“Suspicious” event routes traffic for big-name sites through Russia | Ars Technica

Russia briefly hijacked key Internet sites Wednesday through manipulation of BGP, the Internet’s routing tables. In a war, you can bet that the Internet will be one of the first targets. Is Russia testing its plans?

Traffic sent to and from Google, Facebook, Apple, and Microsoft was briefly routed through a previously unknown Russian Internet provider Wednesday under circumstances researchers said were suspicious and intentional.

The unexplained incident involving the Internet’s Border Gateway Protocol is the latest to raise troubling questions about the trust and reliability of communications sent over the global network. BGP routes large-scale amounts of traffic among Internet backbones, ISPs, and other large networks. But despite the sensitivity and amount of data it controls, BGP’s security is often based on trust and word of mouth. Wednesday’s event comes eight months after large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services were briefly routed through a Russian government-controlled telecom, also under suspicious circumstances.

Source: “Suspicious” event routes traffic for big-name sites through Russia | Ars Technica

AIM taught us how to communicate in real-time online – Houston Chronicle


AOL shut down AOL Instant Messenger (AIM) today. Rest in peace, h0tgrits.

Toward the mid-1990s, America Online (by then going by its nickname, AOL) was the company through which most Americans accessed the Internet. As many as half of the CD-ROMs produced at the time bore the near-ubiquitous AOL logo, offering early computer users the opportunity to surf the Internet for a flat fee – at the time, US$19.99 for unlimited monthly access.

With nearly half of U.S.-based Internet traffic flowing through AOL, the stage was set for a social evolution of sorts that shifted our collective relationship with technology and each other. AOL Instant Messenger, or AIM, was launched in May 1997 as a way for AOL users to chat with each other in real time, via text.

The service’s Dec. 15 shutdown was announced, notably, on a new real-time text communication channel, Twitter. That is just one testament to AIM’s lasting effects on how people use technology to connect today.

Source: AIM taught us how to communicate in real-time online – Houston Chronicle

Skimmer was on Raleigh ATM at State Farmers Market for nearly 3 months | WNCN

When first reading this story, I got the state farmers market confused with the state fairgrounds. I know I’ve used the state fairgrounds ATM this year but I know I’ve not used the farmers market ATM this year.

Raleigh Police arrested a man for credit card theft after investigators say he installed the credit card skimmer in the Farmers Market ATM. Police say he installed it on July 2 and a service technician found it and it was removed on September 24.

Source: Skimmer was on Raleigh ATM at State Farmers Market for nearly 3 months | WNCN

Google collects Android users’ locations even when location services are disabled — Quartz

Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?

Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Source: Google collects Android users’ locations even when location services are disabled — Quartz

How Facebook Figures Out Everyone You’ve Ever Met

In real life, in the natural course of conversation, it is not uncommon to talk about a person you may know. You meet someone and say, “I’m from Sarasota,” and they say, “Oh, I have a grandparent in Sarasota,” and they tell you where they live and their name, and you may or may not recognize them.

You might assume Facebook’s friend recommendations would work the same way: You tell the social network who you are, and it tells you who you might know in the online world. But Facebook’s machinery operates on a scale far beyond normal human interactions. And the results of its People You May Know algorithm are anything but obvious. In the months I’ve been writing about PYMK, as Facebook calls it, I’ve heard more than a hundred bewildering anecdotes:

  • A man who years ago donated sperm to a couple, secretly, so they could have a child—only to have Facebook recommend the child as a person he should know. He still knows the couple but is not friends with them on Facebook.
  • A social worker whose client called her by her nickname on their second visit, because she’d shown up in his People You May Know, despite their not having exchanged contact information.
  • A woman whose father left her family when she was six years old—and saw his then-mistress suggested to her as a Facebook friend 40 years later.
  • An attorney who wrote: “I deleted Facebook after it recommended as PYMK a man who was defense counsel on one of my cases. We had only communicated through my work email, which is not connected to my Facebook, which convinced me Facebook was scanning my work email.”

Connections like these seem inexplicable if you assume Facebook only knows what you’ve told it about yourself. They’re less mysterious if you know about the other file Facebook keeps on you—one that you can’t see or control.

Source: How Facebook Figures Out Everyone You’ve Ever Met

New “Quad9” DNS service blocks malicious domains for everyone | Ars Technica

The Global Cyber Alliance (GCA)—an organization founded by law enforcement and research organizations to help reduce cyber-crime—has partnered with IBM and Packet Clearing House to launch a free public Domain Name Service system. That system is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts—primarily targeted at organizations that don’t run their own DNS blacklisting and whitelisting services. Called Quad9 (after the 9.9.9.9 Internet Protocol address the service has obtained), the service works like any other public DNS server (such as Google’s), except that it won’t return name resolutions for sites that are identified via threat feeds the service aggregates daily.

