Alphabetical Index

All technologies mentioned in “Attack Surface” sorted alphabetically for quick reference.

A


Advanced Persistent Threat

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.

Learn more:


Adversarial perturbation

An “adversarial perturbation” is a change to a physical object that is deliberately designed to fool a machine-learning system into mistaking it for something else. (from an article written by Cory Doctorow)

Learn more:


Am I under arrest?

This and the following questions are part of the recommended procedure when interacting with police.

Learn more:


Android Developer’s mode

Masha uses USB to connect Tanisha’s phone to her laptop and manipulate software on her phone. She uses Android Developer’s mode and USB debugging for that. More:


Android rootkit

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. Rootkits exist for different operating systems, including Android. Masha just discovered a rootkit on Tanisha’s phone.

Learn more:


Anonymouth

Document anonymization tool written in Java. More:


Anti-Stingray

Tools to protect oneself from IMSI-catchers.

Learn more:


ARGs (Alternate Reality Games)

Interactive games that are usually played in the real world, mixed with multimedia and online services. They usually use stories that are created and controlled by game designers.

Learn more:


Asterisk

An open source phone framework that can be used to build a Voice-over-IP or IP PBX system. Masha runs such a server in the cloud and uses it to route her calls. One example: https://aws.amazon.com/marketplace/pp/Technology-Innovation-Lab-of-Texas-Asterisk-1770-A/B079Y7449R

Learn more:


B


Backdoor

A hidden method to access a computer or network device bypassing the normal authentication scheme, usually created as a part of the software running on that computer.

Learn more:


Bad spelling in check-in messages

Obviously Masha still uses an old, centralized version control system like Subversion, and not more modern, decentralized Git.

Learn more:


BadUSB

It is a way to use the microcontroller embedded in a USB device to inject malware into your computer. The most dangerous thing about it is that all the work is done by that microcontroller, invisible to the target computer’s CPU.

Learn more:


Baseband phone security

It has been confirmed that the software that controls the baseband radio on smartphones can be compromised and can allow attackers to control other parts of the smartphone, such as the camera and microphone. More (some papers are a bit dated, but it’s quite possible some vulnerabilities described in them still exist):


Battlefield intelligence

Is described in the US Army document “Intelligence Preparation of the Battlefield”. More:


Bayesian inference

A method of statistical inference in which Bayes’ theorem is used to update the probability for a hypothesis as more evidence or information becomes available.

Learn more:


Binary Transparency

A method that allows users to verify that the piece of software they use is exactly the same as the one used by other users, i.e. it was not substituted by a compromised version.

Learn more:


Blinkenlights

Usually refers to the diagnostic lights on computers’ front panels (in the old days). The term derives from a famous text dated as far back as 1955:

ACHTUNG!
ALLES TURISTEN UND NONTEKNISCHEN LOOKENSPEEPERS!
DAS KOMPUTERMASCHINE IST NICHT FÜR DER GEFINGERPOKEN UND MITTENGRABEN! ODERWISE IST EASY TO SCHNAPPEN DER SPRINGENWERK, BLOWENFUSEN UND POPPENCORKEN MIT SPITZENSPARKEN.
IST NICHT FÜR GEWERKEN BEI DUMMKOPFEN. DER RUBBERNECKEN SIGHTSEEREN KEEPEN DAS COTTONPICKEN HÄNDER IN DAS POCKETS MUSS.
ZO RELAXEN UND WATSCHEN DER BLINKENLICHTEN.

Learn more:


Blogger

A blogging platform owned by Google. Created in 1999 by Pyra Labs. Written in Python.

Learn more:


Bootloader

A piece of software which normally runs in the early stages of the computer start-up process, after the BIOS has executed but before the operating system starts. Its purpose is to load the operating system (hence the name). A bootloader integrity check is important to avoid a “boot attack”: a type of attack that replaces the original bootloader with one that can intercept passwords, including those used for hard drive encryption.

