If you've ever looked at SSH server logs you know what I'm about to say: Any SSH server connected to the public Internet is getting bombarded by constant attempts to log in. Not just a few of them. A lot of them. Sometimes even dozens per second. And this problem is not going away; it is, in fact, getting worse. And attackers' behavior is changing.
The graph attached to this post shows the number of attempted SSH logins per day to one of @cloudlab's clusters over a four-year period. It peaks at about 3.4 million login attempts per day.
This is part of a study we did on our production system, using logs of more than 640 million login attempts, covering more than 1,500 hosts on our side and observing more than 840 thousand incoming IP addresses.
A paper presenting our analysis and a new, highly effective means to block SSH brute force attacks ("Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them") will be presented next week at #NSDI24 by @sachindhke. The full paper is at https://www.flux.utah.edu/paper/singh-nsdi24
First things first: everyone "knows" that most brute force attacks are against the "root" account, right? This is certainly what earlier studies have found.
As it turns out, this used to be true, but it's not anymore. This graph shows that the fraction of brute force attacks using the username root was nearly 100% back in 2017, but it's been falling - by mid-2021, only around 20% of the attacks we saw were against root.
So, why? Well, we don't have a hotline to the attackers, but we have an educated guess from our own data and from many others' reporting: a lot of the usernames we see correspond to default usernames for #network #routers, specific #Linux distributions, specific server software, and #IoT devices. Basically, as we connect ever more stuff to the Internet (and generally try to protect the "root" account), attackers seem to be diversifying the accounts they are going after.
(There's a table of the top 100 usernames in the paper.)
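An added example, not code from the paper or the thread, showing how a defender can measure the same trend on their own hosts: parse sshd `Failed password` lines, compute what fraction of attempts target root, how many use usernames that do not exist on the host, and which usernames are guessed most. The log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed sshd log lines (documentation IPs); not data from the study.
SAMPLE_LOG = [
    "Mar 10 02:11:03 host1 sshd[2101]: Failed password for root from 203.0.113.5 port 51122 ssh2",
    "Mar 10 02:11:04 host1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2",
    "Mar 10 02:11:05 host1 sshd[2105]: Failed password for invalid user pi from 198.51.100.7 port 40011 ssh2",
    "Mar 10 02:11:06 host1 sshd[2107]: Failed password for invalid user ubuntu from 198.51.100.7 port 40012 ssh2",
    "Mar 10 02:11:07 host1 sshd[2109]: Failed password for root from 192.0.2.9 port 33000 ssh2",
    "Mar 10 02:11:08 host1 sshd[2111]: Failed password for invalid user postgres from 192.0.2.9 port 33001 ssh2",
    "Mar 10 02:11:09 host1 sshd[2113]: Accepted publickey for deploy from 10.0.0.4 port 50000 ssh2",
]

# Matches "Failed password for root from ..." and
# "Failed password for invalid user admin from ...". sshd adds the
# "invalid user" prefix when the account does not exist on the host, which is
# the default-account guessing (routers, distros, IoT) the thread describes.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failed_logins(lines):
    """Return (user, ip, is_nonexistent_user) for each failed password attempt."""
    attempts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group("user"), m.group("ip"), m.group("invalid") is not None))
    return attempts


def summarize(lines, top_n=5):
    """Root share, nonexistent-user share, source diversity and top usernames."""
    attempts = parse_failed_logins(lines)
    total = len(attempts)
    users = Counter(user for user, _, _ in attempts)
    return {
        "total_failed": total,
        "root_fraction": users["root"] / total if total else 0.0,
        "nonexistent_user_fraction": sum(1 for *_, inv in attempts if inv) / total if total else 0.0,
        "unique_source_ips": len({ip for _, ip, _ in attempts}),
        "top_usernames": users.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it `/var/log/auth.log` (or `journalctl -u ssh` output) one line at a time to track the root fraction on your own fleet over time.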
One of the most frustrating things in modern technology is the effort spent trying to artificially restrict abundance. Take, for example, this tale from museum-worker Aaron Cope: I was out with a friend who worked for Twitter and I asked them whether it would be possible for the museum to “create 200,000 Twitter accounts, one […]
Inspired by the article written by @Edent on the Fediverse of Things (#iot, #wot), I experimented with using an LLM to interpret home automation requests that could be sent using #ActivityPub and convert them to JSON device commands. I documented the results in the following blog article: https://www.stevebate.net/fediverse-of-things-and-llms/
I was out with a friend who worked for Twitter and I asked them whether it would be possible for the museum to “create 200,000 Twitter accounts, one for each object in the Cooper Hewitt’s collection”. My friend looked at me for a moment, laughed, and then simply said: No.
In that blog post, Aaron reveals that the San Francisco International Airport Museum is using ActivityPub to create automated social-media bot accounts for all its exhibits and, possibly, every object it holds.
And why not! That would be close to impossible to do on a centralised service. But on a decentralised service under your own control, it is relatively simple. Perhaps I only want to follow the museum's canteen, or I just want to engage with a specific artefact. The Fediverse makes that possible.
This reminds me of the Melbourne "treemail" phenomenon. Every tree in the city had an email address, ostensibly so residents could email maintenance issues for a specific tree. Instead, people started interacting with the trees and sending them little love notes!
Dearest Golden Elm Tree, I finally found you! As in I see you everyday on my way to uni, but I had no idea of what kind of tree you are. You are the most beautiful tree in the city and I love you
A few weeks ago, I read about Ben Smith inventing Tweeting trains. With a bit of code, every train line in the UK was suddenly represented on the web in a convenient format. Well… Convenient if you were on Twitter.
Museums, trees, and trains naturally bring me on to the Internet of Things. I think it is fair to say that IoT is in a bit of an odd place right now. Matter is a confusing mishmash of standards. Security and privacy issues dog the simplest devices. Many people don't even want their toaster online!
For the majority of domestic uses, people want an Intranet of Things. There's little need to have your light-bulbs controlled when you're outside of WiFi range. Similarly, it is probably a really bad idea to have your hydroelectric dam connected to the Internet.
Which brings me back to the Fediverse.
On the one hand, it would be nice to be able to follow @Yellow_Line@Transit_Authority.gov - or even @Bus_Stop_1234@bus_company.biz - that would allow for hyperfocused data getting to the right people. It seems feasible that every civic object could have a Fediverse account. From the individual streetlights to the municipal sewerage system. Perhaps people won't send love letters to overflowing drains - but a social-dashboard of your civic environment could be both practical and delightful.
And, as for your domestic gadgets? Why not give every room, or every light-bulb, in your home a private Fediverse account? You could send a message like:
Hey @thermostat, please set the temperature to 19°C. Thanks!
That might be a bit much! But I like the idea of a private social network which consists of all my IoT gadgets talking to me and each other.
This piece is worth reading if you’re in tech criticism or infosec/cybersecurity and are being asked for commentary on IoT and smart home devices.
People aren’t foolish for using IoT or for wanting things to be easier in their homes. This tech makes positive and meaningful change for people of all kinds of abilities. It’s valid to worry about the privacy or security issues that IoT is riddled with, but don’t draw a direct line from there to blaming the user - some people have no alternatives that don’t involve giving up independent access to their own homes and lives. Everyone deserves to live in ways that fit their needs.
Instead, join the push to hold manufacturers and providers to account for poor security and privacy practices. Advocate for better, more respectful and accessible default configurations. Help people understand how to anticipate and mitigate the worst of these issues when they’re setting things up, and give them power and agency over their home systems.
We all deserve to have tech that works for us, in all the ways that matter.
🤖 Duo S RISC-V/Arm SBC features Sophgo SG2000 SoC, Ethernet, WiFi 6, and Bluetooth 5 connectivity - CNX Software
「 Linux and RTOS are said to be supported on the Duo S, and you’ll find buildroot-built OS images on GitHub to boot from either the microSD card or the eMMC flash. As of the current v1.0.9 image, Duo S does not yet support wiringX (C) and pinpong (Python) GPIO libraries, and Arduino support is not implemented either 」
🆕 blog! “Receive push notifications from your rice cooker”
I have a lovely, and reasonably priced, Mini Panda Rice Cooker. It does not have any SmartHome features. You put in water and rice, press a button, it cooks rice. Nice! The only problem is - I don't know how long the rice will take to cook. It uses "Fuzzy Logic" to work out exactly […]
🛗In the 4th episode of #TheElevator video series, discover DataThings, #spinoff company of the Interdisciplinary Centre for Security, Reliability and Trust (SnT) of the University of Luxembourg.
The #AI company offers customised digital twin solutions to help solve complex industrial problems and support sustainable operational decisions.
Connected devices offer great convenience, but often at the expense of #security and #privacy. Pressured by the competition, teams fail to thoroughly test their systems. The following is a great example of convenience vs. security:
2024.3 brings features we've wanted, and so many more we didn't know we needed. Phil and I break down this month's features in the latest episode of the @homeassistant #podcast
Russell is an unsung hero of #OpenSource in Australia - it's his diligence and hard work that has kept the books straight for Linux Aus and auspiced conferences for several years now 👋
Matter is coming to fix all your smarthome woes! A single IoT standard, working across multiple radio protocols, bringing together different products from many different manufacturers. And… it works! Mostly. These are the Meross 315 Smart Plugs. They are …