The Weekly Ink #25
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate the company - and anyone else who will listen - on security happenings and culture.
If you have links or projects that you think would be interesting to share, be sure to send them to labs@duosecurity.com.
One Finn's Weird Trick To Alienate Developers They Don't Want You To Know
There's a stereotype of IT workers as being elitist and selfish with little regard for the feelings of others, preferring the warmth of a flickering CRT to the warmth of human interaction. People with a brash streak, who aren't afraid to "call it as they see it" even if it means hurting some feelings; you know, tactless jerks.
Though he's shown awareness and empathy in the past after being rude, Linux kernel creator Linus Torvalds keeps finding himself at the center of controversy over comments he makes. In this case, Linus gave a meandering, deflective answer during a Q&A session at the linux.conf.au conference in response to applause-garnering questions about the negative tone on the Linux kernel mailing list that has driven some contributors away.
His basic argument is that "some people are unpleasant and really good technically" with the unspoken implication that there's no need for them to adjust their attitudes -- but wouldn't it be better to, you know, try to be pleasant and good technically? Or is that concept too "hugbox"-y and an unfair expectation for developer-types? Let us know in the comments.
This Journalist Worked To Expose Government Corruption... You Won't Believe What Happened Next!
Remember the Stratfor hack? When some Anons hacked into intelligence firm/government contractor Stratfor and released 200 gigabytes' worth of data, including user database information, customer credit card numbers, and internal emails and documents, prior to wiping a handful of servers? Barrett Brown does, seeing as this week he was sentenced to 63 months in prison (minus 28 months' time served). In addition, he was ordered to pay $890,000 in restitution regarding his involvement as an "accessory-after-the-fact", for obstructing the execution of a search warrant, and for making death threats against an FBI agent.
The judge in the case postponed sentencing of Brown to review the arguments at hand, and wound up agreeing with prosecutors' arguments that by linking to Anonymous' data dump, he aided in a conspiracy including theft of credit cards.
Civil libertarians argue that this sets a dangerous precedent and creates a possible chilling effect for journalists dealing with data obtained illegally. While Brown was guilty on other counts (which he admitted to both in his speech during sentencing and via his guilty plea), is it fair to consider somebody a conspirator in a crime for linking to something that's already publicly available?
2 Classic Ways To Get Your Box Popped Only 90s Kids Will Remember
We could probably publish this story any time during the year and have it be accurate... there are new Java and Flash vulnerabilities in the wild!
The Flash vulnerability is particularly scary, as A) it's actively being exploited and B) there's a patch available that Adobe acknowledges may not address the issue entirely.
We strongly recommend disabling Flash and Java in the browser if possible, or at least setting them to "click-to-play". In Chrome, you can even set exceptions for "trusted" sites that you know use these plugins (though the wisdom of doing so is questionable, the convenience is understood).
The Insane Super Cookie You Probably Didn't Know About... But Advertisers Do!
We've known for a few months that telecoms have been inserting uniquely identifiable headers into web traffic passing over their networks. AT&T stopped the practice, whereas Verizon bravely continues onward, like a privacy-destroying engine that could. But it's okay, right? They promised "not to abuse it" -- whatever that means -- and offered a method to "opt-out", which only means Verizon claims they won't directly give your information to advertisers; the headers are still inserted.
The funny thing about these injected headers is that they're also accessible to sites you access via their network... and advertising companies really like knowing who you are and tracking your activity, and Verizon gave them a great way to do so.
Gross.
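Because the injected header arrives at the web server like any other request header, a site operator can at least see it, log its presence, and keep it out of application code and analytics. The following is an added example, not code from Duo Labs or from the newsletter: a small WSGI middleware that detects and strips carrier-injected tracking headers before the application runs. The header name X-UIDH is not given in the newsletter; it is the name Verizon's header was reported under and is used here as an assumption, and the request itself is constructed.

```python
"""Added example: detect and strip carrier-injected tracking headers at the
WSGI edge, so the application never consumes the identifier and operators get
a log line each time one shows up."""
import logging
from typing import Callable, Dict, Iterable, List, Tuple

log = logging.getLogger("carrier-headers")

# Assumption: X-UIDH is the header name Verizon's injected identifier was
# reported under. It is not named in the newsletter; extend this set with any
# other carrier-injected names you observe in your own logs.
TRACKING_HEADERS = frozenset({"X-UIDH"})


def _to_environ_key(name: str) -> str:
    # WSGI exposes request headers as HTTP_<NAME>, upper-cased, dashes -> underscores.
    return "HTTP_" + name.upper().replace("-", "_")


def find_tracking_headers(environ: Dict[str, str]) -> Dict[str, str]:
    """Return {header-name: value} for every known tracking header in a WSGI environ."""
    found: Dict[str, str] = {}
    for name in TRACKING_HEADERS:
        key = _to_environ_key(name)
        if key in environ:
            found[name] = environ[key]
    return found


class StripTrackingHeaders:
    """Middleware: log and remove carrier tracking headers before the app sees them."""

    def __init__(self, app: Callable) -> None:
        self.app = app
        self.stripped = 0  # running count, handy for a metrics endpoint

    def __call__(self, environ: Dict[str, str], start_response: Callable) -> Iterable[bytes]:
        found = find_tracking_headers(environ)
        if found:
            self.stripped += len(found)
            for name in found:
                del environ[_to_environ_key(name)]
            # Log the names only; the value is the identifier we do not want to retain.
            log.warning("stripped carrier tracking header(s) %s from %s",
                        sorted(found), environ.get("REMOTE_ADDR", "?"))
        return self.app(environ, start_response)


def sample_app(environ: Dict[str, str], start_response: Callable) -> List[bytes]:
    """Constructed downstream application: reports which tracking headers it can see."""
    visible = ",".join(sorted(find_tracking_headers(environ))) or "none"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"tracking headers visible to app: {visible}".encode()]


def run_request(app: Callable, environ: Dict[str, str]) -> str:
    """Drive a WSGI app with a prepared environ and return the response body as text."""
    def start_response(status: str, headers: List[Tuple[str, str]]) -> None:
        pass
    return b"".join(app(environ, start_response)).decode()


def demo() -> Dict[str, str]:
    """Run the same constructed request with and without the middleware."""
    # Constructed request, roughly as a carrier gateway would deliver it.
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/",
        "REMOTE_ADDR": "203.0.113.7",          # documentation-range address
        "HTTP_HOST": "example.com",
        "HTTP_USER_AGENT": "constructed-client/1.0",
        "HTTP_X_UIDH": "CONSTRUCTED-OPAQUE-TOKEN",  # assumed name, constructed value
    }
    return {
        "unprotected": run_request(sample_app, dict(environ)),
        "protected": run_request(StripTrackingHeaders(sample_app), dict(environ)),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for label, body in demo().items():
        print(f"{label}: {body}")
```

Stripping the header at the edge only keeps the site from consuming or storing the identifier; it does nothing for the subscriber, since the carrier inserts the header in transit and every other site on the path still receives it. The logging is the useful part for operators: a count of stripped headers over time shows how much of your traffic arrives already tagged.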