Reply to @[email protected]
@wolf480pl@mstdn.io the weirdest part is that there seem to be people who actually like it, or at the very least are very good at pretending that they're not depressed, i can't fathom how they manage
Diabolical Catgirl
Reply to @[email protected]
@quad@akko.quad.moe @wolf480pl@mstdn.io what's so bad about infosec?
Reply to @[email protected]
infosec-
Reply to @[email protected]
re: infosec-
@wolf480pl@mstdn.io @Nepiant@varishangout.net god I hate the "outdated libraries". The infosec guy at my workplace has scanners for all the crap and files installed on machines. And even to this day once in a while I get some E-mail where he's screaming about having found a machine with an old vulnerable log4j version. So I, the "field worker", have to drop the more important thing I'm doing (like I dunno, updating firmware on our switches or something) to go out and fix it ASAP. I try to explain to him that "this is a locally running GUI application, installed on a user's machine, which doesn't listen to any ports or really communicate in any way, it only writes debug logs of what it does internally to AppData. The thing isn't bloody vulnerable when there's no way for an attacker to trigger log messages in log4j via a network connection, and if they can remotely control the user's machine to enter something into the piece of software we'd be fucked anyways" but no, "LOG4J BAD" so I have to go and fix it immediately no matter what I'm doing. So at the next monthly summary he can brag to management that he took action and made sure this very severe issue got fixed, "so please don't fire me". And if at the same time our switches got compromised because I was unable to secure them since my time was wasted on this log4j bullshit, I could bet an entire arm that he'd take zero responsibility and he'd convince management that it was my fault "because updating the switches is a regular maintenance task, not an infosec task". They usually do almost nothing besides check imaginary checkboxes for management and make work 10x harder for the rest of the IT department.
Diabolical Catgirl
Reply to @[email protected]
re: infosec-
@quad@akko.quad.moe @wolf480pl@mstdn.io is infosec the same thing as sysadmin? or am i thinking of two different things?
Reply to @[email protected]
@Nepiant@varishangout.net @wolf480pl@mstdn.io sysadmin is a System Administrator, they run the servers day to day. Infosec is Information Security. There's plenty of good people in the infosec industry like pentesters or security researchers. But the ones employed by a typical company (often called a "CISO") is mostly a useless position only there to make pretty presentations to upper management. They usually claim to be responsible for security, but immediately shove the actual responsibility for a security issue onto someone else.