HACK Issue 003: Who discovered Log4J, Ambulance chasing, and No one gets hurt in the air
Greetings from Boise and Merry Christmas Eve!
As I write this, I'm sitting on my couch next to my Christmas tree. I have my morning coffee and I just completed my morning workout. Reflecting on the amazing time with family I have ahead today and tomorrow as we celebrate one of my favorite holidays, Christmas.
Enjoy the links and reads today and have a wonderful holiday season!
Security tweets and more Log4 to the J
Anyone vulnerable…. To log shell? Anyone NOT?
Live overflow did a vid . Love his creative style and communication capability.
Who discovered Log4j? I was asking myself that this week as I hadn't heard who it was or read about how it was discovered. So I did some googling. Turns out it was a young hacker who works on Alibaba's cloud security team.
Pretty amazing that #log4j RCE was discovered by an individual hacker - Chen Zhaojun from Alibaba's Cloud Security Team. And the hacker of the year award goes to...
— Luke Tucker 📈 (@luketucker) December 22, 2021
There's been some interesting conversations around this that I've seen in replies to that tweet and across the internet. There's a lot swirling around this and I think like any crises like this, it raises questions and puts a focus on areas that might need diving deeper into: like how we take for granted volunteer open source maintainers, and how we can't expect every line of code to be audited. Enter The Vigilant: Daniel Missler's idea that I think has potential.
Speaking of Daniel, here is Daniel Miessler's top 4 security podcasts and blogs / newsletters - I have been a paid subscriber of Daniel's content for years - high signal, must read content. And Clint reminds me of what I was doing with Zero Daily for a long time, but more technical and well just better. No one has the swagger and perspective that Patrick Gray does, always a strong choice. Give em all a follow.
Cybersecurity marketing wins and lessons
I'm always looking at cool things companies are doing to not "ambulance chase" with log4J type of vulns but add value into the narrative. Contribute a unique opinion, offer good data for public use, create spaces for conversation and knowledge sharing, discounting their services to those affected, etc. I saw one brand setup a twitter spaces room to discuss log4j with their team. It was a small room but I thought it was a cool idea nonetheless.
Also, my former colleagues at HackerOne put out some interesting data. Go hackers!
Into week 3 and some more #log4shell insights from @Hacker0x01: at its peak on December 12, 28% of all hackers submitted reports that day filed a log4shell report pic.twitter.com/gW4S03XBiF
— HackerOne (@Hacker0x01) December 21, 2021
Inspiration: No one gets hurt in the air
Sometimes the most secure thing to do seems like the most insecure. The great paradox of Christianity is the teaching that you are to die to yourself, humble yourself, empty yourself trusting fully in God. What seems like anathema is in fact the safest thing you can do. Because you’re tapping into something otherworldly. You’re inviting the divine to take over. The most dangerous and unsure thing we can do is live without God. For creation to live without its creator.
I was reflecting on this in my personal devotion and one of the books I'm reading is Not Fade Away, a very somber yet inspirational story by a successful businessman who wrote the book while he was dying of cancer. And he had a quote that I loved:
No one gets hurt in the air - Laurence Shames
The lesson I've taken away for myself and for you, dear reader, as we all enjoy the holidays and begin thinking about the new year and our potential resolutions and goals: Jump. It's the safest thing you can do. Follow your heart. Take the leap.
See you in the air.
Luke