Hashtags are like a lot of things in life. They definitely should be used, especially if you’re trying to signal to specific groups of people or specific causes on social media, but there is such a thing as overdoing it.

Don’t believe me? There’s a lot of data to back up that claim.

The short version is, if you want your message to have an impact, don’t use more than two of them per social media message. Three or more and your message starts to become diluted, and your intended audience will ignore it. This is especially true on Twitter, though less so on other social networks like Instagram or Google Plus. On Facebook, hashtags are pretty much useless.

This is also worth keeping in mind if you’re posting the same content to multiple social networks. Don’t cram your content with hashtags on Twitter just because it’s going to Instagram, for example.

And of course, when using hashtags, make sure they’re relevant. Nothing will kill a message faster than its being tagged with an inappropriate hashtag, or tagged with something that happens to be trending or that has a lot of followers.

So the next time you want to strangle one of your friends for using too many hashtags, now you can do it politely, and explain that there are data to back you up.

A critical bug that can leak secret cryptographic keys has just been fixed in OpenSSH, one of the more widely used implementations of the secure shell (SSH) protocol.
The vulnerability resides only in the version end users use to connect to servers and not in versions used by servers. A maliciously configured server could exploit it to obtain the contents of the connecting computer’s memory, including the private encryption key used for SSH connections. The bug is the result of code that enables an experimental roaming feature in OpenSSH versions 5.4 to 7.1.
“The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys,” OpenSSH officials wrote in an advisory published Thursday. “The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.”

Source: Bug that can leak crypto keys just fixed in widely used OpenSSH

The OpenSSH maintainers have released a patch that fixes this, so if you’re using OpenSSH, update. It’s always important to make sure you’re running the latest versions of the things you depend on, especially when security fixes are involved.
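As an added example (not part of this post, the Ars Technica article, or the OpenSSH project’s own tooling), here is a small POSIX shell script a sysadmin could drop on a workstation to check the client side. It parses the banner printed by `ssh -V` against the affected client range quoted above (5.4 through 7.1) and looks for an explicit `UseRoaming no` in the client config, which is the ssh_config setting the OpenSSH advisory named for switching the roaming code off. The sample banners, the config-file path and the version-parsing regex are my assumptions, not anything from the advisory.

```shell
#!/bin/sh
# Added example: check an OpenSSH client for the roaming information leak
# described above. Two independent checks:
#   1. is the reported version inside the affected client range 5.4 .. 7.1?
#   2. does the client config explicitly disable roaming ("UseRoaming no")?
# The portable "pN" patch level in the banner is ignored, so a 7.1 build that
# already carries the fix is still flagged by check 1. Treat a hit as "read the
# advisory and update", not as proof that this particular build is vulnerable.

# openssh_version_affected BANNER
# BANNER is the text printed by `ssh -V`, for example (constructed):
#   "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.4, OpenSSL 1.0.1f 6 Jan 2014"
# Returns 0 if major.minor lies in 5.4 .. 7.1, 1 if outside, 2 if unparsable.
openssh_version_affected() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver              # $1 = major, $2 = minor (positional params are local here)
    major=$1; minor=$2
    if [ "$major" -lt 5 ] || [ "$major" -gt 7 ]; then return 1; fi
    if [ "$major" -eq 5 ] && [ "$minor" -lt 4 ]; then return 1; fi
    if [ "$major" -eq 7 ] && [ "$minor" -gt 1 ]; then return 1; fi
    return 0
}

# roaming_disabled_in CONFIG_FILE
# Returns 0 when the file has an uncommented "UseRoaming no" line
# (keyword matching is case-insensitive, as ssh_config parsing is).
roaming_disabled_in() {
    grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)' "$1"
}

# check_local_client [CONFIG_FILE]
# Runs both checks against the installed ssh and the given config file
# (default: ~/.ssh/config, an assumption; /etc/ssh/ssh_config is the other
# usual place). Prints a one-line verdict per check.
check_local_client() {
    cfg="${1:-$HOME/.ssh/config}"
    if ! command -v ssh >/dev/null 2>&1; then
        echo "ssh not found; nothing to check"
        return 0
    fi
    banner=$(ssh -V 2>&1)
    if openssh_version_affected "$banner"; then
        echo "AFFECTED RANGE: $banner"
        if [ -f "$cfg" ] && roaming_disabled_in "$cfg"; then
            echo "mitigated: UseRoaming no found in $cfg (still update)"
        else
            echo "no UseRoaming no in $cfg: update OpenSSH or add the setting"
        fi
    else
        echo "outside affected range or unparsable banner: $banner"
    fi
}

check_local_client
```

Run it as-is to check the local client, or pass a different config path as the first argument to `check_local_client`. The version check is deliberately coarse: it exists to tell you whether to go read the advisory, and updating is the real fix.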

And if you haven’t done so already, please consider contributing to free software like this. Free software (as in freedom) is everyone’s responsibility, and even if you’re not a coder, you can still contribute. The widely used security and server-side software, and the client-side software used to interact with it, is free software. For that to remain the case, the upkeep of that software cannot be left to “other people.” So if you haven’t done so already, consider giving something back to the communities whose software you freely use to get your work or daily tasks done. Your contributions, whether in time and talent or in monetary form, make a difference.

The U.S. Department of Justice has yet to issue regulations on how e-commerce operators and governments can meet their website accessibility obligations under the Americans With Disabilities Act. In the meantime, many of the country’s top retailers are being hit with lawsuits for allegedly failing to make their websites accessible to the legally blind.

Source: Fighting for Accessible Websites Under the ADA: Daniel Goldstein, Brown Goldstein Levy, Baltimore

While I have yet to hear of any WordPress-specific agencies or shops whose clients have been shaken down by the National Federation of the Blind, this trend is on the upswing. So if you’re not building accessible websites for your clients yet, please start. Don’t ask them if accessibility is a requirement. If you start at the beginning, it’s not going to be a large expense. Please don’t make your clients wait until they get a demand letter or a lawsuit over their website. By that point, the costs of remediation go up exponentially, and you end up with an unhappy client. So don’t put your clients at risk by leaving accessibility until the end, or out of the equation altogether.

Malwarebytes has spotted an advertising campaign in the wild that tricks users into clicking on what looks like a notification alert that actually hides a legitimate advert, therefore abusing both the advertiser and the ad network hosting the ad (Google Ads Services).
The rogue actors behind this fraudulent activity are cleverly leveraging a European law on the use of cookies to seemingly prompt visitors to answer a question.

The law applies regardless of where the website is actually hosted. Any website that is using cookies for any purpose and is targeting European users, even if not solely, must ask consent from its users to store or retrieve information from their devices. (Source)

Malwarebytes has a complete breakdown of the attack and its implementation, with screenshots, on their blog.

From the Linode status blog:

A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or on, at some point. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds. The resetting of your password will invalidate the old credentials.

This may have contributed to the unauthorized access of the three Linode customer accounts mentioned above, which were logged into via manager.linode.com. The affected customers were notified immediately. We have found no other evidence of access to Linode infrastructure, including host machines and virtual machine data.

The entire Linode team has been working around the clock to address both this issue and the ongoing DDoS attacks. We’ve retained a well-known third-party security firm to aid in our investigation. Multiple Federal law enforcement authorities are also investigating and have cases open for both issues. When the thorough investigation is complete, we will share an update on the findings.

Now’s a good time to change all your passwords and audit your servers.

None of this means that Linode has been irresponsible, at least that we know of. Security is hard, and this kind of thing can and will happen to any and every cloud provider. It’s only a matter of time before Amazon gets hit.

Regular server audits and password changes are critical for anything that’s connected to the internet, which at this point is more and more of the things. It’s good practice to have some kind of security policy in place, regardless of the technology you’re using. Policy is just as much a part of security as the technical aspect.
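To make the “regular audits and a written policy” point concrete, here is an added example (mine, not Linode’s and not from any audit tool) of the kind of check such a policy turns into: a POSIX shell script that reads `/etc/shadow`-format records and flags accounts whose password is older than the policy allows, has no password at all, or has no recorded change date. The sample records, the 90-day maximum and the “today” value are constructed for the demo; the hash strings are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example: audit /etc/shadow-style records against a simple password
# policy. In each record, field 2 is the password hash (empty = no password,
# "!" or "*" = locked / no login) and field 3 is the date of the last password
# change in days since 1970-01-01.
#
# shadow_audit FILE MAX_AGE_DAYS TODAY_DAYS
# Prints one finding per line ("KIND user [age=Nd]") and returns 0 when there
# are no findings, 1 otherwise.
shadow_audit() {
    file="$1"; max_age="$2"; today="$3"
    findings=0
    while IFS=: read -r user hash lastchg _rest; do
        [ -n "$user" ] || continue
        case "$hash" in
            '')        echo "EMPTY_PASSWORD $user"; findings=$((findings + 1)); continue ;;
            '!'*|'*')  continue ;;      # locked or no-login account: not a finding
        esac
        if [ -z "$lastchg" ]; then
            echo "NO_CHANGE_DATE $user"; findings=$((findings + 1)); continue
        fi
        age=$((today - lastchg))
        if [ "$age" -gt "$max_age" ]; then
            echo "STALE_PASSWORD $user age=${age}d"; findings=$((findings + 1))
        fi
    done < "$file"
    [ "$findings" -eq 0 ]
}

# write_sample_shadow FILE
# Writes a constructed sample in /etc/shadow format (placeholder hashes) so
# the audit can be demonstrated offline.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$notarealhash:16950:0:99999:7:::
daemon:*:16000:0:99999:7:::
sync:!:16000:0:99999:7:::
alice:$6$saltsalt$notarealhash:16800:0:99999:7:::
bob:$6$saltsalt$notarealhash::0:99999:7:::
guest::16900:0:99999:7:::
EOF
}

# Demo on the constructed data: "today" is day 17000, policy is 90 days.
# Expected findings: alice (200 days old), bob (no change date), guest (empty).
demo_file=$(mktemp)
write_sample_shadow "$demo_file"
shadow_audit "$demo_file" 90 17000 || echo "audit: findings flagged above"
rm -f "$demo_file"
```

On a real host, run `shadow_audit /etc/shadow 90 $(( $(date +%s) / 86400 ))` as root and feed the output to whatever ticketing or alerting you use; the point is that the number 90 comes from a written policy, so the script is enforcing a decision rather than making one.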