
Zoom won't encrypt calls so they can sell you out to the cops

Direct from CEO Eric Yuan. Today. He said this today.

Corporate clients will get access to Zoom's end-to-end encryption service now being developed, but Yuan said free users won't enjoy that level of privacy, which makes it impossible for third parties to decipher communications.

"Free users for sure we don't want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose," Yuan said on the call.

Based on their track record, it's not like they could ensure the privacy of your calls even if they wanted to. But it's good to know up front that they absolutely do not want to.

Previously, previously, previously, previously, previously, previously, previously.

62 days ago

Career Choice Tip: Cybercrime is Mostly Boring

When law enforcement agencies tout their latest cybercriminal arrest, the defendant is often cast as a bravado outlaw engaged in sophisticated, lucrative, even exciting activity. But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious, and that highlighting this reality may be a far more effective way to combat cybercrime and steer offenders toward a better path.

Yes, I realize hooded hacker stock photos have become a meme, but that’s the point.

The findings come in a new paper released by researchers at Cambridge University’s Cybercrime Centre, which examined the quality and types of work needed to build, maintain and defend illicit enterprises that make up a large portion of the cybercrime-as-a-service market. In particular, the academics focused on botnets and DDoS-for-hire or “booter” services, the maintenance of underground forums, and malware-as-a-service offerings.

In examining these businesses, the academics stress that the romantic notions of those involved in cybercrime ignore the often mundane, rote aspects of the work that needs to be done to support online illicit economies. The researchers concluded that for many people involved, cybercrime amounts to little more than a boring office job sustaining the infrastructure on which these global markets rely, work that is little different in character from the activity of legitimate system administrators.

Richard Clayton, a co-author of the report and director of Cambridge’s Cybercrime Centre, said the findings suggest policymakers and law enforcement agencies may be doing nobody a favor when they issue aggrandizing press releases that couch their cybercrime investigations as targeting sophisticated actors.

“The way in which everyone looks at cybercrime is they’re all interested in the rockstars and all the exciting stuff,” Clayton told KrebsOnSecurity. “The message put out there is that cybercrime is lucrative and exciting, when for most of the people involved it’s absolutely not the case.”

From the paper:

“We find that as cybercrime has developed into industrialized illicit economies, so too have a range of tedious supportive forms of labor proliferated, much as in mainstream industrialized economies. We argue that cybercrime economies in advanced states of growth have begun to create their own tedious, low-fulfillment jobs, becoming less about charismatic transgression and deviant identity, and more about stability and the management and diffusion of risk. Those who take part in them, the research literature suggests, may well be initially attracted by exciting media portrayals of hackers and technological deviance.”

“However, the kinds of work and practices in which they actually become involved are not reflective of the excitement and exploration which characterized early ‘hacker’ communities, but are more similar to low-level work in drug dealing gangs, involving making petty amounts of money for tedious work in the service of aspirations that they may one day be one of the major players. This creates the same conditions of boredom…which are found in mainstream jobs when the reality emerges that these status and financial goals are as blocked in the illicit economy as they are in the regular job market.”

The researchers drew on interviews with people engaged in such enterprises, case studies on ex- or reformed criminal hackers, and from scraping posts by denizens of underground forums and chat channels. They focused on the activity needed to keep various crime services operating efficiently and free from disruption from interlopers, internecine conflict, law enforcement or competitors.


For example, running an effective booter service requires a substantial amount of administrative work and maintenance, much of which involves constantly scanning for, commandeering and managing large collections of remote systems that can be used to amplify online attacks.

Booter services (a.k.a. “stressers”) — like many other cybercrime-as-a-service offerings — tend to live or die by their reputation for uptime, effectiveness, treating customers fairly, and for quickly responding to inquiries or concerns from users. As a result, these services typically require substantial investment in staff needed for customer support work (through a ticketing system or a realtime chat service) when issues arise with payments or with clueless customers failing to understand how to use the service.

In one interview with a former administrator of a booter service, the proprietor told researchers he quit and went on with a normal life after getting tired of dealing with customers who took for granted all the grunt work needed to keep the service running. From the interview:

“And after doing [it] for almost a year, I lost all motivation, and really didn’t care anymore. So I just left and went on with life. It wasn’t challenging enough at all. Creating a stresser is easy. Providing the power to run it is the tricky part. And when you have to put all your effort, all your attention. When you have to sit in front of a computer screen and scan, filter, then filter again over 30 amps per 4 hours it gets annoying.”

The researchers note that this burnout is an important feature of customer support work, “which is characterized less by a progressive disengagement with a once-interesting activity, and more by the gradual build-up of boredom and disenchantment, once the low ceiling of social and financial capital which can be gained from this work is reached.”


Running a malware-as-a-service offering also can take its toll on developers, who quickly find themselves overwhelmed with customer support requests and negative feedback when a well-functioning service has intermittent outages.

Indeed, the author of the infamous ZeuS Trojan — a powerful password stealing tool that paved the way for hundreds of millions of dollars stolen from hacked businesses — is reputed to have quit the job and released the source code for the malware (thus spawning an entire industry of malware-as-a-service offerings) mainly to focus his skills on less tedious work than supporting hundreds of customers.

“While they may sound glamorous, providing these cybercrime services require the same levels of boring, routine work as is needed for many non-criminal enterprises, such as system administration, design, maintenance, customer service, patching, bug-fixing, account-keeping, responding to sales queries, and so on,” the report continues.

To some degree, the ZeuS author's experience may not be the best example, because his desire to get away from supporting hundreds of customers ultimately led to his focusing attention and resources on building a far more sophisticated malware threat — the peer-to-peer based Gameover malware that he leased to a small group of organized crime groups.

Likewise, the cover story in this month’s Wired magazine profiles Marcus Hutchins, who said he “quickly grew bored with his botnets and his hosting service, which he found involved placating a lot of ‘whiny customers.’ So he quit and began to focus on something he enjoyed far more: perfecting his own malware.”


Cambridge’s Clayton and his colleagues argue the last two examples are more the exception than the rule, and that their research points to important policy implications for fighting cybercrime that are often discounted or overlooked: Namely, interventions that focus on the economics of attention and boredom, and on making such work as laborious and boring as possible.

Many cybersecurity experts often remark that taking down domain names and other infrastructure tied to cybercrime businesses amounts to little more than a game of whack-a-mole, because the perpetrators simply move somewhere else to resume their operations. But the Cambridge researchers note that each takedown creates further repetitive, tedious, work for the administrators to set up their sites anew.

“Recent research shows that the booter market is particularly susceptible to interventions targeted at this infrastructural work, which make the jobs of these server managers more boring and more risky,” the researchers note.

The paper takes care to note that its depictions of the ‘boredom’ of the untrained administrative work carried out in the illicit economy should not be taken as impugning the valuable and complex work of legitimate system administrators. “Rather, it is to recognize that this is a different kind of knowledge and set of skills from engineering work, which needs to be taught, learned, and managed differently.”

The authors conclude that refocusing interventions in this way might also be supported by changes to the predominant forms of messaging used by law enforcement and policy professionals around cybercrime:

“If participation within these economies is in fact based in deviant aspiration rather than deviant experience, the currently dominant approaches to messaging, which tend to focus on the dangerous and harmful nature of these behaviors, the high levels of technical skill possessed by cybercrime actors, the large amounts of money made in illicit online economies, and the risk of detection, arrest, and prosecution are potentially counterproductive, only feeding the aspiration which drives this work. Conversely, by emphasizing the tedious, low-skilled, low-paid, and low-status reality of much of this work, messaging could potentially dissuade those involved in deviant online subcultures from making the leap from posting on forums to committing low-level crime.”

“Additionally, diversionary interventions that emphasize the shortage of sysadmin and ‘pen tester’ workers in the legitimate economy (“you could be paid really good money for doing the same things in a proper job”) need to recognize that pathways, motivations, and experiences may be rather more prosaic than might be expected.”

“Conceptualizing cybercrime actors as high-skilled, creative adolescents with a deep love for and understanding of technology may in fact mischaracterize most of the people on whom these markets depend, who are often low-skilled administrators who understand fairly little about the systems they maintain and administer, and whose approach is more akin to the practical knowledge of the maintainer than the systematic knowledge of a software engineer or security researcher. Finding all these bored people appropriate jobs in the legitimate economy may be as much about providing basic training as about parachuting superstars into key positions.”

Further reading: Cybercrime is (often) Boring: Maintaining the Infrastructure of Cybercrime Economies (PDF).

63 days ago

I'm likely giving up on trying to read Fedora package update information

Perhaps unlike most people, I apply updates to my Fedora machines through the command line, first with yum and now with dnf. As part of that, I have for a long time made a habit of trying to read the information that Fedora theoretically publishes about every package update with 'dnf updateinfo info', just in case there was a surprise lurking in there for some particular package (this has sometimes exposed issues, such as when I discovered that Fedora maintains separate package databases for each user). Sadly, I'm sort of in the process of giving up on doing that.

The overall cause is that it's clear that Fedora does not really care about this update information being accurate, usable, and accessible. This relative indifference has led to a number of specific issues with both the average contents of update information and to the process of reading it that make the whole experience both annoying and not very useful. In practice, running 'dnf updateinfo info' may not tell me about some of the actual updates that are pending, always dumps out information about updates that aren't pending for me (sometimes covering ones that have already been applied, for example for some kernel updates), and part of the time the update information itself isn't very useful and has 'fill this in' notes and so on. The result is verbose but lacking in useful information and frustrating to pick through.

The result is that 'dnf updateinfo info' has been getting less and less readable and less useful for some time. These days I skim it at best, instead of trying to read it thoroughly, and anyway there isn't much that I can do if I see something that makes me wonder. I can get most of the value from just looking at the package list in 'dnf check-update', and if I really care about update information for a specific package I see there I'm probably better off doing 'dnf updateinfo info <package>'. But still, it's hard to let go of this; part of me feels that reading update information is part of being a responsible sysadmin (for my own personal machines).

Some of these issues are long standing ones. It's pretty clear that the updateinfo (sub)command is not a high priority in DNF as far as bug fixes and improvements go, for example. I also suspect that some of the extra packages I see listed in 'dnf updateinfo info' are due to DNF modularity (also), and I'm seeing updateinfo for (potential) updates from modules that either I don't have enabled or that 'dnf update' and friends are silently choosing to not use for whatever reasons. Alternately they are base updates that are overridden by DNF modules I have enabled; it's not clear.

(Now that I look at 'dnf module list --enabled', it seems that I have several modules enabled that are relevant to packages that updateinfo always natters about. One update that updateinfo talks about is for a different stream (libgit2 0.28, while I have the libgit2 0.27 module enabled), but others appear to be for versions that I should be updating to if things were working properly. Unfortunately I don't know how to coax DNF to show me what module streams installed packages come from, or what it's ignoring in the main Fedora updates repo because it's preferring a module version instead.)
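The workflow described above (look at the package list from 'dnf check-update', then ask 'dnf updateinfo info' only about the packages that are actually pending) can be scripted so that updateinfo stops nattering about updates that don't apply. The following is an added example, not from the original post or from DNF itself; the check-update sample at the bottom is constructed so the parsing can be exercised on a machine without dnf.

```shell
#!/bin/sh
# Added example, not from the original post: feed the package list from
# 'dnf check-update' into per-package 'dnf updateinfo info' calls, so that
# only advisories for updates actually pending on this machine get read.

# Pull bare package names out of 'dnf check-update' output.  Update lines have
# three fields, "name.arch  version-release  repo"; the metadata-expiry line,
# the "Obsoleting Packages" header and the indented "@repo" lines that describe
# already-installed packages are skipped.  Names are de-duplicated.
pending_pkg_names() {
    awk 'NF == 3 && $1 ~ /\.[^.]+$/ && $3 !~ /^@/ {
             sub(/\.[^.]+$/, "", $1); print $1
         }' | LC_ALL=C sort -u
}

# Print the update information for every pending package.  'dnf check-update'
# exits 100 when updates are available and 0 when there are none, so only
# other exit codes are treated as errors.
review_pending_updates() {
    if out=$(dnf -q check-update); then
        rc=0
    else
        rc=$?
    fi
    [ "$rc" -eq 0 ] || [ "$rc" -eq 100 ] || return "$rc"
    printf '%s\n' "$out" | pending_pkg_names | while read -r name; do
        printf '=== %s ===\n' "$name"
        dnf -q updateinfo info "$name"
    done
}

# Constructed sample of 'dnf check-update' output (not real Fedora data),
# used so the parsing can be exercised on a machine without dnf.
SAMPLE_CHECK_UPDATE='Last metadata expiration check: 0:10:22 ago on Mon 01 Jun 2020 09:00:00 AM EDT.

kernel.x86_64              5.6.15-300.fc32        updates
kernel-core.x86_64         5.6.15-300.fc32        updates
libgit2.x86_64             0.28.5-1.fc32          updates
Obsoleting Packages
foo.x86_64                 2.0-1.fc32             updates
    foo.x86_64             1.9-1.fc32             @updates'

if command -v dnf >/dev/null 2>&1; then
    review_pending_updates
else
    printf '%s\n' "$SAMPLE_CHECK_UPDATE" | pending_pkg_names
fi
```

Because the package names come from check-update rather than from updateinfo's own idea of what is pending, module streams that 'dnf update' would not actually install never show up in the output; the trade-off is that an advisory with no corresponding check-update line is not shown either.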

176 days ago
Change logs are dying.

"Enjoy your dystopia!"

@kmlefranc: I had to get a background check for my job, and it turns out the report is a 300+ page pdf of every single tweet I've ever liked with the word "fuck" in it.

I came home to a package containing a printout of all 351 pages of it! Obv the dystopia cares about wasting paper. [...] The background check company is Sterling Talent Solutions, and it looks like they contracted with Fama Technologies for this part of the report. [...]

To those asking - I did not give them my handle or permission, I'm assuming they just found this via my (old) name. [...] The especially creepy part is this didn't turn up anything at all relevant or incriminating! I keep personal info on my non-public accounts. But their shitty algorithm means that my "reputation" and "character" is flagged as questionable and sent to my boss. [...]

Though I also liked the "positive flags" section that picked up the words donate and volunteer - most of which were critiques of capitalism and charity culture.

Previously, previously, previously, previously.

184 days ago
1 public comment
173 days ago
I thought this was satire when I saw the headlines

Take action to save .org and prosecute those who sold out the internet


As many of you have no doubt heard, control of the .org registry has been sold to private interests. There have been attempts to call them to reason, like Save .ORG, but let’s be realistic: they knew what they were doing was wrong the whole time. If they were a commercial entity, our appeals would fall on deaf ears and that would be the end of it. But they’re not a commercial entity, so our appeals may fall on deaf ears, but that doesn’t have to be the end of it.

The level of corruption on display by the three organizations involved in this scam: ICANN (Internet Corporation for Assigned Names and Numbers), ISOC (The Internet Society), and PIR (Public Interest Registry), is astounding and very illegal. If you are not familiar with the matter, click this to read a summary:

Summary of the corrupt privatization of .org

The governance of names on the internet is kind of complicated. ISOC oversees a lot of activities in internet standards and governance, but their role in this mess is as the parent company of PIR. PIR is responsible for the .org registry, which oversees the governance of .org directly and collects fees for every sale of a .org domain. ICANN is the broader authority which oversees all domain allocation on the internet, and also collects a fee for every domain sold. There's a complex web of documents and procedures which govern these three organizations, and the name system as a whole, and all three of them were involved in this process. Each of these organizations is a non-profit, except for PIR, which in the course of this deal is trying to convert to a B corp.

ICANN can set price limits on the sale of .org domains. In March of 2019, they proposed removing these price caps entirely. During the period for public comment, they received 3,300 comments against, and 6 in favor. On May 13, they removed these price caps anyway.

In November 2019, ISOC announced that they had approved the sale of PIR, the organization responsible for .org, to Ethos Capital, for an unspecified amount. According to the minutes, the decision to approve this sale was unanimously voted on by the board. Additionally, it seems that Goldman Sachs had been involved in the sale to some degree.

Fadi Chehadé became the CEO of ICANN in 2012. In 2016, he left his position before his term expired to start a consulting company, and later joined Abry Partners, one of whose three partners is Erik Brooks. Abry later acquired Donuts, a private company managing domains. Donuts co-founder Jon Nevett became the CEO of PIR in December 2018. On May 7th, Chehadé registered EthosCapital.com, and on May 13th ICANN removed the price caps despite 0.2% support from the public. On May 14th, the following day, Ethos Capital was incorporated, with Brooks as the CEO. In November 2019, ISOC approved the acquisition of PIR by Ethos Capital, a for-profit company.

These are the names of the criminals who sold the internet. If you want to read more, Private Internet Access has a good write-up.

Okay, now let's talk about what you can do about it.

If you are familiar with the .org heist, then like me, you’re probably pissed off. Here’s how you can take action: all of these organizations are 501(c)(3) non-profits. The sale of a non-profit to a for-profit entity like this is illegal without very specific conditions being met. Additionally, this kind of behavior is not the sort the IRS likes to see in a tax-exempt organization. Therefore, we can take the following steps to put a stop to this:

  1. Write to the CA and VA attorney general offices encouraging them to investigate the misbehavior of these three non-profits, which are incorporated in their respective states.
  2. File form 13909 with the IRS, encouraging them to review the organization’s non-profit status.

This kind of behavior is illegal. The sale of a non-profit requires a letter from the Attorneys General in both California (ICANN) and Virginia (ISOC, PIR). Additionally, much of this behavior qualifies as “self-dealing”, or leveraging one’s power within an organization for one’s own benefit rather than the benefit of the organization. To report this, I’ve prepared a letter to the CA and VA Attorneys General’s offices, which you can read here:

I encourage you to consider writing a letter of your own, but I would not recommend copying and pasting this letter. This kind of behavior is also illegal in the eyes of the IRS, and a form is provided for this purpose: Form 13909 is the appropriate means for reporting it. You can download a pre-filled form here, and I do encourage you to submit one yourself:

This only includes complaints for ICANN and ISOC, as PIR is seeking to lose its non-profit status anyway. You can print out the PDF, fill in your details on both pages, and mail it to the address printed on the form; or you can download the ODG, open it up with LibreOffice Draw, and fill in the remaining details digitally, then email it to the address shown on the page.1

Happy Thanksgiving! Funny how this all happened right when the American public would be distracted…

  1. Crash course in LibreOffice Draw: press F2, then click and drag to make a new textbox. Select text and use Ctrl+[ to reduce the font size to something reasonable. The red button on the toolbar along the top will export the result as a PDF. 

249 days ago

The problems with piping curl to a shell are system management ones

I was recently reading Martin Tournoij's Curl to shell isn't so bad (via), which argues that the commonly suggested approach of using 'curl example.com/install.sh | sh' is not the security hazard that it's often made out to be. Although it may surprise people to hear this, I actually agree with the article's core argument. If you're going to download and use source code (with its autoconfigure script and 'make install' and so on) or even pre-built binaries, you're already extending quite a lot of trust to the software's authors. However, I still don't think you should install things with curl to shell. There are two reasons not to, one a general system management one and one a pragmatic one about what people do in these scripts.

The general system management one is that to manage and maintain your system over time, you need to control what changes are made to it and ensure that everything is handled consistently. You don't want someone's install script making arbitrary and unknown changes to your system, and it gets worse when that install script can change over time. The ideal thing to install is an artifact that you can save locally and that makes limited and inspectable changes to your system (if any). Good install options are, for example, a self-contained tarball that you can extract into a directory hierarchy of your choice (and that doesn't even have to be owned by or extracted by root), or a package for the standard package manager on your system that doesn't contain peculiar custom scripts with undesired side effects. An un-versioned shell script fetched from a remote end that you don't save or inspect and that will make who knows what changes on your system is a terrible idea for being able to manage, maintain, and understand the resulting system state.

The pragmatic reason is that for some reason, the people writing these install shell scripts feel free to have them make all sorts of nominally convenient changes to your system on behalf of their software. These shell scripts could be carefully contained, minimal, and unchanging (for a particular release), doing very little more than what would happen if you installed a good package through your package manager, but very often they aren't and you'll wind up with all sorts of random changes all over your system. This is bad for the obvious reason, and it's also bad because there's no guarantee that your system is set up in the way that the install script expects it to be. Of course generally 'make install' has the same problem, which is why experienced sysadmins also mostly avoid running that as root.

(More generally, you really want to manage the system through only one thing, often the system's package manager. This is the problem with CPAN and other independent package systems (although there are good reasons why people keep creating them). Piping curl to a shell and 'make install' are just magnified versions of it. See also why package systems are important.)
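The "save an artifact you can inspect" alternative the post argues for, written out as an added example; this is not code from the original post or from any installer it discusses. The download URL and the checksums are placeholders, and the installer run at the bottom is a constructed stand-in for a real project's script.

```shell
#!/bin/sh
# Added example, not from the original post: the "save it, pin it, inspect
# it" alternative to 'curl example.com/install.sh | sh'.  The URL and the
# checksums used below are placeholders for illustration only.

# Save the installer as a local file instead of streaming it into a shell,
# so the exact bytes that will run can be kept, diffed and reviewed.
fetch_installer() {
    url=$1; dest=$2
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
}

# SHA-256 of a file, using whichever tool the system has.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# A script that no longer matches the checksum recorded when it was reviewed
# is a different artifact; refuse to treat it as the same installer.
verify_checksum() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Run the installer only after it has been saved, checksum-matched and read.
# It runs as the invoking user, not root, so changes it tries to make outside
# that user's reach fail loudly instead of silently landing all over the system.
run_installer() {
    file=$1; expected=$2
    if ! verify_checksum "$file" "$expected"; then
        echo "refusing to run $file: checksum does not match $expected" >&2
        return 1
    fi
    sh "$file"
}

# Demonstration on a constructed installer (placeholder content, not a real
# project's script).  A real run would look like:
#   fetch_installer https://example.com/install.sh ./install.sh
#   file_sha256 ./install.sh      # record this next to the release version
#   less ./install.sh             # read what it does before running it
#   run_installer ./install.sh <recorded-sha256>
demo() {
    tmp=$(mktemp)
    printf '#!/bin/sh\necho "installing into $HOME/.local (constructed demo)"\n' > "$tmp"
    good=$(file_sha256 "$tmp")
    bad=0000000000000000000000000000000000000000000000000000000000000000
    run_installer "$tmp" "$good" || { rm -f "$tmp"; return 1; }
    if run_installer "$tmp" "$bad" 2>/dev/null; then
        echo "unexpected: mismatched checksum was accepted" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}

demo
```

Pinning the checksum is what turns an un-versioned remote script into a versioned artifact: the recorded hash ties a particular review to particular bytes, and a silently changed script fails the gate instead of running. Reading the saved file before running it is still the part that catches an installer scattering changes across the system, which no checksum can do for you.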

268 days ago