Journal Entries By Year: 2018

Assorted journal entries from 2018.


Hacked!?

TL;DR — I recently received an email telling me that I've been hacked. Since I don't believe it, I thought I'd make fun of it instead.

👓 6 minutes

A couple of weeks ago, I was lucky enough to receive an #email telling me how one of my email accounts (and the devices associated with it) had been hacked. What’s more, this email appeared to be “From” the hacked accounts, a feat designed to help me understand just how serious of a threat this hacker is.

And I do understand - they’re a joke.

Now, I am not disrespecting “real” #hackers, the kind who are perfectly capable of destroying my bank account, doxxing my children, and generally ruining my life, so please, don’t take this as some kind of a challenge. Instead, I’m disrespecting a “script kiddie”, someone who can’t actually hack, and instead spends their time trying to fake it by scaring people who don’t understand the shiny magic boxes we commonly call computers (or, more generally, “devices”).

If you really wanna be a fake hacker, this book will tell you how!

Unfortunately for this lamer, I do understand these magic boxes enough to call their bluff, and have decided to post their weak-sauce attempt at extortion here (along with some commentary of my own). Although I’ve redacted the addresses that I received these messages from, I’ve kept most of the actual text of the messages intact, in hopes that someone searching for this text may come across this post and save themselves a truly unnecessary extortion payment.

The Email

From: [redacted-address]
To: [redacted-address]
Subject: [redacted-address] - this account has been hacked! Change all your passwords!

Hello!

Hi!

I have bad news for you.

Uh-oh.

19/07/2018 - on this day I hacked your operating system and got full access to your account [redacted-address]

Oh, noes! You hacked my operating system to get access to my email address?

Wait, how does that work?

It is useless to change the password, my malware intercepts it every time.

Wow, that’s some magical malware.

How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

I’ve always wondered how it was, so thanks for telling me.

By the way, I like how you use the generic term “device” - that must make it easier to mass-send bogus emails like this. I mean, which device associated with this email did you hack?

I only ask because… well, let’s not ruin the fun yet. 😉

A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I’m talking about sites for adults.

I want to say - you are a big, big pervert. You have unbridled fantasy!!!

You know, I used to play bass for Unbridled Fantasy back in high school.

After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I made a screenshot of your joys (using the camera of your device) and joined all together.
It turned out beautifully, do not doubt.

Both my favorite intimate website and my “joys”, together in one picture? I gotta see this!

By the way, thanks for telling me how beautiful my “joys” look, it’s not often that I get a compliment like that.

I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.

And I am strongly belive that you’re not much of a writer. Or a hacker.

I think $741 is a very small amount for my silence.
Besides, I spent a lot of time on you!

OK, this just got weird.

I accept money only in Bitcoins.
My BTC wallet: 1H9bS7Zb6LEANLkM8yiF8EsoGEtMEeLFvC

But, what if I don’t know to replenish a Bitcoin wallet?

You do not know how to replenish a Bitcoin wallet?
In any search engine write “how to send money to btc wallet”.
It’s easier than send money to a credit card!

I don’t know, send money to a credit card is pretty easy.

For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes … it has already started!

After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your “joys”.

Well, it’s been over a week since I opened the “letter” (approximately 168 hours, by my math), and so far, no “joys”.

I want you to be prudent.

  • Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
  • Do not try to contact me (this is not feasible, I sent you an email from your account)
  • Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.

Yeah, here’s the thing about the email you “sent”: you didn’t actually send it, you just tried to send it (and you didn’t even bother to hide the source IP!), but my email handling rules caught it, flagged it, and dumped it into my #spam folder, which is why it took me over a week to notice it.

P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
This is a hacker code of honor.

Well, you sure seem trustworthy, so I’m sure I can believe your “guarantee”. And your haxx0r “code of honor”.

From now on, I advise you to use good antiviruses and update them regularly (several times a day)!

Don’t be mad at me, everyone has their own work.

Sure, if by “work” you mean “scaring technophobes from your parents’ basement”.

Farewell.

Bite me, lamer.

The Truth

Now, you may be asking yourself, “how does he know that his devices haven’t actually been hacked?” Well, in addition to all of the reasons raised above, there is one more I neglected to mention: the email account that this master haxx0r allegedly compromised isn’t even associated with any devices. It’s just an email address, plain and simple, and isn’t used for logging into any application or device anywhere on the #internet. What’s more, I’ve been sending out and posting resumes with this address for a few weeks now, and suspect that this is how this wannabe got their hands on it.

