Journal Entries By Tag: #hacking

Assorted journal entries with the tag #hacking.

My Cyberdeck

TL;DR — My custom "computer" from a future that never was...

👓 6 minutes

Posted: August 14, 2043

After spending the last few months collecting parts, I was finally able to piece together my new cyberdeck over this weekend, and I must say, I’m pretty pleased with the result. Most of the equipment I used is vintage (or, as some might call it, “outdated junk”), but it supports a number of different data formats and interaction modes, making it handy for a variety of uses.

The main unit is a Tec<Net Walkabout T4 portable terminal with an upgraded Sino-Logic 16 processor (replacing the original 12-core version). Additionally, I ripped out the old port interface module and replaced it with a new one from OdaCom that supports USB-6X, SimStims, about 12 different kinds of ISO-chips, TriD, and even HDMI-Classic (so I can plug it in to any of the old displays in my workshop). Unfortunately, the original display on the Walkabout was cracked, and since I wanted it to be portable, I had to replace the screen with a 20-year-old (pre-merger) Samsung Android that I hardwired into the display adapter. I mean, it’s only a Super AMOLED screen (so, only 2D content), but it’ll work for now (maybe I’ll have better luck the next time I go to the E-Cyc center).

The cyberdeck, running a shell.

Software-wise, I decided to stick with what I know, and that was EncomOS. I’ve been using that particular flavor of GNU/Linux since the Meta / Microsoft merger and the Zuckerberg Affair, and since I already had root access to the Walkabout, it was an easy update to make.

As I said, I’m very happy with the end result, but I honestly I don’t know if I’m finished yet. I was going to put a GPL Stealth Module in it, But I may wait until I actually need it (especially since the crypto-cops tend to hassle anyone carrying one anymore). Likewise, I could replace the display with a short-throw holoview, or even plug a set of Thompson Eye-Phones in to the Hub, but I’m comfortable enough in both shell and 2D GUI to get by without VR for most activities (plus, since the optical data cord is hot swappable, I can always plug in the Eye-Phones in when I want the full XR experience).

I’ve embedded some more images below, in case you want to see more. As I said, I’m quite happy with the finished product, and have already started thinking about what to add to the next version.

I’ll keep sharing updates on any future improvements I make to it.

The cyberdeck, booted into self-test mode.

OK, it obviously isn’t 2043 (yet), but the images above are real, and I really did “build” a cyberdeck (several years ago, in fact).

At present, the “brains” of the device is a Samsung Galaxy s23 smartphone, connected via USB-C to a hub. The hub, in turn, is connected to a TeckNet Heavy Duty back-lit keyboard via a USB cable and is physically attached to it via silicon and Sugru. A 2600 mAh power bank that I picked up cheap a few years ago is also glued to the keyboard, and a metal brace is attached to both the keyboard and power bank, giving it some stability, as well as a place for the phone mount to attach (via magnets).

Middle view showing power bank and USB modem.
Left side-view showing the modem’s phone jack.

The hub has 2 USB-3 ports (one of which is dedicated to the keyboard, but that’s OK), a TF card slot, an SD card slot, a USB-C charging port, and an HDMI port. Overall, the device is lighter than a notebook but more tactile than a glass screen, and sits very easily on my lap.

Right side-view showing USB hubs, one with an HDMI out, and the other with an ethernet port.

I had originally intended to attach both the USB hub and phone mount to the keyboard via some kind of tab-and-slot sliding mechanism (not unlike how Joy-Cons attach to the Nintendo Switch), but I couldn’t find the hardware I would need to implement it. Still, if I do another one, I’d like to explore that as an option, making the whole device more modular (being able to swap out different USB hubs for different needs, and maybe alternate mounts, so I could use a tablet instead of my phone).

I built it over the past couple of years, and actually went through several updates along the way (improving the hubs and phone holster).

Early prototype build.
WIP on the 'deck.

I’m sharing it now because I’m entering the Hackaday Cyberdeck contest (my entry). This post is mostly the same info that’s over there.

Of course, it’s not perfect - it’s not as durable as I’d like it to be, and it’s not exactly easy to carry. My hope had been to mount the whole thing to either some kind of metal frame or plate (a la a hiking backpack, but smaller), providing some much need structural support (and stable grips to hold on to), but I could never find what I was looking for. Plus, I built it before my current obsession with mechanical keyboards, so while the keyboard is nice, it doesn’t have quite the desired click.

But, all-in-all, it was a fun project to put together, and it’s come in handy more thana few times (when I was between machines, or waiting on repairs).

How well does it work?

