As the software world is reeling over the log4j exploit (aka Log4Shell, aka CVE-2021-44228), I can’t help but feel a little tinge of unhealthy schadenfreude over the Java ecosystem. As I see it, Java’s infatuation with remote object directories and service providers directly led to this whack-a-mole-security-vulnerability reality that Java has been stuck in for decades. Java Naming and Directory Interface - JNDI Common Object Request Broker Architecture - CORBA Remote Method Invocation - RMI It brings to mind Moxie Marlinspike’s 2011 article “The Cryptographic Doom Principle” where he laid out the following: