Hello, welcome to the Friday, August 26, 2020 edition of the Sands and a

Stom Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

In today's diary Rob addresses a common issue of URL shorteners.

They sure are handy and, yes, very commonly used,

but some users are concerned about not knowing where the link will exactly lead them.

If you want a bit more transparency,

Rob has a quick shell script for you to figure out where the journey goes after

clicking the link. The script will use curl to extract the location header in the response.

This header then, of course, will tell you what the next URL will be. Could of course be

another URL shortener. And then I mention that I'm going to talk

less about malicious packages. Well, we got some news from Pi Pi and I think it was still worth

mentioning and it isn't all good news. Pi Pii announced that they observed how several package maintainers credentials were compromised in a fishing attack.

The credentials were then used to inject malware into the packages that the victim owned and had control over.

The fishing message was actually quite cleverly done, I think.

It claimed to come from Pi Pi and it asked the developer to complete a mandatory

validation to avoid having their packages removed.

Now, there was a lot of talk lately about requiring things like to factor

authentication and such. So somewhat plausible to a developer that they may receive a message like

this, even though Pi Pi states that they will never remove a package just because you

didn't respond to an email like this.

Given all the news, so developers did click on the link,

...