Overall, I think it works well. Although the small screen limits some of its functionality, the relative simplicity of a phone-based system does lend itself to certain tasks, like journaling and shell-based interfaces (like MOSH), two things I like to use it for. A previous iteration of this design was powered by an S9 which even ran a web server (a virtual machine running nginx and nodeJS), and the keyboard was useful for direct access to the shell.

At the end of the day, the phone is a very powerful device in-and-of-itself, and the added functionality that comes fromt he hubs (whether for extra memory, peripherals, or even an external monitor

Plus, because it’s a Samsung phone, plugging it into a monitor activates DEX mode, a Desktop-like EXperience (see what they did there?) with multiple windows, background apps, and touchscreen controls (or support for an external mouse, if that’s your thing).

[picture of the keyboard hooked up to an external monitor, running dex]

Running DEX on the 'deck.

Of course, it still has some practical issues - running the external monitor drains the battery from the phone, even when plugged in.

But the overall experience, as far as I’m concerned, is quite #cromulent.

I even wrote most of this post on it.

Cyberdeck as writing machine.
WIP on this blog entry.

Does it support VR?

It does, or it did, sort of, but not for long.

Given that the phone is the brain of the “device”, any USB-C compatible phone can be plugged into it. The previous brains for the device were a Samsung Galaxy S9 and S10, each of which could plug into a Samsung Gear VR.

Unfortunately, Samsung discontinued it, so it doesn’t work with the s20 (the current brain) or later. I keep hoping that these devices will somehow get “opened up” with later non-standard firmwares and enable something like the failed Project DayDream to live up to it’s full potential.


In the end, I haven’t used it much - it’s too unwieldy to take anywhere, and if I’m honest, I don’t do alot of mobile computing where it would be useful. I had planned to address the first issue by mounting the device on a metal frame, and maybe I will if I ever work on a v2, but for now, it remains sans handle or reinforcing structure.

And so it mostly sits, collecting dust… just a souvenir from a future that never was.

Atari BASIC Colleen (an 8-Bit emulator) running on the cyberdeck.
Termux (a shell emulator) running on the cyberdeck.

Hacked - Extortion Wall of Shame

TL;DR — I've received even more emails telling me that I've been hacked. Since I still don't believe their empty threats, I'm posting their bitcoin addresses.

👓 2 minutes

Since my last few posts about script-kiddies and the fake extortions they try to commit, I’ve received upwards of 50 such emails, each with a different bitcoin address, and many with slight differences in text, style, or form, but all basically the same: an email from myself (gasp) claiming that I have been hacked, that some nondescript OS or “device” I own has some magical virus installed on it, and that, if I don’t pay the hacker a ransom in bitcoin, my life will be ruined.

However, I know from past experience that these messages are little more than spam, sent out en masse in hopes that they can rope in some poor sucker who falls for this. I know most of these are bogus from the beginning because the email I use for my phone is completely unrelated to the ones that keep receiving these messages. Other times, the email will make vague references to programs I don’t even have installed, again betraying their carbon-copied nature. In truth, I have never paid ransom, even though I’ve personally received dozens of these messages, and my life has yet to be ruined by these lamers.

So, as a public service, I have included the bitcoin addresses for these script-kiddies, in hopes that some other would-be victim finds this page (possibly through a web search) and learns that they, too, can ignore this BS.

All addresses listed here have been reprinted as they were received.

====== BEGIN WALL OF SHAME ======
====== UPDATED: 2024-01-02 ======
1MQj3F Sm2kcent MBiDfNZj AMP4VYf QRriC
12aJgkbT9o zAZnVwiKDg76 FNpS6FcCeVvS

======= END WALL OF SHAME =======

Again, if you received an ominous email about your device being hacked and it uses one of these bitcoin addresses, just know that I received one of those messages, too, and I never paid. Since I’m still here, posting this, obviously none of their doomsday prophecies came to pass - no mass email to my contacts, no embarassing footage, no ruined life… and no hacked device.

Hacked!? Again!?

TL;DR — I've received some more emails telling me that I've been hacked. Since I still don't believe them, I thought I'd make fun of another one instead.

👓 3 minutes

Since my last post about script-kiddies using spam to try and commit fake extortion, I’ve recevived plenty of other threatenting emails from lamers, so here’s another one from the (spam) vault:

From: [redacted-address]
To: [redacted-address]
Subject: Security Warning. Third party accessed to [redacted-address].


I’m is very good coder.

Just not much of a writer, apparently.

I am known by my nickname finn29.

Look, man - I’ve known The Finn since 1984. And you, sir, are not The Finn.

