Tumgik
#eddie's OF account would crash the site
incorrect911argoship · 6 months
Eddie: Can you imagine being paid for being cute?
Buck: You'd be the richest man in the world.
Chim: Isn't that the whole point of Only Fans?
Ravi: Eddie would make bank.
Buck: Right?
356 notes · View notes
purplesurveys · 3 years
1041
survey by chasingghosts
What is the age gap between you and your parents? 27 for both. Technically, 26 years with my mom since she had yet to celebrate her birthday when she had me, but she was going to turn 27 all the same. Guh. I can’t believe I’m just five years away from that and I’m still nowhere near building my own family.
How many bathrooms does your house have? Is this enough? Two. I’d say it’s enough. Two people in the family rarely have to go to the bathroom at the same time so it works out for us.
Have you sent a letter to anyone in the past year? Yeah. I used to give Gabie a handwritten letter every Christmas along with her gifts. I still plan on writing her one, but obviously the content will be vastly different now.
Have you ever video chatted with someone you met online? I did this with Carley a handful of times; we’d video chat when I came home from school which was around the time she would get ready for school. She was such an extrovert who was so lovely and bubbly around me, and I’ve always felt bad that she had to contend with my shy ass with my mic always muted lol.
Are you hungry or thirsty right now? I’m neither but I can go for a light meal right now, which is great because I got myself a chicken barbecue sandwich and a caramel macchiato from Starbucks as a treat for myself tonight :) I went through five video call meetings just for today alone, went through several breakdowns while at work, and am also on my period, so I thought I deserved a break.
When was the last time you ate something, and what did you eat? Literally just had a bite from my sandwich.
Have you ever seen the film Boondock Saints? Nope. Sounds nothing like my type of film.
Do you own a pair of gumboots? Nah. I don’t like walking in floods anyway, so I don’t plan on getting a pair.
What colour is your favourite mug? Copper.
How far away from your town/city is your state's capital city? I already live in my province’s capital.
Have you ever worked somewhere where you had to clean the toilets? I haven’t.
Do you know anyone named Doug? No, not really a common name here.
What cut of jeans is your favourite and why? Do mom jeans count as a cut? I’ve been all over those throughout 2020. They’re stylish and yet so comfy, which are two words that seldom go together.
Do you rate people's attractiveness on a scale of 1-10? Uhhhhhhhh unless a friend asked me to rate someone they know, I don’t really think in these terms.
Name a few of your favourite actors. Kate freaking Winslet. Also Kristen Stewart, Emma Stone, Audrey Hepburn, Brie Larson, Florence Pugh, and Eddie Redmayne. I’d name Timothée Chalamet but I have yet to see a work of his.
Do you collect anything, or have you ever? The first item I ever collected was notebooks. In my past relationship (is it obvious I’m not over it yet and probably never will be? Ha) I initially liked to collect receipts from places we went to and ate at. I’d also like to be able to grow a collection of wrestling memorabilia, particularly action figures and belts. It’s not really a life goal of mine but it’d still be a cool thing to achieve.
So, how has your week been so far? I mean it’s only Monday, so nothing much. I cried and broke down a lot today which wasn’t a good start, but tomorrow’s a holiday so no work; and for Thursday I was invited to the Christmas party of the department I initially interned at and apparently they’ll be sending over a Christmas kit over to my place so I’m looking forward to these! It’s super touching they remembered and still invited me even though I’m not a part of the team anymore, so I wouldn’t have missed the party for the world.
Is there anything that you could cry about right now? Definitely, and being on my period at the moment makes it so much easier to cry. But I already cried too much and too hard earlier today and it felt exhausting, so I’m trying to avoid it tonight.
How old were you when you learned how to tie your shoelaces? I was five. I probably would’ve made myself learn later but one of our ‘exams’ in kindergarten was to show that you know how to tie your shoelaces, so I had to ask my grandma to give me a crash course.
Have you ever slept in a car overnight? Why did you have to? Yeah. I had to pull several all-nighters in college and work at 24/7 coffee shops, but I usually gave up by around 2-3 AM and would sleep in the car by then.
When was the last time you used Facebook? Earlier this evening, but I couldn’t scroll too much because spoilers for Start Up are everyyyyyyfuckingwhere and I’m still several episodes away from the finale, which aired last night.
Do you have a PO Box or does your mail get sent straight to your house? Our mails and parcels get sent straight to our door.
Are you interested in entomology? Do you know what that is? Never been. I think it’s great that insects have a lot of capabilities and contributions that we often take for granted; but I personally find a great deal of them icky as well lol so I wouldn’t say I’m interested in this branch.
Have you ever had to claim insurance? What for? Hmm I don’t think so. Not my own nor my parents’.
Do you like to listen to albums start-finish without skipping or shuffling? I’ll do this sometimes with my favorite albums, yes. Fuck knows how many times I listened to After Laughter from start to finish with no skips; it was my favorite for a while.
Do you have any unspoken enemies, or maybe frenemies? I’m not the biggest fan of Patrice, but it’s not something I broadcast to people because why would I? I’m sure she slightly does not like me too, so we’re even.
What was the last thing you broke? That would be my last phone charger cord. I’ve since had it replaced though.
Do you have a favourite state/province/territory in your country? Not necessarily an overall favorite but I do have a favorite place I’ve traveled to, which is Sagada. I need a second vacation to see if it still lives up to my expectations and if it would still be able to give me an experience as cathartic and therapeutic as my first trip there, but for the last five years it has sat on the throne.
How many vowels are in your street name? Is this question too mundane? Three. I mean I’ve never been asked this on a survey before, so I wouldn’t call it that.
What are your three top favourite flavours of ice cream? Cookies and cream, chocolate chip cookie dough, coffee.
How far away is the nearest Target? At least a couple thousand miles away.
Do you prefer Target, Kmart or Walmart? Idk and idc.
Have you ever farted in class or somewhere else you shouldn't have? No. I suppress my farts, even when I’m alone haha it’s just my least favorite bodily function.
What's your middle name? Would you change it? I’m not giving it away. I wouldn’t change it and I’m definitely not giving it up even if I get married. I’m keeping my middle name then just hyphenate my surname so that I get to keep all three names.
When was the last time you wore heels? What was the occasion? September. Job interview for a position I didn’t really want but still chose to undergo because it was still an interview.
Do you find yourself lost for words often? I guess yeah, depression does tend to do that to me.
Did you share baths with your siblings/cousins when you were a child? Yep, I remember sharing the shower with my sister as late as when I was 10. Then puberty happened to me and I did not want to continue the practice anymore, haha.
Have you ever been a member of an online dating site? How did it go? I joined Tinder while I was in a relationship (she made an account as well at the time so it was fair game) literally just to people-watch. I wasn’t interested in cheating; I was just genuinely curious to see how the app worked. I put on a fake name, age, location and my profile photo was of a cat I saw in school so it was impossible to tell it was me.
Do you know what your neighbours even look like? I would not be able to recognize them if you lined them up with a bunch of other strangers, to tell you the truth. I’d probably be able to recognize the carpenters working on the house currently being constructed in front of ours though; they’re super nice and they’re crazy over Cooper haha.
How many siblings does your best friend have? Angela is an only child.
Do you put ketchup on your fries? No. Ketchup does not go anywhere near my fries.
Have you been lucky enough to make out with anyone in the past week? LOL lucky enough...but no, I haven’t done that in a while.
Have your parents ever worked in the agriculture business etc. on a farm? Neither have.
Do you have an ex that makes you angry with literally everything they do? No.
Are you easily susceptible to brain freeze? No but tooth sensitivity, yes. I have a certain tooth that acts up whenever I eat ice cream, and it can get soooo inconvenient and uncomfortable for a few seconds.
5 notes · View notes
mrskaspbrak-blog · 6 years
Note
The fact that you lied to Eddie for so many years is disgusting
People have been saying some really nasty things about me on this site. I just want to clear some things up.
1. I created an account on this site so I could talk to my son and know a little bit more about his life.
2. Mr. Keene’s daughter is helping me with this, since I don’t know how to use my cellphone nor my computer.
3. I love my son and everything I did was to protect him. Eddie was born premature and he had some breathing problems when he was only an infant, he had to stay in an incubator for a month or so. After that, I was always worried his breathing problems would come back, so I gave him an inhaler when he was 6 years old and told him to use it whenever he felt his breathing was failing.
4. Eddie’s father died of cancer when Eddie was 5, I felt like my world was crashing down, I couldn’t get out of bed for weeks, that’s when I started gaining weight. At that moment, I felt responsible for what happened to Frank (Eddie's father) and I couldn’t let something like that happen to my Eddie Bear. Ever.
5. I love Eddie and I only want what’s best for him, I want him safe, always. I sometimes think Eddie should have better friends, but Eddie loves them and all I want is for Eddie to be happy. And free from danger.
- Sonia Kaspbrack
23 notes · View notes
storjblog · 6 years
ETHWaterloo Hackathon Second Place Winner for Storj Challenge: BIT
Background
The Basic Identity Token (BIT) team participated in the recent ETHWaterloo hackathon, winning second place with their entry in our Storj Challenge competition, which was part of this hackathon. This blog will share some background on the BIT team and the app they built on top of Storj.
BIT’s inspiration is to increase accessibility to blockchain-based DApps 
This year’s ETHWaterloo Hackathon ran from October 13-15. Here, four young hackers from the Waterloo region met up to form the BIT team, aiming to build an awesome app for the Storj Hackathon challenge. The team brought together people from diverse backgrounds - two University of Waterloo students: Jonathan Tsang (a computer science major with experience in game and web development) and Kaustav Haldar (a psychology major with a keen interest in ethereum solidity and blockchain applications), and two software engineers: Eddy Guo (interested in Node.js and Javascript programming) and Steve Veerman (CTO of Flexfinity, with experience in marketing and IT consulting). After some general discussions to refine their approach, the BIT team conceptualized the integration of identity into blockchain applications, namely decentralized apps (DApps).
BIT allows users to easily access DApps
BIT makes DApps more consumer-friendly by providing access to the apps through their Facebook login. This simplification is the key to making blockchain-based platforms like Storj and Toshi accessible to the average person, who is likely unfamiliar with the complexities of blockchain technology. The BIT DApp login process automatically associates a user-provided wallet address with an identity token, which BIT generates by verifying the user's identity through personal information from their Facebook profile.
One advantage of using BIT is that it contributes to reducing distributed-denial-of-service (DDoS) attacks and spam by using Ethereum’s core blockchain technology. This can best be explained by comparing this process to how we currently surf the internet. Users can access any website on the internet by entering the URL in a browser to render the web page. Malicious users may want to hinder traffic on sites by performing a DDoS attack, resulting in an overload of the web server which may lead to a crash of the site. Traditional websites are vulnerable to such attacks because they lack identity authentication to validate who is a legitimate user versus a spammer or user with malicious intent. BIT, on the other hand, allows decentralized websites and apps to integrate identity validation, eliminating the threat of DDoS attacks.
BIT technological stack includes Storj
BIT is built primarily using JavaScript and Node.js, and leverages smart contracts written in Solidity. The BIT team also implemented a variety of libraries, such as Storj’s node bindings  library and Toshi’s “headless bot client”.
BIT helps user retention with DApps
Blockchain and virtual token-based ecosystems are growing at an astonishing rate. However, the current barrier to entry is too high for a non-technical mainstream user, as this innovative technology based on complex cryptographic concepts is not easily assimilated.  Regardless, many people rush into the space with little technical knowledge and can easily get discouraged from further participating.  BIT removes this obstacle by providing people access to DApps via authentication, resulting in high user retention when using BIT-enabled DApps.
BIT authenticates user identity information
BIT prides itself on being very user-friendly. On almost any internet-connected device, one can already connect to Facebook. BIT prompts the user to input an ERC20-compatible wallet address and then requests access to their personal information from their Facebook account. If approved, the user can access DApps like Storj, and gain access to perform actions within the app, such as uploading a file.
With BIT, people can take full advantage of blockchain technology using only a Facebook account. As shown by the BIT experimental features developed during the ETHWaterloo Storj Challenge, people can gain access to Storj to store files on the decentralized network, or to use DApps like Toshi.
The following is an end-user example of how someone would use the BIT app:
Step 1:  Use Facebook to log into BIT
Step 2:  Authenticate your profile. After this, BIT retrieves your email address and other personal information to create your unique ID token.
Step 3: Input your address from MyEtherWallet or another ERC20 compatible wallet.
After completing these three simple steps, you can access Storj or Toshi. Here is a code snippet of how BIT accesses Storj to upload a file:
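// Storj node bindings (node-libstorj); the module name 'storj' is assumed here
const libstorj = require('storj');

// Bridge credentials and the encryption mnemonic below are placeholders
const storj = new libstorj.Environment({
    bridgeUrl: 'https://api.storj.io',
    bridgeUser: '<email>',
    bridgePass: '<passcode>',
    encryptionKey: 'anana abandon abandon abandon abandon abandon abandon abandon',
    logLevel: 0
});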
BIT improvements include UI and intuitiveness:
There are two major areas BIT should address in the future: First, the user interface front-end should be overhauled to ensure it is fully functional and user-friendly. React has already been implemented in some parts of the GUI, but more improvements should be made to further improve intuitiveness. Features for the identity verification modules of the app also need further refinement. Currently, the name and email address are received from the identity token, but much more could be done to create an identity with useful applications. One such feature would be to make uploading and accessing files with Storj easier for the user. The integration would allow users to create a folder to upload and download files using their BIT accounts. This would help position BIT as a central hub of browsing where users can easily find all their files. Also, optimizing the Toshi integration for user login would add another convenient way to validate identity for BIT. The Storj and Toshi integrations are starting points to develop BIT into a comprehensive focal point for browsing DApps in web3.0.
Dapp Standard login tool
The BIT authentication feature is a great addition to a DApp of any size because it lets us scale up to more users through better accessibility, provided by allowing people to log in to any DApp with their Facebook identity. This lowers the barrier to entry into blockchain technology, driving adoption of the cryptocurrency ecosystem.
BIT wants to enable more social media networks
When creating the BIT project, a lot of people asked us why we chose to use Facebook, considering that it is widely seen as insecure and almost the exact opposite of a blockchain ledger. In our project, we implemented Facebook authentication as a proof of concept, making it possible to log in to all the features of a blockchain app with only a Facebook identity. In the future, we would like to implement all the most popular social media accounts for BIT authentication, including Twitter, Snapchat, WhatsApp, and more. All these apps have large user bases that most likely already include people interested in blockchain.
Ending Remarks
The crypto space is a new, emerging frontier. ETHWaterloo was just the beginning - we are the early adopters of this new tech and there is much more to come. To assemble 300 talented crypto-programmers, and organize them into teams to work on Ethereum related hacks, is sensational. We have never seen anything like it before.
Our BIT app was a challenging project, but in the end we pulled it off together, as a team. ETHWaterloo was one of the harder hackathons we've participated in because of its focus on Ethereum programming. Despite this obstacle, all of us had an amazing experience, and we hope to attend again in the near future.
All code for our project can be found here:
https://github.com/kaustavha/ethwaterloo-bit
From left to right: BIT team courtesy of @benarnon on instagram
Jonathan Tsang, Steve Veerman, Kaustav Haldar, Eddy Guo
1 note · View note
richardbantalaw · 5 years
Family Asking for Accountability in Fatal Indiana Pedestrian Accident
In the wake of the death of 49-year-old Marilyn Butler in an auto-pedestrian accident, her family is now demanding someone be held responsible, reports WNDU News (https://www.wndu.com/content/news/Sons-push-for-safety-improvements-after--493891021.html).
Butler, who worked as a cook at Jefferson Traditional School, was struck near Sunnymede and Eddy Streets in the City of South Bend, Indiana, in the early hours of September 17. At the time she was hit, she was walking in either the northbound or southbound part of the roadway.
According to Edward Levy, a local businessman on Eddy Street, accidents in this area have become routine, and he's caught several of them on his property's cameras. This is the second fatal accident here in the last 15 months, and Levy aired his long-time concerns about safety in the wake of this second deadly collision. Levy said that people who want to cross naturally do not want to walk the stretch to Jefferson Street where the traffic lights are, so they try to cross the road wherever they can. There are, however, no curbs on Eddy Street to help protect pedestrians from drifting vehicles.
The crash that took Butler's life is still under investigation. Speed does not appear to be a factor, and the driver who struck Butler and set off a chain reaction that resulted in a four-car collision waited for police to arrive on the scene. Neither drugs nor alcohol are suspected to be a factor.
Emmanuel Butler, one of the victim's sons, pointed to the lack of crosswalks in the area as a factor in his mother's death. According to Emmanuel, his mother would take the early bus to get to her job before the school opened, and she would have been crossing the street after getting off of the bus at the time.
Nolan Vann, another of Butler's sons, says the family wants to see a designated crosswalk and one or two lights in the area to prevent something like this from happening again. Another son, Isaiah Butler, added that because Jefferson Traditional School sits on a busy street, yellow flashing lights like the kind often used for cars near schools could be the answer.
Family members held a vigil at the accident site to remember Butler, who enjoyed walking and exercise and would sometimes walk all the way to her job.
Vann said that someone needs to be held accountable for this preventable accident, whether it's the state or the school, and added that the family will pursue it.
Auto-pedestrian accidents are often devastating for the pedestrian because of the sheer difference in size and protection between the two. Even when a driver isn't speeding or impaired, as appears to be the case in the death of Marilyn Butler, the consequences of an auto-pedestrian accident can be heartbreaking for the victims and their families.
If you have been hurt in an auto-pedestrian accident, speak to a pedestrian accident lawyer Denver, CO relies on about your case as soon as possible. You may be entitled to compensation for your losses and injuries associated with the accident.
Thank you to our friends and contributors at Richard J. Banta, P.C. for their insight into pedestrian accidents and personal injury claims.
0 notes
sikoko · 7 years
Attacked Over Tor
For over 6 months, I have been running a Tor Hidden Service that provides a front-end to the Internet Archive (archive.org). The hidden service is at: http://ift.tt/2klcViP (This link only works if you are on Tor.)

From running my other services, I think I know how to make an optimized web server. FotoForensics, for example, is handling some pretty impressive network loads. In fact, my two main sites have only gone down a few times. There was the Body by Victoria blog entry, Boston Marathon bombing, World Press Photo, and the explicit denial of service attack. Beyond outages, I've had various attacks from dumb bots and big search engines. (I still haven't forgiven Google for abusing FotoForensics and submitting random words into search forms. Half of my current anti-attack code came about after attacks from Google.)

With each of these service outages and issues, I learned, made changes, and improved the system's performance. None of my systems are completely bullet proof -- another large denial-of-service could knock these public sites offline. (Please don't do that.) But I'm no longer worried about having my services listed on the front-page of Reddit, Slashdot, or other major social networks.

However, running this hidden service has been a learning experience. The problems that I'm experiencing with my Tor Hidden Service are similar but different from non-Tor services. They have the same basic causes -- bots and denial-of-service attacks -- but the Tor architecture introduces a serious problem. This problem leads to a choke point on the hidden service server. Bad bots and attackers can create a bottleneck, resulting in a denial of service. Without rewriting the tor daemon or spawning dozens of parallel servers, there are few mitigation options.
On the attack
The first attacks against my Internet Archive hidden service began hours after the public announcement. A slew of bots all came in, trying to index the entire Internet Archive through my little hidden service. This is just insane -- the Internet Archive is massive, and Tor is slow. There is no way that it can pass all of the data. And it isn't like they were doing HTTP 'HEAD' requests -- no, they were doing 'GET' requests.

I quickly wrote a couple of rules to detect these poorly behaved mirror-bots and block their access. This stopped most of the abuse. A few more rules stopped the vulnerability scanners and blind attackers who tried SQL-injection, overflows, and other malicious actions. Stopping these abuses sped up the response times for real users who wanted to access the Internet Archive over Tor.

As far as how to stop them... I had discussed this with a couple of people at the Internet Archive. At their recommendation, I began to return HTTP 403 "Forbidden" responses. If your bot sees this kind of response, it should stop. And if you make changes so that your bot avoids the 403 response, then you are attacking the site. Please don't attack my sites.

However, there's a few bots that have continued to attempt to mirror all of the Internet Archive through my little service. They ignore robots.txt, ignore HTTP 403 messages, continue to violate my terms of service. They have given me no other option but to use more active defenses.
On the defense
Today, only five bots are really appearing to be problems. I've named them after letters of the alphabet: Albert, Bobby, Chuck, Dennis, and Eddie. Of the 5 bots, Dennis and Eddie are very aggressive. But it wasn't until Eddie appeared (on April 20th) that I had to make more active defenses. (This is when I realized that Eddie was more than a mirror bot.)

My first deterrence was very simple. All five bots accept gzip encoding. So, I sent them zip-bombs. A gzip data stream maxes out at about 1032:1 compression. I can create a file that is 100K, but that decodes into 1 gigabyte. A 200K file on the wire expands into 2 gigabytes on the recipient's end.

Albert was first. He downloaded three of the 100K compressed zip bombs (that expanded into 1 gigabyte each) and stopped cold. This tells me that he unpacked them in memory, ran out of memory, and then crashed. It also means that he had about 2 gigs of RAM. So far (it's been a week), he hasn't been back.

Bobby and Chuck were almost as fast. Bobby downloaded 8 of the 1 gig zip bombs and then vanished. Chuck could handle the 1 gig zip bombs, but couldn't handle a dozen of the two-gig bombs.

With Albert, Bobby, and Chuck out of the way, I began to focus on Dennis and Eddie. (As an aside: Why do I refer to misbehaving bots as guys? I may not know the gender of the person(s) running these bots, but they are clearly being dicks.)
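The bots described above stopped because they inflated gzip bodies without any limit. As an added example (not code from the original post), this sketch shows the receiving side done safely: a streaming gunzip with an absolute output cap and a ratio cap, plus a measurement of the roughly 1032:1 DEFLATE ceiling the post mentions. The function names, the 200:1 ratio limit and the zero-filled test input are assumptions made for the illustration.

```python
import gzip
import io
import zlib


class DecompressionLimitExceeded(Exception):
    """The body inflated past the size or ratio budget."""


def zero_filled_gzip(size_bytes):
    """Constructed test input: gzip of size_bytes zero bytes (DEFLATE's best case)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=9, mtime=0) as gz:
        block = b"\0" * 65536
        for _ in range(size_bytes // len(block)):
            gz.write(block)
        gz.write(block[: size_bytes % len(block)])
    return buf.getvalue()


def compression_ratio(size_bytes):
    """Expanded size divided by on-the-wire size for the zero-filled input."""
    return size_bytes / len(zero_filled_gzip(size_bytes))


def bounded_gunzip(body, max_output, max_ratio=200, chunk_in=4096):
    """Inflate a gzip body in small steps, refusing to exceed either budget.

    max_output: hard cap on decompressed bytes held in memory.
    max_ratio:  cap on output/input; ordinary HTML rarely exceeds 20:1,
                so 200:1 (an assumed threshold) leaves wide headroom.
    """
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # 16 = gzip framing
    out = bytearray()
    consumed = 0
    for offset in range(0, len(body), chunk_in):
        data = body[offset:offset + chunk_in]
        consumed += len(data)
        while data and not inflater.eof:
            # Ask for at most one byte more than the remaining budget, so a
            # bomb can never allocate much beyond max_output.
            budget = max_output - len(out) + 1
            out += inflater.decompress(data, budget)
            if len(out) > max_output:
                raise DecompressionLimitExceeded("output cap exceeded")
            # The 1024-byte floor keeps tiny, legitimately repetitive bodies
            # from tripping the ratio check.
            if len(out) > max_ratio * max(consumed, 1024):
                raise DecompressionLimitExceeded("compression ratio too high")
            data = inflater.unconsumed_tail
    if not inflater.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


if __name__ == "__main__":
    size = 10 * 1024 * 1024
    print("ratio for zero-filled input: %.0f:1" % compression_ratio(size))
    try:
        bounded_gunzip(zero_filled_gzip(size), max_output=1024 * 1024)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
```

A crawler that writes the inflated stream to disk instead of memory needs the same two checks applied to bytes written.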
Dennis
With Dennis, I began to feed him different types of results. These allowed me to profile the system. Based on how it reacted, I could tell that Dennis was a single-threaded streaming bot. It downloaded content, saved it to a file, and then streamed the file into a parser. Dennis has a built-in one-second pause. If I respond as fast as possible, he would visit once a second. If I pause 2 seconds before responding, then he visits every 3 seconds. And whoever is running Dennis runs multiple instances at the same time.

The problem with Dennis isn't that he's sucking up server resources. The problem is that he's trying to mirror the entire Internet Archive, and the Internet Archive has some really big files. This results in a resource issue related to my external bandwidth. Moreover, he has never accessed my robots.txt and ignores 403 errors.

As an active deterrence, I tried to fill up his hard drive with zip bombs. However, he appears to store the compressed data (or he has more than a few terabytes of free disk space). When that failed, I went after his queue. The parser that Dennis uses looks for URLs and adds them to a queue. I won't give exact details here, but I found out how to crash his parser. Crashing his parser was all it took to make him stop. He did restart a few times, but gave up after repeated crashes. Oddly, when he eventually came back, he didn't start re-parsing his queue. Instead, he saw a "403 Forbidden" (with no URLs to parse) and stopped. My interpretation here is that I didn't just crash his parser. I also caused Dennis to flush his queue. (I wouldn't be surprised if the human user saw the crashes and manually flushed the queue before restarting.)

This defense stopped Dennis for a few days. But he came back this morning, and he appears to have fixed his parsing problem. He's still ignoring 403 errors, still ignores robots.txt, but since he isn't downloading anything from the Internet Archive, he has been downgraded from an active threat to a nuisance. (And my counter-defense seems to take him down periodically.)
Eddie
Eddie is the newest and most aggressive of the misbehaved bots. I haven't been able to stop him, and he has the ability to impact regular users who want to access the hidden service. What I know about Eddie:
He is a very rapid bot. If I respond as fast as possible, then he can make 20-30 or more requests per second. Eddie accounts for over 70% of the requests to my hidden service over the last week.
He ignores all return codes. I've been sending him "403 Forbidden" responses for days, and he just continues.
He has a 10 second timeout. If I don't respond in 10 seconds, or if my response does not finish transmitting data within 10 seconds, then he disconnects and tries a different URL. Among other things, it means that I cannot send him the 10 gig zip bomb. Tor is a slow network -- after sending 700kb-800kb of the 1000kb data, he disconnects due to his timeout. It also means that he doesn't care about the response -- he only cares about making requests.
Normally I don't track requests. (My web logs don't even list the requested URL.) However, I can readily identify Eddie based on a half-dozen unique signatures. So for Eddie, I began logging his attacks. He requests some URLs that were never sent to him and he ignores all data that I send him. If I send him custom URLs for tracking, he never accesses the URLs. Here's a sample of the URLs that he requests:
GET /details/zx_ZZZ_UNK_Gol
GET /search.php?query=collection%3Aetree+AND+format%3Amp3+AND+creator%3A%22The+Visions%22
GET /details/911?chan=PSC&time=200109161810
GET /bookmarks.php?add_bookmark=1&identifier=RockyJordan&mediatype=audio&title=Rocky+Jordan
GET /details/911?chan=PSC&time=200109161820
GET /details/zx_Quondam_1989_Ocean_a2
GET /search.php?query=collection%3Aetree+AND+format%3Amp3+AND+creator%3A%22The+Vista+Stringband%22
GET /details/911?chan=PSC&time=200109161830
GET /search.php?query=collection%3Aetree+AND+format%3Amp3+AND+creator%3A%22The+Vital+Might%22
GET /details/zx_Sea_of_Zirun_1985_Gilsoft_International_a
GET /details/911?chan=PSC&time=200109161840
GET /search.php?query=subject%3A%22A+Man+Named+Jordan%22
GET /details/zx_Spectrasmash_Intro_1983_Romik_Software_16K
GET /search.php?query=collection%3Aetree+AND+format%3Amp3+AND+creator%3A%22The+Vivid+Tangerines%22
GET /details/911?chan=PSC&time=200109161850
GET /search.php?query=subject%3A%22A+Man+Called+Jordan%22
GET /details/911?chan=PSC&time=200109161900
GET /details/zx_ZZZ_UNK_Gyufa
GET /search.php?query=collection%3Aetree+AND+format%3Amp3+AND+creator%3A%22The+Void%22
GET /search.php?query=subject%3A%22Casablanca%22
He looks like he's doing search engine abuse -- submitting random searches and looking at the results. And he looks like he's going after a couple of responses. This collection of random queries and random results makes Eddie very different from a mirroring bot. Eddie isn't mirroring. He wants to look like he's trying to crawl the Internet Archive, but that's a cover-up for his real purpose. (I'll get to his real purpose in a moment.)
He cycles through connections faster than my hidden service cycles through connections. He connects, sends some GET requests, and then disconnects. Each of Eddie's processes repeats this a few times per minute.
He has an extremely high bandwidth. I benchmarked my own Tor clients. He's faster than a Tor client going through the typical 3 Tor node chain. He's even faster than a 1-node Tor chain. I strongly suspect that Eddie is actually a high-speed Tor relay.
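The traits listed above (20 or more requests per second, carrying on after every 403, requesting URLs that were never sent) can be turned into a behavioural profile per client. The following is an added example, not the author's detection code: the record layout, the `fp-*` client tags (a stand-in for whatever signature groups one bot's requests, since a hidden service sees no client address) and the thresholds are all assumptions, and the log is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

ENTRY_PATHS = frozenset({"/", "/robots.txt"})  # paths a client may request unprompted
RAPID_PER_SECOND = 20     # assumed threshold, from "20-30 or more requests per second"
IGNORED_403_LIMIT = 5     # assumed: requests tolerated after a 403 before flagging
MIN_REQUESTS = 10         # do not judge link-following on a handful of requests


@dataclass
class Profile:
    requests: int = 0
    followed: int = 0       # requests for a path this client had been given
    ignored_403: int = 0    # requests sent although the previous answer was a 403
    peak_rate: int = 0      # most requests inside any one-second window
    last_status: int = 0
    recent: deque = field(default_factory=deque)
    issued: set = field(default_factory=lambda: set(ENTRY_PATHS))


def build_profiles(records):
    """records: (ts_ms, client_tag, path, status, links_sent_in_response)."""
    profiles = defaultdict(Profile)
    for ts_ms, client, path, status, links in sorted(records, key=lambda r: r[0]):
        p = profiles[client]
        p.requests += 1
        p.recent.append(ts_ms)
        while ts_ms - p.recent[0] >= 1000:      # slide the one-second window
            p.recent.popleft()
        p.peak_rate = max(p.peak_rate, len(p.recent))
        if p.last_status == 403:
            p.ignored_403 += 1
        if path in p.issued:
            p.followed += 1
        p.last_status = status
        p.issued.update(links)                  # URLs this response exposed
    return dict(profiles)


def flags(profile):
    found = set()
    if profile.peak_rate >= RAPID_PER_SECOND:
        found.add("rapid")
    if profile.ignored_403 >= IGNORED_403_LIMIT:
        found.add("ignores-403")
    if profile.requests >= MIN_REQUESTS and profile.followed == 0:
        found.add("blind")                      # never requests anything it was sent
    return found


def constructed_log():
    """Constructed sample: an Eddie-like flood, a Dennis-like mirror, one reader."""
    log = []
    paths = ["/details/zx_ZZZ_UNK_Gol",
             "/details/911?chan=PSC&time=200109161810",
             "/search.php?query=subject%3A%22Casablanca%22"]
    for i in range(60):                         # 25 requests/second, all answered 403
        log.append((100_000 + 40 * i, "fp-E", paths[i % 3], 403, []))
    queue = ["/details/item%d" % n for n in range(1, 10)]
    log.append((100_000, "fp-D", "/", 200, queue))
    for n, path in enumerate(queue, start=1):   # one request per second, works its queue
        log.append((100_000 + 1000 * n, "fp-D", path, 403, []))
    log.append((101_000, "fp-U", "/", 200, ["/details/a", "/details/b"]))
    log.append((109_000, "fp-U", "/details/a", 200, ["/details/c"]))
    log.append((131_000, "fp-U", "/details/c", 200, []))
    return log


if __name__ == "__main__":
    for tag, prof in sorted(build_profiles(constructed_log()).items()):
        print(tag, prof.requests, prof.peak_rate, sorted(flags(prof)))
```

The "blind" flag is what separates a flood from a mirror here: a mirroring bot works through URLs it was given, while a client that never follows one is not reading the responses at all.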
I mentioned that Tor is really slow. Requests to my hidden service go from Tor to me to the Internet Archive and back. Even with his rapid requests, Eddie doesn't make a dent in my bandwidth. So what is he doing? He's exploiting a vulnerability in the Tor daemon.
The same Tor process that you use for relaying onto Tor is used on my server for relaying to my hidden service. It's the exact same code. Except with the hidden service, the Tor daemon does one more thing... it connects to my local web server. This is what the Tor code does: it forwards traffic from the Tor network to my own service.
In this case, Eddie establishes a Tor connection to my service. (That's one network connection from Tor to me.) Then he sends a bunch of rapid open/close connections from the Tor client to my web server. If I had not optimized the connection timeouts on my local server, then he would rapidly consume all network ports. This is a resource exhaustion attack. And while many web servers are optimized to prevent this type of attack on the external network connection, few are configured to prevent this over the loopback adapter.
If I delay my responses to Eddie by more than 2 seconds, then Eddie can consume enough ports that Tor begins to fail to allocate new ports. This prevents users on Tor from accessing my hidden service. If I had not previously altered my network timeouts, then he would have consumed all available ports almost immediately.
Fortunately, Eddie hasn't been able to kill my hidden service, but he has been able to slow it down. I've spent the last few days optimizing both the internal and external connection and garbage collection settings. I've also been working to slow down Eddie. He had been hitting me at more than 20 connections per second. I've currently got him reduced to 4-8 requests per second (one second per parallel Eddie process). Fortunately, non-Eddie users are getting a fast response time.
Who is Eddie?
There's a saying in the computer security field: if you own the server, you own the user. The same holds true with Tor. I really do value anonymity and privacy. And the Tor Project has done a very good job making it hard to track systems. Having said that... it just means I have to work harder to find out who is attacking me. (And I have a very large toolbox of dirty tricks that I will use against attackers.)
I've been working with a couple of people to track down Eddie. I'm not going to detail all of the magic that we had to conjure up in order to track him. But I'm pretty confident in the current findings. Eddie consists of 3-4 high-speed servers, all located in either Germany or France.
While searching for him, Joe Klein and I noticed that there was an oddly high number of "Unnamed" high-speed Tor nodes in France and Germany. Of the current 604 unnamed Tor nodes (as seen on 2017-05-04), 159 are in the United States, 105 are in Germany, and 64 are in France. But when sorted by bandwidth, 15 of the top 30 are from France. Germany comes in second, with 7.
Of these fastest nodes, three of them are very interesting. They are [185.170.41.8], [185.170.41.7], and [185.170.42.4]. (In the above graph, the suspicious nodes are the 1st, 2nd, and 5th lines.)
Now, I want to be clear: I am not convinced that these servers are Eddie. While looking for Eddie, we found these Tor servers. And these Tor servers, by themselves, seem very odd. Among the odd things:
The TorStatus page has no country associated with the ASN information. In fact, of the 604 unnamed Tor nodes, only 6 have no ASN information -- three are hosted at "cloudatcost.com" (a cloud hosting provider), the other three are these unidentified addresses.
To find the ASN information, we had to look through other methods. According to MaxMind, they are part of AS395978. A six-digit ASN number means it was registered pretty recently. According to WHOIS, it was registered around 2017-03-12. Unfortunately, MaxMind labels them as part of an anonymous proxy network. Hurricane Electric says that AS395978 has only one peer: AS174 -- that's Cogent. Cogent mainly provides service in the United States and Europe.
The "First seen" dates (as recorded by TorStatus) are 2017-04-08, 2017-04-10, and 2017-04-27. The attacks from Eddie began on 2017-04-20 -- shortly after they were registered. The attacks picked up speed on 2017-04-27, when the third server came online.
The WHOIS information for each of the three suspicious Tor nodes claims to be registered to Trump Tower in Panama. NOTE: Regardless of my feelings about Trump, I believe this registration information is fake and it isn't really related to him.
inetnum: 185.170.41.0 - 185.170.41.255
org: ORG-OA825-RIPE
netname: OKSERVERS
country: PA
admin-c: OL2665-RIPE
tech-c: OL2665-RIPE
status: ASSIGNED PA
mnt-by: CYBR-DMZ
created: 2017-01-31T19:51:49Z
last-modified: 2017-04-29T11:18:45Z
source: RIPE

organisation: ORG-OA825-RIPE
org-name: OKSERVERS
org-type: OTHER
address: TRUMP TOWER
abuse-c: ACRO1670-RIPE
mnt-ref: CYBR-DMZ
mnt-by: CYBR-DMZ
created: 2017-03-12T11:26:43Z
last-modified: 2017-03-12T11:26:43Z
source: RIPE # Filtered
While these IP addresses have likely-fake WHOIS registration information, they are registered to a service provider in New York City: OkServers. Except that OkServers says that their servers are located in Romania -- not Germany. So this may also be fake registration information.
Because the registration appears fake and lacks contact information, I reached out to RIPE (the registration provider). They said that they are investigating. Meanwhile, they directed me to the address space owner: ORG-RNL23-RIPE. I don't know how RIPE found this (I saw ORG-RNL25-RIPE, not ORG-RNL23-RIPE), but if they say it's the owner, then I believe them. This registrant is named Reachable Network (Pty) LTD, they are based out of South Africa, and they serve Germany and England. Oddly, in the last 24 hours, the command 'whois ORG-OA823-RIPE' has changed to identify OKSERVERSORG in the Netherlands. And their registration record now says it was created on 2017-03-08 -- a few days before the other registration records.
organisation: ORG-OA823-RIPE
org-name: OKSERVERSORG
org-type: OTHER
address: NL
abuse-c: ACRO1670-RIPE
mnt-ref: CYBR-DMZ
mnt-by: CYBR-DMZ
created: 2017-03-08T20:37:55Z
last-modified: 2017-03-08T20:37:55Z
source: RIPE # Filtered
So let's see... We have a registrant in South Africa whose service areas are Germany and England. They just changed names to a company in the Netherlands. They provide network addresses for a company in New York that has servers in Romania. These odd boxes trace to Germany/France and say that the registration is Trump Tower in Panama. And the timestamps in WHOIS report that everything is less than 2 months old.
The registration information bounces between multiple countries and never actually identifies the source. And they were all registered recently. If you talk to any cybersleuths about identity theft, spam, online fraud, scams, and fronts, they will tell you that misleading registration and bouncing between countries is a big red flag. This is some type of front. And it's deep enough to either be organized crime or a nation-state.
Where's Eddie now?
Late last night, Eddie abruptly stopped. Here are the last log entries:
[04/May/2017:23:00:50 -0600] "" 403 31 "" "Eddie" [04/May/2017:23:00:50 -0600] "" 403 31 "" "Eddie" [04/May/2017:23:00:50 -0600] "" 403 31 "" "Eddie" [04/May/2017:23:00:50 -0600] "" 403 31 "" "Eddie" [04/May/2017:23:00:51 -0600] "" 403 31 "" "Eddie" [04/May/2017:23:00:51 -0600] "" 403 31 "" "Eddie" [04/May/2017:23:00:51 -0600] "" 403 31 "" "Eddie" [04/May/2017:23:00:51 -0600] "" 403 31 "" "Eddie" [04/May/2017:23:00:51 -0600] "" 403 31 "" "Eddie" [04/May/2017:23:10:03 -0600] "" 403 31 "" "Eddie"
As far as I can tell, there's nothing I was doing that would have caused him to stop. The time that he stopped is also interesting -- near the top of the hour. (Off by 50 seconds? That's probably clock drift.)
Perhaps Eddie had actually been processing some of the junk I returned to him, hit a long-queued-up zip-bomb, and died. But I kind of doubt it. As I mentioned, Eddie was multiple processes on multiple servers. (I'm very confident about that.) So my zip-bombs would have taken down one process at a time; there wouldn't be a sudden stop.
Perhaps the owner of the bot checked the logs. 11pm in Colorado is 7am in France and Germany, and 8am in Moscow.
Then again, a lot of denial-of-service attacks are programmed to start at a specific time and end at a specific time. Running for exactly 24 hours, exactly 48 hours, or exactly 1 week are common. I mentioned that the attack started on April 20th. It stopped almost exactly 2 weeks later.
And then there's that correlation with three suspicious Tor nodes. Shortly after the attack stopped, the volume of traffic through those nodes dropped dramatically. In this graph, the suspicious Tor nodes are the first three lines. (I seriously doubt that my hidden service was the only one being attacked. I bet all of the attacks suddenly stopped.)
So why would they be attacking my little Tor hidden service? Or more specifically, who would not want people to access the Internet Archive over Tor? This is where we dive into conspiracies. For example, the first French election was held on 2017-04-23 (right after the attack started), and the run-off will happen on 2017-05-07 (which is days after the volume of the attack increased). The attack stopped less than a day after President Obama endorsed French candidate Emmanuel Macron. Assuming that this attack was related to the French election, it could take a day for Le Pen supporters, or a nation-state trying to influence the election, to change tactics.
(Like Donald Trump, Le Pen wants to restrict Internet access. Both Tor and the Internet Archive are threats because they promote an open Internet.)
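The per-second request rates and the abrupt stop discussed in this section can be measured straight from access-log lines in the format shown above. The following Python is an added example, not code from the original post; the "ExampleBrowser/1.0" lines, the malformed line and the burst_threshold of 4 requests per second are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Access-log layout taken from the excerpt above:
# [timestamp] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\d+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the "Eddie" lines mirror the excerpt; the
# "ExampleBrowser/1.0" lines and the malformed line are invented.
SAMPLE_LOG = "\n".join(
    ['[04/May/2017:23:00:50 -0600] "" 403 31 "" "Eddie"'] * 4
    + ['[04/May/2017:23:00:51 -0600] "" 403 31 "" "Eddie"'] * 5
    + ['[04/May/2017:23:10:03 -0600] "" 403 31 "" "Eddie"',
       '[04/May/2017:23:00:51 -0600] "GET /details/example" 200 5120 "" "ExampleBrowser/1.0"',
       '[04/May/2017:23:04:10 -0600] "GET /search.php?query=test" 200 2048 "" "ExampleBrowser/1.0"',
       'truncated line without the expected fields']
)

def profile_agents(log_text, burst_threshold=4):
    """Return (per-agent report, number of unparsable lines).

    burst_threshold is an assumed cut-off in requests per second.
    """
    per_second = defaultdict(Counter)  # user-agent -> {second: hits}
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_second[m["ua"]][ts] += 1
    report = {}
    for ua, buckets in per_second.items():
        seconds = sorted(buckets)
        gaps = [(b - a).total_seconds() for a, b in zip(seconds, seconds[1:])]
        peak = max(buckets.values())
        report[ua] = {
            "requests": sum(buckets.values()),
            "peak_per_second": peak,
            "burst": peak >= burst_threshold,
            "longest_gap_s": max(gaps, default=0.0),
            "last_seen": seconds[-1].isoformat(),
        }
    return report, unparsed

if __name__ == "__main__":
    for agent, stats in profile_agents(SAMPLE_LOG)[0].items():
        print(agent, stats)
```

The longest_gap_s and last_seen fields are what show a stop like the one in the excerpt: a steady multi-request-per-second agent followed by a gap of several minutes.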
A better mitigation option
Finally, there's one thing that the Tor Project could do to really help mitigate this situation. Right now and as far as I can tell, there's no way for a hidden service to shut down a single connection. Closing the connection from my web server to the tor daemon does not close the connection from the daemon to the remote client. And restarting the tor daemon impacts all connections, not just the hostile one.
If I could easily tear down the entire tunnel from the remote client to my hidden service, then the delay to rebuild the tunnel would mitigate the resource exhaustion attack. I'm not asking for a way for someone to arbitrarily close any connection; I want a way for the hidden service to control which connections to it are permitted. For example, if I see hostile activity from 127.0.0.1:12345, then I want to close the entire Tor connection associated with this port. This won't prevent the attacker from coming back over a different port, but it does delay the attacker by forcing him to renegotiate the entire tunnel.
Source: http://ift.tt/2qBaHOO