The Orphaned Internet Domain Risk

I have clicked on company websites of social media acquaintances, and something is not right: Slight errors in formatting, encoding errors for special German characters.

Then I notice that some of the pages contain links to other websites that advertise products in a spammy way. However, the links to the spammy sites are embedded in these alleged company websites in a subtle way: using the (nearly) correct layout, or embedding the link in a ‘news article’ that also contains legit product information – content really related to the internet domain I am visiting.

Looking up whois information tells me that these internet domains are not owned by my friends anymore – consistent with what they actually say on their social media profiles. So how come they ‘have given’ their former domains to spammers? They did not, and they didn’t need to: spammers simply need to watch out for expired domains, seize them when they become available – and then reconstruct the former legit content from public archives and interleave it with their spammy messages.

The former content of legitimate sites is often available on the web archive. Here is the timeline of one of the sites I checked:

Clicking on the details shows:

  • Last display of legit content in 2008.
  • In 2012 and 2013 a generic message from the hosting provider was displayed: “This site has been registered by one of our clients.”
  • After that we see mainly 403 Forbidden errors – so the spammers don’t want their site to be archived – but at one time a screen capture of the spammy site had been taken.

The new site shows the name of the former owner at the bottom but an unobtrusive link had been added, indicating the new owner – a US-based marketing and SEO consultancy.

So my take away is: if you ever feel like decluttering your websites and freeing yourself of your useless digital possessions – and possibly also social media accounts – think twice: as soon as your domain or name is available, somebody might take it, and re-use and exploit your former content and possibly your former reputation for promoting their spammy stuff in a shady way.

This happened a while ago, but I know now it can get much worse: why only distribute marketing spam if you can distribute malware through channels still considered trusted? In this blog post Malwarebytes raises the question whether such practices are illegal or not – it seems that question is not straightforward to answer.

Visitors do not even have to visit the abandoned domain explicitly to get hit by the malware served. I have seen some reports of abandoned embedded plug-ins turned into malicious zombies. Silly example: if you embed your latest tweets, Twitter goes out of business, and its domains are seized by spammers – your Follow Me icon might help to spread malware.

If a legit site runs third-party code, they need to trust the authors of this code. For example, Equifax’ website recently served spyware:

… the problem stemmed from a “third-party vendor that Equifax uses to collect website performance data,” and that “the vendor’s code running on an Equifax Web site was serving malicious content.”

So if you run any plug-ins, embedded widgets or the like – better check regularly whether the originating domain is still run by the expected owner; monitor your vendors often; and don’t run code you do not absolutely need in the first place. Don’t use embedded active badges if a simple link to your profile would do.

Do a painful, boring inventory and assessment often – then you will notice how much work it is to manage these ‘partners’, and you will rather stay away from signing up and registering for too many services.
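One way to start that boring inventory, as an added example that is not part of the original post: a small Python script that lists every third-party domain a page pulls resources from, distinguishes active content (scripts, iframes) from passive content (images, stylesheets), and flags domains that are not on an allowlist of expected owners. The sample HTML, the allowlist and the `.example` domains are constructed for illustration; the registrable-domain helper is a crude approximation, as noted in the code.

```python
"""Inventory of third-party resources embedded in a page, checked
against an allowlist of expected domain owners. Added example, not the
blog author's code. Sample HTML and allowlist are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose referenced resource runs or renders foreign content in
# the visitor's browser (the 'active badge' case in the post) versus
# tags that only fetch passive content. Both can be swapped out by
# whoever controls the domain after it expires; active ones are worse.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE_TAGS = {"img": "src", "link": "href"}

# Constructed allowlist: registrable domain -> owner we expect to control it.
EXPECTED_OWNERS = {
    "example-widgets.net": "Example Widgets Inc. (support contract)",
}

# Constructed sample page; own site is www.example.com.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example-widgets.net/style.css">
<script src="https://cdn.example-widgets.net/widget.js"></script>
<script src="/js/site.js"></script>
<script src="https://badges.old-social-network.example/follow-me.js"></script>
</head><body>
<img src="https://www.example.com/logo.png">
<iframe src="https://tweets.defunct-service.example/embed?user=x"></iframe>
<img src="https://img.unknown-tracker.example/pixel.gif">
</body></html>
"""


class ExternalResourceParser(HTMLParser):
    """Collect (tag, url, active) for every externally loaded resource."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = ACTIVE_TAGS.get(tag) or PASSIVE_TAGS.get(tag)
        if attr is None or attr not in attrs:
            return
        url = attrs[attr]
        host = urlparse(url).hostname
        # Relative URLs and same-host URLs are not third party.
        if host is None or host == self.own_host:
            return
        self.resources.append((tag, url, tag in ACTIVE_TAGS))


def registrable_domain(host):
    """Approximation: the last two labels of the host name. Fine for
    .com/.net style names; a public-suffix list handles co.uk etc."""
    return ".".join(host.lower().split(".")[-2:])


def audit(html, own_host, expected=EXPECTED_OWNERS):
    """One report entry per third-party registrable domain: the expected
    owner (None if unknown), whether active code is pulled from it, and
    the URLs involved."""
    parser = ExternalResourceParser(own_host)
    parser.feed(html)
    report = {}
    for tag, url, active in parser.resources:
        domain = registrable_domain(urlparse(url).hostname)
        entry = report.setdefault(
            domain, {"owner": expected.get(domain), "active": False, "urls": []})
        entry["active"] = entry["active"] or active
        entry["urls"].append(url)
    return report


def unexpected(report):
    """Domains with no expected owner, active-code ones first. These are
    the ones to verify (whois, vendor contact) before trusting them."""
    return sorted((d for d, e in report.items() if e["owner"] is None),
                  key=lambda d: (not report[d]["active"], d))


if __name__ == "__main__":
    rep = audit(SAMPLE_HTML, "www.example.com")
    for domain in unexpected(rep):
        kind = "ACTIVE" if rep[domain]["active"] else "passive"
        print(f"{kind:7} {domain}: {', '.join(rep[domain]['urls'])}")
```

Running the script lists the three unlisted domains, the two serving scripts or iframes first; the allowlisted widget vendor and the site's own host are not reported.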

Update 2017-10-25: And as we speak, we learn about another example – snatching a domain used for a Dell backup software, preinstalled on PCs.

Bing Says We Are Weird. I Prove It. Using Search Term Poetry.

Bing has done so repeatedly:

Bing Places asks for this every few months.

In order to learn more about this fundamental confusion I investigated my Bing search terms. [This blog has now entered the phase of traditionally light summer entertainment.]

Rules:

  • Raw material: Search terms shown in Bing Web Master Tools for any of my / our websites.
  • Each line is a search term or a snippet of a search term – snippets must not be edited, but truncation of phrases at the beginning or end is allowed.
  • Images: Random pick from the media library of elkement.blog or our German blog (‘Professional Tinkerers – Restless Settlers‘)

_______________________

you never know
my life and my work

is life just about working
please try to give a substantial answer

A substantial answer.

element not found
map random elkement

Random elkement, confused by maps.

so as many of you may know (though few of you may care)
my dedication to science

this can happen if
the internet is always a little bit broken

The internet is always a little broken

google translate repetetive glitch poetry

_______________________

So let’s hear what Google has to say!
Same rules, only for Google Search Console:

_______________________

so called art
solar energy poem

ploughing through
proof of carnot theorem
thermodynamics in a nutshell

Thermodynamics in a nutshell.

mr confused
why him?

Mr Confused

plastic cellar
sublime attic
in three sentences or fewer, explain the difference

Plastic tank - 'ice storage'

Sublime attic.

name the three common sources of heat for heat pumps
magic gyroscope
frozen herbs
mice in oven

Had contained frozen herbs. Isomorphic to folding of ice/water tank pond liner.

shapeshift vs kraken
tinkers construct slimey
you found that planet z should not have seasons

Slimey

the best we can hope for is that
tv is dangerous

what is the main function of the mulling phase?
you connect a packet sniffer to a switch

Connect a sniffer - to your heat pump

how to keep plastic water tank cool in summer
throwing boiling water into freezing air

Freezing air.

just elke
self employed physicist
the force is strong in me

The force is strong in me.

_______________________

The Future of Small Business?

If I were asked which technology or ‘innovation’ has had the most profound impact on the way I work, I would answer: working remotely – with clients and systems I hardly ever see.

20 years ago I played with modems, cumbersome dial-in, and Microsoft’s Netmeeting. Few imagined then that remote work would one day be the new normal. Today I am reading about Industry 4.0, 3D printing, the Internet of Things, and how every traditional company has to compete with Data Krakens like Google and Amazon. Everything will be offered as a service, including heating. One consequence: formerly independent craftsmen become preferred partners or subcontractors of large companies, of vendors of smart heating solutions. Creative engineering is replaced by calling the Big Vendor’s hotline. Human beings cover the last mile that robots or software cannot deal with – yet.

Any sort of customization, consulting, support, and systems integration might be automated in the long run: Clients will use an online configurator and design their systems, and possibly print them out at home. Perhaps someday our clients will print out their heat exchangers from a blueprint generated on Kraken’s website, instead of using our documentation to build them.

Allowing you to work remotely also allows everybody else in the world to do so, and you might face global competition once the barriers of language and culture have been overcome (by using ubiquitous US culture and ‘business English’). Large IT service providers have actually considered turning their consulting and support staff into independent contractors and letting them compete globally – using an online bidding platform. Well-known Data Krakens match clients and freelancers, and I’ve seen several start-ups that aspire to becoming the next matching Kraken platform for computer / tech support. Clients will simply not find you if you are not on the winning platform. Platform membership becomes as important as having a website or an entry in a business directory.

One seemingly boring and underappreciated point that works enormously in favor of the platforms is bureaucracy: as a small business you have to deal with many rules and provisions, set forth by large entities – governments, big clients, big vendors. Some of those rules are conflicting, and meeting them all in the best possible way does not allow for much creativity. Krakens’ artificial intelligence – and their lawyers and lobbyists – might be able to fend off bureaucracy better than a freelancer. If you want to sell things to clients in different countries, you had better defer the legally correct setup of the online shop to the Kraken Platform, which deals with the intricacies of ever-evolving international tax law – while you become their subcontractor or franchisee. In return, you will dutifully sign the Vendor’s Code of Conduct every year, and follow the logo guidelines when using Kraken’s corporate identity.

In my gloomy post about Everything as a Service I came to the conclusion that we – small businesses who don’t want to grow and become start-ups aspiring to Krakenhood themselves – will either work as the Kraken’s hired hands, or …

… a lucky few will carve out a small niche and produce or customize bespoke units for clients who value luxurious goods for the sake of uniqueness or who value human imperfection as a fancy extra.

My personal credo is rather a very positive version of this quote minus the cynicism. I am happy as a small business owner. This is just a single data-point, and I don’t have a self-consistent theory on this. But I have Skin in this Game so I share my anecdotes and some of the things I learned.

Years ago I officially declared my retirement from IT Security and global corporations – to plan special heat pump systems for private home owners instead. Today we indeed work on such systems, and the inside joke of doing this remote-only – ‘IT-style’ – has become routine. Clients find us via our blog that is sometimes mistaken for a private fun blog and whose writing feels like that. I have to thank Kraken Google, begrudgingly. A few of my Public Key Infrastructure clients insisted on hiring me again despite my declarations of looming ignorance in all things IT. All this allows for very relaxed, and self-marketing-pressure-free collaborations.

  • I try to stay away, or move farther away from anything strictly organized, standardized, or ‘platform-mediated’. Agreements are made by handshake. I don’t submit any formal applications or replies to Request for Proposals.
  • “If things do not work without a written contract, they don’t work with a contract either.”
  • I hardly listen to business experts, especially if they try to give well-meant, but unsolicited advice. Apply common sense!
  • Unspectacular time-tested personal business relationships beat 15 minutes of fame any time.
  • My work has to speak for itself, and ‘marketing’ has to be a by-product. I cannot compete with companies who employ people full-time for business development.
  • The best thing to protect your inner integrity is to know and to declare what you do not want and what you would never do. Removing the absolute negatives leaves a large area of positive background, and contrary to the mantra of specific ‘goals’ this approach lets you discover unexpected upsides. This is Nassim Taleb’s Via Negativa – and any career or business advice that speaks to me revolves around that.
  • There is no such thing as the True Calling or the One and Only Passion – I like the notion of a Portfolio of Passions. I think you get to enjoy what you are learning to be good at – not the other way around.
  • All this is the result of years of experimenting in a ‘hyperspace of options’ – there is no shortcut. I have to live with the objection that I have just been lucky, but I can say that I made many conscious decisions whose ‘goal’ was to increase the number of options rather than to narrow them down (Taleb’s Optionality).

So I will finally quote Nassim Taleb, who nailed it as usual – in his Facebook post about The New Artisan:

Anything you do to optimize your work, cut some corners, squeeze more “efficiency” out of it (and out of your life) will eventually make you hate it.

I have bookmarked this link for a while – because sometimes I need to remind myself of all the above.

Taleb states that an Artisan …

1) does things for existential reasons,
2) has some type of “art” in his/her profession, stays away from most aspects of industrialization, combines art and business in some manner (his decision-making is never fully economic),
3) has some soul in his/her work: would not sell something defective or even of compromised quality because what people think of his work matters more than how much he can make out of it,
4) has sacred taboos, things he would not do even if it markedly increased profitability.

… and I cannot agree more. I have lots of Sacred Taboos, and they have served me well.

Ploughing Through Theoretical Physics Textbooks Is Therapeutic

And finally science confirms it, in a sense.

Again and again, I’ve harped on this pet theory of mine – on this blog and elsewhere on the web: At the peak of my immersion in the so-called corporate world, as a super-busy bonus miles-collecting consultant, I turned to the only solace: Getting up (even) earlier, and starting to re-read all my old mathematics and physics textbooks and lecture notes.

The effect was two-fold: It made me more detached, perhaps more Stoic when facing the seemingly urgent challenges of the accelerated world. Maybe it already prepared me for a long and gradual withdrawal from that biosphere. But surprisingly, I felt it also made my work results (even ;-)) better: I clearly remember compiling documentation I wrote after setting up some security infrastructure with a client. Writing precise documentation was again more like casting scientific research results into stone, carefully picking each term and trying to be as succinct as possible.

Like anybody else I enjoy reading about psychological research that confirms my biases and my one-datapoint-based research – and here it finally is. Thanks to Professor Gary for sharing it. Science says that Corporate-Speak Makes You Stupid. Haven’t we – Dilbert fans – always felt that this has to be true?

… I’ve met otherwise intelligent people who, after working with management consultants, are convinced that infinitely-malleable concepts like “disruptive innovation,” “business ecosystem,” and “collaborative culture” have objective value.

In my post In Praise of Textbooks with Tons of Formulas I focused on possible positive explanations, like speeding up your rational System 2 ((c) Daniel Kahneman) – by getting accustomed to mathematics again. By training yourself to recognize patterns and to think out of the box when trying to find the clever twist to solve a physics problem. Re-reading this, I cringe though: Thinking out of the box has entered the corporate vocabulary already. Disclaimer: I am talking about ways to pick a mathematical approach, by drawing on other, slightly related problems intuitively – in the way Kahneman explains the so-called intuition of experts as pattern recognition.

But perhaps the explanation is really as simple as that we just need to shield ourselves from negative effects of certain ecosystems and cultures that are particularly intrusive and mind-bending. So this is my advice to physics and math graduates: Do not rely on your infamous analytical skills forever. First, using that phrase in a job application sounds like phony hollow BS (as unfortunately any self-advertising of social skills does). Second, these skills are real, but they will decay exponentially if you don’t hone them.

6 volumes on all of Theoretical Physics - 1960s self-consistent series by my late professor Wilhelm Macke

Where to Find What?

I have confessed on this blog that I have Mr. Monk DVDs for a reason. We like to categorize, tag, painstakingly re-organize, and re-use. This is reflected in our Innovations in Agriculture …

The Seedbank: Left-over squared timber met the chopsaw.

The Nursery: Rebirth of copper tubes and newspapers.

… as well as in my periodical Raking The Virtual Zen Garden: Updating collections of web resources, especially those related to the heat pump system.

Here is a list of lists, sorted by increasing order of compactification:

But thanks to algorithms, we get helpful advice on presentation from social media platforms: Facebook, for example, encouraged me to tag products in the following photo, so here we go:

“Hand-crafted, artisanal, mobile nursery from recycled metal and wood, for holding biodegradable nursery pots.” Produced without crowd-funding and not submitted to contests concerned with The Intersection of Science, Art, and Innovation.

Social Debt (Tech Professional’s Anecdotes)

I have enjoyed Ben Horowitz’ book The Hard Thing About Hard Things. Farnamstreet’s review is perfect, so I will not attempt to write one. I will focus on one idea I found most intriguing.

I read Horowitz’ book as an account of dealing with hard decisions in general, about having to decide alone, about personal accountability, about having to pick the lesser of two evils.

The idea that stuck with me in particular is Management Debt, and Horowitz also blogged about this.

… management debt is incurred when you make an expedient, short-term management decision with an expensive, long-term consequence.

You accumulate Management Debt if you try to fix an organizational issue quickly by acting inconsistently. Horowitz’ example: you might give an employee a raise in order to stop her from leaving the company. But she had discussed her plans with another employee who then wonders why she stayed; so she feels pressed to explain the reason to him. Then others learn how to blackmail you in order to get a raise, etc.

From my short stint as a manager I am familiar with such situations, but I would rather extend the concept to Social or Political Debt. I believe that we, as human social animals, tend to focus on resolving the conflict right in front of us, rather than considering seemingly abstract consequences in the future.

I am thinking of the expert bombarded with all kinds of requests. As a professional it is hard to avoid them: people who want to pick your brain and would just like to have 5 minutes so you can glance over their problems. For free. Trying to help all of them – on top of working with paying clients – would be the equivalent of trying to copy a full book at the photocopier but yielding to anybody who wants to copy just a single page.

As a fallible human you might give in to the most intrusive requester just to get rid of him or her. You think that explaining your seemingly cold-hearted rationale would take more time and would be more emotionally taxing than just fulfilling the request.

But those people will return with more problems, and their acquaintances will, too. You have incurred debt, and it carries an interest rate. The moment of refusal might be difficult though, in particular with requests in the blurry area between business and private. How to say No to that alleged or self-declared old friend?

I am a believer in 1) stating clearly what you don’t want and don’t do (rather than focusing on the positive) without feeling the need to explain yourself, and 2) “Principles” – a short list of your values, or guiding principles you always follow. Both need to be ingrained in your mind so that you react accordingly in case you receive those e-mails and calls out of the blue.

The paradoxical or sad thing is that explanations are most often futile. There are many good reasons – both ethical and business-wise – for not jumping onto such requests. The obvious one being limited time and treating all clients equal, but the best one in my point of view being the value of true expertise: Based on years of experience you might only need five minutes to solve a problem that requires somebody else doing days of research. That’s exactly why those first minutes might be the most valuable.

I am speaking from experience although such things fortunately did happen to me rarely. But when they did, it was freaking me out. I once got a call from an unknown lawyer who was in the middle of installing his very own Public Key Infrastructure; he started asking technical questions before introducing himself. I tried to explain that I was actually charging people for such services, and that I assumed he did not do legal counselling for free either. His response was that he was maintaining all his IT stuff by himself – just this topic was too complicated for him so he needed advice. So services should be free if a professional solves a particularly tricky problem. This defies common sense.

I also thought I had a killer argument, non-refutable. I am actually providing technical information on ‘the internet’ – the same sort of answers or materials I would charge clients for. The difference is that I am not obligated to do this, so I pick this case by case. I believe in open-source-style sharing in a community of like-minded members. I am a believer in demonstrating skills in real time instead of showing off certificates – it goes without saying this might include giving away some valuable advice for demo purposes at the start of a business relationship.

Unfortunately, this demo-for-business argument is used too often by people who want to milk your know-how forever – just testing how far they can go – without ever really considering a ‘business relationship’. As soon as you tell them the answer to the next question will not be free of charge anymore, they suddenly stop asking.

Fortunately, I get enough positive feedback from providing so much detailed information for free! A few people who don’t get it would not shatter my confidence. Interestingly, the people who still challenge me (But then you don’t have time for me??) are those whom I would not consider part of any ‘sharing’ community, nor do they get its spirit in the slightest. I think all those issues belong in the category: either you get it immediately and communication is based on tacit understanding of what is normal and appropriate – or all explanations are in vain.

Many years ago I had been asked literally if I would like to work for free. Corporations send out requests for proposals and ask for lots of free concepts and presentations – until they have gathered enough know-how from all the potential vendors invited, so that finally they have learned enough from the ‘pitches’ and can do the whole project on their own. Eventually I had my antennas finely tuned to all the typical manipulation methods (I have already told X you will do [unpaid honorable engagement] Y – if you don’t, this will get me into serious trouble!). Many people are driven by short-term impulses, not by malice (I have to solve this problem or my boss will kill me!), and they respond to logical arguments: what would you say if you were a paying client and found out that I do free consulting for other people at random? Some manipulators are hopeless cases though, especially if they think they provide something in return that is actually less than useless to you.

Horowitz’ war stories resonated with me more than I expected. He emphasizes dealing with organizationally or psychologically difficult issues head-on. I read his advice as: Better act sooner than later, better state the ugly truth upfront. Better take some decision at all, even if it is just 55% versus 45%. Communicate clearly, don’t use fluffy phrases. Sometimes people explicitly appreciated my way of saying No immediately and unambiguously, instead of endless dithering and not trying to hurt anybody which seems to have become fashionable in times of Networking and You Will Always Meet Two Times.


Searching my own images for one that would represent both mental clarity as well as difficult decisions – I zoomed in on this one immediately. (Vineyards close to my home village, evening at the beginning of May.)

Although this is tagged with ‘rant’ it should not be interpreted as what I actually consider pointless and energy-draining – endless rants about common practices in your industry sector that you cannot change but have to live with. I am in the Love It, Change It, Or Leave It camp. I have also been writing about the past, and often a single annoying event of that sort had made me shift gears.

I believe the best – and most productive – way to cope with weird requests is to either: Respond clearly and immediately using a standardized I-don’t-do reply, then ignore them as an accidental, misguided question that just happened to end up in your inbox; or: to analyze if an aspect of your previous communication might have invited such inquiries, and improve your future communications. And don’t aim at being liked by anybody, anytime.

When I Did Social Engineering without Recognizing It

I planned to read something about history this summer.

Then I picked the history of hacking. My favorite was Kevin Mitnick’s autobiography – the very definition of a page-turner.

The book is free of hardcore technical jargon and written for geeks and lay audiences alike. Readers are introduced to the spirit of a hacker in the older sense of the word: Mitnick’s hacks were motivated by the thrill of exploring systems, but he never gained financially.

Kevin Mitnick successfully obtained the latest source code of cell phones, reports on security vulnerabilities in operating systems, and legitimate-looking birth certificates of deceased children to set up a new identity – due to his combination of technical skills and mastery of social engineering. He got people to reveal corporate information they should not have. Pieces of information are seemingly innocuous in their own right – a server name, a corporate directory of employees – but they help the social engineer to learn the lingo and pose as a trusted insider.


I adhere to the conventions re hackneyed images (Wikimedia).

I have often been called way too honest – and thus not getting anywhere in life, professionally. So I was asking myself:

Could I con people into breaking rules? The intuitive answer was of course No.

But then the following anecdote emerged from a dark corner of my mind.

A long time ago I had worked as an IT Infrastructure Manager – responsible for quite a colorful IT environment run partly by subversive non-official admins. I actually transitioned into that role from supporting some of the latter. One of the less delightful duties was to keep those subversive elements from building rogue websites and circumvent the bureaucratic corporate content management system – by purchasing internet domains like super-fancy-product-name.com and hosting these services where they figured I would not find it.

I also had to clean up legacy mess.

One time we had to migrate an internet domain hosted on behalf of Another Very Important Organization to one of their servers. Routine stuff, had the domain been under our control. But it was tied to a subversive website a department had once set up, working with an external marketing consultancy. The consulting company was – as per the whois records – the official owner of the domain.

Actually the owner listed was not even that company but a person employed by that company who was not working for them anymore. I consulted with the corporate lawyers; it would have been a legal knot hard to disentangle.

However, I had to transfer the stuff right now. Internet domains have a legal owner and an administrative and a technical contact. The person able to do the transfer is the latter but he or she must not do it unless instructed to do so.

I tracked down the technical contact and called him up. The tech-c’s phone number was public information, very easy to find back then – nowadays you might need a tiny bit of social engineering to obtain it.

I explained the whole case to him – the whole truth in all details. He was a helpful network administrator working for a small internet provider. Having to deal with a typical network admin’s predicament immediately built a kind of bond. This is one of the things that makes working in IT infrastructure management enjoyable – in a job where you are only noticed if something goes wrong. (The rest of the time you are scolded for needing too much money and employing too many people.)

The result was that the domain was technically transferred to the intended target organization’s server immediately. But: If somebody asks you how this has been done – it wasn’t me!

This is the same concluding remark uttered by an admin at another telco later – whom I had convinced to provide me with a company’s password. That inquiry of mine and the reasons given were also true and legitimate, as I was doing it on behalf of a client – the password owner.

In both cases there was a third party, a client or colleague or employer, who was quite happy with the results.

But there weren’t any formal checks involved – people did not ask me for a verifiable phone number to call me back or wanted to talk to my boss or to the client. If I just had fabricated the stories I would have managed to get a domain transferred and obtain a hosting customer’s password.

The psychologically interesting part of my job was that I didn’t have real power to tell departments what they must or must not do. I could just persuade them.

I think this is an aspect very common to many corporate jobs today – jobs with grand titles but just a bunch of feeble dotted lines to the rest of the corporate universe and its peripheral contractors’ satellites – some of which you never meet face-to-face.

Combine that with an intricate tangle of corporate guidelines and rules – many of them set up to enforce security and compliance. In some environments people hardly get their jobs done without breaking or bending a subset of those rules.

Social engineering, in some sense, is probably what keeps companies functioning at all.