I hacked this mailbox more than six months ago,
through it I infected your operating system with a virus (trojan) created by me and have been spying for you a very long time.

Somehow, I find this hard to believe.

I understand it is hard to believe, but you can check it yourself.
I’m sent this e-mail from your account. Try it yourself.

No, “you’re” didn’t send this email from my account. In fact, if I had to guess, you tried to send it from your parents’ basement (which I have the IP for, by the way), but my SPF rules caught it, flagged it, and dumped it into my spam folder. As they should have.

Even if you changed the password after that - it does not matter, my virus intercepted all the caching data on your computer
and automatically saved access for me.

I think you’ve been watching too much CSI: Cyber.

I have access to all your accounts, social networks, email, browsing history.
Accordingly, I have the data of all your contacts, files from your computer, photos and videos.

Oh noes, all of the contacts stored on my computer? What is this, 1998?

I was most struck by the intimate content sites that you occasionally visit.
You have a very wild imagination, I tell you!

I do, actually, but not in the way you want.

During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching.
Oh my god! You are so funny and excited!

I don’t even know what to say to that.

I think that you do not want all your contacts to get these files, right?
If you are of the same opinion, then I think that $643 is quite a fair price to destroy the dirt I created.

$600 to erase the pictures and videos you don’t have? What a bargain!

Send the above amount on my BTC wallet (bitcoin): 19kXyFbvetft819v4QV5g9vzrjwNqRtvgA
As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it.

Well, you seem trustworthy, so I’m sure I can believe your “guarantee”.

Otherwise, these files and history of visiting sites will get all your contacts from your device.
Also, I’ll send to everyone your contact access to your email and access logs, I have carefully saved it!

I’ve spent the last 10 minutes trying to figure out what he’s saying here, but I just can’t make sense of it.

Since reading this letter you have 48 hours!
After your reading this message, I’ll receive an automatic notification that you have seen the letter.

Doubtful, since it’s now been 96 hours since you sent the message, and my contacts still haven’t received anything from you. I mean, me. Whatever.

I hope I taught you a good lesson.
Do not be so nonchalant, please visit only to proven resources, and don’t enter your passwords anywhere!
Good luck!

Indeed, you have taught me a lesson: how not to extort money from someone.


TL;DR — I recently received an email telling me that I've been hacked. Since I don't believe it, I thought I'd make fun of it instead.

👓 6 minutes

A couple of weeks ago, I was lucky enough to receive an #email telling me how one of my email accounts (and the devices associated with it) had been hacked. What’s more, this email appeared to be “From” the hacked accounts, a feat designed to help me understand just how serious of a threat this hacker is.

And I do understand - they’re a joke.

Now, I am not disrespecting “real” #hackers , the kind who are perfectly capable of destroying my bank account, doxxing my children, and generally ruining my life, so please, don’t take this as some kind of a challenge. Instead, I’m disrespecting a “script kiddie”, someone who can’t actually hack, and instead spends their time trying to fake it by scaring people who don’t understand the shiny magic boxes we commonly call computers (or, more generally, “devices”).

If you really wanna be a fake hacker, this book will tell you how!

Unfortunately for this lamer, I do understand these magic boxes enough to call their bluff, and have decided to post their weak-sauce attempt at extortion here (along with some commentary of my own). Although I’ve redacted the addresses that I received these messages from, I’ve kept most of the actual text of the messages intact, in hopes that someone searching for this text may come across this post and save themselves a truly unnecessary extortion payment.

The Email

From: [redacted-address]
To: [redacted-address]
Subject: [redacted-address] - this account has been hacked! Change all your passwords!



I have bad news for you.


19/07/2018 - on this day I hacked your operating system and got full access to your account [redacted-address]

Oh, noes! You hacked my operating system to get access to my email address?

Wait, how does that work?

It is useless to change the password, my malware intercepts it every time.

Wow, that’s some magical malware.

How it was:
In the software of the router to which you were connected that day, there was a vulnerability.
I first hacked this router and placed my malicious code on it.
When you entered in the Internet, my trojan was installed on the operating system of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

I’ve always wondered how it was, so thanks for telling me.

By the way, I like how you use the generic term “device” - that must make it easier to mass-send bogus emails like this. I mean, which device associated with this email did you hack?

I only ask because… well, let’s not ruin the fun yet. 😉

A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources.
I’m talking about sites for adults.

I want to say - you are a big, big pervert. You have unbridled fantasy!!!

You know, I used to play bass for Unbridled Fantasy back in high school.

