Hacking is like art. No, hacking IS an art. And, much like art, you can spend years in school learning things like perspective and color theory, but if you can’t actually draw, all that knowledge won’t get you anywhere. Just as no two artists will paint the same scene the same way, no two hackers plan their attacks in the same way. This makes the job of infosec defenders very hard.
Most hackers are not the 1337 Mr. Robot style of multi-talented, morally driven, drug-addled global activist. Most hackers are low-skilled folks who re-use published tools written by actual skilled hackers. These tools can be used by almost anyone to find and exploit vulnerable servers. This type of hacker isn’t well rounded, isn’t targeting any person or server in particular, and is happy to play the numbers game to test millions of servers to find 1 or 2 they can get into. We call this class of hacker a “script kiddie” or, more commonly, “skiddies”.
It’s been a busy summer for me and my writing has fallen by the wayside. I don’t feel too bad about that – summer is fleeting in Canada, after all. But the days are getting shorter and I am starting to plan my rides to take place between 11 am and 5 pm because it’s too cold to be barreling down the highway at any other time. But soon, far too soon, I will pack the bike away in storage for the winter and that’s the signal that I need to get back to writing.
It’s been a fairly slow summer, tech-wise. The only story with legs is the U.S. TikTok saga that has been broiling for several months and is just now showing signs of coming to a resolution. It’s an incredibly silly situation, manufactured by an incredibly silly President, almost certainly attributable to the fact that it’s campaign time in the US leading up to the Presidential election in November. But what the hey, let’s take a look at it just for fun.
Many of us get too much email. Some of us have figured out how to filter email to deal with it. And a very few of us have figured out how to write those filters from scratch, which basically makes us gods. Let me anoint you.
What’s email filtering?
Some people call this email “sorting” – whatever floats your boat. Whatever you call it, this is the process that many of us use to sort our incoming email into folders automatically for us. For many people, this is likely only useful for our work email, but there’s a population out there (like me) that has to filter personal email as well because we get so much of it. It’s not a popularity thing, it’s usually a robot thing. I have so many monitors and alerts and other processes running on my personal infrastructure that I get a lot of automated emails. I need those sorted properly otherwise it’s just a big pile of junk in my inbox and I miss things.
I’ve been online longer than there has been an internet. My first foray into the online world was forums on local bulletin board systems. I talked mostly with people I already knew, and I met many more along the way. Because long-distance phone calls cost money, we generally only called local BBSes and that led to the common practice of user meets. We’d meet at pool halls around the city and get to know each other IRL. We weren’t all necessarily best buddies, but we did all know each other. I eventually graduated to the global Usenet newsgroups and as internet connections became faster and cheaper, now rub elbows with people all over the world. Because of my long history with online communities, I am always intrigued, almost fascinated, by how online communities work. And, in a lot of cases, why they’re generally failing so badly now.
This post is a good old-fashioned “How To”. There is no audio version because this type of post works best visually.
Syncing files across our many devices is big business. Internet giants like Dropbox have built an entire business around it. Google Drive is a critical tool in Google’s arsenal to harvest and sell our personal data, and the well-known open-source syncing project, Nextcloud, is sweeping the internet. There is no denying that there is a huge demand to have all our data at our fingertips on all our devices all the time. Syncing is the answer to this demand, but not the way these guys are doing it. Storing data in the cloud is completely unnecessary to achieve sync-bliss and it increases your risk of data theft and exposure. The risk to reward ratio is low when using these cloud services and using a direct-sync tool like Syncthing lowers that risk dramatically while still providing up-to-date data on all your devices.
The 10-cent tour of syncing
Sync is a short form of the word synchronize. When we say our data is “synced” we really mean that the same version of that data exists on all the devices participating in the sync. When I change a spreadsheet on my home computer and save it to Dropbox, I know when I get to work I can pull that updated spreadsheet from the Dropbox folder on my work computer and carry on with my life. Google Drive, Nextcloud, and probably most other sync services work the same way.
