Picture of the Internet

This Is the Most Detailed Picture of the Internet Ever (and Making it
Was Very Illegal)

http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever

"The resultant map isn't perfect, but it is beautiful. Based on the
parameter's of the researcher's study, the map is already on its way to
becoming obsolete, since it shows only devices with IPv4 addresses. (The
latest standard is IPv6, but IPv4 is still pretty common.) The map is
further limited to Linux-based computers with a certain amount of
processing power. And finally, because of the parameters of the hack, it
shows some amount of bias towards naive users who don't put passwords on
their computers."

--
glen e. p. ropella  http://tempusdictum.com  971-255-2847

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

This Is the Most Detailed Picture of the Internet Ever (and Making it
Was Very Illegal)

http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever

"The resultant map isn't perfect, but it is beautiful. Based on the
parameter's of the researcher's study, the map is already on its way to
becoming obsolete, since it shows only devices with IPv4 addresses. (The
latest standard is IPv6, but IPv4 is still pretty common.) The map is
further limited to Linux-based computers with a certain amount of
processing power. And finally, because of the parameters of the hack, it
shows some amount of bias towards naive users who don't put passwords on
their computers."

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

Me parece increíble que 420.000 usuarios de Linux sean tan descuidados y no le presten el mínimo de atención a la más básica medida de seguridad como es tener un password  para ingresar al perfil. También es interesante ver el nivel de acceso de Linux en todo el mundo.

I can not believe 420,000 Linux users are so careless and do not pay the least attention to the most basic security measure is to have a password to enter the profile. It is also interesting to see the level of access of Linux worldwide.

I have read the paper (but only once through) and it appears that most if not all of the machines in question are in fact "embedded" computers running inside of printers, webcams, NAS devices, set-top internet devices (game consoles/Netflix boxes/etc) and even industrial control systems.   I do not see anywhere where "real computers" are excluded, I assume that they are (mostly) self-excluded by not having a telnet port open and/or having more security than no password or admin/admin or root/root as password.  

I would call this more of an exploit than a hack (if the difference matters)...   and the humility shown in the work and in the paper is surprising.   If you read deep enough, you will discover that a side-effect of this work was to take very limited steps to lame another botnet being deployed at the same time, known as "Aida".   All of the resulting data is available online ~.6TB worth...  I'll be interested in subsequent analysis!

My own work in the area is 6-10 years old and while I folllowed most of  the jargon and acronyms in the paper, I felt incredibly out of date!

- Steve

This researcher/engineer

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

On 5/1/13 9:54 AM, glen e p ropella wrote: at least one of his maps seems to conflict with the XKCD gripe:
     http://xkcd.com/1138/
about "heat maps" and normalization.

But (s)he also references XKCD as the source of his "Hilbert Map".

I *told* you that XKCD is becoming an important source of reference
information!




============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

I can't help but wonder why we don't extend the "virus" (or "infection")
metaphor all the way out.  The way viruses interact with our bodies is
pretty !@#@$@& complex.  I don't know of any naturally occurring viruses
that are (purely) beneficial.  But there are many that are, in some
sense, neutral.  It's reasonable to think there exist beneficial
viruses, analogous to probiotic gut flora.  Toss that into the hat with
endogenous retroviruses and a somewhat rebellious attitude I hear from
some people about purposefully exposing themselves to dirty contexts and
refusing to use hand sanitizers in order to keep their immune system in
good shape, and you begin to see a stark difference between the metaphor
as used in computer networks versus the real thing.  (Sheesh, is that a
run-on sentence?)

I know a few radically "open" advocates here in Portland who refuse to
secure their wifi access points/routers with passwords, allowing their
neighbors and passers by to access a demilitarized zone on their
network.  This results in a "donation" of bandwidth to the public.  But
despite their technical efforts and skills with their internal
firewalls, it still puts their network at risk.  I would think we might
extend the "infection" metaphor deeper and develop layers and
sub-systems of different sorts of "immunity" against botnet, worm, and
virus infections.  But some of them, perhaps running BOINC or like this
mapping botnet, could be considered healthy infections, perhaps even
crowding out bad infections (e.g. Aida) like the good bacteria in our guts.

On 05/01/2013 11:46 AM, Steve Smith wrote:

--
glen e. p. ropella  http://tempusdictum.com  971-255-2847

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

Glen - Stephanie Forrest at UNM (formerly CNLS/SFI) has done extensive work in
this general area, I'm not up on why/how it is (not) implemented in the
real world.   You might have known her during your time at SFI?