Learn more:


BusyBox

A lightweight software suite with a set of Linux/Unix commands that is used in embedded devices (list: https://busybox.net/products.html). Can be downloaded and executed as a single binary (size ~1 MB).

Learn more:


BusyBox malware

Masha explains it pretty well: there are pieces of malware that can be executed on systems running BusyBox.

Learn more:


C


CALEA

A wiretapping bill, passed in 1994, as Masha explains it. More:


Caller ID spoofing

A method or tool that allows the caller to pretend that the call is coming from a different number. Masha uses it to read friends’ voicemails, pretending she is calling from their numbers. Scammers use this method to pretend they are calling from the same area code – that way there is a better chance that you pick up the call. Sometimes scammers even pretend they are calling from the actual 800-number which belongs to the IRS.

Learn more:


Catching password from key sounds

Different keys on the keyboard produce slightly different sounds, so the recorded acoustic pattern of you typing in your password can be used to guess it. That’s why Masha does a “medium-loud AAAAAH” when typing her password.

Learn more:


Citizen Lab

A laboratory based at the University of Toronto which works on protecting human rights and privacy in cyberspace.

Learn more:


COINTELPRO

COINTELPRO (syllabic abbreviation derived from COunter INTELligence PROgram) (1956–present) is a series of covert and illegal projects conducted by the United States Federal Bureau of Investigation (FBI) aimed at surveilling, infiltrating, discrediting, and disrupting American political organizations.

Learn more:


CV dazzle

A type of camouflage used to hamper facial recognition software, inspired by dazzle camouflage used by warships.

Learn more:


D


Data-collecting light bulbs

Most likely Masha means this report: https://darkcubed.com/iot-security-technical. Short versions:


Dazzle mask

A mask that allows you to trick facial-recognition software into thinking you are not human. They may use reflective tapes, infrared lights, lenses, etc.

Learn more:


E


EFF’s Surveillance Self-Defense Kit

Surveillance Self-Defense is a digital security guide that teaches you how to assess your personal risk from online spying. It can help protect you from surveillance by those who might want to find out your secrets, from petty criminals to nation states.

Learn more:


EL wire

Electroluminescent wire is a thin copper wire coated in a phosphor that produces light through electroluminescence when an alternating current is applied to it. More:


Enigmail

In the email header from Kriztina there is a phrase:

Enigmail UNTRUSTED good signature from Kriztina kriztinak@riseup.net

That means she uses Enigmail to encrypt and digitally sign her messages. Enigmail works with several mail clients including Thunderbird and Evolution. The meaning of “Untrusted good signature” was explained on the Enigmail forum:

GOOD means that Enigmail verified that the mail content matches the signature. Nobody tampered with the message. It reached you unmodified and only the ones that have the SECRET key it is signed with are able to perform that particular signature. UNTRUSTED means that although the message matches the signature, GnuPG cannot check whether the key belongs to the OWNER of the email address.

Learn more:


Everything after the slash

Masha says: “I itched to get their Google searches, but that was hard because Google had better security than every other service they visited – strong SSL certificates that hid everything after the slash, so all I could see from my vantage point was https://google.com/ – and then… nothing.”

This happens when you visit sites that use HTTPS (secure HTTP) and hence use SSL/TLS certificates. Even if somebody (in this case Masha) intercepts the traffic between you and your provider, they will see only the domain name of the server you are accessing. Everything else in your URL (search queries, usernames, etc.) will be hidden.

Learn more:


Executive order 12333

Executive Order 12333, signed on December 4, 1981 by U.S. President Ronald Reagan, was an Executive Order intended to extend powers and responsibilities of U.S. intelligence agencies and direct the leaders of U.S. federal agencies to co-operate fully with CIA requests for information.

Learn more:


EXIF metadata

Metadata stored in JPEG files that may include technical information about the photo like exposure, etc. and also geolocation of the photo if this feature is available (i.e. the photo is taken by a smartphone with GPS).

