~zluudg@TTBP



17 october 2023

Network Management Systems - A Good Place to Hide?

I think about network infrastructure deployment sometimes. Quite often, in fact. Some would even say too often, but I disagree with that. Perhaps I think about deployment of telco and networking equipment just enough. For this reason I'm always on the lookout for breaches, hacks and tricks related to that sort of stuff.

One thing that I saw recently that amused me was the fact that AvosLocker seems to disguise a backdoor as a network monitoring tool:

https://www.cisa.gov/sites/default/files/2023-10/aa23-284a-joint-csa-stopransomware-avoslocker-ransomware-update.pdf

It makes sense to me somehow, with network monitors often being quite complicated pieces of software with a lot of different traffic coming in and out of them. Put shortly: a good place to hide some fishy communication. The SolarWinds incident also serves as a good example of this:

https://arxiv.org/abs/2308.10294

I have been greatly enjoying Johannes Ullrich's "What's Normal?" posts and I believe awareness of such things could be of help if you suspect that someone is hiding in your network infrastructure:

https://isc.sans.edu/handler_list.html?author=642063&fname=Johannes&lname=Ullrich

But what's normal for a messy system such as a network manager?

Tags

#ownwritings, #cybersecurity, #networkingequipment, #malware, #telco, #telehacks, #awareness



04 october 2023

Telepoetry no. 0158

Foliate
Radiate

Beaming, gleaming, leaves streaming

Mast flower
Sun tower

Swaying, relaying, always playing

Petal-projected
Palm-expected

Fly on, little dandelion ion, fly on

Tags

#ownwritings, #telepoetry



30 september 2023

Bush on the Web

Author: Vannevar Bush
Title: As We May Think
Link: https://www.w3.org/History/1945/vbush/

Summary

Classic text from The Atlantic that essentially describes the Web, fifty years or so before before the web came to be.

My Thoughts

Impressive how someone can see around the next corner like that. In 1945, computers were still being invented. Yet, Bush somehow manages to extrapolate how they will be used.

Tags

#commentary, #blogging, #memex, #classics, #theweb



27 september 2023

Telepoem no. 550

From below
Heaven sent
Grains of sand
Sediment
A speck of dust
Cosmic clock
Our new home
Telephone rock

Tags

#ownwritings, #telepoetry



26 september 2023

What is digitalization, really?

My father is a plumber. He started in that line of work in his early teens, went to a two-year high school program for formal education in the trade and then he continued in that line of work. Connectivity and digitalization were not part of his early life. Computers were not part of his early life. But tinkering with technology always was: cars, electronics, music and audio equipment, household appliances and so on. Thus, when computers started entering the small offices and homes of our home country in the 80s and 90s, his mind was wide open to the possibilities. Using BASIC, he wrote a small application for indexing and keeping track of the keys to the locations where his employer was doing plumbing work. He made a small website to document company events such as barbecue parties and softball tournaments. He used Windows/Total Commander to connect to FTP servers hosted by his friends. He and his bandmates hosted a phpBB forum for staying in touch with booking agents, bar owners, fans, freelance sound engineers and the likes.

When I think of digitalization, I think of my dad and his willingness to put in a little bit of effort to reap the benefits of digital technology on his own terms. A digitalization where the user is not helplessly dependant on a specific technology or product, but in control and able to make choices and where abstaining is always an option. Sadly, this is not the digitalization I see today.

A few weeks ago, I took the car to work. I usually go by train. After parking my car, I went up to the sign showing which of the many parking apps this particular spot used for handling payments. Using my de-Googled Android phone, I installed "Greenwashed ParkApp co." from a third-party store and opened it only to be met by the "Google Play services not supported by your devices" salute. But even if I'd had Google Play services installed, I would still need to be logged in with a Google account. Wait, what? I need a Google account to park my car at work? MicroG aside, what the hell kind of digitalization is that? Somewhere between my dad and his bandmates hosting their own webapp and me having to sign in to Google to park my car at work, something went wrong. Instead of building our digitalized society to our own liking, we are renting it. It is not really ours, not really something we can pride ourselves with.

Luckily, there was still an old parking meter nearby, so I used that instead.

Tags

#ownwritings, #selfhosting, #digitalization, #theweb, #crappytech



25 september 2023

The First Hack I Ever Saw

Roughly twenty years I ago I saw my first hack. And by "hack", I mean "hack" as in something involving computers and someone's digital assets being compromised. Coincidentally, it is also how I learned the Alt+Tab keyboard shortcut.

Me and my friends (whom I shall call Alice and Mallory) were gathered around the classroom computer in elementary school. I don't really know why we had a computer in our classroom, noone was ever using it for studying. Alice was sitting at the keyboard and I was sitting on a chair behind her. Mallory was standing next to the computer, facing me and Alice. It was between classes and we were chatting casually about everything and nothing. Even though she was not supposed to, Alice decided to check her messages on the social network that was all the rage among the kids back then. The computer was already running so she just opened a web browser and navigated to the login page of the application.