So, in the end, how can one try and minimize their exposure to hacking threats (especially fake ones)? Well, IANAHOSE, but these are some of the ways that I do it:

  • For years, I’ve tried to diversify my accounts, using different emails for different sites, and keeping those email addresses separate from the accounts I use on actual devices.
    • To make this work, I had to buy a domain name (which costs about $10 / year) and set up a catch-all (or “wildcard”) address. That way, I can use anything I want for the “local-part” of the email address (aka the portion before the “@” symbol), and I’ll still get it at my main address (which I don’t typically share).
  • Likewise, I diversify my passwords, using a different password for each site / device. The easiest way to do this is with a good password manager.
  • I also try to keep good backups, so if my devices do get hacked, I can wipe and restore them (relatively) easily.
  • Finally, as alluded to above, I have Sender Policy Framework (SPF) rules set up to work with my domain, which helps to prevent others from sending unauthorized emails from an account I own.

Always try to remember: No matter how scary an email may look, don’t believe everything that you read. Many (if not most) are from fakers just like this one, and are nothing more than poorly-weaponized spam. And, just like with regular spam, the only proper (and safe) way to react is to ignore it completely.


Now Playing: "Camp Happy Island Massacre" for DOS

TL;DR — I wrote a simple computer game in 1997 called Camp Happy Island Massacre which I now have running online here.

👓 3 minutes

Way back in 1997, I released my first (and, so far, only) computer game, Camp Happy Island Massacre (hereafter referred to as #CHIM), a comedy-horror text game for the DOS operating system. Originally written while I was still in college, the game is about a cursed summer camp and the 3 surviving counselors who try to stop a horrific force before it claims them. I put it out for free (more-or-less) on the internet of 1997, and though it was never a huge success, I’ve always been proud of it.

Fast forward to 2018: although I’ve known about the Internet Archive’s MS-DOS Software Library for some time, I’d never really thought about the specifics of how it works until I read an article which talked about the Em-DOSBox project. Em-DOSBox is a port of the DOSBox emulator which runs in the browser via the Emscripten JavaScript library. As I was reading the article, a thought struck me: could I get CHIM running in the browser?

I decided it was at least worth a shot, so I began with step 1, building Emscripten from source. That went off without an issue, so I moved on to the next step, building the DOSBox JS files, and that’s where I ran into my first snag: the only way I was able to get it to build was by disabling the “emterpreter sync” function (emconfigure --disable-sync ./configure). It complained about the lack of emterpreter sync, but it built, and that led me to the next step, packaging the dosbox.js file for use in a browser via the ./packager.py command. Even though this seemed to work great, there was obviously something wrong with my resulting files, as the JavaScript engine in my browser kept throwing an error (“missing function in Module”). After toying around with it for a while, I found that, if I used ./repackager.py (the Emscripten-less version of the packager) to package my files, I could get an empty DOSBox window to come up, but it still wouldn’t load the actual EXE.

By this point, I was flummoxed, and was about to give up. And that’s when I found the answer: js-dos!

After 30 minutes with this tutorial (and some source viewing on a couple of js-dos game pages), I was able to get CHIM working.

But my work wasn’t finished yet. Even though I’d kept nearly all of the files for CHIM for the last 21 years (with the exception of the game’s original C++ source files, which were lost in a hard drive crash shortly after it was released), I hadn’t really messed with them much in the last decade, so there was some cleaning up to be done. I updated some of the questions (and answers) in the FAQ, replaced the license, and generally tried to clean up the supporting text files. And that’s when I ran into one last unexpected issue: text encoding.

You see, I had forgotten that, when I first wrote the game and the supporting files, I had used some primitive ANSI graphic characters in an attempt to enhance the look of it. And now, when I tried to view those files on my Linux laptop, those graphics came out… weird.

The fix was to convert the files from the “IBM-862” format to the modern UTF-8 format:

> iconv -f IBM862 -t UTF8 INTRO.TXT -o INTRO.UTF.TXT

This allowed me to edit the files in Mousepad (and serve them up with Nginx), while still keeping the graphics intact. Finally, I added the Unicode Byte Order Mark, which makes it display correctly in the browser, even when served from a file:// URL (you can add the BOM via Mousepad, under “Document -> Write Unicode BOM”).

So, if you’d like to try the game out, check it out here, and good luck - you’re gonna need it!


Dat's Incredible!

TL;DR — I decided to try out the Dat protocol, and now have a copy of this site running on it.

👓 3 minutes

Recently, I was inspired by Aral Balkan’s concept of Web+ and his work with dats to add Dat protocol support to my own site(s). Since my experiences might be useful to others, I thought I’d share them here.