Learn more:


Exploit

A piece of software or a methodology (series of steps) that allows hackers to use a known vulnerability to get access to a target computer. More:


F


Facebook Tor Hidden Service

A site that allows access to Facebook through the Tor protocol. According to Alec Muffett “Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud. … it provides end-to-end communication, from your browser directly into a Facebook datacentre.” The address is facebookcorewwwi.onion, where .onion is the common top-level domain name for sites in the Tor network. You can enter this domain name in the Tor Browser’s address field. It won’t work in your normal (Chrome, Firefox, etc.) browser. More:


Faraday cage

An enclosure that blocks electromagnetic fields. Could be a room, a cabinet, a bag.

Learn more:


FOB

A Forward Operating Base (FOB) is any secured forward operational level military position, commonly a military base, that is used to support strategic goals and tactical objectives.

Learn more:


G


Garbage in, garbage out (GIGO)

This phrase was first used in November 1957 and is still quite popular among programmers and mathematicians. It’s related to the terms FIFO (first in, first out) and LIFO (last in, first out) that describe the behavior of the queue and stack data structures, respectively.

Learn more:


Google Glass

Smart glasses created by Google and first introduced in 2013. Masha calls them “long-abandoned”, but according to Wikipedia in 2017 and 2019 Google announced Google Glass Enterprise Edition and Enterprise Edition 2 respectively.

Learn more:


H


Hardware keylogger

A device that logs all keystrokes on a computer; it is used to capture passwords.

Learn more:


Hashing

Masha explains it pretty well in the book.

Learn more:


Hoberman sphere

An isokinetic structure patented by Chuck Hoberman that resembles a geodesic dome, but is capable of folding down to a fraction of its normal size by the scissor-like action of its joints.

Learn more:


Hyperbolic discounting

It is well explained by Ange in the book. Hyperbolic discounting refers to the tendency for people to increasingly choose a smaller-sooner reward over a larger-later reward as the delay occurs sooner rather than later in time.

Learn more:


I


IED

Improvised explosive device. More:


IMSI-catcher

A device that can pretend to be a cell phone base station and make all phones in close proximity connect to it (because its signal is stronger than that of the real cell towers, which are farther away). That way it is able to collect information about the connected phones, such as the IMSI (international mobile subscriber identity), etc. It is also able to intercept the phones’ traffic, voice and data, using a “man-in-the-middle” attack. Devices can be purchased online, as well as anti-IMSI-catchers. You can build one yourself, if you want (see the link below).

Learn more:


Infect your phone with WhatsApp message


Information Cascade

A pattern of information flow in which you can see how information or a decision coming from one person triggers a series of decisions or information passes by several other people.

Learn more:


J


Jersey barrier

A Jersey barrier, Jersey wall, or Jersey bump is a modular concrete or plastic barrier employed to separate lanes of traffic.

Learn more:


K


Kettling

A police tactic for controlling large crowds.

Learn more:


L


Lidar

“Light radar” – a device that uses laser light to scan an area and measure distances to objects, walls, etc. The name is also used as an acronym for “light detection and ranging” and “laser imaging, detection, and ranging”. In the book Masha uses a drone to get “lidar outlines of all the human in the space”.

Learn more:


LiveJournal

A social network platform created in 1999 that used to be popular before Facebook and Twitter. In 2007 it was sold to Russian media company SUP Media. Written in Perl.

Learn more:


M


MAC address

Masha automatically corrects her boss when she says: “max address”. MAC stands for “media access control”, and a MAC address is the low-level address assigned to a network card. Sometimes a MAC address is called a “physical address” or “hardware address”. It is usually represented as a series of hexadecimal numbers separated by colons, like this: 00:0a:95:9d:68:16. A MAC address usually identifies a physical device (computer or phone) pretty well (as opposed to an IP address, which can be different in different networks). A MAC address can be changed by the OS, but the change only stays until the next reboot.

Learn more:


Machine learning

Ange does a great job explaining machine learning as simply as possible.

Learn more:


Malware

Malicious software: software intentionally designed to cause damage to computer systems.

Learn more:


Malware attack on baseband radio

Baseband vulnerabilities give attackers the ability to monitor a phone’s communications, place calls, send premium SMS messages or cause large data transfers unbeknownst to the owner of the phone.