Being a somewhat inexperienced computer user (as most twelve-year-olds were in the early 00s), she was looking down at the keyboard while she was typing. As Alice was just about to enter her password, Mallory's hand quickly and unnoticably shot out and pressed Alt+Tab, ever so smoothly and without pause or hesitation in the conversation we were having. An MSN Messenger chat window that someone had left open came into focus. Unclear whose it was (also not relevant in this story) but Alice's password ended up right there in the text buffer of the chat window, in cleartext. Before Alice hit Enter, Mallory swiftly pressed Alt+Tab and circled back to the web browser, where the password field was still awaiting input. Alice hit Enter and looked up at the monitor. She saw the usual prompt along the lines of "password cannot be empty, please try again". With a shrug and a facial expression that said "Computers, eh? Whatcha gonna do?", she complied and logged in, successfully this time.

After checking her messages, Alice, being a good girl, logged out of her account and went out to play with her friends, leaving me and Mallory alone at the computer. With emphasis, Mallory circled to the MSN chat window using the keyboard and looked at me in triumph. I didn't understand at first what I was looking at, a chat window with some nonsensical text not yet sent, but Mallory explained: it was her password. He showed me his Alt+Tab trick and verified that his hack had worked by logging in on her account. In many ways, it was a very good hack; Alice was unaware that she had been compromised and apart from the password string in the MSN Messenger text buffer (which Mallory cleared after memorizing the password) there were no indicators of compromise for anyone to find. The only flaw in Mallory's attack was to disclose it to me. Otherwise, her execution was perfect. Fortunately for Mallory, and unfortunately for Alice, I'm blowing the whistle twenty years after the fact.

Alice ended up defamed before all her friends. Something I could have prevented, where it not for my cowardice. Ultimately, word got out that Alice's account had been hacked. She changed her password, won her reputation back and went on with her life. Last time I saw her she had a kid on her hip and looked well enough. She didn't recognize me. That was ten years ago. I don't think this incident had any significant impact on her life in the long-run, but I am still disapointed in myself because in my first brush with cyber security, I failed to do the right thing. I should have told her about it immediately. Since then, I've learned a thing or two about cyber security and I'm now commited to helping out whenever I can, for whatever that's worth to twelve-year-old Alice.

Tags

#ownwritings, #cybersecurity, #socialengineering, #awareness, #socialnetworks



24 september 2023

Doctorow on the Memex

Author: Cory Doctorow
Title: The Memex Method
Link: https://pluralistic.net/2021/05/09/the-memex-method/

Summary

Doctorow explains his method of blogging and how his posts sometimes "nucleate" and start to point in directions towards what eventually become longer texts.

My Thoughts

For the foreseeable future, this blog is at risk of becoming a list of links to various texts by Cory Doctorow. Nonetheless, as a novice blogger I found this text to be encouraging and inspiring. The idea that a blog is supposed to be a log of your activity on the web, a (we)blog, was new to me. That makes me slightly less embarrassed to do this thing where I mainly just link to content written by others.

Tags

#commentary, #blogging, #memex, #theweb



15 september 2023

Doctorow on Openwashing

Author: Cory Doctorow
Title: "Open" "AI" isn't
Link: https://pluralistic.net/2023/08/18/openwashing/#you-keep-using-that-word-i-do-not-think-it-means-what-you-think-it-means

Summary

Doctorow criticizes the company name OpenAI by saying that what they do is neither open, artificial nor intelligent. He goes on and talks about how the fact that big companies offer open source software (such as Android) does not give us users noticeably more freedom (still stuck choosing between Apple and Google). His main point is that open does not equal freedom, either because companies exaggerate their openness or because their openness locks developers into an ecosystem where they basically end up doing work for free: every that gets added to Google Play Store adds value to Google's Android business as a whole.

My Thoughts

In a discussion I had with my colleagues some time ago, the thought came up that the "Big Evil Company, inc." of the future will pose as some sort of research institute or foundation. I was surprised to see that there seems to be a word for it: openwashing.

Tags

#commentary, #openwashing, #crappytech, #ai



31 august 2023

PHK on electronic privacy

Author: Poul-Henning Kamp
Title: Don’t “Think of the Internet!”
Link: https://queue.acm.org/detail.cfm?id=3606023

Summary

PHK criticizes arguments in favor of electronic privacy and freedom that can be boiled down to "but think of the Internet!" and likens it to the "but think of the children" argument, which he believes is often used dishonestly.

My Thoughts

First article I read by someone from the FOSS world that adds some nuance to the debate around Chat Control 2.0 and similar bills that would regulate the use of strong encryption. I am in favor of electronic privacy and I do think that Chat Control 2.0 is a ridiculous proposition, but PHK's article made me ask myself "why?" seriously for the first time in a long time.

When I ask myself "why is electronic privacy important to me?", I arrive at something akin to "that's what we had back when the Internet was good". Reading PHK's article made me want to find a more profound answer, which is arguably a good thing. I'm still searching, though...

Tags

#commentary, #privacy, #chatcontrol, #eu, #crappytech, #theweb