The Internet of Things Hamstrings The Internet, Dirty COW Makes Linux Vulnerable, and more can't miss news

An IoT botnet struck the Internet on Friday, Linux has a long-standing privilege escalation exploit, and tons of other news give us a full roundup for this week. Read on for details and more you need to know.

Around the Web

Which programming language should you learn first? As you might guess, there's not really a simple answer, but this is still a great piece to send to people asking you what language they should learn.

Feature flags are great for lots of things, but there are some cases where feature flags cause problems. This piece explains some of them and gives us some things to consider when including them in our code.

You may have noticed a tiny bit of trouble getting to popular sites on Friday - this was because of a gigantic DDoS against DNS provider Dyn. Flashpoint first linked these attacks to the Mirai botnet composed primarily of IoT devices first used to harass security researcher Brian Krebs, and the New York Times report further rounds out the context and details on the attack. Interesting to note that both Krebs and Dyn were recently, publicly, negative on the DDoS-for-hire business model and the companies that protect it... Just saying.

Speaking of security, Elie Burzstein gives us a totally fascinating glimpse into the world of high-end poker cheating, and you will legitimately be amazed at how advanced the hardware and software used to cheat is.

We talked about over-engineering a little bit last week, and this post from Fagner Brack explains it perfectly, including code samples, making it trivial to figure out if your team is over-engineering things and why that is a bad idea.

Linux is vulnerable to a nasty local privilege escalation called Dirty COW (CVE-2016-5195) that has been exploitable for nine years (since 2.6.22!) Additionally, there's evidence that exploits for this bug already exist in the wild, so if you haven't patched your kernels since Thursday... get on it. Speaking of Linux bugs, there's a great analysis on codeblog of the lifetime of a Linux security bug that helps illustrate how long it takes to patch bugs of different severity levels.

Our security corner this week is taking up about half the room, but there's even more than normal here. This week, in addition to the DDoS and Dirty COW, we learned that Axis Bank, India's 3rd largest private bank, had its systems breached - the latest in a long string of security troubles plaguing India's banking industry.

In other security news, a sidechannel attack in Intel's Haswell CPUs provides a method to bypass ASLR (in Linux, at least) on the popular processors. A security researcher developed a method to extract passwords from memory that are stored in popular password manager LastPass, and Rowhammer attacks on Android devices have provided another reliable root exploit for the platform.

On LinkedIn

So this DDoS was kind of a big deal, and a common question was "how could we stop this?" One answer comes from Mack M. Coulibaly, who wrote a great overview of BCP38, a protocol that could put an end to DDoS as we know it. Read it to learn how.

On a different note, we got an extremely thoughtful piece from David Koff, a software engineer at Nike, writing about his journey to figure out what really makes him happy. It's absolutely worth the read.

It's clear the Internet of Things has gotten to the point where we need to have better controls for it. How would you tackle the problem of having so many devices scattered around that currently are difficult or impossible to update? Write about it and include the hashtags #IoT and #SWE for a chance to have it featured on LinkedIn and in this roundup next week.

Follow me on LinkedIn or Twitter (@LefflerGreg) to keep up with my posts. If you have suggestions for things you want to read about, write about, or that I should know about, please leave a comment.

Share this post with your networks so that they can get up to speed on what matters in the Software Engineering world: