DevOps'ish 211: He who was mentioned in DevOps'ish 145, OpenSSL updates, New AWS CEO, Apple linked to Chinese tracking apps, 92% of all on-premises Microsoft Exchange servers patched, TSMC, coffee shortage, and more

Well, what’s it like living in the last throes of the Free Software Foundation (FSF)? Many companies came out against the FSF’s recent decision to re-add he who was mentioned in DevOps’ish 145. Red Hat probably gave the most scathing repudiation. I can think of no worse strategy than bringing back someone who for so long abused, criticized, belittled, harassed, and bullied the people (especially women) around them. I used to support FSF and only did so after he who was mentioned in DevOps’ish 145 (droves of others are denouncing the decision too). It’s truly rare that I reassess my automated donations and think about where I’m donating money. I’m glad this utterly insane event sparked this reevaluation for me. Now that he who was mentioned in DevOps’ish 145 is back at the FSF, I put out a call on Twitter for suggested charities or foundations I could support. Folks came through. I’ve not only found a better place to send money than FSF, but I also added more causes in the process. I try to live life as transparently as possible. I do list what Causes I support on my website. I’m happy to say that I added the Software Freedom Conservancy, Outreachy, and /dev/color this week. I probably should have been supporting Outreachy long ago, but it’s better late than never. There are probably many other places I could be putting money to foster a more inclusive tech sector. If you, dear reader, have suggestions about which non-profits I should be engaged with, please hit reply and let me know. ...

March 28, 2021 · 7 min · Chris Short

DevOps'ish 210: Net Neutrality, Burnout, DevSecOps, Kubernetes galore, SubStack is bull, and more

The idea for the subject of this week’s intro came from K Rain Leander. Rain asks, “The past year has been one of lockdowns, increased security and decreased travel. DevOps became DevSecOps became DevSecOpsBiz. And the world embraced the work / life balance culture of DevOps. What are your favourite cultural shifts from the last year? What do you want to let go of forever? As we take a look at the latest updates in the DevOps world, also take a look at you and yours and let us know how you’re doing. And if we can help, let us know how.” I won’t touch on the “DevOps became DevSecOps became DevSecOpsBiz” point because, while I have seen more folks saying DevSecOps outright, I cannot say the same for “DevSecOpsBiz.” Lockdowns and constant existential dread are strongly demotivating. I’ll be happy when kids start getting vaccines in their arms. I’m very much tired of the constant worry and struggle. But we as a society keep doing insane things. Case in point: letting the numbers get down to “safe” levels, then reopening (in any capacity) until the number of deaths goes back up. I get it; commerce is important. But do we constantly have to ride this up and down roller coaster? It’s disheartening and downright cruel to watch more people die so someone could sit in a half-capacity restaurant that they could have taken home. The things that haunt me in my life from my past are the lives I could’ve saved but was unable to. ...

March 21, 2021 · 11 min · Chris Short

DevOps'ish 209: Hafnium, dhcpcd needs new maintainer, Beat the Systemic Racism of IT, Google HR issues, OVH disaster, git vulnerability, sigstore and more

In a first, there are two DevOps’ish Indexes in flight right now. I did not want this day to ever happen, but here we are. SolarWinds and Microsoft both have their hands full. DevOps’ish has your back. Here are all the data points for both incidents so far.

NEW: DevOps’ish Microsoft Exchange Hafnium Compromise Index
DevOps’ish SolarWinds supply chain compromise Index

What a time to be alive. Also, DevOps’ish is 101 subscribers from officially passing the 5,000 subscribers mark. This is a critical point in a newsletter’s life. I’d be very appreciative if you forwarded this to a friend, tweeted about the newsletter, or posted something on LinkedIn. Thank you!

People
Allan McDonald, Who Refused To Approve Shuttle Challenger Launch, Dead At 83
“His job was to sign and submit an official form. Sign the form, he believed, and he’d risk the lives of the seven astronauts set to board the spacecraft the next morning. Refuse to sign, and he’d risk his job, his career and the good life he’d built for his wife and four children. ...

March 14, 2021 · 8 min · Chris Short

DevOps'ish Microsoft Exchange Hafnium Compromise Index

A one-stop shop for opinion, analysis, and/or coverage of the Microsoft Exchange Hafnium compromise. Coverage includes official statements and filings, accredited media coverage, industry analysis, and noteworthy blogs, digital media, and other mediums as deemed worthwhile.