Learn more:


Man-in-the-middle attack

This is the category of attacks where the attacker inserts something into the transmission channel (voice, data, etc.) that can listen to the traffic and potentially alter it.

Learn more:


Microfiche

A sheet of flat film, 105x148 mm in size, that contains a set of microimages, usually of size 10x14 mm. It is used to store books, magazines, newspapers in a compact and durable form.

Learn more:


MIT Media Lab

A research lab at MIT famous for its inventions and projects in areas of human-computer interaction, artistic visualization, musical devices, sociable robots, etc.

Learn more:


MRE

The Meal, Ready-to-Eat – commonly known as the MRE – is a self-contained, individual field ration in lightweight packaging bought by the United States Department of Defense for its service members for use in combat or other field conditions where organized food facilities are not available.

Learn more:


MySpace

A social network that used to be the largest social networking site in the world (between 2005 and 2009).

Learn more:


N


NFC, Near-Field Communication

A set of protocols for communication between two electronic devices over a distance of 4 cm. Used in various types of key cards, passes, etc.

Learn more:


O


Openstreetmap

Wrongly called “Openstreetmaps” in the book. An open source alternative to Google Maps.

Learn more:


P


Paranoid Android

In the book it seems to be the Android-based OS for smartphones focused on security. The main feature of it is that you update it very often to make sure all known vulnerabilities are patched or at least there are no known exploits for them. Masha explains that you should always check the OS signatures to make sure you are actually installing the correct bits and not something created by the government hackers containing backdoors and loggers. Apparently there is such a project in real life, but it’s not specifically focused on security – it just uses the cool name.

Learn more:


ParanoidLinux

There is a project with this name (https://sourceforge.net/projects/linuxparanoid/) but it doesn’t seem to be active. Most likely what Masha means by ParanoidLinux is Tails (https://boingboing.net/2019/12/16/paranoid-linux-for-real.html).


Pastebin

A storage site where people can post pieces of code and other text information.

Learn more:


PGP

Pretty Good Privacy, a cryptographic method used for encrypting and digitally signing documents, emails, etc.

Learn more:


Public-private key cryptography

Again, Masha does a great job explaining the basics.

Learn more:


Pwned

Historically it’s a misspelling of the word “owned” (part of leetspeak); it is now used when somebody has compromised your device (phone, computer) or your data, so that you are pwned by the bad guys. There is a site called “Have I been pwned?” which allows you to check whether your personal data was leaked during one of the known data breaches.

Learn more:


PX

A type of retail store operating on United States military installations worldwide. Originally akin to trading posts, they now resemble department stores or strip malls. PX is US Army terminology. US Air Force uses Base Exchange (BX), US Navy uses Navy Exchange (NEX), Marine Corps calls it Marine Corps Exchange (MCX).

Learn more:


R


Raspi Altair 8800

Altair 8800 is one of the first personal computers which was introduced in 1974. For many people it has sentimental value – that’s why some people design and sell Altair emulators that use modern technologies such as Arduino and Raspberry Pi.

Learn more:


Red team

A red team is a group that helps organizations to improve themselves by providing opposition to the point of view of the organization that they are helping.

Learn more:


Regular expressions

A (smart) way to search for specific patterns or strings in text files. You can describe patterns like “one to three numbers followed by a dash followed by several capital letters, no more than 8.”

Learn more:


Reverse shell

A method to connect back to the attacking computer from the target computer. Because it is initiated from the target computer it can be a way to bypass a firewall or NAT service.

Learn more:


RFID (Radio-frequency identification)

A method of exchanging identification information over radio. It includes RFID tags and RFID readers. RFID tags can be passive (i.e. not containing any battery) and really cheap. They get the energy they need to operate from the reader that reads from them.

Learn more:


Riseup

Masha receives an email from Kriztina from her address at riseup.net. Riseup provides online communication tools for people and groups working on liberatory social change. We are a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications.