Last time I had an in-depth visit with her was maybe 2007 and I'm sure a
great deal has happened since!  It seemed like a lot was funded by DARPA
at the time and therefore some of that wasn't being published in the
open (or was being delayed?)

http://www.cs.unm.edu/~immsec/research.htmI always leave my WiFi open and the doors to my house unlocked... both
are considered an invitation to mischief.   All the mischief I have
experienced in my life has been in *in spite of* such precautions...
most house-door locks are easily defeated (and certainly are the easily
broken windows throughout most houses without alarms/bars) as are car
windows (smash and grab).

The aesthetic of leaving an open WiFi is not just bandwidth of course,
but access...  I'm not trying to make it easy for my teenage neighbor to
double his bitTorrent feeds, I'm trying to make it easy for his friend
who visits to hop on a network and check his email without having to go
through the (often elaborate) transaction of getting a password.

I use my internet as if it is being monitored (wait, it probably is,
even if my wifi is locked down) just as I assume anyone who wants to can
get into my vehicle on a whim...  (Don't leave valuables in plain sight,
if you lock the door, they still get them, but you also have a window to
replace now).   Convertible owners often don't lock their doors, who
wants the top slashed just  so someone can riffle your glove box and
look under the seats for the hidden valuables?

"do you have WiFi? can I use it?"
     "sure"
"I see your network requires a WPA Password, do you know it?"
     "let me see.. my dad set that up... I think it was..."
"did he write it down"
     "yuh... its around here somewhere.."
"do you remember a mnemonic?"
     "yuh... it was something about his birthdate and his first pet and
his grandmother's maiden name.."
"ok...  hmmm..."
     "shuffle shuffle"...
"nevermind, I see your neighbor has an open WiFi, I'll just pop on that."
     "great!"
"no problem, thanks (for nuthin)"

In Berkeley ca 2005, if I felt sluggish (I mean my internet), I would go
check my DHCP logs on my router to see how many people were on it... it
was often a significant fraction of the limit I had set of 30.   At the
time I only typically had 1-3 devices of my own on it.  Within my reach
there was usually 1 or 2 other open nets and dozens (there was a large
apartment building right next door) of closed ones.   If any of the
connections seemed to be using egregious amounts of bandwidth (this was  
802.11G) I would bump them off and block them if they came back too
often (using big bandwidth).   If I was grumpy or in a hurry I would
just shake everyone off and see how many came back quickly.

Fundamentally I never felt abused.  It was healthy to be reminded that
my network traffic was transparent to anyone interested in looking (not
just those with enough resources to tap the local/regional backbones).  
Don't send anything clear-text.  HTTPS and SSH are your friends.  Keep
your *services* passworded, etc.

There are those who prefer to wear a belt *with* their suspenders and
there are those that don't.

- Steve



On 05/01/2013 11:46 AM, Steve Smith wrote:

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

On 05/01/2013 03:06 PM, Steve Smith wrote:
> You might have known her during your time at SFI?
>
> Last time I had an in-depth visit with her was maybe 2007 and I'm sure a
> great deal has happened since!  It seemed like a lot was funded by DARPA
> at the time and therefore some of that wasn't being published in the
> open (or was being delayed?)

Yeah, I talked to her a number of times while I was there. It would be
interesting to find out she's continued to work on it, or if someone
else took it further.

> In Berkeley ca 2005, if I felt sluggish (I mean my internet),

I can imagine a more urban area being more problematic.  I've heard that
some ISPs include restrictions on wifi sharing in their terms of service
"agreements":

http://w2.eff.org/Infrastructure/Wireless_cellular_radio/wireless_friendly_isp_list.html

--
glen e. p. ropella  http://tempusdictum.com  971-255-2847

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

>> In Berkeley ca 2005, if I felt sluggish (I mean my internet),
> I can imagine a more urban area being more problematic.  I've heard that
> some ISPs include restrictions on wifi sharing in their terms of service
> "agreements":
>
> http://w2.eff.org/Infrastructure/Wireless_cellular_radio/wireless_friendly_isp_list.html
While the agreements tend to be a little vague and biased *against* the
consumer (not a surprise given who writes them?), there *is* some common
sense we use everywhere.   We don't take an all-you-can-eat salad bar
plate and feed a family from it but we might give a child or a partner a
morsel from our plate without guilt.   We don't help our neighbor tap
our water main so they can shut off their own service but we might water
an isolated corner of their lawn or a flowerbed that is close to our own
but hard to reach from their own infrastructure.  We don't steal pencils
and pens from our workplace to avoid buying them for our children's
school or our own home desk but we don't panic when we leave work with
one in our pocket.  We don't insure a car for a high-risk driver to use
without putting them on the list of drivers but we might let them borrow
our car now and again.

This seems like another form of tragedy around the commons?

So, how *do* legitimate Mesh Networks get created/propogated if access
to the backbone is controlled by angry trolls at the gates?

I am sure that in Berkeley there were any number (probably much less
than 50% of the households) who depended on the goodwill of folks like
myself to avoid obtaining their own service.

On the other hand, my experience with PacBell suggests these folks felt
that may have felt they had no good options.    PacBell required that I
sign a 12 month agreement to get internet... even though I told them I
only planned to live there 11 months... they had no option so I took the
12 month deal.  When it was time to leave, I tried to get them to waive
the $200 "early termination fee" when I was shutting down 20 days before
my 365...   they weren't having it.  So finally I told them I would keep
the service until the year was up and they said that as soon as they
detected that all my devices were disconnected from the service *they*
would terminate my service (unattended service?), which they did, and
then levied the $200 fee which I ignored which still plagues me
everytime I try to refinance my house!   In the post subprime mortgage
world, it seems a smudge as faint and explainable as that can move you
from super-prime to questionable!  Students who likely move through
apartments as frequently as on a semester basis are just SOL unless good
samaritans (scofflaws?) like myself provide an alternative?

- Steve

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

http://w2.eff.org/Infrastructure/Wireless_cellular_radio/wireless_friendly_isp_list.html

Per my last question of "how is a mesh network to get started, propogate, etc.?" the list above *does* address this somewhat... 

You might have known her during your time at SFI?

Last time I had an in-depth visit with her was maybe 2007 and I'm sure a
great deal has happened since!  It seemed like a lot was funded by DARPA
at the time and therefore some of that wasn't being published in the
open (or was being delayed?)

Yeah, I talked to her a number of times while I was there. It would be
interesting to find out she's continued to work on it, or if someone
else took it further.

From her CV, here are the things I guess she is working on now!



============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

On Wed, May 01, 2013 at 07:00:12PM -0600, Steve Smith wrote:
That is so daft. I can understand them not refunding the remainder of
the 12 month contract, but to levy an early termination fee when the
pro-rata refundable amount is less than the levy is crazy.

How long a period of disconnection counts as an unattended service
anyway? I regularly power down all my computers, routers, phones etc.,
when going on extended holidays (more than a few days), partly as a
green measure to prevent unnecessary usage of electricity, but also as
prevention against hackers, lightning strikes and other calamities.

If that were in Australia, you'd lodge an objection with the ACCC. And
I'd expect you'd win.

Cheers
--

----------------------------------------------------------------------------
Prof Russell Standish                  Phone 0425 253119 (mobile)
Principal, High Performance Coders
Visiting Professor of Mathematics      [hidden email]
University of New South Wales          http://www.hpcoders.com.au
----------------------------------------------------------------------------

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

On 5/1/13 3:39 PM, glen e p ropella wrote:
> I would think we might
> extend the "infection" metaphor deeper and develop layers and
> sub-systems of different sorts of "immunity" against botnet, worm, and
> virus infections.  But some of them, perhaps running BOINC or like this
> mapping botnet, could be considered healthy infections, perhaps even
> crowding out bad infections (e.g. Aida) like the good bacteria in our guts.
>
What is good or bad?  If someone installs an internet webcam without a
password, why would they expect internet users not to reach that
webcam?   If someone installs a set-top box to a cable TV coax, do they
seriously not expect that their viewing habits won't be recordable?

Immunity to the "bad" first has to determine that something can even be
defined to be bad.   When a person shops at a mall, do they expect to be
anonymous?  If so, I hope they wear dark glasses and a trench coat!   Or
if they go to a favorite restaurant and the waiter asks "The usual?"  
should they be alarmed?    What's the general "immunity" here?  
Choosing to be conversational or aloof is personality trait, not a
universal.   If the waiter doesn't ask a second time, that's a choice of
the waiter, presumably a function of the model they've inferred of their
patron's behavior.

In so far as computing environments, or operating systems, are
concerned, I think the goal should be to state a clear security model
and implement it correctly.   I think these "evolutionary" layers are
just a way of saying, "Golly, we just don't understand what we want or
how to implement it."

If the goal is to have a open negotiation process between all kinds of
agents over scheduling, that's a novel use case for connected devices.  
But I'd say most people aren't interested in facilitating computational
internet terrariums (though that would be neat). That there exist
botnets is just to say there exist exploitable bugs, and that users have
a poor understanding of what they expect -- that there exist careless
and irresponsible people.

Marcus

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

Steve Smith wrote at 05/01/2013 06:00 PM:
> This seems like another form of tragedy around the commons?

I view all this the same way I view laws and selective enforcement by
DAs and LEOs.  Laws are there to provide options for the LEOs to
selectively choose who to "suppress".  (As with our disagreement about
the "scientific method", we probably disagree on this, too.  Perhaps the
authors of the law have other intentions.  But from what I've seen of
legislative bodies, especially those - like Oregon - with "initiative"
processes, whatever intentions might be there are lost in the noise of
money and contradictory ideology, kneaded by massively pragmatic, amoral
efficiency oriented bureaucrats.)

So it is with the various terms of agreement we click through without
ever reading.  If/when an individual emerges as a threat to the
corporation or government, rules are cherry-picked to bring the hammer
down on that individual in order to coerce them into behaving how they
"should" behave.

As long as you don't emerge as a threat, then you can get away with
pretty much anything.  To me, this is why "bards" and jesters are so
valuable and powerful.  They manage to walk that very fine line between
being a no-op and being a threat.  cf:

http://egyptianchronicles.blogspot.com/2013/05/bassemyoussef-saga-continues-khaled.html

> Students who likely move through
> apartments as frequently as on a semester basis are just SOL unless good
> samaritans (scofflaws?) like myself provide an alternative?

Heh, that's all very alien to me.  I lived in an old corps dorm with
concrete walls, group showers, and no air conditioning.  I had a few
"rich" friends who lived in the new dorms on the other side of campus,
with their own toilets, or off campus in (what seemed like) wildly
expensive apartments and houses.  They had their own phones, cars, etc.
 Most of them could even buy their food at the grocery store rather than
eating whatever the cafeteria provided on the "food plan". ;-)  All my
"internet access" came in the form of a green or orange screen in
various basements across campus.

Luckily, in large swaths of Portland, free wifi abounds due to the
heroes at the Personal Telco project: https://personaltelco.net/wiki

--
=><= glen e. p. ropella
I can tell just by the climate, and I can tell just by the style


============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

I think you answer your own questions, right?  The reason for people's
(false) expectations regarding computers like set top boxes or webcams
is _because_ of your latter argument.  If the goal is a "clear security
model", then when I install a webcam on my TV, I expect a clear security
model, not sporadic hack attempts by script kiddies or anonymous
internet mappers.

Your advocacy of engineering is what provides the false/misplaced
confidence of the average Joe.  Personally, I think we should stop
trying to convince average Joes that there exist white hat engineers who
spend their time looking out for us.  Instead, we should tell the
average Joe that these devices are _fun_ and anytime you bring a fun
device to a party, there will be at least one or two yahoos at the party
who will use it in a way you cannot predict. Similarly, if someone else
brings a device to a party, you are _obligated_ to abuse that device in
some way befitting your personality.  If they didn't want their device
abused, they should have left it at home, preferably turned off, in
their safe ... or better yet, smash it with a hammer and stop buying fun
devices.

Marcus G. Daniels wrote at 05/01/2013 08:39 PM:

--
glen e. p. ropella, 971-255-2847, http://tempusdictum.com
In all affairs it's a healthy thing now and then to hang a question mark
on the things you have long taken for granted. -- Bertrand Russell


============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

On 5/2/13 11:25 AM, glen e. p. ropella wrote:
> I think you answer your own questions, right?  The reason for people's
> (false) expectations regarding computers like set top boxes or webcams
> is _because_ of your latter argument.
I don't agree, I think it's just because people don't think about the
consequences of their own actions.
They want some parental type person looking out for them in some vague
general sense (the white hat engineer).   But what that means is
something no one could really agree on, and most definitions we might
agree on would just be oppressive.

Marcus

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

Marcus G. Daniels wrote at 05/02/2013 10:38 AM:
> I don't agree, I think it's just because people don't think about the
> consequences of their own actions.

I definitely agree with that.

> They want some parental type person looking out for them in some vague
> general sense (the white hat engineer).

But you can't make that cut cleanly.  We live in a marketing society.
And even if you consider a 3rd world economy, you can say that an
individual's expectations are, to a significant extent, determined by
the culture in which the individual lives.  In such social forcing
contexts, what an individual _wants_ is partly determined by what
society _tells_ them they want.

When internet ads tell me I want a new car, it's difficult to solely
place the blame on me for wanting a new car.  When internet ads tell me
I want an underweight supermodel for my girlfriend, or I want my abs to
look like a movie star's six-pack, it's difficult to solely blame me for
wanting those things.  The same is true for foods without poison or
bacteria in them, tap water that's drinkable, and set top boxes that
resist hack attempts.

If we stop telling them that they want such things, they might stop
wanting such things.

--
glen e. p. ropella, 971-255-2847, http://tempusdictum.com
You work three jobs?  Uniquely American, isn't it? I mean, that is
fantastic that you're doing that. -- George W. Bush


============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com