The Chinese are Attacking!

Every once in a while I check the logs of the server that hosts this blog, to see if there are any shenanigans going on. And every time I check, there ARE shenanigans. The Chinese have been slowly, patiently poking at this machine for a long, long time. The attacks will not succeed; they are trying to log in as “root”, the most powerful account on any *NIX-flavored computer, but on my server root is not allowed to log in from the outside, precisely because it is so powerful.

But the attack itself is an interesting look at the world of institutionalized hacking. It is slow, and patient, only making an attempt every thirty seconds or so. Many attack-blockers use three tries in a minute to detect monkey business; this will fly under that radar. Trying fewer than 200,000 password guesses per day limits the effectiveness of a brute-force attack, but over time (and starting with the million most common passwords), many servers will be compromised.
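To see why the three-tries-in-a-minute rule misses a guesser that fires every thirty seconds, here is an added example (not from the post): a Python script that replays constructed sshd log lines, assumed to be in the usual syslog format, through a one-minute burst rule and a one-day slow rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# sshd "Failed password" lines as syslog writes them; the year is not in the line
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
LOG_YEAR = 2016  # assumed year for the constructed sample below

def parse_failures(lines):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
            yield ts, m["user"], m["ip"]

def flag_sources(lines, threshold, window):
    """Source IPs with at least `threshold` failures inside one sliding `window`.
    A failure exactly `window` old has aged out, so 30 s spacing gives 2 per minute."""
    per_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines):
        per_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def burst_rule(lines):
    """The usual blocker rule from the post: three failures within a minute."""
    return flag_sources(lines, threshold=3, window=timedelta(minutes=1))

def slow_rule(lines):
    """Long-horizon companion rule: 100 failures in a day (under an hour at 30 s spacing)."""
    return flag_sources(lines, threshold=100, window=timedelta(days=1))

def constructed_log():
    """Constructed sample, not real logs: a patient source guessing root every 30 s
    for two hours, a noisy source making five guesses in 20 s, one real login."""
    fmt, t0, lines = "%b %d %H:%M:%S", datetime(LOG_YEAR, 12, 11, 9, 0, 0), []
    for i in range(240):
        stamp = (t0 + timedelta(seconds=30 * i)).strftime(fmt)
        lines.append(f"{stamp} web sshd[2201]: Failed password for root from 203.0.113.5 port {40000 + i} ssh2")
    for i in range(5):
        stamp = (t0 + timedelta(seconds=4 * i)).strftime(fmt)
        lines.append(f"{stamp} web sshd[2202]: Failed password for invalid user admin from 198.51.100.7 port {50000 + i} ssh2")
    lines.append(f"{t0.strftime(fmt)} web sshd[2203]: Accepted publickey for jerry from 192.0.2.9 port 60001 ssh2")
    return lines
```

Only the noisy source trips the burst rule; only the patient one trips the slow rule, which is why a blocker needs both horizons.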

And in the Chinese view, they have all the time in the world. Some servers will fall to their attacks, others won’t. The ones that are compromised will likely be loaded with software that will, Manchurian-Candidate style, lie dormant until the Chinese government decides to break the Internet. And although servers like mine would provide excellent leverage, located as it is in a data center with high-speed access to the backbone, the bad guys have now discovered that home invasion provides a burgeoning opportunity as well. Consider the participation of refrigerators and thermostats in the recent attack on the Internet infrastructure on the East Coast of the United States and you begin to see the possibilities opened by a constant, patient probing of everything connected to the Internet.

I’ve been boning up on how to block the attack on my server; although in its current form the attack cannot succeed, I know I’ve been warned. The catch is I have to be very careful as I configure my safeguards — some mistakes would result in ME not being able to log in. That would be inconvenient, because if I’m unable to log in I won’t be able to fix my mistake. But like the Chinese, I can take things slowly and make sure I do it right.

An Internet Security Vulnerability that had Never Occurred to Me

Luckily for my productivity this afternoon, the Facebook page-loading feature was not working for me. I’d get two or three articles and that was it. But when it comes to wasting time, I am relentless. I decided to do a little digging and figure out why the content loader was failing. Since I spend a few hours every day debugging Web applications, I figured I could get to the bottom of things pretty quickly.

First thing to do: check the console in the debugger tools to see what sort of messages are popping up. I opened up the console, but rather than lines of informative output, I saw this:

Stop!

This is a browser feature intended for developers. If someone told you to copy-paste something here to enable a Facebook feature or “hack” someone’s account, it is a scam and will give them access to your Facebook account.

See https://www.facebook.com/selfxss for more information.

It is quite possible that most major social media sites have a warning like this, and all of them should. A huge percentage of successful “hacks” into people’s systems are more about social engineering than about actual code, and this is no exception. The console is, as the message above states, for people who know what they are doing. It allows developers to fiddle with the site they are working on, and even allows them to directly load code that the browser’s security rules would normally never allow.

These tools are built right into the browsers, and with a small effort anyone can access them. It would seem that unscrupulous individuals (aka assholes) are convincing less-sophisticated users to paste in code that compromises their Facebook accounts, perhaps just as they were hoping to hack someone else’s account.

I use the developer tools every day. I even use them on other people’s sites to track down errors or to see how they did something. Yet it never occurred to me that I could send out an important-sounding email and get people to drop their pants by using features built right into their browsers.

It’s just that sort of blindness that leads to new exploits showing up all the time, and the only cure for the blindness is to have lots of people look at features from lots of different perspectives. Once upon a time Microsoft built all sorts of automation features into Office that turned out to be a security disaster. From a business standpoint, they were great features. But no one thought, “you know, the ability to embed code that talks to your operating system directly into a Word doc is pretty much the definition of a Trojan Horse.”

So, FIRST, if anyone asks you to paste code into the developer’s console of your browser, don’t. SECOND, if you are in charge of a site that stores people’s personal data, consider a warning similar to Facebook’s. Heck, I doubt they’d complain if you straight-up copied it, link and all. THIRD, just… be skeptical. If someone wants you to do something you don’t really understand, don’t do it, no matter how important and urgent the request sounds. In fact, the more urgent the problem sounds, the more certain you can be that you are dealing with a criminal.


On the Subject of Tutorials, and Why the Internet is Awesome

A while back a buddy of mine had trouble with his washer. He was pinched for cash, so he tackled the problem himself, rather than call a repair man. He got some information off the Internet before he started, not all crystal-clear, but enough to dive in.

He fixed his washer. But along the way he did something else, as well: He carefully documented each step of the process, with commentary, lessons learned, and pictures. In the process not only did he save himself a hundred bucks or more, he helped a lot of other folks as well. It’s the most-hit page on his blog (last I heard), and for good reason. Here’s the tutorial, in case your washer’s not draining.

Sidebar: It’s a little frustrating for a blogger to create an episode that’s not the main focus of the blog and have that episode take off. In my case it was “New York Sucks”. But at least “How to Fix Your Washer” has some benefit to the world at large. Lately my tutorial about setting up a LAMP stack using MacPorts has become more popular, which makes me feel better.

Let’s take a moment more to understand why my friend’s blog episode was so effective. First, there was the voice: “I’m just Joe Homeowner with a couple of wrenches and a mysterious machine that’s not working right. But I fixed the bastard.” Second, the tutorial answered a specific need. Third, Joe Homeowner was there with you every step of the way, with pictures and the kind of observations that never appear in service manuals.

The most effective reference materials are almost never videos. When I’ve got both hands tied up with the task, I just want to be able to look at the screen and see what I need to know. I want a still image I can absorb at my pace, and look for reference points to reconcile with what’s in front of me. I want to read the instructions three times without having to rewind.

This is the sort of content ‘they’ were thinking about twenty years ago when they were trying to convince us that the Internet was a good thing.

Last weekend I benefitted from a similar tutorial. Owners of 1999 and 2000 Miatas know code P0402: Excessive EGR flow. Usually a P0401 comes first. It’s a design flaw; there’s a narrow passage in the intake manifold that gets clogged. The killer is that the ol’ 402 suggests that a $200 part needs to be replaced. Actually, that’s almost never true in this car. All you have to do is remove the throttle body, take off the top part of the intake manifold, and clean that passage out.

Reference material close at hand, I'm ready to fix my car.

The task is not difficult, but it can be intimidating. What you need is some guy like you who’s done it, who took pictures, who remembers the details, and isn’t afraid to admit he was a little frightened going in. You can feel his satisfaction as you read the how-to and you know you will feel that way too.

The ONE THING I wish he might have mentioned was “when you take the age-hardened hose off the top of the intake manifold, be careful not to break the PCV valve.” But that’s a topic for another episode.

There’s a tutorial out there for almost everything. Almost. Next time you’re facing a task, if you can’t find a good set of instructions on the Internet, do the Web a favor. Make the first tool you pick up a camera. Take a little longer on your repair, record each step, and remember your moments of uncertainty and how you dealt with them. Put it out there and make the world a better place.


iTelescope

I was reading up on the big-ass comet (whose name is not actually ISON) heading our direction, and the article mentioned that the discovery had been confirmed by iTelescope (among others). (REAL QUICK digression: I really like the word “precovery” — Once the discoverers said, “hey, there’s a comet there!” other astronomers were able to use data gathered before the official “discovery” to confirm the finding. Precovery.) So anyway, since I work at the company that invented put-an-i-on-it product naming, I had no choice but to look into this iTelescope thing. I had this idea that maybe there were a million webcams all pointed at the sky, and with the combined computing power of the participants a useful image could be inferred.

Of course, I was wrong. It was early in the morning and the caffeine hadn’t reached the critical parts of my brain — the parts that would have considered the logistical nightmare my “global fly-eye” idea would entail. Maybe in a few more years…

But what I did find is entirely cool, and has the benefit of actually working. iTelescope is a cooperative that has some 20 pretty-dang-good telescopes, and for a fee you (yes, you) can use them to take pictures of the sky. (The difference between ‘telescope’ and ‘camera’ is all in the lens.) iTelescope has three facilities around the globe (New Mexico, Spain, and Australia), so it’s always night somewhere. You control the telescope over the Internet and download your results. Oh, these times we live in. (In these times, it must also be said: you retain all rights to the photos.)

How much does it cost? That depends on the telescope you choose and the phase of the moon. Prices start in the neighborhood of seventeen bucks an hour and go up from there. That seems like a lot of money, until you consider what it would cost to get these images on your own. At least eleven images taken through the service have even been honored as APOD (Astronomy Picture of the Day).

It feels odd to think of it as ‘photography’ when you’re so disconnected from the camera – heck, you’ll probably never even see the telescope you’re using. Many of the other decisions one makes in terrestrial photography are moot as well — there’s no depth of focus to deal with, for instance. Someone else has set up the camera; all you have to do is point it. Except, when you look at the gallery, you see that there are many images that combine dozens of exposures, some with different filters, sometimes with different data coming from different telescopes. Dang. Seriously, how many photographers have access to such a vast array of gear? (Answer: now, we all do.)

There is still an art to getting that spectacular deep-space image, and just as a fashion photographer has assistants to handle the details, iTelescope users have the iTelescope staff and a helpful Web robot. Good times, my friends. Good times.


Tor and Privacy

The other day I was looking for something completely unrelated and I came across an interactive diagram that shows what information is protected when you use a secure Web connection. The diagram also mentions something called “Tor”, which protects other parts of the information that gets transmitted with every message your computing device sends over the Web.

In a nutshell, Tor makes it impossible (as far as we can tell) to trace a message from source to destination. This could be really, really beneficial to people who would like to, for instance, access a site their government does not approve of. (If that government already suspects the citizen is accessing a forbidden site, they can still put sniffers on either end of the pipeline and infer from the timing of messages that the citizen is acting in an unpatriotic fashion, but they can’t just put a sniffer on the forbidden end to see who happens by.)

There are lots of other times you might want to improve your privacy; unfortunately not all those activities are legal or ethical. A lot of verbiage on Tor’s site is to convince the world that the bad guys have even better means of protecting privacy, since they are willing to break the law in the first place. Tor argues that they are at least partially evening the playing field. They mention reporters protecting sources, police protecting informants, and lawyers protecting clients. My take: you had me at “privacy”.

To work, Tor requires a set of volunteer middlemen, who pass encrypted and re-encrypted messages from one to another. Intrigued, I looked into what would be involved in allocating a slice of my underused server to help out the cause. It’s pretty easy to set up, but there’s a catch. If you allow your server to be an “exit point”, a server that will pass messages out of the anonymous network to actual sites, sooner or later someone is going to be pissed off at someone using the Tor network and the only person they’ll be able to finger is the owner of the exit point. Legal bullshit ensues.

Happily, there are lawyers standing by to protect the network, and some of them might even be itching for a showdown with The Man. Still, before I do anything rash, I need to check in with the totally awesome folks at MacMiniColo, because shit could fall on them, since my server is in their building. If they have qualms (they are not a large company), then I could still be a middle node in the network, and that would help some. But simply because of the hassles involved with being an exit node, that’s where I can do the most good.

I’ll keep you posted on how this shakes out. I need to learn more. If I decide to move ahead, there’s a lot of p’s to dot and q’s to cross, and my server company may ixnay the whole idea. In the meantime, check out Tor, especially if you have nothing to hide.

More Thoughts on Spam

A recent attempt at comment spam on my blog was a message heavy with phrases designed to get a search engine riled up: Attorney Personal Injury Las Vegas, Attorney Personal Injury, Lawyer Personal Injury, Our lawyer handles all the legal matters professionally!

By putting those phrases here, not connected to the Web site of the sleazy lawyer resorting to illegal practices to promote his business, I weaken the search engine power by diluting the phrase. I think. That or I get blacklisted by the Goog.

But it seems like there should be more I can do. Here, on my blog, is a law firm breaking the law. Let me say that again, so you get the full feel of it. A group of people who are bound to uphold the law are breaking the law right here and now.

From their Web site (careful not to actually click any link in the spam), I sent them this message:

You guys are lawyers. Yet you, or agents employed by you, are engaging in illegal spamming. Really, you guys should be smarter than that.

Fix it.

No reply, though days have passed now. There won’t be a reply. But I’m watching my spam bin with a little extra diligence right now; the next one is going to the Nevada Bar Association.

In the meantime, I got a glut of comment spam from a Forex trading site. Forex (foreign exchange) is the practice of trading currency, a high-risk practice of predicting the perceived values of global currencies, and the pool is filled with sharks ready to fleece ordinary joes who somehow get the impression that there’s quick money in those markets. The brokers brag that they have a can’t-lose system, and the unsophisticated suckers buy in, lose their money, the brokers pocket the profits, and the system worked. It really is a can’t-lose system — for the brokers.

So, when I got a heapin’ helpin’ of spam from a Forex site, I decided once more to play an activist role. I went to the site (as always, careful not to use the link in the spam directly) and it seemed to be devoted to exposing the bad guys. They’re called the Forex Peace Army, or FPA. Still, a spamming asshole is a spamming asshole. I sent them a message:

While your site makes it appear that you want to be one of the good guys, you are engaged in illegal spam activities. That is disappointing, and hypocritical. Please stop.

And they wrote back! To paraphrase (and infer just a bit): Sorry, but some jerks we pissed off have started a spam smear campaign. Any data you can give us might help us bring them down.

Alas, it looks like the jerks outsourced their libelous campaign; the spams I got came from China. Still, I’m sending them the data, in hopes that maybe somewhere along the way the FPA will catch a break and get the evidence they need. And you have to like an organization named Forex Peace Army. I picture a shark in tie-dye.


Open Letter to Yontoo

Tonight I came home to discover that whenever I looked at this site, it was wrapped in advertising. Yikes! I was relieved to discover that it was ‘only’ on my machine; I had unknowingly inherited a browser extension that turned Safari into a giant billboard. Panic gave way to annoyance.

The creator of this extension is called Yontoo. They suck. But you can be sure that I didn’t run a Yontoo installer recently. Something else I installed did me the favor of sliding that sucker onto my machine. Tonight I wrote Yontoo this message:

How can I find out how you [sic] software was installed in my browser? I certainly didn’t ask for it, but obviously at some point when I thought I was installing something else, I got your stuff too. I want to know who to yell at.