RPG

Not a Role-Playing Game (here). A rocket-propelled grenade (often abbreviated RPG) is a shoulder-fired missile weapon that launches rockets equipped with an explosive warhead. Fun fact: The term “rocket-propelled grenade” is a backronym; it stems from the Russian language РПГ which stands for ручной противотанковый гранатомёт (transliterated as “ruchnoy protivotankovy granatomyot”, which has the initials “RPG”), meaning “handheld anti-tank grenade launcher”, the name given to early Russian designs. Typical range is around several hundred meters.

Learn more:


S


Safe Hex

The rules for safe computing.

Learn more:


Shift-tilt miniature

Tilt–shift photography (Masha incorrectly calls it “shift-tilt”) is the use of camera movements that change the orientation or position of the lens with respect to the film or image sensor on cameras.

Sometimes the term is used when the large depth of field is simulated with digital post-processing; the name may derive from a perspective control lens (or tilt–shift lens) normally required when the effect is produced optically.

Learn more:


Signal

A communication application which is considered to be the most secure for end-to-end encryption. Trusted and used by Edward Snowden, Jack Dorsey, Bruce Schneier. It uses the open-source Signal protocol. Works on iOS, Android, Linux, macOS, Windows.

Learn more:


SIM-shaped tentacle

Most likely Masha uses a SIM extension cable similar to this: https://www.microsatacables.com/micro-sim-card-to-sim-card-extension-cable-msim-1175-ext


Stalkerware

Monitoring software or spyware that is used for stalking. The term was coined when people started to widely use commercial spyware to spy on their spouses or intimate partners.

Learn more:


Stylometry

A method to study linguistic style to find out who the author of the document is.

Learn more:


Sukey

Sukey is an organization which emerged in Britain on 28 January 2011, with the aim of improving communications among participants in the student demonstrations. Its immediate aim was to counteract the police tactics of kettling, by coordinating information electronically and transmitting it to the protesters, allowing them to avoid the police kettle.

Learn more:


T


Tails

A security-focused Linux distribution that aims at preserving privacy and anonymity. It usually loads from a live DVD or USB and provides a Linux environment that is based on the Tor network. Your browsing information is not stored anywhere unless you specifically instruct it to do so. Tails provides an emergency shutdown: when you pull the USB out of the slot, the system erases all computer memory and shuts itself down immediately.

Learn more:


Threat model

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized.

Learn more:


Tunnel out

To use an SSH tunnel to get secure access to a remote box. Usually you use SSH tunneling to bypass firewalls that prohibit certain Internet services. More:


U


Unique identifiers of tire-pressure sensors

Tire-pressure sensors installed on most cars have unique ID numbers configured at the factory. More:


USB Port Physical Lock

There are several variants of such a device that physically blocks access to the USB port. Some of them have keys, some should be physically destroyed to get access to the port. Examples:


USB stick with keypad

Probably Marcus uses something like this: https://www.amazon.com/Encrypted-Certified-Protection-Encryption-16G/dp/B07JNDW5H7/


Usenet

A “prehistoric” social network that was created around 1980. The name comes from the term “users network”. It was used for discussions and asking questions. It has a hierarchical structure of topics called “newsgroups”. Even before the Internet became widely available, it used the UUCP (Unix-to-Unix Copy) program to exchange posts and updates over telephone lines.

Learn more:


USG

USG is a USB firewall that can protect your computer from BadUSB.

Learn more:


Uslon prison

Apparently it’s an abbreviation from GULAG days, not a place: USLON: “Upravlenie Severnykh Lagerey Osobogo Naznacheniya”, Directorate of Northern Special-Significance Camps.

Learn more:


W


WAP (Wireless Application Protocol)

A protocol that was used by cell phones to access the Internet in the early 2000s. WAP browser is an application that can display text and pictures on the phone’s screen. It was used before smartphones became widely available because it could work with really small screens and low transmission speeds of that time.

Learn more:


X

XML (Extensible Markup Language)

A markup language used by many applications to store and exchange information and documents.

Learn more: