
Commit c13de0f

Fix Story Time formatting
Fix the two story times that didn't include indentation (all the others did). Signed-off-by: David A. Wheeler <[email protected]>
1 parent 1d95440 commit c13de0f

1 file changed

+6
-4
lines changed

secure_software_development_fundamentals.md

Lines changed: 6 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -2839,8 +2839,9 @@ There are two common measures you can take on Unix-like systems to harden them a
28392839
1. All directories that are writable by multiple users should also have the “sticky” bit set. In most modern Unix-like systems, a directory with the “sticky” bit set restricts changes that are allowed in the directory. For example, on Linux systems the sticky bit means for any file in that directory, only the file's owner, the directory's owner, or root user can rename or delete the file. Normally on Unix-like systems insertion and renames of files in a directory can be done by all the users with write permission on the directory, regardless of the file owner. The sticky bit is typically already set for pre-existing shared directories like `/tmp` but you must specially set the sticky bit if you create new directories where writing is shared between users. The sticky bit makes some kinds of attacks harder to perform, including ones based on creating or changing links in that directory.
28402840
2. Where available, enable “protected sticky symlinks” (aka `protected_symlinks`). In systems with protected sticky symlinks, a symbolic link is only followed if it is outside a sticky world-writable directory, or when the uid of the symlink and follower match, or when the directory owner matches the symlink's owner. Many Linux distributions enable this by default, including Ubuntu, Fedora, and Red Hat Enterprise Linux.
28412841

2842-
😱 STORY TIME: VestaCP Link Following Vulnerability (CVE-2021-30463)
2843-
VestaCP is an open source hosting control panel (enabling users of a hosting service to manage their hosting package, e.g., purchase domain names, install applications, create and manage email accounts, and upload website files). Unfortunately, VestaCP through version 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions, a vulnerability identified as [CVE-2021-30463](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30463).
2842+
> 😱 STORY TIME: VestaCP Link Following Vulnerability (CVE-2021-30463)
2843+
2844+
> VestaCP is an open source hosting control panel (enabling users of a hosting service to manage their hosting package, e.g., purchase domain names, install applications, create and manage email accounts, and upload website files). Unfortunately, VestaCP through version 0.9.8-24 allows attackers to gain privileges by creating symlinks to files for which they lack permissions, a vulnerability identified as [CVE-2021-30463](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30463).
28442845

28452846
The fundamental problem is that the VestaCP application presumed that any files under the user home directory (directly or indirectly) were necessarily owned and controlled by the user. But this is not necessarily true in modern operating systems. In the vast majority of modern operating systems, hard and symbolic links enable other files to be referenced from them.
28462847
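Review bot: new line 2843 is an empty line with no `>` marker sitting between the quoted title on 2842 (`> 😱 STORY TIME: VestaCP Link Following Vulnerability (CVE-2021-30463)`) and the quoted body on 2844 (`> VestaCP is an open source hosting control panel ...`). In Markdown a blank line ends a blockquote, so the title and the paragraph will render as two separate quote blocks instead of one indented Story Time. If a single block is intended, that line should be a bare `>` (or be dropped); otherwise please confirm this matches the layout of the other Story Time blocks that the commit message says already have indentation.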

@@ -4912,8 +4913,9 @@ Many builds are reproducible without any changes, however, some are not. The fir
49124913

49134914
More information on how to create reproducible builds is available; see [“Documentation” from the Reproducible Builds project](https://reproducible-builds.org/docs/).
49144915

4915-
😱 STORY TIME: Subversion of SolarWinds Orion’s Build System
4916-
Orion is an enterprise network management software suite from SolarWinds that includes performance and application monitoring as well as network configuration management. In 2020 a threat actor modified the Orion build system so that built versions of Orion would include malicious code. This subverted built system was then signed by the legitimate SolarWinds code signing certificate. This subversion was very damaging; the US government’s Cybersecurity & Infrastructure Security Agency (CISA) even issued an emergency directive (“[Emergency Directive 21-01]](<https://www.cisa.gov/emergency-directive-21-01>)” from CISA). Many security countermeasures couldn’t work in this case; “review code” didn’t work (the change was inserted by the build system and thus not seen by its developers), “check for signatures” didn’t work (it was legitimately signed), and monitoring for problems did not work for a while (because in many organizations this was the monitoring system). For more information, see [Alert AA20-352A](https://www.cisa.gov/emergency-directive-21-01) from CISA and “[Preventing Supply Chain Attacks like SolarWinds](https://linuxfoundation.org/blog/preventing-supply-chain-attacks-like-solarwinds/)” by David A. Wheeler.
4916+
> 😱 STORY TIME: Subversion of SolarWinds Orion’s Build System
4917+
4918+
> Orion is an enterprise network management software suite from SolarWinds that includes performance and application monitoring as well as network configuration management. In 2020 a threat actor modified the Orion build system so that built versions of Orion would include malicious code. This subverted built system was then signed by the legitimate SolarWinds code signing certificate. This subversion was very damaging; the US government’s Cybersecurity & Infrastructure Security Agency (CISA) even issued an emergency directive (“[Emergency Directive 21-01]](<https://www.cisa.gov/emergency-directive-21-01>)” from CISA). Many security countermeasures couldn’t work in this case; “review code” didn’t work (the change was inserted by the build system and thus not seen by its developers), “check for signatures” didn’t work (it was legitimately signed), and monitoring for problems did not work for a while (because in many organizations this was the monitoring system). For more information, see [Alert AA20-352A](https://www.cisa.gov/emergency-directive-21-01) from CISA and “[Preventing Supply Chain Attacks like SolarWinds](https://linuxfoundation.org/blog/preventing-supply-chain-attacks-like-solarwinds/)” by David A. Wheeler.
49174919

49184920
🔔 Hardening the CI/CD pipeline against unauthorized access, malicious code, or system compromise is part of 2021 OWASP Top 10 #8 (A08:2021), *Software and Data Integrity Failures*.
49194921
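Review bot: same blockquote issue as the first hunk: new line 4917 between `> 😱 STORY TIME: Subversion of SolarWinds Orion’s Build System` and `> Orion is an enterprise network management software suite ...` has no `>` marker, so the title and body become two separate quotes; make it a bare `>` if one block is intended. Since line 4918 is being rewritten anyway, two pre-existing defects in it are worth fixing in the same commit: `[Emergency Directive 21-01]](<https://www.cisa.gov/emergency-directive-21-01>)` has a stray `]` that breaks the link, and the `Alert AA20-352A` link points at that same emergency-directive URL rather than the alert, which looks like a copy-paste error and should be checked before merging. Minor wording nit on the same line: `This subverted built system was then signed` reads as a typo; it is the built software (not the build system) that was signed.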

0 commit comments