Back in the early aughts, consumer internet became fast enough that it became feasible to download large files. In those days, the biggest files on the internet were usually audio and video files. Streaming wasn’t a thing yet, so this milestone ushered in a massive change in how we consumed content, and it freed us from the 250 channels of crap that the major media houses were jamming down our throats. It also allowed small voices to speak, neutering a powerful lobby of a corrupt mainstream media which was partially funded by special interest groups. It finally put the power back in our hands to consume the content we wanted, and that power largely came from a little thing called podcasts.
I work for one of those very rare companies that lets me try to do things I’ve never done before. I’m many years into this Linux sysadmin thing (La Cosa Linuxstra) and you don’t get very far into this gig without having some scripting chops. Sysadmin code is generally only as elegant as “whatever stops this emergency right now” and I’m the champ of hackey code that keeps stuff running. What I have less experience with is designing complex, easily maintainable code.
Despite that shortcoming, I’ve been entrusted to write some software automation. I’ve spent the last several months creating a bot that takes loosely formatted customer input and tries to produce useful responses. The challenges have been great all throughout the stack. At the bottom, I’ve had to become more familiar with developer stuff like pull requests (wha?). Somewhere in the middle I’ve had to shelve some really powerful concepts because the underlying infra doesn’t exist. At the top, I’ve spent some tense moments trying not to cringe with embarrassment as my fledgling bot gives an absolutely asinine answer to a fairly straightforward request.
Bots are like kids. They’re never really grown up. But you can still learn a lot along the way. Here are some of the things I’ve learned on this ride.
This is a topic that holds a lot of interest for me. As an infosec professional, I have some passing familiarity with Law Enforcement Officers (LEO). The open-source hacker in me resists these interactions by habit, but also usually has to acquiesce because the requests I see are typically legal and rational. My angle in this newsletter is to bring light to technology-adjacent topics, primarily focussing on the unintended consequences, or surprise niche issues, that technology creates in everyday lives. The topic I’ve written about below is a slam dunk for this theme, but I hesitated to write it for a long time. This hesitation is because I am not deaf to the major issues facing police forces in the United States, and specifically, the “defund the police” protests taking place worldwide. For that reason, I’d like to make clear from the outset that what I’ve written about below has nothing to do with the current police issues in the US – I’m not commenting on them, and I am not offering any point of view on them.
The internet has facilitated mass surveillance on a scale that delights law enforcement and terrifies the rest of us who are “in the know.” The sole function of the internet is to route traffic between us and remote internet servers. Those remote internet servers are where the websites and emails and chats and ads are stored, waiting to be shot down the tubes into our eyeballs. In technical circles, we refer to this as convergence. The internet converges traffic from all over the world to specific destinations, just like a highway system converges traffic to little cities dotted all over the countryside. Convergence is the internet’s biggest asset and also the biggest lure for law enforcement.
Despite being in the middle of a long and wildly varying career in technology, I’ve always favoured low-tech solutions to problems. In my line of work that usually means using some low-level technology solution; like, instead of using giant config management tools like Puppet (a real thing), use a simpler ssh-based CM tool like Ansible. The lower level stuff is usually less feature-rich out of the box, but that typically makes it easier to bend to your will. And, it is almost always more resilient because it’s simpler. But my absolute favourite thing isn’t low-tech tech, it’s no-tech solutions altogether.
The basic problem with technology is that much of it is not very good. Technology is just a product manufactured by companies trying to make money. And, just like non-tech products, a lot of it isn’t terribly effective when stacked up against less complicated solutions. Here are some of the most effective, no-tech solutions to real-life problems:
The art of making money on the internet has evolved a lot. Almost every business is doing some portion of their business over the internet, be it just having a humble website to connect with customers or running a full-blown business that can only function over the internet such as the Ubers of the world. Within that second category, there is a subset of businesses that are part of the internet itself. In that group are companies that offer things like web hosting, email services, and domain registration. It’s this last group that is on my radar today.