After that, an idea came to my mind.
I made a screenshot of the intimate website where you have fun (you know what it is about, right?).
After that, I made a screenshot of your joys (using the camera of your device) and joined all together.
It turned out beautifully, do not doubt.

Both my favorite intimate website and my “joys”, together in one picture? I gotta see this!

By the way, thanks for telling me how beautiful my “joys” look, it’s not often that I get a complement like that.

I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues.

And I am strongly belive that you’re not much of a writer. Or a hacker.

I think $741 is a very small amount for my silence.
Besides, I spent a lot of time on you!

OK, this just got weird.

I accept money only in Bitcoins.
My BTC wallet: 1H9bS7Zb6LEANLkM8yiF8EsoGEtMEeLFvC

But, what if I don’t know to replenish a Bitcoin wallet?

You do not know how to replenish a Bitcoin wallet?
In any search engine write “how to send money to btc wallet”.
It’s easier than send money to a credit card!

I don’t know, send money to a credit card is pretty easy.

For payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment when you open this letter. Yes, yes … it has already started!

After payment, my virus and dirty photos with you self-destruct automatically.
Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your “joys”.

Well, it’s been over a week since I opened the “letter” (approximately 168 hours, by my math), and so far, no “joys”.

I want you to be prudent.

  • Do not try to find and destroy my virus! (All your data is already uploaded to a remote server)
  • Do not try to contact me (this is not feasible, I sent you an email from your account)
  • Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.

Yeah, here’s the thing about the email you “sent”: you didn’t actually send it, you just tried to send it (and you didn’t even bother to hide the source IP!), but my email handling rules caught it, flagged it, and dumped it into my #spam folder, which is why it took me over a week to notice it.

P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim.
This is a hacker code of honor.

Well, you sure seem trustworthy, so I’m sure I can believe your “guarantee”. And your haxx0r “code of honor”.

From now on, I advise you to use good antiviruses and update them regularly (several times a day)!

Don’t be mad at me, everyone has their own work.

Sure, if by “work” you mean “scaring technophobes from your parents’ basement”.


Bite me, lamer.

The Truth

Now, you may be asking yourself, “how does he know that his devices haven’t actually been hacked?” Well, in addition to all of the reasons raised above, there is one more I neglected to mention: the email account that this master haxx0r allegedly compromised isn’t even associated with any devices. It’s just a email address, plain and simple, and isn’t used for logging into any application or device anywhere on the #internet . What’s more, I’ve been sending out and posting resumes with this address for a few weeks now, and suspect that this is how this wannabe got their hands on it.

So, in the end, how can one try and minimize their exposure to hacking threats (especially fake ones)? Well, IANAHOSE, but these are some of the ways that I do it:

  • For years, I’ve tried to diversify my accounts, using different emails for different sites, and keeping those email addresses separate from the accounts I use on actual devices.
    • To make this work, I had to buy a domain name (which costs about $10 / year) and setup a catch-all (or “wildcard”) address. That way, I can use anything I want for the “local-part” of the email address (aka the portion before the “@” symbol), and I’ll still get it at my main address (which I don’t typically share).
  • Likewise, I diversify my passwords, using a different password for each site / device. The easiest way to do this is with a good password manager.
  • I also try to keep good backups, so if my devices do get hacked, I can wipe and restore them (relatively) easily.
  • Finally, as alluded to above, I have Sender Policy Framework (SPF) rules setup to work with my domain, which helps to prevent others from sending unauthorized emails from an account I own.

Always try to remember: No matter how scary an email may look, don’t believe everything that you read. Many (if not most) are from fakers just like this one, and are nothing more than poorly-weaponized spam. And, just like with regular spam, the only proper (and safe) way to react is to ignore it completely.

The People vs. John Deere

TL;DR — John Deere argues that farmers don't own their tractors, and this does not bode well for our IoT future.

👓 less than 1 minute

Over at Wired, iFixit’s Kyle Wiens (@kwiens) points out that #DMCA abuse extends well beyond preventing you from jailbreaking your PS3 and into the world of… farm machinery?

In a particularly spectacular display of corporate delusion, John Deere—the world’s largest agricultural machinery maker —told the Copyright Office that farmers don’t own their tractors. Because computer code snakes through the DNA of modern tractors, farmers receive “an implied license for the life of the vehicle to operate the vehicle.”

It’s John Deere’s tractor, folks. You’re just driving it.

I find this particularly worrisome with regards to the #InternetOfThings, and the possibility of forced vendor lock-in on even the most trivial of items (“I’m sorry, sir, you’ll have to call a certified Moen plumber to fix your leak.”)

Welcome to the future. Fight to make it better.