17 october 2023
Network Management Systems - A Good Place to Hide?
I think about network infrastructure deployment sometimes. Quite often, in
fact. Some would even say too often, but I disagree with that. Perhaps I
think about deployment of telco and networking equipment just enough. For
this reason I'm always on the lookout for breaches, hacks and tricks related
to that sort of stuff.
One thing that I saw recently that amused me was the fact that AvosLocker
seems to disguise a backdoor as a network monitoring tool:
https://www.cisa.gov/sites/default/files/2023-10/aa23-284a-joint-csa-stopransomware-avoslocker-ransomware-update.pdf
It makes sense to me somehow, with network monitors often being quite
complicated pieces of software with a lot of different traffic coming in and
out of them. Put shortly: a good place to hide some fishy communication.
The SolarWinds incident also serves as a good example of this:
https://arxiv.org/abs/2308.10294
I have been greatly enjoying Johannes Ullrich's "What's Normal?" posts and I
believe awareness of such things could be of help if you suspect that someone
is hiding in your network infrastructure:
https://isc.sans.edu/handler_list.html?author=642063&fname=Johannes&lname=Ullrich
But what's normal for a messy system such as a network manager?
Tags
#ownwritings, #cybersecurity, #networkingequipment, #malware, #telco, #telehacks, #awareness
permalink
04 october 2023
Telepoetry no. 0158
Foliate
Radiate
Beaming, gleaming, leaves streaming
Mast flower
Sun tower
Swaying, relaying, always playing
Petal-projected
Palm-expected
Fly on, little dandelion ion, fly on
Tags
#ownwritings, #telepoetry
permalink
30 september 2023
Bush on the Web
Author: Vannevar Bush
Title: As We May Think
Link:
https://www.w3.org/History/1945/vbush/
Summary
Classic text from The Atlantic that essentially describes the Web, fifty
years or so before before the web came to be.
My Thoughts
Impressive how someone can see around the next corner like that. In 1945,
computers were still being invented. Yet, Bush somehow manages to extrapolate
how they will be used.
Tags
#commentary, #blogging, #memex, #classics, #theweb
permalink
27 september 2023
Telepoem no. 550
From below
Heaven sent
Grains of sand
Sediment
A speck of dust
Cosmic clock
Our new home
Telephone rock
Tags
#ownwritings, #telepoetry
permalink
26 september 2023
What is digitalization, really?
My father is a plumber. He started in that line of work in his early teens,
went to a two-year high school program for formal education in the trade and
then he continued in that line of work. Connectivity and digitalization were
not part of his early life. Computers were not part of his early life. But
tinkering with technology always was: cars, electronics, music and audio
equipment, household appliances and so on. Thus, when computers started
entering the small offices and homes of our home country in the 80s and 90s,
his mind was wide open to the possibilities. Using BASIC, he wrote a small
application for indexing and keeping track of the keys to the locations where
his employer was doing plumbing work. He made a small website to document
company events such as barbecue parties and softball tournaments. He used
Windows/Total Commander to connect to FTP servers hosted by his friends. He
and his bandmates hosted a phpBB forum for staying in touch with booking
agents, bar owners, fans, freelance sound engineers and the likes.
When I think of digitalization, I think of my dad and his willingness to put
in a little bit of effort to reap the benefits of digital technology on his
own terms. A digitalization where the user is not helplessly dependant on a
specific technology or product, but in control and able to make choices and
where abstaining is always an option. Sadly, this is not the digitalization I
see today.
A few weeks ago, I took the car to work. I usually go by train. After parking
my car, I went up to the sign showing which of the many parking apps this
particular spot used for handling payments. Using my de-Googled Android
phone, I installed "Greenwashed ParkApp co." from a third-party store and
opened it only to be met by the "Google Play services not supported by your
devices" salute. But even if I'd had Google Play services installed, I would
still need to be logged in with a Google account. Wait, what? I need a Google
account to park my car at work? MicroG aside, what the hell kind of
digitalization is that? Somewhere between my dad and his bandmates hosting
their own webapp and me having to sign in to Google to park my car at work,
something went wrong. Instead of building our digitalized society to our own
liking, we are renting it. It is not really ours, not really something we can
pride ourselves with.
Luckily, there was still an old parking meter nearby, so I used that instead.
Tags
#ownwritings, #selfhosting, #digitalization, #theweb, #crappytech
permalink
25 september 2023
The First Hack I Ever Saw
Roughly twenty years I ago I saw my first hack. And by "hack", I mean "hack" as
in something involving computers and someone's digital assets being
compromised. Coincidentally, it is also how I learned the Alt+Tab keyboard
shortcut.
Me and my friends (whom I shall call Alice and Mallory) were gathered around
the classroom computer in elementary school. I don't really know why we had a
computer in our classroom, noone was ever using it for studying. Alice was
sitting at the keyboard and I was sitting on a chair behind her. Mallory
was standing next to the computer, facing me and Alice. It was between classes
and we were chatting casually about everything and nothing. Even though she was
not supposed to, Alice decided to check her messages on the social network that
was all the rage among the kids back then. The computer was already running so
she just opened a web browser and navigated to the login page of the
application.