A #dat, or Dat #archive (as I understand it) is a sort-of cross between a Git repository and BitTorrent file share. It was initially developed for storing and sharing data in a decentralized way, and so makes for a great way to share an archive of static content (like a website).

To create and share a Dat archive, I needed to install the Dat protocol. Since it uses NodeJS, this is done via the Node Package Manager:

sudo npm install -g dat

I already had a directory in mind to share (the directory that holds the static files of my website), so sharing the dat was as simple as going into that directory and typing the following commands:

# Enter the directory with the static files
> cd www

# Create the dat
> dat create

Welcome to dat program!
You can turn any folder on your computer into a Dat.
A Dat is a folder with some magic.

Your dat is ready!
We will walk you through creating a 'dat.json' file.
(You can skip dat.json and get started now.)

Learn more about dat.json: https://github.com/datprotocol/dat.json

Ctrl+C to exit at any time
Title: It's Eric Woodward (dotcom)
Description: Dat for the site running at https://www.itsericwoodward.com/.
Created empty Dat in /home/eric/www/.dat

Now you can add files and share:
* Run dat share to create metadata and sync.
* Copy the unique dat link and securely share it.

dat://3dccd6e62ea8e2864fb66598ee38a6b4f4471137eebc23ddff8d81fc0df8dbbc

# Share the newly-created dat
> dat share

And that’s it. 😃

To verify that I was sharing it, I pointed my web browser to https://datbase.org/, entered my DAT URL in the search box at the top-left of screen, pressed ENTER, and, lo and behold, my website came up.

Another way to verify that a DAT URL is being actively shared is to view it through the Beaker Browser, a special web-browser-like application used for viewing dats. To get it, I went to https://beakerbrowser.com/install/, and downloaded the AppImage file for Linux (no link provided here because the Beaker Browser is still in pre-release, and any image that I point to from here will probably be old by the time anyone reads this).

Then, I launched it:

# Make it executable
> chmod a+x beaker-browser-0.8.0-prerelease.7-x86_64.AppImage

# Launch the AppImage
> ./beaker-browser-0.8.0-prerelease.7-x86_64.AppImage

After a few moments, the application came up, at which point I entered my dat URL into the Beaker Browser’s address bar, hit the ENTER key, and just like that, my website came up.

Unfortunately, unless your data is wildly popular (and thus located across multiple hosts in the swarm), it is only shared for as long as the dat share command is running on your machine. So, to make the files permanently available via Dat, I had to create a service file that would run the dat share automatically. To do this, I created a file in /etc/systemd/system called dat-share-web.service, which looked like this:

[Unit]
Description=DAT Share for It's Eric Woodward (dotcom)
After=network.target

[Service]
User=eric
Type=simple
WorkingDirectory=/home/eric/www
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ExecStart=/usr/bin/node /usr/local/lib/node_modules/dat/bin/cli.js share
Restart=always

# Output to syslog
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=dat-share-www

[Install]
WantedBy=multi-user.target

After I turned off my existing DAT share, I started the new service, like this:

# Start the service
> sudo systemctl start dat-share-www

# Enable the service
> sudo systemctl enable dat-share-www

Now, my Dat archive will be served 24x7, even after I restart the server.

Everything worked great, but there was one more thing that I wanted to try: I had noticed that, in addition to Aral’s site being available at a usual DAT address (dat:// plus a 64-character code), it was also available at his own domain name (dat://ar.al/). After a quick search, I found that what I was looking for was DAT over DNS, which can be implemented one of two ways: either via DNS TXT records or by placing a file with a link to the DAT at a specific “well known” location. Since the second option is the one that the DAT project seems to recommend (and it was dead simple to add), that’s what I did. So now, if you launch the Beaker Browser and open the site dat://www.itsericwoodward.com/, it will take you to the DAT version of my site. Neat!

The DAT protocol is a simple but powerful way to share static content, and can help add a layer of redundancy to a website. Hopefully, your experiences in using it will be as positive as mine.


Making SyncThing Play (IO)Nice

TL;DR — My SyncThing instance was using too much CPU, and CPU Limit didn't help rein it in, so I wound up using IO Nice.

👓 2 minutes

Every now and then, my laptop (running #Ubuntu 18.04) would freeze up: all the screens would lock, and although my mouse cursor was still on the screen, it was completely unable to interact with anything. After 30-40 seconds, everything would start moving again and return to normal.

The very first thing that I usually did when I got control of my system back was to run the top command, and what I frequently saw was SyncThing, an open source application that I use for backups, pegging 100% or higher on my CPU usage:

A screenshot showing SyncThing using too much CPU.

Now, I knew that this wasn’t supposed to happen, and until I could figure out what was triggering the sudden jump in utilization, I decided to try and limit SyncThing’s consumption via some other way.

Fix #1 - CPU Limit

First, I tried CPU Limit, a utility designed to put a hard limit on the CPU usage for a process, which I installed and used as outlined here:

# Install CPU Limit
> sudo apt install cpulimit

  • I edited the syncthing.service file to make my ExecStart directive look like this:

# Limit SyncThing to no more than 50% of the available processor
ExecStart=/usr/bin/cpulimit -v -l 50 /usr/bin/syncthing -- -no-browser -no-restart -logflags=0

  • Finally, I restarted the SyncThing service:

# Reload the service files
> systemctl daemon-reload
# or use `systemctl --user daemon-reload` for user-specific services

# Restart the SyncThing service
> systemctl restart syncthing.service
# or use `systemctl --user restart syncthing.service` for user-specific services

This worked for a while, but apparently broke after I updated SyncThing from v0.14.43 to v0.14.50 (the service file kept crashing out).

And that’s when I switched to…

Fix #2 - IO Nice

The IO Nice utility (part of the util-linux package in Debian and Ubuntu) allows system users / admins to adjust the scheduling class for an application, which indicates when the process should run: in real-time, as a best-effort (but giving way to real-time applications), or only when the system is otherwise idle.

# Install util-linux
> sudo apt install util-linux

  • Again, I edited the syncthing.service file, but this time, I made my ExecStart directive look like this:

# We want syncthing to be run as a "best-effort" application
ExecStart=/usr/bin/ionice -c 2 /usr/bin/syncthing -no-browser -no-restart -logflags=0

  • Finally, I restarted the SyncThing service (again):

# Reload the service files
> systemctl daemon-reload
# or use `systemctl --user daemon-reload` for user-specific services

# Restart the SyncThing service
> systemctl restart syncthing.service
# or use `systemctl --user restart syncthing.service` for user-specific services

It’s been a little over a month since I made this change, and I haven’t experienced a laptop freeze-up since. I did have a similar problem with SyncThing on the machine that I’m backing up to, and wound up implementing the IO Nice limit on that box, too (with the same result).

I’ll update this post (again) if I run into any other issues with SyncThing.


Things I Couldn't Say

TL;DR — My previous employer's policies prevented me from voicing my opinions on certain topics. As I am no longer employed by them, these are those opinions.

👓 2 minutes

As I mentioned before, I have recently ended my employment relationship with a certain telecommunications entertainment company, and while I don’t want to be seen as someone who bad mouths their former employer, the truth is that they had some policies in place that prevented me from voicing my opinions on certain topics while I was working for them. This is not me complaining so much as explaining why I feel the need to make the following statements now, as opposed to when they were somewhat more relevant to current events.

  • Net Neutrality is a good thing, and it needs to be re-instated ASAP - the major ISPs in the US have proven time and again that they can’t be trusted, and that they will use every opportunity to try and take advantage of their customers. IMHO, this is a result of the total lack of competition outside of the top 30-50 markets (and sometimes, even within them), meaning that most customers in the US only have one or maybe two competing ISPs available (and who knows how many are in the same position I am, where only one offers actual high-speed internet, with the other limited to offering DSL). This is why we need #NetNeutrality.

  • Targeted #advertising is not a good thing - I’m not a huge fan of surveillance capitalism in general, but I have a particular distaste for targeted advertising, mostly because of the (unintended?) side effects that we see all around us (filter bubbles, fake news, weaponized misinformation, etc.). That having been said, I do still have a number of Google products in my house, primarily because they are useful devices to have, and (IMHO) that usefulness justifies the data that Google can scrape about me from them. However, to suggest that targeted advertising itself is so useful that we should allow advertisers to collect data about us is, to me, not only the height of arrogance (assuming that these offers are so good that we’ll beg them to take our information), but (because those ads track you further) becomes something of a circular argument: we need to collect this data, so we can show you better ads, which will track you further, so we can collect more data, so we can show you better ads, which will track you further…

  • Media conglomeration is not a good thing - there was a time when various arms of the federal government would actually move in order to stop dangerous potential monopolies from forming, but with a few exceptions, that hasn’t happened much lately (even though it should). IMHO, telecommunication companies, as gateways to content, should be barred from owning entertainment companies that produce said content (or, if not barred, at least forced to operate those companies at arm’s length) in order to help guarantee competition.

  • Donald Trump is an unhinged, narcissistic ass-clown who is incapable of telling the truth, and who will go down as one of the worst (but hopefully not last) US presidents in history - I don’t think I need to elaborate on this one.

I may have more to add to these someday soon, but for now, the above statements will have to do.