1. 3

    It would be really interesting to learn what makes the author believe this set of relays is malicious. Though, of course, sharing this information would burn the technique…

    1. 2

      Definitely, like what does this mean:

      and the fact that someone runs such a large network fraction of relays “doing things” that ordinary relays can not do (intentionally vague)

      What kind of things can an ordinary client “not do”? Are those things just not built into the typical implementations or maybe the nodes coordinate amongst themselves and act in a way that a single node wouldn’t?

      1. 2

        If you control every node in the onion chain, you can see the whole communication stream AND know which IP addresses are communicating with which services, and maybe fingerprint the browser using Tor based off the Tor config sent in (preferences as to routing) and the SSL negotiation traffic (it’s not a lot, but it’s not nothing) AND if there’s a self-signed cert at the service being accessed, you can also MITM the stream and access the cleartext.

        At scale, that might yield some interesting information if you wanted to identify people with double lives that might be interesting (undercover spies, people worth blackmailing, discover clues to the future in traffic analysis), especially if you use other surveillance techniques like buying DNS lookup data or operating major network infrastructure.

        Edit: On reflection this would be feasible and not especially expensive for a consortium of international law enforcement agencies looking to see who’s using illegal marketplaces and distributing CSAM, with a smattering of maybe catching some terrorist activity.

      2. 1

        Well once you’ve identified a large group, if they keep coming back when removed from the directory, it’s not someone just doing it for fun.

        The question is how they identify that the group is under common control.

      1. 6

        The MSRC article mentioned in the comments is also extremely interesting: Building Faster AMD64 memset Routines. In particular, the post does a great job of explaining performance despite how opaquely modern CPU features behave (cache lines, branch prediction, speculative execution, etc.).

        Sidebar: I love the idea of optimizing at the scale of single instructions and yet have an effect on the total performance of the system.

        1. 1

          The automemcpy paper at ISMM this year was also interesting (and the code from it is now being merged into LLVM’s libc). The most surprising thing to me from both their work and Joe’s experiments on Windows was that 0 is one of the most common sizes for memcpy.

        1. 15

          Note: this article contains inline images of marked classified documents.

          This comment is not intended to spark a discussion; simply put, some people may want to avoid the article for this reason.

          1. 9

            Those images are the same as those found on this webpage: https://nsa.gov1.info/dni/nsa-ant-catalog/usb/index.html which is the first hit for a web search.

            There is a Wikipedia page on them https://en.wikipedia.org/wiki/NSA_ANT_catalog which says they were leaked in 2013 by Der Spiegel.

            I can see that NDA being applied to “I took a peek at my boss’s desk” or “I went on the dark web and paid 10 bitcoins for this information”. I cannot see that being applied to “I did a web search and found it on Wikipedia.”

            And in any case, I don’t know if those are authentic or made up by a teenager hoping to get money from Der Spiegel.

            1. 5

              Out of curiosity… why?

              1. 12

                IANAL etc etc… My understanding is something along the lines of… those holding US clearances sign an NDA to agree not to access classified documents for which they are not authorized nor need to access. I understand these people may want to avoid marked classified documents leaked online, for example because they may not have the “need to know”.

                I’m not here to dictate or judge, just to note for those who care about this material.

                1. 4

                  Correct! It’s generally the same reason why prominent emulator developers won’t look at or access leaked documents/source code. It’s a whole can of beans that nobody should ever put themselves near.

              2. 1

                Good point, it would be polite to put up a “spoiler warning” if you’re going to do this. And there are plenty of publicly available examples they could have used to make the same point. Ah well.

              1. 5

                I had just read Dan Luu’s post Some reasons to work on productivity and velocity where he makes some similar arguments. I’ve enjoyed both these discussions.

                1. 2

                  Now imagine the system can toggle which peer is the master node, thus transferring control flow over network, even right in the middle of a loop or deep closure. Photon achieves this.

                  I’m interested to see how the authors approach security and trust with this model. It’s neat that the system can pass around execution environments from client to server to client again; what happens if the client is untrusted? Perhaps there is a virtual evaluator or sandbox that restricts access to resources on the server.

                  1. 2

                    I have the same question. One might use micro apps inside an SPA with different ACLs for each backend connection. Or more fine-grained per-attribute ACL but then it is unknown to me (and I am very interested to know!)

                  1. 5

                    I’ve enjoyed the series of articles and appreciate that when the author received feedback, they incorporated it and used that as fodder for subsequent blog posts. As a reader, it’s felt as if I were along for the ride.

                    1. 5

                      The nom error handling section of this post is the best I’ve stumbled across so far. Some concrete examples of getting the span location and human-readable messages. Definitely will be using these tips in my projects.

                      1. 8

                        Am I alone in feeling frustrated that botnets are ubiquitous in the modern Internet but very little seems to be being done to combat them? Are botnet takedowns not well publicised, or is it simply too much effort for it to be economical? Perhaps someone with experience in the area can enlighten me.

                        1. 14

                          Author here: you are not alone. This is the first time I have had to actually do anything, but any server is continually being bombarded with obviously malicious traffic. In this case, I am not sure what the botnet is even trying to achieve, but CloudFlare tells me that they are still out there averaging about 1000 hits per hour.

                          I sometimes see hand-wringing articles on why the hobby website seems to be dying out. Constant maintenance in the face of persistent attacks is one reason.

                          1. 4

                            Big mood. My website (christine.website) gets like 150 GB of traffic per month and Cloudflare only really makes me send out about 50 GB of that. Most of it is poorly configured RSS readers and scraper bots that don’t respect robots.txt. Huge pain. My gitea instance had to have Russia and China blocked at the Cloudflare level to avoid it pegging a core constantly. It constantly OOMed my Kubernetes cluster back when I hosted things on it.

                            1. 1

                              My gitea instance had to have Russia and China blocked at the Cloudflare

                              Life already sucks for people stuck in Russia and China, and then people in the West ban them from their websites. From my experience, botnets are more or less evenly distributed in the big picture. I’d prefer people to not discriminate against millions of legitimate users just because at the moment the botnet distribution is (or seems) skewed.

                              That’s especially bad for people in China who cannot set up a VPN due to the “great firewall”.

                              In our project, we have a number of contributors from China. I can’t imagine just telling them: “your country is so full of botnets that it makes your participation not worth it, go f*ck yourself”.

                              1. 2

                                Believe me, I didn’t do this as a first measure. I blocked user agent after user agent, throttled things with nginx rules but they kept scraping every single visible link on my git server. I just gave up and blocked the whole country until I could figure out a better way to do it. Maybe now that it’s been blocked for long enough the scraper bots will have given up trying to index my git server and I can re-enable it to Russia/China. The country of the IP address was the only common factor.

                            2. 1

                              Also don’t forget that Cloudflare protection for your website is for free; try securing your Minecraft/VoIP/other realtime stuff/non-HTTP-speaking server without investing money.

                            3. 3

                              What’s being done to combat them is moving more of the Internet under control of centralized corporations like CloudFlare. There is understandable discontent with that, but it is also not surprising given our political-economic trajectory.

                              Solving the problem in a satisfying or elegant way would not allow companies like CloudFlare to skim money off that top. And it’s not just CloudFlare: Big Tech in general benefits from the lack of a standardized distributed solution.

                              1. 2

                                Takedowns tend to be publicized pretty well when they happen, so that probably supports your point that they don’t happen often enough. They are difficult to do, both technically and legally. There’s an understandably high bar for exploiting software running on computers within your borders, for example.

                                Of course, there’s also a many-billion-dollar AV industry that should prevent such malware in theory. Or network appliances that again help in theory. But these don’t seem to protect the little people all that well.

                                1. 9

                                  The problem is humans.

                                  It would not be difficult for CloudFlare, Akamai, Fastly, and all the various honeypots in the world to round up the IPs that they have, say, a 50+% confidence are involved in a botnet and send a report to the WHOIS-listed owner of that netblock.

                                  Then what?

                                  Some networks are well-run and will respond quickly. I think this is a minority.

                                  Some networks won’t have anyone reading that email. Or they don’t read the language that it was sent in, and it looks just like more spam.

                                  Some networks don’t have anyone who is willing to take the responsibility for disconnecting/deauthorizing a client – might not even want to warn the client.

                                  It’s the spam problem all over again, but on a much larger scale.

                                  1. 4

                                    Some networks don’t have anyone who is willing to take the responsibility for disconnecting/deauthorizing a client – might not even want to warn the client

                                    But apparently also no one wants to just block them for good until they fix their things. I mean, this is how the big four are doing it with email. They even go so far as to just blackhole emails from IPs they don’t like. Try getting removed from Microsoft’s suspicious list, fueled by AI; you won’t get far. There is also a law in Germany that makes you personally liable for trash that comes from your home network; they may even disconnect your line.

                              1. 6

                                I wonder if this model could be turned on its head to score each region of code by its expected bugginess.

                                “danger (or congrats): no one in the history of time has ever written anything like this before”

                                1. 1

                                  Although, I suppose the output might be less than useful: “I have a vague feeling that this might be wrong but I can’t explain why”.

                                  1. 6

                                    That could be incredibly useful as a code review tool! Kind of gives you a heatmap of which spots to focus most attention on as a code reviewer. I want it yesterday.

                                    1. 1

                                      Hm; OTOH, if a bug is common enough to have a major presence in the input corpus, I see how it could result in a false positive “green” mark for a faulty fragment of code… super interesting questions, for sure :) maybe it should only be used for “red” coloring, the rest being left as “unrated”.

                                1. 3

                                  In a way, I’m surprised how few times the term “Emacs” is used in this post (I think one? I’m on mobile right now). Magit has the following and recognition to stand on its own these days.

                                  1. 1

                                    Perhaps they should start bundling emacs+magit and emacs+orgmode in a single package, like electron…

                                  1. 2

                                    The use of the word “backdoor” is odd.

                                    From what I gather, this is a rootkit. Upstream systemd doesn’t have this code.

                                    1. 3

                                      “Backdoor” is a common term within the AV industry to refer to (unwanted) software that receives command and control from another system. A “rootkit” is software that hides itself from various listings, such as by manipulating kernel structures or inline hooking userland APIs. So, in antivirus lingo, this article describes a backdoor and not a rootkit.

                                      The malware masquerades as systemd by using that term in its filenames. I don’t see any indication that it is distributed with systemd (what you’d call a supply chain compromise).

                                    1. 3

                                      Can anyone think of a quick and browser-local way to capture this information for oneself? Pretty sure my habits align almost exactly and I want to try to reproduce.

                                      Also maybe identify some classes of queries that I can redirect to e.g. Dash and interact less with Google.

                                      1. 4

                                        Your browser history is captured in a local SQLite database. Shut down the browser (to let it release the locked .db file) and use sqlite3 to query its database. Here’s a (good enough) gist to start from – Playing around with Chrome’s history.

                                        1. 2

                                          See if you can get your browser history as a list of URLs. You could filter them down to known search pages and extract the queries from the query strings.
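                                          Putting the two comments above together, here is an added example (not from the thread or the linked gist) that reads Chrome’s `History` SQLite file, keeps only URLs of known search-results pages and pulls the query out of the query string. It assumes Chrome’s `urls` table layout and WebKit-epoch timestamps; the engine/parameter table and the in-memory sample history are constructed for the demo.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Known search hosts and the query-string parameter carrying the search text.
# Assumption: a small starter table; extend it for other engines you use.
SEARCH_ENGINES = {
    "www.google.com": "q",
    "duckduckgo.com": "q",
    "www.bing.com": "q",
}

def webkit_to_datetime(us):
    """Chrome stores last_visit_time as microseconds since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=us)

def search_query(url):
    """Return (host, query) if url is a known search-results page, else None."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    param = SEARCH_ENGINES.get(host)
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)  # blank values are dropped
    if not values or not values[0].strip():
        return None
    return host, values[0].strip()

def extract_queries(conn):
    """Walk Chrome's `urls` table; return [(visited_at, host, query), ...] in time order."""
    rows = conn.execute("SELECT url, last_visit_time FROM urls ORDER BY last_visit_time")
    out = []
    for url, ts in rows:
        hit = search_query(url)
        if hit:
            out.append((webkit_to_datetime(ts), hit[0], hit[1]))
    return out

def sample_history():
    """Constructed in-memory stand-in for the History file (same `urls` schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)")
    conn.executemany("INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
                     "VALUES (?, ?, ?, ?, ?, ?)", [
        ("https://www.google.com/search?q=sqlite3+python+history&oq=sq", "", 1, 0, 13300000000000000, 0),
        ("https://duckduckgo.com/?q=nom+error+handling&t=h_", "", 2, 0, 13300000001000000, 0),
        ("https://lobste.rs/", "Lobsters", 5, 3, 13300000002000000, 0),
        ("https://www.google.com/search?q=", "", 1, 0, 13300000003000000, 0),  # empty query: skipped
    ])
    return conn

if __name__ == "__main__":
    for when, host, q in extract_queries(sample_history()):
        print(when.isoformat(), host, q)
```

                                          Against a real profile, close the browser first (or copy the `History` file elsewhere) and call `extract_queries(sqlite3.connect(path))`; grouping the returned queries by host or keyword is the “classes of queries” view the question asks for.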

                                        1. 1

                                          The offensive tools used during a cyber operation might likewise have embedded “canary tokens”. So when responding to an incident, avoid triggering such tokens as you analyze malware or infrastructure.

                                          For example: typically don’t visit embedded URLs as an operator watching their web logs may decide to pack up shop and vanish.