Being a somewhat inexperienced computer user (as most twelve-year-olds were in
the early 00s), she was looking down at the keyboard while she was typing. As
Alice was just about to enter her password, Mallory's hand quickly and
unnoticably shot out and pressed Alt+Tab, ever so smoothly and without pause
or hesitation in the conversation we were having. An MSN Messenger chat window
that someone had left open came into focus. Unclear whose it was (also not
relevant in this story) but Alice's password ended up right there in the text
buffer of the chat window, in cleartext. Before Alice hit Enter, Mallory
swiftly pressed Alt+Tab and circled back to the web browser, where the
password field was still awaiting input. Alice hit Enter and looked up at the
monitor. She saw the usual prompt along the lines of "password cannot be
empty, please try again". With a shrug and a facial expression that said
"Computers, eh? Whatcha gonna do?", she complied and logged in, successfully
this time.
After checking her messages, Alice, being a good girl, logged out of her account
and went out to play with her friends, leaving me and Mallory alone at the
computer. With emphasis, Mallory circled to the MSN chat window using the
keyboard and looked at me in triumph. I didn't understand at first what I was
looking at, a chat window with some nonsensical text not yet sent, but Mallory
explained: it was her password. He showed me his Alt+Tab trick and verified
that his hack had worked by logging in on her account. In many ways, it was a
very good hack; Alice was unaware that she had been compromised and apart from
the password string in the MSN Messenger text buffer (which Mallory cleared
after memorizing the password) there were no indicators of compromise for
anyone to find. The only flaw in Mallory's attack was to disclose it to me.
Otherwise, her execution was perfect. Fortunately for Mallory, and
unfortunately for Alice, I'm blowing the whistle twenty years after the fact.
Alice ended up defamed before all her friends. Something I could have
prevented, where it not for my cowardice. Ultimately, word got out that
Alice's account had been hacked. She changed her password, won her reputation
back and went on with her life. Last time I saw her she had a kid on her hip
and looked well enough. She didn't recognize me. That was ten years ago. I
don't think this incident had any significant impact on her life in the
long-run, but I am still disapointed in myself because in my first brush with
cyber security, I failed to do the right thing. I should have told her about
it immediately. Since then, I've learned a thing or two about cyber security
and I'm now commited to helping out whenever I can, for whatever that's worth
to twelve-year-old Alice.
Tags
#ownwritings, #cybersecurity, #socialengineering, #awareness, #socialnetworks
permalink
24 september 2023
Doctorow on the Memex
Author: Cory Doctorow
Title: The Memex Method
Link:
https://pluralistic.net/2021/05/09/the-memex-method/
Summary
Doctorow explains his method of blogging and how his posts sometimes
"nucleate" and start to point in directions towards what eventually
become longer texts.
My Thoughts
For the foreseeable future, this blog is at risk of becoming a list of
links to various texts by Cory Doctorow. Nonetheless, as a novice blogger
I found this text to be encouraging and inspiring. The idea that a blog is
supposed to be a log of your activity on the web, a (we)blog, was new to
me. That makes me slightly less embarrassed to do this thing where I mainly
just link to content written by others.
Tags
#commentary, #blogging, #memex, #theweb
permalink
15 september 2023
Doctorow on Openwashing
Author: Cory Doctorow
Title: "Open" "AI" isn't
Link:
https://pluralistic.net/2023/08/18/openwashing/#you-keep-using-that-word-i-do-not-think-it-means-what-you-think-it-means
Summary
Doctorow criticizes the company name OpenAI by saying that what they do is
neither open, artificial nor intelligent. He goes on and talks about how the
fact that big companies offer open source software (such as Android) does not
give us users noticeably more freedom (still stuck choosing between Apple and
Google). His main point is that open does not equal freedom, either because
companies exaggerate their openness or because their openness locks developers
into an ecosystem where they basically end up doing work for free: every that
gets added to Google Play Store adds value to Google's Android business as a
whole.
My Thoughts
In a discussion I had with my colleagues some time ago, the thought came up
that the "Big Evil Company, inc." of the future will pose as some sort of
research institute or foundation. I was surprised to see that there seems to
be a word for it: openwashing.
Tags
#commentary, #openwashing, #crappytech, #ai
permalink
31 august 2023
PHK on electronic privacy
Author: Poul-Henning Kamp
Title: Don’t “Think of the Internet!”
Link:
https://queue.acm.org/detail.cfm?id=3606023
Summary
PHK criticizes arguments in favor of electronic privacy and freedom that can be
boiled down to "but think of the Internet!" and likens it to the
"but think of the children" argument, which he believes is often used
dishonestly.
My Thoughts
First article I read by someone from the FOSS world that adds some nuance to
the debate around Chat Control 2.0 and similar bills that would regulate the
use of strong encryption. I am in favor of electronic privacy and I do think
that Chat Control 2.0 is a ridiculous proposition, but PHK's article made me
ask myself "why?" seriously for the first time in a long time.
When I ask myself "why is electronic privacy important to me?", I arrive at
something akin to "that's what we had back when the Internet was good". Reading
PHK's article made me want to find a more profound answer, which is arguably a
good thing. I'm still searching, though...
Tags
#commentary, #privacy, #chatcontrol, #eu, #crappytech, #theweb
permalink