Today I found myself thinking of Terminator 3, specifically the plotline in which all kinds of random computer crashes are spreading across the internet.

For obvious reasons.

In today’s real world incident, it’s a bug in an auto-pushed update for widely-used security software by CrowdStrike, ironically used to protect mission-critical systems. In the two-decade-old movie (pardon me while I turn to dust), it’s Skynet spreading itself across the internet.

At the time, I thought the nuclear strike would wipe out a lot of internet infrastructure, destroying major nodes and leaving pieces of Skynet disconnected from each other. A commenter remarked that he’d been doing research for a novel and experts agreed that enough of the major nodes and infrastructure would survive the attack to keep the network functioning.

The interesting thing: Neither of us had heard the story that ARPANET (the internet’s predecessor) had been designed for that scenario. These days, it’s pretty much repeated as gospel… but apparently it wasn’t a design goal, and the idea that it was can be traced back to a 1991 article in Network World magazine that conflated ARPANET with a different network design, which was never actually built. (via)

From there it took on a life of its own for the same reason many urban legends (and conspiracy theories) do: it made a better story.

OSNews reports that Dillo has released a new version for the first time in almost a decade!

Now there’s a blast from the past!

Dillo (as in armadillo) is a super-minimalist web browser for Linux and related systems that’s especially useful on low-end hardware. I used it for a while back in the early 2000s, though not as my primary browser. It was great for reading documentation, though, because it was so fast (and docs usually don’t need JavaScript (and if they do, they shouldn’t)).

I haven’t really kept up with it since 2009 or so, not long after the major 2.0 release, but I built its RPMs for a while. First on my desktop for RHL/Fedora, then on multi-boot partitions to build for older versions and other distributions like SuSE and Mandriva, then using User-Mode Linux (an older virtualization system). I later moved the build system to an expendable frankenputer after an OS installer trashed my partition table. The last set of RPMs I built were for Fedora and RHEL back in 2009. (These days, with containers and modern virtualization, it would be *so* much easier and safer to do all on one box!)

Apparently the project stalled in 2016 after one of the main developers, Sebastian Geerken, died. A few years later, lead developer Jorge Arellano Cid just stopped posting online. A couple of years after that, the domain name expired and was picked up by a spammer. (I should see if I still have any links to the old site on here and update them.)

It’s sad to hear that Sebastian passed away.

I hope Jorge is okay and just off-grid somewhere.

This year’s new project has brought it up to date with modern SSL/TLS capabilities, which is a much bigger deal now than it seemed to be in the early 2000s, as well as improved CSS support and other improvements. I’ll have to try out how well it handles today’s (static) web. I bet it’ll run great on the PineTab2!

Updates: Not surprisingly, Dillo handles Snac pretty well. It’s able to view public Snac posts/timelines and log in to my account here. But posting isn’t working.

Not so much Pixelfed or Mastodon, both of which are JS;DR. GoToSocial static pages are readable, but it’s not using any of the styles.

The new project offers plugins for Gemini, Gopher, man pages and IPFS, as well as something called Spartan that appears to be another minimalist protocol like Gemini.

And it does indeed run quite fast on the Pinetab!

Interesting spam/phish technique: Look for subdomains with CNAMEs or SPF records that point to abandoned domains that you can then register…and effectively take control of the subdomain or SPF.

They haven’t seen any cases where it’s been used to host a phishing site at, say, an msn.com subdomain, but they’ve seen thousands of cases where it’s been used to pass email verification checks.

The article describing “SubdoMailing” gives a detailed example of a spam that made use of an msn.com subdomain that was used for a sweepstakes way back in 2001, with a CNAME pointing to the long-abandoned domain name for the contest, but the subdomain was never actually deleted.

Lesson: check your DNS for any dangling references to outside domains that might not exist anymore!
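
One way to run that check, as an added example that is not part of the original post or the linked article: it lists every CNAME target and SPF-referenced host that leaves your own zone and reports the ones that fail a liveness check. The records, the `example.*` names and the `is_live` hook are constructed assumptions; for a real audit, back `is_live` with an NS or TXT lookup on the target's registrable domain.

```python
import re
import socket

OWN_DOMAIN = "example.com"  # assumption: stands in for your zone
# Constructed zone export as (name, type, value); not real records.
RECORDS = [
    ("www.example.com", "CNAME", "example.com."),
    ("promo2001.example.com", "CNAME", "old-contest-site.example.net."),
    ("shop.example.com", "CNAME", "stores.vendor.example.org."),
    ("example.com", "TXT", "v=spf1 include:_spf.mailer.example.org "
     "include:spf.defunct-esp.example.net a:mail.example.com/24 -all"),
    ("example.com", "TXT", "site-verification=constructed-token"),
]
# SPF terms that name another host: include, redirect, a, mx, exists.
SPF_REF = re.compile(r"^[+\-~?]?(?:include:|redirect=|a:|mx:|exists:)([^\s/]+)", re.I)

def external_refs(records, own_domain):
    """Yield (name, type, target) for each CNAME/SPF reference leaving own_domain."""
    own = own_domain.lower().rstrip(".")
    for name, rtype, value in records:
        if rtype == "CNAME":
            targets = [value]
        elif rtype == "TXT" and value.lower().startswith("v=spf1"):
            targets = [m.group(1) for term in value.split()[1:]
                       if (m := SPF_REF.match(term))]
        else:
            continue
        for target in targets:
            host = target.lower().rstrip(".")
            if "%" in host:  # SPF macro: cannot be evaluated statically
                continue
            if host != own and not host.endswith("." + own):
                yield name, rtype, host

def resolves(host):
    """Address lookup via the system resolver. SPF include hosts often hold
    only TXT records, so a miss means "review by hand", not "unregistered"."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False

def dangling(records, own_domain, is_live=resolves):
    """Return the external references whose target fails the liveness check."""
    return [ref for ref in external_refs(records, own_domain) if not is_live(ref[2])]

if __name__ == "__main__":
    # Offline demo: a constructed set of live hosts replaces real DNS.
    live = {"stores.vendor.example.org", "_spf.mailer.example.org"}
    for name, rtype, host in dangling(RECORDS, OWN_DOMAIN, live.__contains__):
        print(f"{name} {rtype} -> {host}: target not live, check registration")
```
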

I’ve been meaning to disconnect from Jetpack for a while now. This seems like a good time to do it, and to finally clear out the older Tumblr and WordPress.com blogs I don’t use anymore.

Tumblr and WordPress to Sell Users’ Data to Train AI Tools (404 Media)

It’s the kind of thing that you expect from Google or Facebook, or from any number of start-ups, but there’s been this sense that Automattic should know better — and with Tumblr being login-walled and ad-saturated, and the push to upsell in their WordPress plugins, and now this…it’s looking like they don’t.

I don’t think they’ve hit the “trust thermocline” yet, but selling user data is a pretty clear line.

As for AI access to the Firehose: My previous understanding of the firehose is that it’s basically an aggregation of what you’d see in a bunch of blogs’ public RSS feeds. Which, OK, fine. Analyze your heart out. Display my posts in your RSS reader. Just make sure private posts and comments don’t leak.

But LLM training isn’t the same as analytics, or showing a properly attributed post in a reader. And quietly changing the terms to allow more kinds of re-use on something most people using the service don’t know about? Not cool.

And not making it clear what is and isn’t included for which purposes? That breaks down trust.

Before this, I wasn’t worried about the Firehose. But now I’m not sure I can trust Akismet, never mind Jetpack, and I’m looking for a new spam filter.

Originally posted across several threads through my GoToSocial test site.

Update: Automattic did clarify that self-hosted blogs with Jetpack are not included in the training data. Only company-hosted blogs on Tumblr and WordPress.com. But I still uninstalled Jetpack from this site, just to be sure. Like I said, I’d been meaning to for a while.

The year is 2006. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

The year is 2011. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

The year is 2022. I’m complaining on my blog about businesses training their customers to fall for phishing attacks.

Corporations haven’t learned. Unfortunately, their customers have learned from all this training. And so has the fraud industry. Even if you’re usually savvy about this sort of thing, you can get caught up if the circumstances put you just off-balance enough to line up the holes in each overlapping layer of security.

“I trusted this fraudster specifically because I knew that the outsource, out-of-hours contractors my bank uses have crummy headsets, don’t know how to pronounce my bank’s name, and have long-ass, tedious, and pointless standardized questionnaires they run through when taking fraud reports. All of this created cover for the fraudster, whose plausibility was enhanced by the rough edges in his pitch – they didn’t raise red flags.”

Cory Doctorow on “Swiss-cheese security.”

And here I am, in 2024, complaining on my blog about…well…you know.