I’m behind on posting about this, but given my potential audience, I wouldn’t be doing so as a warning anyway, but rather as a curiosity. A couple of weeks ago, malicious code was discovered in an npm package called flatmap-stream, which had been added as a dependency of event-stream. Publish rights to event-stream were apparently handed off to the bad actor, a user with no history whatsoever, because according to the original author:
he emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore, and haven’t for years.
The attack was quite targeted: the payload was encrypted with a key taken from the description field of one specific package, so it only decrypted and ran when flatmap-stream was installed inside that package’s build. It appears that the end goal was getting bitcoin wallet access, as that package was directly related to the Copay wallet. I don’t have much experience with npm, but I’ve gathered that its approach to dependencies is decentralized ownership/maintenance with centralized package lists/names/etc. Newer minor and patch releases also flow into dependants more or less automatically: the default caret (^) range that npm writes into package.json accepts any later release within the same major version, so unless a project pins exact versions in a lockfile, its next install picks them up, whereas a major bump does not. The vector of attack here was quite fascinating then: find a package that doesn’t appear to have been maintained for a while and that is often used alongside a well-maintained package that you want to infiltrate; ask to maintain the first package; push the malicious dependency in a patch release (flatmap-stream arrived in event-stream 3.3.6) and remove it almost immediately in a major release (4.0.0) so the whole thing looks like routine churn; sit back as the patch release makes its way through projects everywhere.
Title link goes to the event-stream issue thread, which is well worth reading for information on the discovery, the forensics process, and a bit of back-and-forth about maintainer responsibility in the open source world. Additionally, in a gist, the original author responded to these questions of responsibility. Finally, if you don’t want to piece it together via the thread, Zach Schneider has an excellent explanation of the attack.
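As an added example (mine, not code from the original post, the event-stream project, or npm), here is the check I would actually want in CI for this pattern: diff two package-lock.json files and flag any package that newly appears underneath a dependency whose own version only moved by a patch or minor bump, which is exactly what event-stream 3.3.5 to 3.3.6 looked like. It also includes a small caret-range check to show why such a bump reaches dependants at all. The two lockfiles are constructed and trimmed to the fields the walker reads; the ‘suspicious’ rule and the name-keyed flattening are simplifications for the example.

```python
"""Diff two npm package-lock.json (v1) trees and flag dependency additions.

Added example, not code from the original post, event-stream, or npm. It
flattens the "dependencies" tree of each lockfile into {name: version},
reports packages that appeared between the two, and marks as suspicious any
new package whose parent only moved by a patch or minor bump. A non-major
release that suddenly needs a new transitive dependency is the event-stream
3.3.5 -> 3.3.6 pattern.
"""
import json

# Constructed lockfiles for the example, trimmed to the fields read below.
LOCK_BEFORE = json.loads("""
{
  "name": "example-app", "lockfileVersion": 1,
  "dependencies": {
    "event-stream": {
      "version": "3.3.5",
      "requires": {"through": "~2.3.1"},
      "dependencies": {"through": {"version": "2.3.8"}}
    }
  }
}
""")

LOCK_AFTER = json.loads("""
{
  "name": "example-app", "lockfileVersion": 1,
  "dependencies": {
    "event-stream": {
      "version": "3.3.6",
      "requires": {"through": "~2.3.1", "flatmap-stream": "~0.1.0"},
      "dependencies": {
        "through": {"version": "2.3.8"},
        "flatmap-stream": {"version": "0.1.1"}
      }
    }
  }
}
""")


def flatten(lock):
    """Return ({name: version}, {name: parent}) for every node in the tree.
    Keyed by name for brevity: a real lockfile can nest the same name at
    several versions, which a production check should key by path."""
    versions, parents = {}, {}

    def walk(deps, parent):
        for name, node in deps.items():
            versions[name] = node["version"]
            parents[name] = parent
            walk(node.get("dependencies", {}), name)

    walk(lock.get("dependencies", {}), None)
    return versions, parents


def bump_level(old, new):
    """Classify a semver change as 'major', 'minor', 'patch' or 'same'."""
    o = [int(x) for x in old.split(".")[:3]]
    n = [int(x) for x in new.split(".")[:3]]
    for level, a, b in zip(("major", "minor", "patch"), o, n):
        if a != b:
            return level
    return "same"


def caret_allows(base, candidate):
    """Does npm's default range ^base accept candidate? For base >= 1.0.0
    that means same major and candidate >= base, which is why a new minor
    or patch release reaches every unpinned dependant on its next install.
    (The narrower 0.x rule is deliberately not handled here.)"""
    b = [int(x) for x in base.split(".")[:3]]
    c = [int(x) for x in candidate.split(".")[:3]]
    return b[0] == c[0] and c >= b


def diff_locks(before, after):
    """Return findings: new packages (with their parent's bump level) and
    version changes. New packages whose parent moved only by a patch or
    minor bump are marked suspicious."""
    old_v, _ = flatten(before)
    new_v, new_parent = flatten(after)
    findings = []
    for name in sorted(set(new_v) - set(old_v)):
        parent = new_parent[name]
        parent_bump = (bump_level(old_v[parent], new_v[parent])
                       if parent in old_v else "new-root")
        findings.append({
            "package": name, "version": new_v[name], "parent": parent,
            "parent_bump": parent_bump,
            "suspicious": parent_bump in ("patch", "minor"),
        })
    for name in sorted(set(new_v) & set(old_v)):
        if old_v[name] != new_v[name]:
            findings.append({
                "package": name, "from": old_v[name], "to": new_v[name],
                "bump": bump_level(old_v[name], new_v[name]),
            })
    return findings


if __name__ == "__main__":
    for finding in diff_locks(LOCK_BEFORE, LOCK_AFTER):
        print(finding)
```

Run against real lockfiles, the interesting output is the suspicious entry: flatmap-stream 0.1.1 appearing under event-stream after nothing more than a 3.3.5 to 3.3.6 patch bump. The caret check makes the other half of the point: caret_allows('3.3.5', '3.3.6') is true, caret_allows('3.3.5', '4.0.0') is false, so the malicious release is exactly the one that unpinned projects would have pulled.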
I never thought I’d link to one of those terrible sites that forces you to scroll through an entire page worth of image before you can even begin reading, but here we are. If you haven’t visited Wired recently, be warned: it is very user-antagonistic. But this article, despite its brevity and reading like an ad for Cloudflare, is pretty interesting. The gist is that one of Cloudflare’s hardware random number generation techniques involves photographing an array of lava lamps. Worth noting: the camera frames are one entropy source mixed into the pool alongside the servers’ own sources, not the sole thing the randomness is drawn from.
A while back, I started testing two things to switch up my browsing habits (and partially free them from Google): I began using Firefox Quantum, and I switched my default search provider to DuckDuckGo. I have been spending pretty much equal time with both Google and DuckDuckGo since (though, admittedly, I have many prior years of comfort with Google). This has been more than just a purposeless experiment. Google started out as a company that I liked that made a product that I liked. This slowly but surely morphed into a company that I was somewhat iffy about, but with several products that I liked. Nowadays, the company only increases in iffiness, but Google’s products are increasingly feeling bloated and clumsy. Meanwhile the once-laughable alternatives to said products have improved dramatically.
As far as results are concerned, Google (the search engine, from here on out) is still quite good. When it works, it’s pretty much unbeatable for result prioritization, that is, getting me the answer I’m seeking out with little-to-no poking around. But it’s not infrequent that I come across a query that simply doesn’t work – it’s too similar to a more common query, so Google thinks I must have wanted the common thing, or Google includes synonyms for query terms that completely throw off the results. The ads, and sponsored results (aka different ads) are increasing to the point of being a distraction (particularly on mobile, it can take multiple screens worth of scrolling to actually get to results). AMP content is prioritized, and AMP is a real thorn in the side of the open web (Kyle Schreiber sums up many of AMP’s problems succinctly). Finally, Google is obviously an advertising company, and we all know by now that everything we search for exists as a means to track us. This is not a huge complaint for me; it’s a known ‘price’ for the service. For as much as it leads to targeted advertising, it also helps tailor search results. Of course, this seems nice on the surface, but is a bit of a double-edged sword due to the filter bubble.
To be fair, some of these things are mitigated by using encrypted.google.com, but its behavior is seemingly undocumented and certainly nothing I would rely on. This is where DuckDuckGo, which was designed from the ground up to avoid tracking, comes in. DuckDuckGo makes its money from ads, but these ads are based on the current search rather than anything persistent. They can also be turned off in settings. The settings panel also offers a lot of visual adjustments, many of which I’m sure are welcome for users with limited vision. Anyway, my experiences thus far using DuckDuckGo as a serious contender to Google are probably best summed up as a list:
- For the most part, normal search seems to have near-parity with Google, that is, if I’m looking to be taken elsewhere on the web, I will likely get a helpful result as quickly (or nearly so) as I would with Google. For more niche searches, Google definitely does better at diving deep. Occasionally, if I’m looking to refer back to a specific post on this blog, I’ll just lazily search ‘brhfl firefox’ or the like, and Google definitely gets me there more quickly.
- Google seems to crawl (or at least re-crawl) more often, that is, the descriptions for pages seem like they update quite a bit more often.
- I loathe infinite scrolling, which means that Google has the ‘better’ pagination UI in my opinion. You can disable the automatic loading of more results in DuckDuckGo, but it still loads ‘pages’ in a gross, AJAXy way instead of having real pagination.
- Infinite scrolling aside, however, the minimalist UI is much cleaner than Google’s increasingly messy results list. It also (again, infinite scrolling aside) feels snappier, though I doubt it’s actually faster. I think the immediacy of the content simply makes it feel like good things are coming fast.
- DuckDuckGo has great keyboard support, whereas Google has… none. DuckDuckGo lets you navigate results with either cursor keys or vim keys, and vim keys override Firefox’s instant search, making for an incredibly convenient keyboard-driven experience.
- ‘Instant Answers’ are a mixed bag in that they just work… differently than Google’s analogue, with some being more useful, others less. Right now, for example, searching for ‘Ada Lovelace’ brings up images and Wikipedia on Google, vs. news and Wikipedia on DuckDuckGo. In this instance, I think DuckDuckGo made a better choice, but it’s hard to say when images of a person would be more or less useful than news. Some really weird math (like ‘days in a year times 2’) works in Google, but not DuckDuckGo. Oddly, ‘days in a year’ yields a weird calendar result via TimeAndDate.com from Google, whereas DuckDuckGo tells us the answer: 365.25. Instant Answers have been created and submitted by the community, so there is some weird, frivolous stuff like the ability to play 2048.
- Bangs are my saving grace as far as Firefox’s terrible search bar is concerned, they’re just handy shortcuts to other search engines. For example, ‘!a sailor moon luna plush’ to search Amazon for, well, a Sailor Moon Luna plush. These, too, have been at least somewhat user-submitted, and presumably this is why these are fairly inconsistent. Translation (via Google Translate) is an obvious show of this: many have three distinct forms (to Estonian, for example, can be !gtes, !gtestonian, or !gt-estonian), but not all. Remembering which languages have what bangs available is an exercise for the user. One also has to consider what would be an Instant Answer vs. what would require a bang – ‘translate river to estonian’ pulls up an instant result in Google, but in DuckDuckGo one must rely on a bang. I don’t know that I would give these a second thought if not for trying to fix Firefox.
- Some trivial matters…
  - The DuckDuckGo team seems really responsive and open to discussion on Twitter, which is always nice.
  - There’s a mobile browser app, which is sort of… a heavier version of Firefox Focus, almost? Just a privacy-focused browser, with something called a privacy grade that ranks sites based on how much tracking it finds, and reports the tracking to you. It’s a welcome addition to the browser space.
  - They also make desktop browser extensions that I haven’t used but that I believe do basically the same stuff as the mobile browser.
  - Google doodles will always be great, that’s like a really weird human edge that Google has.
All in all, I have no qualms using DuckDuckGo as my primary search engine. I will not pretend that I do not occasionally need to revert to Google to get results on some of the weirder stuff that I’m trying to search for – although, as mentioned earlier, Google thinks it’s smarter than me and rewrites my obscure searches half the time anyway. DuckDuckGo isn’t entirely minimalist or anything, but its straightforward representation, its immediacy, and its clarity all remind me of how clean Google was when it first came to exist in a sea of Lycoses, AltaVistas, and Dogpiles. It returns decent results, and it’s honestly just far more pleasant to use than Google is these days.
A handful of reports are out there about a recent DDoS attack that relied on memcached and DDoS’s best friend, UDP. Link is to Cloudflare’s blog post about the attack, which is a thorough yet accessible explanation. It seems like this is the most amplified amplification attack yet, and without even using a significant number of memcached reflectors. A lot of the potential reflectors were on cloud hosts like AWS and Linode; many of these have apparently since closed up the hole. Hopefully this minimizes the potential for a larger attack, but it’s worth quoting Cloudflare:
The [UDP] specification shows that it’s one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! […] Developers: Please please please: Stop using UDP.
Cloudflare also touches on the fact that the larger problem is IP spoofing, and they wrote a followup post about that specifically. The fix on the memcached side is at least straightforward: memcached’s -U flag sets its UDP port, and -U 0 turns the UDP listener off entirely, so any instance still answering on 11211/udp from the internet is a reflector waiting to be used. I just found the memcached amplification attack fascinating.
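The detection side of this, as an added example of my own rather than anything from the post or from Cloudflare: a small scanner over flow records that pairs tiny UDP requests to port 11211 with the replies they provoke and reports conversations whose byte ratio is wildly lopsided. The sample lines are constructed, their field order is my assumption rather than any standard export format, the addresses are from the documentation ranges, and the 10x cutoff is an arbitrary starting point.

```python
"""Flag memcached (UDP/11211) amplification in flow records.

Added example: this is not code from the original post or from Cloudflare's
write-up. It scans constructed NetFlow-style lines and reports conversations
in which small UDP requests to port 11211 are answered with far more bytes,
which is the amplification pattern the attack relies on. In a real attack
the request source is the spoofed victim, so the replies land on it.

The field order of the sample lines (src, sport, dst, dport, proto, packets,
bytes) is an assumption for this example, not a standard export format.
"""

MEMCACHED_PORT = 11211
AMPLIFICATION_THRESHOLD = 10.0  # response bytes per request byte; assumed cutoff

# Constructed sample records: one reflector (198.51.100.9), one spoofed
# victim (203.0.113.7), plus TCP and DNS traffic that must be ignored.
FLOWS = """\
# src            sport  dst             dport  proto packets bytes
203.0.113.7      51111  198.51.100.9    11211  UDP   1       15
198.51.100.9     11211  203.0.113.7     51111  UDP   538     752000
203.0.113.7      51111  198.51.100.9    11211  UDP   1       15
198.51.100.9     11211  203.0.113.7     51111  UDP   1       64
192.0.2.5        40001  198.51.100.9    11211  TCP   12      3100
198.51.100.9     11211  192.0.2.5       40001  TCP   14      9800
192.0.2.5        53011  198.51.100.53   53     UDP   1       62
198.51.100.53    53     192.0.2.5       53011  UDP   1       180
"""


def parse_flows(text):
    """Parse the whitespace-separated records above into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, packets, nbytes = line.split()
        flows.append({
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": proto, "packets": int(packets), "bytes": int(nbytes),
        })
    return flows


def find_amplification(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Group UDP traffic to and from port 11211 per (client, port, server)
    conversation, sum bytes in each direction, and return conversations
    whose response/request byte ratio meets the threshold. Replies with no
    observed request are skipped rather than guessed at."""
    req_bytes, resp_bytes = {}, {}
    for f in flows:
        if f["proto"] != "UDP":
            continue
        if f["dport"] == MEMCACHED_PORT:
            key = (f["src"], f["sport"], f["dst"])
            req_bytes[key] = req_bytes.get(key, 0) + f["bytes"]
        elif f["sport"] == MEMCACHED_PORT:
            key = (f["dst"], f["dport"], f["src"])
            resp_bytes[key] = resp_bytes.get(key, 0) + f["bytes"]
    findings = []
    for key, requested in req_bytes.items():
        responded = resp_bytes.get(key, 0)
        ratio = responded / requested if requested else 0.0
        if ratio >= threshold:
            client, port, server = key
            findings.append({
                "victim": client, "victim_port": port, "reflector": server,
                "request_bytes": requested, "response_bytes": responded,
                "ratio": ratio,
            })
    return sorted(findings, key=lambda x: x["ratio"], reverse=True)


if __name__ == "__main__":
    for hit in find_amplification(parse_flows(FLOWS)):
        print(f'{hit["reflector"]} -> {hit["victim"]}: '
              f'{hit["response_bytes"]} B back for {hit["request_bytes"]} B '
              f'({hit["ratio"]:.0f}x)')
```

On the constructed records the reflector returns 752,064 bytes for 30 bytes of requests, a ratio in the tens of thousands, while the TCP memcached traffic and the DNS exchange are ignored. Seen from a hosting provider’s side, the ‘victim’ field is the address being flooded, and the reflector is the host that needs its UDP listener turned off.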
Brian Krebs reports on one of the stranger scams I’ve read about in recent years. Essentially an author’s name (and tax info) was used to publish a book of pure nonsense using CreateSpace, and sell it for an exorbitant price, presumably as part of a money-laundering scheme:
Reames said he suspects someone has been buying the book using stolen credit and/or debit cards, and pocketing the 60 percent that Amazon gives to authors. At $555 a pop, it would only take approximately 70 sales over three months to rack up the earnings that Amazon said he made.
Patrick Reames, the (real) author in question, discovered the whole thing upon being sent a 1099 for massive earnings he hadn’t actually made. A rather convoluted scheme, but it’s easy to see how it wouldn’t be detected for quite some time. Fascinating read.
Somehow I missed this until now, but of course after Mozilla went and released their first good web browser in forever, they then went and mucked everything up. Apparently the ‘Shield Studies’ feature, which is supposed to act as a distributed test system for new features, was instead used to unwittingly install a disturbing-looking extension that was effectively an ad for a TV show. The problem ultimately seems to stem from a disconnect between Mozilla (the corporation) and Mozilla (the NPO and community) – and in fact, their developers were not thrilled about it. This is a huge breach of trust, and if Mozilla (the corporation) can’t wrap their head around their own manifesto, I can’t imagine a very good future. Mozilla did acknowledge that they fucked up, but the apology seems rather half-hearted at best. I know I have disabled Shield Studies, and until I see some evidence that a genuine attempt is being made to restore user trust, I will remain skeptical of Mozilla’s motives.
Well, this sucks. My host, NFSN, is doing a major overhaul to their pricing scheme simply because the internet has become such a horrible hotbed of malice. To be clear, when I say ‘this sucks’, I don’t mean any negativity toward NFSN. The article link up there goes to their blog post explaining the matter, and it frankly seemed inevitable that fighting DDOS attacks would catch up to their pricing scheme. Previously, if you had a static site with low bandwidth and storage, you could probably get a year out of a quarter (domain registration not included, of course). The new plan allows for basically a $3.65 annual minimum which is still impressive (especially given what NFSN offers). But it’s a bummer that it’s come to this.
I would like to reiterate that this is not a complaint against NFSN. I will continue to use them for hosting, I will continue to recommend them, I will continue to praise them. I believe this is a necessary move. I’m just really, really pissed off that this is where we are with the internet. I don’t know what’s going on behind the scenes as far as law enforcement, but the internet is a global network (really?) and that’s not an easy problem to solve. I just hope something is happening to clean this wasteland up, because the advancements we’ve made in the information age are too important to bury under a sheet of malice.