Note: All links shared here have gone through the normal DevOps’ish editorial and curation process. To add content for review, issue a pull request against this file in GitHub.

Official Statements
Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)
Joint Cybersecurity Advisory: Compromise of Microsoft Exchange Server
CISA Strongly Urges All Organizations to Immediately Address Microsoft Exchange Vulnerabilities | CISA
Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 – Microsoft Security Response Center
Multiple Security Updates Released for Exchange Server – updated March 12, 2021 – Microsoft Security Response Center
“Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.” —National Security Council Twitter
Guidance on Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise | CISA
CSS-Exchange/Security at main · microsoft/CSS-Exchange
Background Press Call by Senior Administration Officials on the Administration’s Response to the Microsoft and SolarWinds Intrusions | The White House

Press
No sign of Exchange-related ransomware hitting UK orgs, claims NCSC as it urges admins to scan for compromises • The Register
Exchange servers first compromised by Chinese hackers hit with ransomware | Ars Technica
Report: At least 10 hacking groups are exploiting Microsoft Exchange flaws | VentureBeat
White House cites ‘active threat,’ urges action despite Microsoft patch | Reuters
Microsoft Exchange server attacked by Hafnium, company says - CNN
Biden administration expected to form task force to deal with Microsoft hack linked to China - CNNPolitics
Tens of thousands of US organizations hit in ongoing Microsoft Exchange hack | Ars Technica
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims | WIRED
There’s a vexing mystery surrounding the 0-day attacks on Exchange servers | Ars Technica
Critical 0-day that targeted security researchers gets a patch from Microsoft | Ars Technica
White House task force met with private sector to discuss Microsoft software vulnerabilities | VentureBeat
Microsoft Exchange Server hacks ‘doubling’ every two hours | ZDNet
Exchange Server attacks: Microsoft shares intelligence on post-compromise activities | ZDNet
AP sources: SolarWinds hack got emails of top DHS officials

Industry
Hackers dropping DearCry ransomware using Exchange Server exploit
Microsoft Exchange hack, larger than originally believed, prompts emergency task force - SiliconANGLE
Microsoft was warned months ago — now, the Hafnium hack has grown to gigantic proportions - The Verge
US National Security Council urges review of Exchange Servers in wake of Hafnium attack • The Register
The Microsoft Exchange Server mega-hack – what you need to know – HOTforSecurity
More hacking groups join Microsoft Exchange attack frenzy

Blogs, Newsletters, Digital Media, etc.
Researchers warn of a surge in cyber attacks against Microsoft Exchange | Security Affairs
Microsoft Exchange Server Attack Escalation Prompts Patching Panic
Microsoft updated MSERT to detect web shells used in attacks against Microsoft Exchange installs | Security Affairs
Microsoft releases one-click Exchange On-Premises Mitigation Tool
92% of all on-premises Microsoft Exchange servers exposed online affected by the ProxyLogon vulnerabilities are now patched

March 14, 2021 · 3 min · Chris Short

DevOps'ish 208: KubeCon problems, tech is the easy part, Okta eats Auth0 whole, Exchange vulns, Digital Ocean IPO, #100DaysOfKubernetes, and more

This week I heard about and witnessed some pretty disgusting behavior in the greater cloud native community. First, I saw a tweet from a CNCF Ambassador saying KubeCon was pay to play (the tweet is gone now, but you better believe they lost a follower that day). If KubeCon were pay to play, I’d have spoken at the last three years of KubeCons. Red Hat spends a shitload of money sponsoring KubeCon and the Linux Foundation. It does not, nor should it ever, influence the talk selection process. Next, I heard firsthand about people jumping into KubeCon track committee members’ DMs and chastising them for not selecting their talk. I won’t be naming and shaming. They’ve done that for themselves. But, I can guarantee you, this is not how you want to make a name for yourself in the community. Oh… Some random Google software engineer got blocked because they did not understand any word I wrote, then proceeded to put words into my mouth about how the selection process works. At some point in the process, a deciding factor in the talk selection process could be looking for a submitter’s online presence (yes, speaker names get Googled routinely). The submission process does involve some links to social media and/or GitHub, for example, if memory serves me right. Building a KubeCon track is a super laborious process that you have to dedicate serious time to in a brief time window. IT’S HARD WORK. ...

March 7, 2021 · 8 min · Chris Short