with German law.
Let alone that this is so fresh that preventing script kiddies from downloading a tool is a perfectly valid move.
Looks like the original is up? Or is it a re-upload?
https://github.com/Jeromeyoung/JNDIExploit-1
The author of this tweet asks for upvotes on Twitter[1]. Isn't that against the rules?
[1] https://twitter.com/christophetd/status/1470293533416427524?s=20
"Github taking down whitehat tool for reproducing vulnerability".
The title as it stands begs the question: who is "allowing defenders", Github or the tools? Also "defenders" is a weird word to use here.
Whoever wants this gone is actively scrubbing it from GitHub (i.e., it seems to be GitHub doing this). A few moments ago I found https://github.com/0x727/JNDIExploit, but while browsing around, the repo suddenly went 404. Wow.
However, it seems that the way GitHub handles forks vs. user deletions is that when a user deletes a fork (or it's Done For Them™), the fork "root owner" is transferred within the chain to someone else. I don't quite get it. Or maybe something else is going on.
In any case, a few minutes ago https://github.com/search?l=&q=filename%3AJNDIExploit.iml&type=code was showing JNDIExploit under "0x727", but now the page is showing the repo "owned" by a different user (with the network graph on the repo page showing everyone else as forking the repo from that new user).
So the above search link is your best bet for finding the repo. It's currently listed as owned by "zzwlpx", but you'll probably see a different user (especially if https://github.com/zzwlpx/JNDIExploit no longer works).
It currently has 245 forks, so good luck, GitHub, keeping this squashed. [Edit: I now see a comment mentioning that GitHub has a policy of trying to squash 0days for the first X days, which is a very understandable reaction given that it's where everyone goes, from the skiddies who just like seeing things burn (and prevent everyone from having nice things) to the researchers trying to respectfully evaluate damage. Sigh.]
---
Some other things I found while playing with GitHub search:
https://github.com/zhuowei/GhidraLog4Shell
https://github.com/samjcs/log4shell-possible-malware
https://github.com/mbechler/marshalsec/