brhfl.com

"I don't know what to say" (external)

I’m behind on posting about this, but given my potential audience, I wouldn’t be doing so as a warning anyway but rather a curiosity. A couple of weeks ago, malicious code was discovered in an npm package called flatmap-stream placed as a dependency inside event-stream. Publish rights to event-stream were apparently handed off to the bad actor, a user with no history whatsoever, because according to the original author:

he emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore, and haven’t for years.

The attack was quite targeted: the payload was encrypted using the description of another package, so the code would only decrypt and execute if that package was present. It appears that the end goal was getting bitcoin wallet access, as the targeted package was directly related to the Copay wallet. I don’t have much experience with npm, but I’ve gathered that its approach to dependencies is decentralized ownership/maintenance with centralized package lists/names/etc. It also seemingly pulls in minor updates (as declared by the author) automatically, but not major ones. The attack vector here was quite fascinating, then: find a package that doesn’t appear to have been maintained for a while and that is often used alongside a well-maintained package that you want to infiltrate; ask to maintain the first package; push malicious code as a minor update and remove it immediately in a major update; sit back as it makes its way through projects everywhere.

Title link goes to the event-stream issue thread, which is well worth reading for information on the discovery, the forensics process, and a bit of back-and-forth about maintainer responsibility in the open source world. Additionally, in a gist, the original author responded to these issues of responsibility. Finally, if you don’t want to piece it together via the thread, Zach Schneider has an excellent explanation of the attack.
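The “minor updates arrive automatically” part of the story comes down to the version range a consumer writes in its own package.json: a caret range admits any newer minor or patch release of the same major, and only a lockfile pins the exact version that was actually reviewed. The script below is an added illustration of that mechanic, not code from the event-stream thread or from npm itself. It implements the caret/tilde rules for plain MAJOR.MINOR.PATCH versions, resolves each declared range against a constructed registry snapshot, and reports every dependency whose lockfile pin differs from what a fresh install would fetch. All package names and version numbers are made up for the demo.

```javascript
// Added example (not from the original post): why a caret range in package.json
// lets a minor release of a dependency arrive automatically, and what a lockfile
// pin changes. Package names and version numbers below are constructed for the
// demo; they are not the real event-stream / flatmap-stream version history.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release tags are out of scope here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// npm range semantics: ^1.2.3 allows >=1.2.3 <2.0.0; ^0.2.3 allows >=0.2.3 <0.3.0;
// ^0.0.3 allows only 0.0.3; ~1.2.3 allows >=1.2.3 <1.3.0; a bare version is exact.
function satisfiesRange(range, version) {
  const op = range[0];
  const floor = range.replace(/^[\^~]/, '');
  const f = parseVersion(floor), v = parseVersion(version);
  if (compareVersions(version, floor) < 0) return false;
  if (op === '^') {
    if (f.major > 0) return v.major === f.major;
    if (f.minor > 0) return v.major === 0 && v.minor === f.minor;
    return v.major === 0 && v.minor === 0 && v.patch === f.patch;
  }
  if (op === '~') return v.major === f.major && v.minor === f.minor;
  return compareVersions(version, floor) === 0; // exact pin
}

// What an install with no lockfile would pick: the highest published version
// that satisfies the range.
function resolve(range, published) {
  const ok = published.filter(v => satisfiesRange(range, v));
  if (ok.length === 0) return null;
  return ok.sort(compareVersions).pop();
}

// Audit: for each dependency, compare the lockfile pin with what a fresh resolve
// would fetch. A mismatch means a newer release (possibly from a new maintainer)
// enters the build silently on any machine that installs without the lock.
function auditDrift(packageJson, lockfile, registry) {
  const findings = [];
  for (const [name, range] of Object.entries(packageJson.dependencies)) {
    const pinned = lockfile[name];
    const fresh = resolve(range, registry[name] || []);
    if (fresh && pinned && compareVersions(fresh, pinned) !== 0) {
      findings.push({ name, range, pinned, wouldInstall: fresh });
    }
  }
  return findings;
}

// Constructed sample data.
const samplePackageJson = {
  dependencies: { 'example-stream': '^3.3.4', 'example-util': '~1.2.0' },
};
const sampleLockfile = { 'example-stream': '3.3.4', 'example-util': '1.2.3' };
// Constructed registry state after a hypothetical handover: 3.3.6 is the new
// maintainer's minor release, 4.0.0 the major release that followed it.
const sampleRegistry = {
  'example-stream': ['3.3.4', '3.3.5', '3.3.6', '4.0.0'],
  'example-util': ['1.2.3', '1.3.0'],
};

console.log(auditDrift(samplePackageJson, sampleLockfile, sampleRegistry));
```

Run against the constructed data, the audit flags only `example-stream`: the caret range resolves to 3.3.6 while the lockfile still says 3.3.4, and 4.0.0 is excluded because it crosses the major boundary. The tilde range on `example-util` resolves to exactly what is pinned. The practical lesson is the one the thread draws: commit the lockfile, install from it in CI, and treat an unexplained change in a pinned version as something to review rather than something that merely happened.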


Lava lamps as HRNGs (external)

I never thought I’d link to one of those terrible sites that forces you to scroll through an entire page worth of image before you can even begin reading, but here we are. If you haven’t visited Wired recently, be warned: it is very user-antagonistic. But this article, despite its brevity and reading like an ad for Cloudflare, is pretty interesting. The gist is that one of Cloudflare’s hardware random number generation techniques involves photographing an array of lava lamps.


DuckDuckGo

A while back, I started testing two things to switch up my browsing habits (and partially free them from Google): I began using Firefox Quantum[1], and I switched my default search provider to DuckDuckGo. I have been spending pretty much equal time with both Google and DuckDuckGo since (though, admittedly, I have many prior years of comfort with Google). This has been more than just a purposeless experiment. Google started out as a company that I liked that made a product that I liked. This slowly but surely morphed into a company that I was somewhat iffy about, but with several products that I liked. Nowadays, the company only increases in iffiness, while Google’s products increasingly feel bloated and clumsy. Meanwhile the once-laughable alternatives to said products have improved dramatically.

As far as results are concerned, Google (the search engine, from here on out) is still quite good. When it works, it’s pretty much unbeatable for result prioritization, that is, getting me the answer I’m seeking out with little-to-no poking around. But it’s not infrequent that I come across a query that simply doesn’t work: it’s too similar to a more common query, so Google thinks I must have wanted the common thing, or Google includes synonyms for query terms that completely throw off the results. The ads and sponsored results (aka different ads) are increasing to the point of being a distraction (particularly on mobile, where it can take multiple screens’ worth of scrolling to actually get to results). AMP content is prioritized, and AMP is a real thorn in the side of the open web (Kyle Schreiber sums up many of AMP’s problems succinctly). Finally, Google is obviously an advertising company, and we all know by now that everything we search for exists as a means to track us. This is not a huge complaint for me; it’s a known ‘price’ for the service. For as much as it leads to targeted advertising, it also helps tailor search results. Of course, this seems nice on the surface, but is a bit of a double-edged sword due to the filter bubble.

To be fair, some of these things are mitigated by using encrypted.google.com, but its behavior is seemingly undocumented and certainly nothing I would rely on[2]. This is where DuckDuckGo, which was designed from the ground up to avoid tracking, comes in. DuckDuckGo makes its money from ads, but these ads are based on the current search rather than anything persistent. They can also be turned off in settings. The settings panel also offers a lot of visual adjustments, many of which I’m sure are welcome for users with limited vision[3]. Anyway, my experiences thus far using DuckDuckGo as a serious contender to Google are probably best summed up as a list:

All in all, I have no qualms using DuckDuckGo as my primary search engine. I will not pretend that I do not occasionally need to revert to Google to get results on some of the weirder stuff that I’m trying to search for – although, as mentioned earlier, Google thinks it’s smarter than me and rewrites my obscure searches half the time anyway. DuckDuckGo isn’t entirely minimalist or anything, but its straightforward representation, its immediacy, and its clarity all remind me of how clean Google was when it first came to exist in a sea of Lycoses, AltaVistas, and Dogpiles. It returns decent results, and it’s honestly just far more pleasant to use than Google is these days.


An interesting memcached/UDP amplification attack (external)

There are a handful of reports out there about a recent DDoS attack that relied on memcached and DDoS’s best friend, UDP. The link is to Cloudflare’s blog post about the attack, which is a thorough yet accessible explanation. It seems like this is the most amplified amplification attack yet, and without even using a significant number of memcached vectors. A lot of the potential vectors were on cloud hosts like AWS and Linode; many of these have apparently closed up the hole. Hopefully this minimizes the potential for a larger attack, but it’s worth quoting Cloudflare:

The [UDP] specification shows that it’s one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! […] Developers: Please please please: Stop using UDP.

Cloudflare also touches on the fact that the larger problem is IP spoofing, and they wrote a followup post about that specifically. I just found the memcached amplification attack fascinating.
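The reason memcached over UDP amplifies so well is the asymmetry Cloudflare describes: a few bytes of spoofed request, with no handshake to prove the sender address, produce a response many orders of magnitude larger that goes straight to whoever the address said. From the defender’s side, the useful question is whether one of your own memcached hosts is quietly serving as such a reflector. The script below is an added example, not from Cloudflare’s post or from memcached, that works that out from NetFlow-style records: it aggregates UDP traffic on port 11211 per (server, peer) pair, computes the bytes-out over bytes-in ratio (the amplification factor that peer is getting), and flags pairs whose ratio and volume are far beyond anything a real cache client would see. The record format, addresses and byte counts are all constructed for the demo.

```javascript
// Added example (not from Cloudflare's post or the original page): spotting a
// memcached host on your own network that is being used as a UDP reflector,
// from NetFlow-style records. The record format and all addresses/byte counts
// are constructed for this demo.

const MEMCACHED_PORT = 11211;

// Constructed flow records: proto, source ip:port, destination ip:port, bytes.
// Normal client traffic is small in both directions; a reflected response is a
// tiny spoofed request followed by a huge reply to the victim's address.
const sampleFlows = [
  'udp 198.51.100.7:53211 10.0.0.5:11211 15',      // request, source claims to be the victim
  'udp 10.0.0.5:11211 198.51.100.7:53211 750000',  // reply goes to the victim
  'udp 198.51.100.7:53211 10.0.0.5:11211 15',
  'udp 10.0.0.5:11211 198.51.100.7:53211 750000',
  'udp 10.0.0.9:40000 10.0.0.5:11211 40',          // legitimate LAN client
  'udp 10.0.0.5:11211 10.0.0.9:40000 1200',
  'tcp 10.0.0.9:40001 10.0.0.5:11211 40',          // TCP: handshake makes spoofing useless
  'tcp 10.0.0.5:11211 10.0.0.9:40001 1200',
];

function parseFlow(line) {
  const [proto, src, dst, bytes] = line.trim().split(/\s+/);
  const [srcIp, srcPort] = src.split(':');
  const [dstIp, dstPort] = dst.split(':');
  return { proto, srcIp, srcPort: +srcPort, dstIp, dstPort: +dstPort, bytes: +bytes };
}

// RFC 1918 check, so the report can say whether the peer is outside the network.
function isRfc1918(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Aggregate UDP traffic per (memcached server, peer) pair and compute the
// bytes-out / bytes-in ratio, i.e. the amplification factor that peer receives.
function findReflection(lines, { minRatio = 100, minBytesOut = 100000 } = {}) {
  const pairs = new Map();
  for (const f of lines.map(parseFlow)) {
    if (f.proto !== 'udp') continue;
    let key, dir;
    if (f.dstPort === MEMCACHED_PORT) { key = `${f.dstIp}|${f.srcIp}`; dir = 'in'; }
    else if (f.srcPort === MEMCACHED_PORT) { key = `${f.srcIp}|${f.dstIp}`; dir = 'out'; }
    else continue;
    const acc = pairs.get(key) || { in: 0, out: 0 };
    acc[dir] += f.bytes;
    pairs.set(key, acc);
  }
  const findings = [];
  for (const [key, acc] of pairs) {
    const [server, peer] = key.split('|');
    const ratio = acc.in > 0 ? acc.out / acc.in : Infinity;
    if (acc.out >= minBytesOut && ratio >= minRatio) {
      findings.push({
        server, peer, bytesIn: acc.in, bytesOut: acc.out,
        amplification: Math.round(ratio), peerIsExternal: !isRfc1918(peer),
      });
    }
  }
  return findings;
}

console.log(findReflection(sampleFlows));
```

On the constructed records the only finding is the pair 10.0.0.5 → 198.51.100.7: 30 bytes in, 1.5 MB out, an amplification factor of 50,000 to an external address, which is the signature of a reflector rather than a client. The LAN client pair has a ratio of 30 and tiny volume, and the TCP flows are ignored entirely, since a completed handshake means the responses can only reach the real requester. The fix the cloud hosts applied is the one to apply here too: memcached should not listen on UDP at all (`-U 0` disables that listener) and should be bound to an interface or firewalled so that only its actual clients can reach port 11211.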


Weird Amazon/CreateSpace fraud (external)

Brian Krebs reports on one of the stranger scams I’ve read about in recent years. Essentially, an author’s name (and tax info) was used to publish a book of pure nonsense via CreateSpace and sell it for an exorbitant price, presumably as part of a money-laundering scheme:

Reames said he suspects someone has been buying the book using stolen credit and/or debit cards, and pocketing the 60 percent that Amazon gives to authors. At $555 a pop, it would only take approximately 70 sales over three months to rack up the earnings that Amazon said he made.

Patrick Reames, the (real) author in question, discovered the whole thing upon being sent a 1099 for massive earnings he hadn’t actually made. A rather convoluted scheme, but it’s easy to see how it wouldn’t be detected for quite some time. Fascinating read.


"You're scaring us" (external)

Somehow I missed this until now, but of course after Mozilla went and released their first good web browser in forever, they then went and mucked everything up. Apparently the ‘Shield Studies’ feature, which is supposed to act as a distributed test system for new features, was instead used to unwittingly install a disturbing-looking extension that was effectively an ad for a TV show. The problem ultimately seems to stem from a disconnect between Mozilla (the corporation) and Mozilla (the NPO and community) – and in fact, their developers were not thrilled about it. This is a huge breach of trust, and if Mozilla (the corporation) can’t wrap their head around their own manifesto, I can’t imagine a very good future. Mozilla did acknowledge that they fucked up, but the apology seems rather half-hearted at best. I know I have disabled Shield Studies, and until I see some evidence that a genuine attempt is being made to restore user trust, I will remain skeptical of Mozilla’s motives.


The internet sucks (external)

Well, this sucks. My host, NFSN, is doing a major overhaul to their pricing scheme simply because the internet has become such a horrible hotbed of malice. To be clear, when I say ‘this sucks’, I don’t mean any negativity toward NFSN. The article link up there goes to their blog post explaining the matter, and it frankly seemed inevitable that fighting DDOS attacks would catch up to their pricing scheme. Previously, if you had a static site with low bandwidth and storage, you could probably get a year out of a quarter (domain registration not included, of course). The new plan allows for basically a $3.65 annual minimum which is still impressive (especially given what NFSN offers). But it’s a bummer that it’s come to this.

I would like to reiterate that this is not a complaint against NFSN. I will continue to use them for hosting, I will continue to recommend them, I will continue to praise them. I believe this is a necessary move. I’m just really, really pissed off that this is where we are with the internet. I don’t know what’s going on behind the scenes as far as law enforcement, but the internet is a global network (really?) and that’s not an easy problem to solve. I just hope something is happening to clean this wasteland up, because the advancements we’ve made in the information age are too important to bury under a sheet of malice.