[HN Gopher] Backdooring Your Backdoors - Another $20 Domain, Mor...
       ___________________________________________________________________
        
       Backdooring Your Backdoors - Another $20 Domain, More Governments
        
       Author : mooreds
       Score  : 228 points
       Date   : 2025-01-12 16:01 UTC (6 hours ago)
        
 (HTM) web link (labs.watchtowr.com)
 (TXT) w3m dump (labs.watchtowr.com)
        
       | Lammy wrote:
       | To avoid my comment being entirely a terminology nitpick I will
       | say this is very cool work that I would be too afraid of CFAA to
       | ever attempt. Especially funny to see four parasites on one
       | government domain. Do skiddies not excise other skiddies'
       | backdoors when pwning systems so they can have them all to
       | themselves?
       | 
       | > We then hooked that up to the AWS Route53 API, and just bought
       | them en-masse. Honestly, it's $20, and we've done worse with
       | more.
       | 
       | > We're incredibly grateful for the support of The Shadowserver
       | Foundation, who have agreed yet again to save us from our own
       | adventures and to take ownership of the domains implicated in
       | this research and sinkhole them.
       | 
       | I wish we could collectively stop using the terms "buy" and "own"
       | with regard to domains. Try "leased" or "rented". If they could
       | be bought then they wouldn't have been available again for this
       | exercise.
        
       | Its_Padar wrote:
       | Technically this is a dupe, as this has been submitted twice
       | before in the last week.
       | 
       | https://news.ycombinator.com/item?id=42658405
       | 
       | https://news.ycombinator.com/item?id=42633273
        
         | blendergeek wrote:
         | It only counts as a dupe if it received discussion/upvotes last
         | time.
        
         | catoc wrote:
         | The first link is also watchTowr, but a different post.
        
       | Thorrez wrote:
       | I wonder what would happen if they exploited these webshells'
       | backdoors to delete the webshells...
        
         | abound wrote:
         | If you're the FBI (and maybe also have a court order), you can
         | do this [1]. If you're a grey hat hacker in Russia, you can
         | maybe do this [2]. If you're a random person in the US, you're
         | likely exposing yourself to a lot of (CFAA) risk.
         | 
         | As the authors of this post note, they were careful to only
         | receive + log traffic and not otherwise send interesting
         | responses/engage with the webshells.
         | 
         | [1] https://www.malwarebytes.com/blog/news/2024/02/fbi-removes-m...
         | 
         | [2] https://www.zdnet.com/article/a-mysterious-grey-hat-is-patch...
        
       | busymom0 wrote:
       | Slightly off topic, but what's going on with the font for the "y"
       | character in this article? It sticks out like a sore thumb.
        
         | sosborn wrote:
         | It's the font design: https://abcdinamo.com/typefaces/favorit
        
           | busymom0 wrote:
           | Looks like the font provides an "alternative y" which looks
           | normal. But the default one has that ugly broken look.
        
         | npteljes wrote:
         | I think some fonts do this so that they have a distinguishing
         | feature. Fonts seem to be a very saturated market, so this
         | might help being noticed in a crowd of sameness and copycats,
         | and many people don't look at a font otherwise either, even
         | people who use them in designs.
         | 
         | I think the sticking-out part is supposed to irritate somewhat,
         | but it still needs to make some sense, like a hot take. I
         | noticed some online personalities use the same strategy with
         | pronunciation, consciously and consistently mispronouncing
         | specific words or playing up their accent. Media analysts also
         | recognize verbal tics as a trope, for similar effect.
         | 
         | Back to fonts, another site that I remember using a similar
         | thing is the Genius lyrics site. For a long time, while
         | establishing their presence, they used the square character
         | forms from the Programme font, which you can see on my link.
         | They still use Programme, but have used the normal forms for
         | some time now, presumably because it was indeed irritating and
         | it hurt legibility.
         | 
         | https://www.typewolf.com/programme
        
         | 8organicbits wrote:
         | I find this sort of thing bothers me often enough that I've
         | disabled downloadable_fonts. I think of the web as a place
         | where I read things, so custom fonts that hurt readability are
         | undesirable. I get why designers want a unique style, but I
         | rarely want that as an end user.
        
       | fn-mote wrote:
       | I loved this write-up. Light-hearted. Conscious of the impact of
       | any disclosure. Everything substantiated, but not taking
       | themselves too seriously. An enjoyable read, and at the same time
       | talking about a serious issue.
        
       ___________________________________________________________________
       (page generated 2025-01-12 23:00 UTC)