You don’t have to read it, but you just might learn something.
Leading Thought
Prime
How one of Vladimir Putin’s most prized hacking units got pwned by the FBI
Thanks to Matt Davis for sharing this great story about how Snake, a Russian-sponsored virus propagating in different forms since 2003, was defeated by the FBI. While this is a gross-oversimplification, the crux of it is that sloppy programming mistakes allowed them to crack the encryption being used and ultimately write a counter-virus to neutralize Snake.
If you enjoy infosec stories, hacking stories, or even stories about the global shadow war being fought on The Internet, then definitely give it a read.
Despite the bravado of its developers, Snake is among the most sophisticated pieces of malware ever found, the FBI said. The modular design, custom encryption layers, and high-caliber quality of the code base have made it hard if not impossible for antivirus software to detect.
How a Grad Student Uncovered the Largest Known Slave Auction in the U.S.
This is a story everyone should read, to truly understand how common the trade of people was in the United States, as well as the scale. Up until this discovery, the largest auction that had been discovered was 436 people – families ripped apart. This auction was vastly more, with an estimated value of $7.7M in current value.
But this simple discovery uncovered much more than just the largest auction known to date. The story also details how the wife of owner of the slaves at auction bought a couple of plantations that they had owned, as well as a large number of the slave auctioned at the estate. It is just one example of a family still revered for their standing in the community.
While this may make some uncomfortable, it’s important that we all face the history of the United States to fully understand the disparity we see today. Much of the generational wealth of white people has been built on the backs of the labor of others. To deny the impact of our past is to be doomed to repeat much of the worst parts.
Enslaved people could be bought on credit, so banks that mortgaged the sales made money, too. Firms also insured slaves, for a fee. Newspapers sold slave auction ads. The city of Charleston made money, too, by taxing public auctions.
Jack Kirby’s Son, Neal Kirby Responds to Stan Lee Disney+ Documentary
If you are old enough to have read the Silver and Golden age comics from Marvel, then you know the importance of Jack “King” Kirby to Marvel Comics success. While Stan Lee managed to take mast of the credit for the creation of characters like Captain America, Black Panther, The Fantastic Four, and X-Men, among others, none of them would have existed without Kirby.
With Disney now owning the Marvel properties, it should come as no surprise that they continue the self-made mythos Stan Lee created for himself. If you know only the Marvel movies, or are only familiar with Marvel from the outside, then you likely believe that Stan Lee was Marvel Comics. The reality is much different, as anyone who is a fan of Kirby’s work will attest. Give it a read. While Stan Lee was important to the success of Marvel, he by no means did it alone, and the contributions of men like Kirby should neither be ignored nor forgotten.
Are we to assume Lee had a hand in creating every Marvel character? Are we to assume that the other co-creator never walked into Lee’s office and said, “Stan, I have a great idea for a character!” According to Lee, it was always his idea.
Coming Soon
Black Hat USA
(August 5-10, 2023 | Mandalay Bay / Las Vegas + Virtual)
Infosec your thing? Then check out this conference in Vegas. There are two day classes available, as well as briefings demos, and more.
Black Is Tech 2023
(In-Person (Atlanta, GA): August 9 – 11, 2023 | Virtual: August 7 – 9, 2023)
The Black Is Tech Conference is a platform that connects Black tech professionals, students and entrepreneurs and provides access to resources for growth and development for these groups.
Humble Bundles
Popular Programming Languages 2023 Book Bundle
New offering from Humble Bundle benefitting Code for America – and, if you don’t know it’s there, there is an Adjust Donation button that will let you give more of the take to charity! For a minimum donation of $25 you get 15 titles, including:
- Learning TypeScript
- Multithreaded Javascript
- Cloud Native Go
- Robust Python
- Programming C# 10
- And more!
Sybex Certification Prep Book Bundle
New offering from Humble Bundle benefitting American Library Association – and, if you don’t know it’s there, there is an Adjust Donation button that will let you give more of the take to charity! For a minimum donation of $25 you get 22 titles, including:
- CISM Certified Information Security Manager Study Guide
- CompTIA A+ Complete Study Guide: Core 1 Exam 220-1101 and Core 2 Exam 220-1102, 5th Edition
- CompTIA Linux+ Study Guide: Exam XK0-005, 5th Edition
- CompTIA Server+ Study Guide: Exam SK0-005, 2nd Edition
- (ISC)2 CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition
- And more!
Data
Covering Index in SQL
Nice little post here about what a covering index is and how they can help you (or not) retrieve data more quickly.
Engineering
Refactoring Is Not Just Clickbait
This is a recording of a talk Kevlin Henney gave at NDC London 2023. Good information not only about what refactoring is, but why it’s a necessary part of regular development.
A lot of developers will say things like ‘My Product Owner doesn’t allow us to refactor’ or ‘We can’t get a story prioritized for refactoring and addressing tech debt’. But there is a fundamental misunderstanding here about refactoring: it’s not a story, it’s not prioritized, and it doesn’t need approval. Refactoring code for maintainability and understandability is a critical part of development and should be factored into estimates (if you do estimates). Take pride in your work. Be a craftsman.
Worth a watch by anyone involved with software development for a better understanding of refactoring. If you happen to run into the Product Owner or business partners that think that refactoring is separate from development, show them this. It just may make your life easier.
It’s unmanaged technical debt, that’s your problem. How did you get it?
We have no idea. It just appeared. Like the bugs.
But until you understand that, that it is the act of a thousand edits – it doesn’t happen just once, technical debt does not just mysteriously appear overnight, oh look, I suddenly got a mortgage, I hadn’t planned on that! (yeah, banks are a little more cautious about things like that) – it’s more a case of these are small debts, they are your little credit card things, I’ll just charge this, I’ll just do that, a snack here, a snack there, a shortcut here, a shortcut there. Yeah, I know there’s a better way of doing this… and a thousand edits later, you’re going like Ooh, where did this come from?
Infosec
Can you trust ChatGPT’s package recommendations?
This is a fun read of a proof-of-concept attack based on AI hallucinations (when an AI generates unexpected, untrue results not backed by real-world data) – and, yes, it is coming from a company that wants you to use their product. Still, the idea is intriguing and worth a read.
The basic premise is that when asked to provide a coding solution, an AI system may hallucinate a package (or library) that doesn’t actually exist. If this hallucination is known by an attacker, then a malicious package may be created to fill the void such that the next user to have the hallucination presented as a solution will find the recommended package and (potentially) install it – essentially a supply chain attack.
While it may seem that the chances of this occurring are low, the simple fact that someone has now tried it and found it to be a potential attack vector almost wills it into reality. The Open Source community brings a lot of power for good with it but, like anything, can be exploited by those with nefarious intentions, damaging the entire ecosystem. Time will tell how much of a problem this will become but, if you develop software professionally and use open source software, make sure you know what you are installing (which you hopefully already do).
Observability (O11y)
Implementing Open-Source Monitoring and Observability In Kubernetes
Good post here introducing tools like Grafana, Prometheus, FluentD, among others, to create an observability solution for your Kubernetes clusters. There isn’t a ton of detail here beyond run this helm command to get X, but it is enough to whet your appetite and get you started.