“Anyone anywhere can use it,” said Phil Rettinger, GCA’s president and chief operating officer, in an interview with Ars. The service, he says, will be “privacy sensitive,” with no logging of the addresses making DNS requests—“we will keep only [rough] geolocation data,” he said, for the purposes of tracking the spread of requests associated with particular malicious domains. “We’re anonymizing the data, sacrificing on the side of privacy.”

Source: New “Quad9” DNS service blocks malicious domains for everyone | Ars Technica

Experian Site Can Give Anyone Your Credit Freeze PIN — Krebs on Security

What good does it do to lock down your credit with a credit freeze if Experian will hand over your PIN to anyone who asks?

An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

Source: Experian Site Can Give Anyone Your Credit Freeze PIN — Krebs on Security

Bay Area housing: Sunnyvale home sells $800,000 above asking

This story caught my eye, when a modest, 2,000sf home in Sunnyvale, CA sold for $800,000 over asking price. True, there is a little real estate sleight-of-hand going on here with how it was priced but there’s no denying that this is an eye-popping sale.

This kind of outrageous housing market is what comes to mind when I think of what might happen if Amazon chooses to set up its second headquarters in the Triangle. I think of the stunning metamorphosis that’s taken place this year in the neighborhood surrounding East Raleigh’s Ligon Middle School, where affordable homes have been all but demolished in favor of fancy new homes, and I wonder how long it will be before no one here but stock-option millionaires can live where they work.

Be careful what you wish for, Raleigh. More on this in an upcoming blog post.

A house in Sunnyvale just sold for close to $800,000 over its listing price.

Your eyes do not deceive you: The four-bed, two-bath house — less than 2,000 square feet — listed for $1,688,000 and sold for $2,470,000.

“I think it’s the most anything has ever gone for over asking in Sunnyvale — a record for Sunnyvale,” said Dave Clark, the Keller Williams agent who represented the sellers in the deal. “We anticipated it would go for $2 million, or over $2 million. But we had no idea it would ever go for what it went for.”

This kind of over-bidding is known to happen farther north in cities including Palo Alto, Los Altos and Mountain View. But as those places have grown far too expensive for most buyers, future homeowners have migrated south to Sunnyvale, a once modest community that now finds itself among the Bay Area’s real estate hot spots.

Source: Bay Area housing: Sunnyvale home sells $800,000 above asking

DefCon 25

Having worked in IT for (gasp!) twenty-five years, I have long enjoyed the side of my job that deals with securing the networks I am responsible for. Network security is a game to me; trying to find and stop hackers before they find and stop me. As my blogging has revealed over the years, I enjoy solving a good mystery. How far back can I track an attacker? Or an adversary? How much knowledge can I dig up? This is all very fun.

My current job doesn’t deal with this directly as I am lucky to have a great team who watches the network. Still, I have to pay some attention to what’s what. So, when the department budget allowed for sending me to my first DefCon, I was delighted to go. Two weeks ago, I was on a plane to Las Vegas to join 25,000 other “hackers” in an intense, three-day powwow of matching wits, sharing forbidden knowledge, and proving points.

This year is the 25th anniversary of DefCon (i.e. “DefCon 25”). DefCon gets its name partly from the U.S. Department of Defense’s “Defense Condition” levels, as popularized by the movie “War Games.” Partly, it’s a made-up word with the “Con” meaning “convention.” DefCon was started (if I am correct) by Canadian bulletin-board owners who decided that on-line meetings were not enough. It has continued to be one of the premier conferences/training sessions that draws attendees from around the world.

As a Woman in Tech, I Realized: These Are Not My People – Bloomberg

A woman in tech suggests there’s a kernel of truth in the “Google Memo.”

No, the reason I left is that I came into work one Monday morning and joined the guys at our work table, and one of them said “What did you do this weekend?”

I was in the throes of a brief, doomed romance. I had attended a concert that Saturday night. I answered the question with an account of both. The guys stared blankly. Then silence. Then one of them said: “I built a fiber-channel network in my basement,” and our co-workers fell all over themselves asking him to describe every step in loving detail.

At that moment I realized that fundamentally, these are not my people. I liked the work. But I was never going to like it enough to blow a weekend doing more of it for free. Which meant that I was never going to be as good at that job as the guys around me.

Source: As a Woman in Tech, I Realized: These Are Not My People – Bloomberg