Mashapedia: Technologies of Attack Surface by Cory Doctorow

which allows hackers to exploit it. More:

Interactive games that are usually played in real world mixed with multimedia and online services. Usually they use stories that are created and controlled by game designers. More:

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. More:

An "adversarial perturbation" is a change to a physical object that is deliberately designed to fool a machine-learning system into mistaking it for something else. (from an article written by Cory Doctorow) More:

This and the following questions are part of the recommended procedure when interacting with police. More:

Masha uses USB to connect Tanisha’s phone to her laptop and manipulate software on her phone. She uses Android Developer’s mode and USB debugging for that. More:

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. Rootkits exist for different operating systems, including Android. Masha just discovered a rootkit on Tanisha’s phone. More:

Document anonymization tool written in Java. More:

Tools to protect oneself from IMSI-catchers. More:

An open source phone framework that can be used to build a Voice-over-IP or IP PBX system. Masha runs such a server on the cloud and uses it to route her calls. One of the examples: https://aws.amazon.com/marketplace/pp/Technology-Innovation-Lab-of-Texas-Asterisk-1770-A/B079Y7449R More:

A hidden method to access a computer or network device bypassing the normal authentication scheme, usually created as a part of the software running on that computer. More:

Obviously Masha still uses an old, centralized version control system like Subversion, and not more modern, decentralized Git. More:

It is a way to use the microcontroller embedded in a USB device to inject malware in your computer. The most dangerous thing about it is that all the work is done by that microcontroller, invisible to the target computer’s CPU. More:

It was confirmed that the software that controls the baseband radio on smartphones can be compromised and can allow attackers to control other smartphone devices such as camera and microphone. More (some papers are a bit dated, but it’s quite possible some vulnerabilities described in them still exist):

Is described in the US Army document "Intelligence Preparation of the Battlefield". More:

A method of statistical inference in which Bayes' theorem is used to update the probability for a hypothesis as more evidence or information becomes available. More:

A method that allows users to verify that the piece of software they use is exactly the same used by other users, i.e. it was not substituted by a compromised version. More:

Usually refers to the diagnostic lights on computer’s front panels (in the old days). The term derives from the famous text dated as far back as 1955.

ACHTUNG!
ALLES TURISTEN UND NONTEKNISCHEN LOOKENSPEEPERS!
DAS KOMPUTERMASCHINE IST NICHT FÜR DER GEFINGERPOKEN UND MITTENGRABEN! ODERWISE IST EASY TO SCHNAPPEN DER SPRINGENWERK, BLOWENFUSEN UND POPPENCORKEN MIT SPITZENSPARKEN.
IST NICHT FÜR GEWERKEN BEI DUMMKOPFEN. DER RUBBERNECKEN SIGHTSEEREN KEEPEN DAS COTTONPICKEN HÄNDER IN DAS POCKETS MUSS.
ZO RELAXEN UND WATSCHEN DER BLINKENLICHTEN.

A blogging platform owned by Google. Created in 1999 by Pyra Labs. Written in Python. More:

A piece of software which normally starts at the early stages of computer start-up process, after executing the BIOS, but before the operating system starts. Its purpose is to load the operating system (hence the name). Bootloader integrity check is important to avoid a "boot attack": type of attack that replaces the original bootloader and installs a bootloader that can intercept passwords, including those used for hard drive encryption. More:

Masha says she played this “game” with Kriztina and her friends. The point is to distinguish bots from real people in social networks. Apparently, it’s not that easy, if you read the Twitter’s blog post below. There are online tools that can help with that, but they very accurate. More:

A lightweight software suite with a set of Linux/Unix commands that is used in embedded devices (list: https://busybox.net/products.html). Can be downloaded and executed as a single binary (size ~1 MB). More:

Masha explains it pretty well: there are pieces of malware that can be executed on systems running BusyBox. More:

A wiretapping bill, passed in 1994, as Masha explains it. More:

COINTELPRO (syllabic abbreviation derived from COunter INTELligence PROgram) (1956–present) is a series of covert and illegal projects conducted by the United States Federal Bureau of Investigation (FBI) aimed at surveilling, infiltrating, discrediting, and disrupting American political organizations. More:

A type of camouflage used to hamper facial recognition software, inspired by dazzle camouflage used by warships. More:

A method or tool that allows the caller to pretend that the call is coming from a different number. Masha uses it to read friends' voicemails pretending she is calling from their numbers. Scammers use this method to pretend they are calling from the same area code — that way there is more chances that you pick the call. Sometimes scammers even pretend they are calling from the actual 800-number which belongs to IRS. More:

Different keys on the keyboard produce slightly different sounds so the recorded acoustic pattern of you typing in your password can be used to guess it. That’s why Masha does “medium-loud AAAAAH” when typing her password. More:

A laboratory based at University of Toronto which works on protecting human rights and privacy in cyberspace. More:

CryptoParty (Crypto-Party) is a grassroots global endeavor to introduce the basics of practical cryptography such as the Tor anonymity network, key signing parties, disk encryption and virtual private networks to the general public. The project primarily consists of a series of free public workshops. More:

Most likely Masha means this report: https://darkcubed.com/iot-security-technical. Short versions:

A mask that allows you to trick facial-recognition software into thinking you are not human. They may use reflective tapes, infrared lights, lenses, etc. More:

A system of book keeping where every entry to an account requires a corresponding and opposite entry to a different account. The double-entry has two equal and corresponding sides known as debit and credit. More:

Surveillance Self-Defense is a digital security guide that teaches you how to assess your personal risk from online spying. It can help protect you from surveillance by those who might want to find out your secrets, from petty criminals to nation states. More:

Electroluminescent wire is a thin copper wire coated in a phosphor that produces light through electroluminescence when an alternating current is applied to it. More:

Metadata stored in JPEG files that may include technical information about the photo like exposure, etc. and also geolocation of the photo if this feature is available (i.e. the photo is taken by a smartphone with GPS). More:

In the email header from Kriztina there is a phrase:

Enigmail UNTRUSTED good signature from Kriztina <kriztinak@riseup.net>

GOOD means that Enigmail verified that the mail content matches the
signature. Nobody tampered with the message. It reached you unmodified
and only the ones that have the SECRET key it is signed with are able
to perform that particular signature.
UNTRUSTED means that although the message matches the signature, GnuPG
cannot check whether the key belongs to the OWNER of the email address.

Masha says: "I itched to get their Google searches, but that was hard because Google had better security than every other service they visited — strong SSL certificates that hid everything after the slash, so all I could see from my vantage point was https://google.com/ — and then…​ nothing."

Executive Order 12333, signed on December 4, 1981 by U.S. President Ronald Reagan, was an Executive Order intended to extend powers and responsibilities of U.S. intelligence agencies and direct the leaders of U.S. federal agencies to co-operate fully with CIA requests for information. More:

A piece of software or a methodology (series of steps) that allows hackers to use a known vulnerability to get access to a target computer. More:

A Forward Operating Base (FOB) is any secured forward operational level military position, commonly a military base, that is used to support strategic goals and tactical objectives. More:

A site that allows access to Facebook through the Tor protocol. According to Alec Muffett "Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud. …​ it provides end-to-end communication, from your browser directly into a Facebook datacentre." The address is facebookcorewwwi.onion where .onion is the common top-level domain name for sites in Tor network. You can enter this domain name in the Tor Browser’s address field. It won’t work in your normal (Chrome, Firefox, etc.) browser. More:

An enclosure that blocks electromagnetic fields. Could be a room, a cabinet, a bag. More:

Fibonacci numbers, the sequence where each next number is a sum of the two previous. They have a lot of interesting features, they are found in nature, etc. More:

A branch of mathematics that studies different strategies in various types of games. Games here are played in different fields such as economics, social studies, etc. More:

This phrase was first used in November 1957 and is still quite popular among programmers and mathematicians. It’s related to the terms FIFO (first in, first out) and LIFO (last in, first out) that describe the behavior of the queue and stack data structures, respectively. More:

Smart glasses created by Google and first introduced in 2013. Masha calls them “long-abandoned”, but according to Wikipedia in 2017 and 2019 Google announced Google Glass Enterprise Edition and Enterprise Edition 2 respectively. More:

So far there are only several reports of such hacks and none of them has turned violent yet. But still some possibilities are described in this paper:

A device used to log all keystrokes on a computer which is used to capture passwords. More:

Masha explains it pretty well in the book. More:

An isokinetic structure patented by Chuck Hoberman that resembles a geodesic dome, but is capable of folding down to a fraction of its normal size by the scissor-like action of its joints. More:

It is well explained by Ange in the book. Hyperbolic discounting refers to the tendency for people to increasingly choose a smaller-sooner reward over a larger-later reward as the delay occurs sooner rather than later in time. More:

Improvised explosive device. More:

A device that can pretend to be a cell phone base station and make all phones in the nearest proximity to connect to it (because its signal stronger than the real cell towers that are farther away). That way it will be able to collect all information about the connected phones such as IMSI (international mobile subscriber identity), etc. Also it will be able to intercept phones' traffic, voice and data using "man-in-the-middle" attack. Devices can be purchased online, as well as anti-IMSI-catchers. You can build one yourself, if you want (see the link below). More:

A pattern of information flow when you can see how information or decision coming from one person triggers the series of decisions or information passes from several other persons. More:

A Jersey barrier, Jersey wall, or Jersey bump is a modular concrete or plastic barrier employed to separate lanes of traffic. More:

A police tactic for controlling large crowds. More:

"Light radar" — a device that used laser light to scan the area and measure distances to objects, walls, etc. It is also used as an acronym of "light detection and ranging" and "laser imaging, detection, and ranging". In the book Masha uses a drone to get "lidar outlines of all the human in the space". More:

A social network platform created in 1999 that used to be popular before Facebook and Twitter. In 2007 it was sold to Russian media company SUP Media. Written in Perl. More:

Masha automatically corrects her boss when she says: “max address”. MAC stands for “media access control” and MAC address means the low-level address assigned to a network card. Sometimes MAC address is called “physical address” or “hardware address”. Usually it is represented as a series of hexadecimal numbers separated by colons, like this: 00:0a:95:9d:68:16. Usually MAC address identifies a physical device (computer or phone) pretty well (as opposed to IP address that could be different in different networks). MAC address can be changed by the OS, but that only stays until the next reboot. More:

A research lab at MIT famous for its inventions and projects in areas of human-computer interaction, artistic visualization, musical devices, sociable robots, etc. More:

Mine-Resistant Ambush Protected is a term for United States military light tactical vehicles produced as part of the MRAP program that are designed specifically to withstand improvised explosive device (IED) attacks and ambushes. More:

The Meal, Ready-to-Eat – commonly known as the MRE – is a self-contained, individual field ration in lightweight packaging bought by the United States Department of Defense for its service members for use in combat or other field conditions where organized food facilities are not available. More:

Ange does a great job explaining machine learning as simple as possible. More:

Malicious software: software intentionally designed to cause damage to computer systems. More:

Baseband vulnerabilities give attackers the ability to monitor a phone’s communications, place calls, send premium SMS messages or cause large data transfers unbeknownst to the owner of the phone. More:

This is the category of attacks where the attacker injects something in the transmission channel (voice, data, etc.) that can listen to the traffic and potentially alter the traffic. More:

A sheet of flat film, 105x148 mm in size, that contains a set of microimages, usually of size 10x14 mm. It is used to store books, magazines, newspapers in a compact and durable form. More:

A social network that used to be the largest social networking site in the world (between 2005 and 2009). More:

A set of communication protocols for communication between two electronic devices over a distance of 4 cm. Used in various types of key cards, passes. etc. More:

Wrongly called "Openstreetmaps" in the book. An open source alternative to Google Maps. More:

Pretty Good Privacy, a cryptographic method used for encryption and digital signing documents, emails, etc. More:

A type of retail store operating on United States military installations worldwide. Originally akin to trading posts, they now resemble department stores or strip malls. PX is US Army terminology. US Air Force uses Base Exchange (BX), US Navy uses Navy Exchange (NEX), Marine Corps calls it Marine Corps Exchange (MCX). More:

In the book it seems to be the Android-based OS for smartphones focused on security. The main feature of it is that you update it very often to make sure all known vulnerabilities are patched or at least there are no known exploits for them. Masha explains that you should always check the OS signatures to make sure you are actually installing the correct bits and not something created by the government hackers containing backdoors and loggers. Apparently there is such a project in real life, but it’s not specifically focused on security — it just uses the cool name. More:

There is a project with this name (https://sourceforge.net/projects/linuxparanoid/) but it doesn’t seem to be active. Most likely what Masha means by ParanoidLinux is Tails (https://boingboing.net/2019/12/16/paranoid-linux-for-real.html).

A storage site where people can post pieces of code and other text information. More:

Plausible deniability is the ability of people, typically senior officials in a formal or informal chain of command, to deny knowledge of or responsibility for any damnable actions committed by others in an organizational hierarchy because of a lack or absence of evidence that can confirm their participation, even if they were personally involved in or at least willfully ignorant of the actions. If illegal or otherwise-disreputable and unpopular activities become public, high-ranking officials may deny any awareness of such acts to insulate themselves and shift the blame onto the agents who carried out the acts, as they are confident that their doubters will be unable to prove otherwise. The lack of evidence to the contrary ostensibly makes the denial plausible (credible), but sometimes, it makes the denial only unactionable. More:

Again, Masha does a great job explaining the basics. More:

Historically it’s a misspelled word “owned” (part of leetspeak) which is now used when somebody compromised your device (phone, computer) or your data and now you are pwned by bad guys. There is a site called “Have I been pwned?” which allows you to check if your personal data was leaked during one of the known data breaches. More:

A method of exchanging identification information over radio. It includes RFID tags and RFID readers. RFID tags can be passive (i.e. not containing any battery) and really cheap. They get the energy they need to operate from the reader that reads from them. More:

Not a Role-Playing Game (here). A rocket-propelled grenade (often abbreviated RPG) is a shoulder-fired missile weapon that launches rockets equipped with an explosive warhead. Fun fact: The term "rocket-propelled grenade" is a backronym; it stems from the Russian language РПГ which stands for ручной противотанковый гранатомёт (transliterated as "ruchnoy protivotankovy granatomyot", which has the initials "RPG"), meaning "handheld anti-tank grenade launcher", the name given to early Russian designs. Typical range is around several hundred meters. More:

Altair 8800 is one of the first personal computers which was introduced in 1974. For many people it has sentimental value — that’s why some people design and sell Altair emulators that use modern technologies such as Arduino and Raspberry Pi. More:

A red team is a group that helps organizations to improve themselves by providing opposition to the point of view of the organization that they are helping. More:

A (smart) way to search specific patterns or strings in text files. You can describe patterns like "one to three numbers followed by a dash followed by several capital letters, no more than 8." More:

A method to connect back to the attacking computer from the target computer. Because it is initiated from the target computer it can be a way to bypass a firewall or NAT service. More:

Masha receives an email from Kriztina from her address at riseup.net. Riseup provides online communication tools for people and groups working on liberatory social change. We are a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications.

Most likely Masha uses a SIM extension cable similar to this: https://www.microsatacables.com/micro-sim-card-to-sim-card-extension-cable-msim-1175-ext

The rules for safe computing. More:

Not a CCTV camera produced by Shenshen Sectec Co. (http://www.sectec.com.cn/)

More:

Tilt–shift photography (Masha incorrectly calls it “shift-tilt”) is the use of camera movements that change the orientation or position of the lens with respect to the film or image sensor on cameras.

A communication application which is considered to be the most secure for end-to-end encryption. Trusted and used by Edward Snowden, Jack Dorsey, Bruce Schneier. It uses the open-source Signal protocol. Works on iOS, Android, Linux, macOS, Windows More:

Monitoring software or spyware that is used for stalking. The term was coined when people started to widely use commercial spyware to spy on their spouses or intimate partners. More:

A method to study linguistic style to find out who the author of the document is. More:

Sukey is an organization which emerged in Britain on 28 January 2011, with the aim of improving communications among participants in the student demonstrations. Its immediate aim was to counteract the police tactics of kettling, by coordinating information electronically and transmitting it to the protesters, allowing them to avoid the police kettle. More:

A security-focused Linux distribution that aims at preserving privacy and anonymity. It usually loads from a live DVD or USB and provides Linux environment that is based on Tor network. Your browsing information is not stored anywhere unless you specifically instruct it to do so. Tails provides an emergency shutdown: when you pull the USB out of the slot, the system erases all computer memory and shuts itself down immediately. More:

Masha calls it “technology debt”, but “technical debt” is more common. Masha explains it pretty well: sometimes you create a solution to quickly achieve your short-term goals, but in the long run this solution keeps you from doing it the “right way”. The longer you postpone re-doing it properly, the bigger it grows and the harder it is to “pay off” your technical debt. More:

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized. More:

By using the Tor Browser you can visit web sites without letting them know your location or your actual IP address. More about Tor (including questions "is it legal?"):

To use an SSH tunnel to get secure access to a remote box. Usually you use SSH tunneling to bypass firewalls that prohibit certain Internet services. More:

There are several variants of such a device that physically blocks access to the USB port. Some of them have keys, some should be physically destroyed to get access to the port. Examples:

Probably Marcus uses something like this: https://www.amazon.com/Encrypted-Certified-Protection-Encryption-16G/dp/B07JNDW5H7/

USG is a USB firewall that can protect your computer from BadUSB. More:

Masha explains it very well. Apparently, there are “Ulysses pact” applications and other technologies to help you keep your promises. More:

Tire-pressure sensors installed on most of the cars have unique ID numbers configured at the factory. More:

A "prehistoric" social network that was created around 1980. The name comes from the term "users network". It was used for discussions and asking questions. It has a hierarchical structure of topics called "newsgroups". Even before Internet became widely available it used UUCP (Unix-to-Unix Copy) program to exchange posts and updates over telephone lines. More:

Apparently it’s an abbreviation from GULAG days, not a place: USLON: "Upravlenie Severnykh Lagerey Osobogo Naznacheniya", Directorate of Northern Special-Significance Camps More:

A protocol that was used by cell phones to access the Internet in the early 2000s. WAP browser is an application that can display text and pictures on the phone’s screen. It was used before smartphones became widely available because it could work with really small screens and low transmission speeds of that time. More:

A markup language used by many applications to store and exchange information and documents. More:

Usually spelled entirely in caps, this abbreviation originates from the typo you get when you strike the shift key in order to type OMFG, but you miss and hit the z instead. From here: