ricci, to security
@ricci@discuss.systems

Hey! Let's talk about and !

If you've ever looked at SSH server logs you know what I'm about to say: Any SSH server connected to the public Internet is getting bombarded by constant attempts to log in. Not just a few of them. A lot of them. Sometimes even dozens per second. And this problem is not going away; it is, in fact, getting worse. And attackers' behavior is changing.

The graph attached to this post shows the number of attempted SSH logins per day to one of @cloudlab's clusters over a four-year period. It peaks at about 3.4 million login attempts per day.

This is part of a study we did on our production system, using logs of more than 640 million login attempts, covering more than 1,500 hosts on our side and observing more than 840 thousand incoming IP addresses.

A paper presenting our analysis and a new, highly effective means to block SSH brute force attacks ("Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them") will be presented next week at by @sachindhke . The full paper is at https://www.flux.utah.edu/paper/singh-nsdi24

Let's dive in. 🧵

ricci,
@ricci@discuss.systems

First things first: everyone "knows" that most brute force attacks are against the "root" account, right? This is certainly what earlier studies have found.

As it turns out, this used to be true, but it's not anymore. This graph shows that the fraction of brute force attacks using the username root was nearly 100% back in 2017, but it's been falling - by mid-2021, only around 20% of the attacks we saw were against root.

So, why? Well, we don't have a hotline to the attackers, but we have an educated guess from our own data and from many others' reporting: a lot of the usernames we see correspond to default usernames for #network #routers, specific #Linux distributions, specific server software, and #IoT devices. Basically, as we connect ever more stuff to the Internet (and generally try to protect the "root" account), attackers seem to be diversifying the accounts they are going after.

(There's a table of the top 100 usernames in the paper.)
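Computing that root fraction (and a top-usernames table) from your own server logs, as an added example that is not code from the post or the paper; it assumes OpenSSH's "Failed password for ..." auth.log format and runs over constructed sample lines:

```python
import re
from collections import Counter

# Constructed sample auth.log-style lines (not from the CloudLab dataset).
SAMPLE_LOG = """\
Jan 12 03:14:07 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jan 12 03:14:09 host1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Jan 12 03:15:01 host1 sshd[2210]: Failed password for invalid user pi from 203.0.113.9 port 40022 ssh2
Jan 12 03:15:30 host1 sshd[2211]: Failed password for invalid user ubnt from 203.0.113.9 port 40030 ssh2
Jan 13 01:02:03 host1 sshd[3301]: Failed password for root from 192.0.2.44 port 60010 ssh2
Jan 13 01:02:05 host1 sshd[3302]: Failed password for root from 192.0.2.44 port 60012 ssh2
Jan 13 01:03:00 host1 sshd[3305]: Failed password for invalid user ubuntu from 192.0.2.45 port 60020 ssh2
Jan 13 01:04:00 host1 sshd[3306]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# Matches OpenSSH failed-password lines; "invalid user" marks names with no local account.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) [\d:]{8} \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failed_logins(text):
    """Yield (date, username, source_ip) for each failed password attempt."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield f"{m['mon']} {int(m['day']):02d}", m["user"], m["ip"]

def root_fraction_per_day(text):
    """Return {date: fraction of failed attempts that targeted the root account}."""
    totals, root = Counter(), Counter()
    for date, user, _ip in parse_failed_logins(text):
        totals[date] += 1
        if user == "root":
            root[date] += 1
    return {d: root[d] / totals[d] for d in totals}

def top_usernames(text, n=5):
    """Most-attempted usernames overall, in the spirit of the paper's top-100 table."""
    return Counter(u for _d, u, _ip in parse_failed_logins(text)).most_common(n)

if __name__ == "__main__":
    for day, frac in sorted(root_fraction_per_day(SAMPLE_LOG).items()):
        print(f"{day}: {frac:.0%} of failed logins targeted root")
    print(top_usernames(SAMPLE_LOG))
```

Point it at a real auth.log and the non-root share will show which default IoT, router and distro account names are being tried against your hosts.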

Edent, to fediverse
@Edent@mastodon.social

🆕 blog! “The Fediverse of Things”

One of the most frustrating things in modern technology is the effort spent trying to artificially restrict abundance. Take, for example, this tale from museum-worker Aaron Cope: I was out with a friend who worked for Twitter and I asked them whether it would be possible for the museum to “create 200,000 Twitter accounts, one […]

👀 Read more: https://shkspr.mobi/blog/2024/04/the-fediverse-of-things/

siosm, to fedora
@siosm@floss.social

Are you making a video or a podcast about Fedora Silverblue, Kinoite, Sericea, Onyx, IoT or CoreOS ? Feel free to reach out on the Fedora discussion forum! We can help you figure out issues or answer questions you may have with those "new" variants.

If you prefer, you can also reach out directly to me. You might also want to reach out to @jorge (Universal Blue) or @sfalken (openSUSE MicroOS, Aeon, Kalpa).

VerneMQ, to Futurology
@VerneMQ@fosstodon.org

Who's into and messaging here? Raise your hand... the VerneMQ project wants to follow you. :)

blog, to fediverse
@blog@shkspr.mobi

The Fediverse of Things
https://shkspr.mobi/blog/2024/04/the-fediverse-of-things/

One of the most frustrating things in modern technology is the effort spent trying to artificially restrict abundance.

Take, for example, this tale from museum-worker Aaron Cope:

I was out with a friend who worked for Twitter and I asked them whether it would be possible for the museum to “create 200,000 Twitter accounts, one for each object in the Cooper Hewitt’s collection”. My friend looked at me for a moment, laughed, and then simply said: No.

In that blog post, Aaron reveals that the San Francisco International Airport Museum is using ActivityPub to create automated social-media bot accounts for all its exhibits and, possibly, every object it holds.

And why not! That would be close to impossible to do on a centralised service. But on a decentralised service under your own control, it is relatively simple. Perhaps I only want to follow the museum's canteen, or I just want to engage with a specific artefact. The Fediverse makes that possible.

This reminds me of the Melbourne "treemail" phenomenon. Every tree in the city had an email address, ostensibly so residents could email maintenance issues for a specific tree. Instead, people started interacting with the trees and sending them little love notes!

Dearest Golden Elm Tree, I finally found you! As in I see you everyday on my way to uni, but I had no idea of what kind of tree you are. You are the most beautiful tree in the city and I love you

A few weeks ago, I read about Ben Smith inventing Tweeting trains. With a bit of code, every train line in the UK was suddenly represented on the web in a convenient format. Well… Convenient if you were on Twitter.

Museums, trees, and trains naturally brings me on to the Internet of Things. I think it is fair to say that IoT is in a bit of an odd place right now. Matter is a confusing mishmash of standards. Security and privacy issues dog the simplest devices. Many people don't even want their toaster online!

For the majority of domestic uses, people want an Intranet of Things. There's little need to have your light-bulbs controlled when you're outside of WiFi range. Similarly, it is probably a really bad idea to have your hydroelectric dam connected to the Internet.

Which brings me back to the Fediverse.

On the one hand, it would be nice to be able to follow @Yellow_Line@Transit_Authority.gov - or even @Bus_Stop_1234@bus_company.biz - that would allow for hyperfocused data getting to the right people. It seems feasible that every civic object could have a Fediverse account. From the individual streetlights to the municipal sewerage system. Perhaps people won't send love letters to overflowing drains - but a social-dashboard of your civic environment could be both practical and delightful.

And, as for your domestic gadgets? Why not give every room, or every light-bulb, in your home a private Fediverse account? You could send a message like:

Hey @thermostat, please set the temperature to 19°C. Thanks!

That might be a bit much! But I like the idea of a private social network which consists of all my IoT gadgets talking to me and each other.

https://shkspr.mobi/blog/2024/04/the-fediverse-of-things/

rkaramandi, to homeassistant
@rkaramandi@techhub.social

The latest episode of the is here.

This time Phil and I are talking to the man, the myth and the legend Mike from Nabu Casa about all things

This is an episode you don't want to miss 👇

https://m.youtube.com/watch?v=vZgf-LXexEw&feature=youtu.be

@homeassistant @homeassistant

gcluley, to Cybersecurity
@gcluley@mastodon.green

The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world.

Tooth factor authentication couldn’t stop journalists from reporting this nonsense.

https://grahamcluley.com/the-toothbrush-ddos-attack-how-misinformation-spreads-in-the-cybersecurity-world/

kuketzblog, to Futurology German
@kuketzblog@social.tchncs.de

Tip No. 30: Before buying new devices/technology, be sure to watch out for pitfalls. These can include: mandatory apps, cloud dependence, etc. Not every piece of »junk« has to be connected to the Internet. If the manufacturer then goes bankrupt, the devices are usually no longer usable. Buying with foresight can prevent that.

bane, to infosec
@bane@exploit.social

Still looking for work, if anyone is interested in getting to know me. Hit me up! Always willing to chat and nerd out about stuff.

thingrex, to Futurology

MQTT is an OASIS standard messaging protocol for the Internet of Things (IoT). It is one of the most popular protocols in the Internet of Things domain. AWS supports MQTT, which is the default communication method between devices and the AWS IoT Core service. But there are some significant differences between the implementation of the MQTT protocol at AWS and the OASIS specification.

homeassistant, to homeassistant
@homeassistant@fosstodon.org

Home Assistant 2024.6! 🎉

Control your home with an AI-powered Assist, conditional sections and cards for your dashboards, Matter 1.3, amazing new media player commands, tag entities, and so much more! 🚀

https://www.home-assistant.io/blog/2024/06/05/release-20246/

#HomeAssistant #IoT #SmartHome #ChatGPT #OpenAI

DM_Ronin, to cars
@DM_Ronin@mstdn.social

This is an illustration of what is wrong with the car industry from a tech perspective – "hey idiots we turned off all 3G, therefore buy new car!"

https://nitter.unixfox.eu/StanleyRoberts/status/1587188162412978177

rkaramandi, to SmartHome
@rkaramandi@techhub.social

Want to hear more of @balloob talking about Nabu Casa and @homeassistant?

Phil and I sat down with Paulus just before Chapter 6 of the Year of the Voice to talk about Nabu Casa, and the future plans for Home Assistant.

https://youtu.be/PnxiJhrOyX8

@homeassistant

frenck, to opensource

Hi! 👋

I'm Frenck! (aka Franck Nijhof) A full-time , that is trying to make a positive difference every single day by contributing!

I'm the most active in the world of , with a focus on the . I'm most notably known for working on the project.

../Frenck

monkeyflower, to tech
Frederik_Borgesius, to security

‘Security researchers have pinned a DDoS botnet that's infected potentially millions of smart TVs and set-top boxes to an eight-year-old cybercrime syndicate called Bigpanzi. At least 170,000 bots were running daily at the campaign's height’ https://www.theregister.com/2024/01/18/bigpanzi_botnet_smart_tvs/ #security #cybersecurity #iot #tech

MoritzBrouhaha, to design
@MoritzBrouhaha@typo.social

Nabaztag was a French IoT product launched in 2005, way before Alexa. This rabbit was a new way to connect to the internet without a screen.

While the production and servers were shut down in 2015, the project has been open-sourced and a community has emerged around it.

The creator, Olivier Mevel, has produced a new PCB card running with a Raspberry Pi and has opened a new pre-order campaign this month!

Nice to see an IoT product having a second life.

https://www.tagtagtag.fr/index.php/tagtagtag2k23/shop_2k23

#design #iot

RTP, to news
@RTP@fosstodon.org

How Surveillance Capitalism Is Changing Our Most Intimate Relationships

"It's a mass surveillance infrastructure. An ecosystem keeping track of us for power and profit."

(We may have taken for granted simple things, like taking a walk with a friend without every ring doorbell listening in)

https://newrepublic.com/article/178268/surveillance-changing-intimate-relationships

webknjaz, to python
@webknjaz@mastodon.social

One friend of mine wrote a blog post on his @homeassistant setup:

"Home Assistant helps me survive during missile and drone attacks. Here is how." https://denysdovhan.com/home-assistant-config/config/war/

saving lives IRL y'all!

Edent, to homeassistant
@Edent@mastodon.social

🆕 blog! “Review: Matter-enabled Energy Monitoring Smart Plugs - Meross 315”
★★★★★

Matter is coming to fix all your smarthome woes! A single IoT standard, working across multiple radio protocols, bringing together different products from many different manufacturers. And… it works! Mostly. These are the Meross 315 Smart Plugs. They are …

👀 Read more: https://shkspr.mobi/blog/2024/02/review-matter-enabled-energy-monitoring-smart-plugs-meross-315/

icd, to ai Polish
@icd@mastodon.internet-czas-dzialac.pl

In the last episode of the first season of ICD Weekend, Arek and Kuba talk about news concerning Facebook, Apple and AI, and share new app recommendations from F-Droid.

https://www.internet-czas-dzialac.pl/weekend-25/

#ai #apple #facebook #meta #fdroid #android #homeassistant #iot

orhun, to rust
@orhun@fosstodon.org

Today I found a TUI for handling message queues! 🚀

📨 mqttui: Subscribe to a MQTT Topic or publish something quickly from the terminal.

🌐 Perfect for managing IoT applications! 💡
🦀 Written in Rust & built with @ratatui_rs

⭐ GitHub: https://github.com/EdJoPaTo/mqttui

attacus, to accessibility
@attacus@aus.social

This piece is worth reading if you’re in tech criticism or infosec/cybersecurity and are being asked for commentary on IoT and smart home devices.

People aren’t foolish for using IoT or for wanting things to be easier in their homes. This tech makes positive and meaningful change for people of all kinds of abilities. It’s valid to worry about the privacy or security issues that IoT is riddled with, but don’t draw a direct line from there to blaming the user - some people have no alternatives that don’t involve giving up independent access to their own homes and lives. Everyone deserves to live in ways that fit their needs.

Instead, join the push to hold manufacturers and providers to account for poor security and privacy practices. Advocate for better, more respectful and accessible default configurations. Help people understand how to anticipate and mitigate the worst of these issues when they’re setting things up, and give them power and agency over their home systems.

We all deserve to have tech that works for us, in all the ways that matter.

https://www.theverge.com/24080201/smart-home-accessibility-apple-nest-alexa

nixCraft, to security
@nixCraft@mastodon.social

UK becomes first country to ban default bad passwords on IoT devices https://therecord.media/united-kingdom-bans-defalt-passwords-iot-devices #security #IoT #infosec

mmeier, to homelab
@mmeier@social.mei-home.net

I've got an idea. Let's form an IoT company. One that makes really great, high quality, well designed products. You know, ones that don't drop out every time you look at them wrong. We offer them cheap, burning through some VC money.

We will certainly fail. But for one glorious moment, people will know good IoT. And the next time somebody tries to sell them crap, they get beaten to a pulp with their shitty products.

And perhaps then, we will actually get good IoT stuff.
