It seems like only yesterday that I connected The Smith Agent to my Twitter account, perhaps more out of curiosity than out of wanting to do something useful, and today the account has exceeded 200,000 tweets 🙂
How fast these kids grow up!
To celebrate the milestone I decided to write an update to the previous post, in which I told a little about what happens under the hood of the project.
Let’s talk a little about the various components that make up the project.
Zefiro collects information related to internet domains. This process leads to the production of lists of recently registered domains.
Scirocco collects information from Certificate Transparency Logs. This information is useful for identifying new domains and subdomains.
Watson uses Certificate Transparency Logs data to identify domains registered in the last few hours. For its operation this component uses agents distributed in various datacenters around the world.
Miniluv uses data from Zefiro, Scirocco and Watson to select new domains and distribute this information to subscribers, both internal and external to the solution.
Smith Core orchestrates the functioning of the Smith agents by dividing the work on the various distributed components.
Hammer takes care of keeping monitoring active on sites that have some characteristics and that are therefore entrusted to its care.
The Smith agents are in charge of checking the context of the domain, the hosting and the contents that the site displays. This information helps to create a score that identifies the possible danger of the site. If the threat is identified with certainty, the Twitter report will carry the words “Threat …”; if the threat is in doubt the words will be “Possible threat …”. For its operation this component uses agents distributed in various datacenters around the world.
All these components are based on .NET (Framework and Core), the databases are managed by SQL Server. The operating systems used are Windows 2019 and Linux Ubuntu.
One of the main objectives of the platform is the collection of phishing kits and malware.
Currently these files are saved but in the future (hopefully near) they will be shared to create IoCs and datasets to be used for training artificial intelligence models useful for improving threat discovery techniques. The idea is to improve the ability to discover threats using the information contained in threats already discovered.
Another future evolution of the platform will be the integration with email services to report malicious and compromised accounts in order to reduce damage and speed up investigations, as is already the case with some service providers or partners who deal with managing these reports when relevant to them.
The project starts from the desire to monitor the Internet in search of threats but also in search of situations that are not correlated with each other but which, with time or with support, may be at the basis of larger and currently unpredictable phenomena.
The first phase of the project deals with timely monitoring: the solution monitors the domains that are registered, collects information on registrations and hosting and checks the contents of the sites. This step allows you to quickly identify the different types of cyber threats. The collected data can be used for investigations and analyses.
When a threat (present or probable) is identified, this is reported to security companies who send it to the specific blacklist and then a tweet is produced which is published on my profile: https://twitter.com/ecarlesi
The analysis of the data collected during this phase can be used as a history to identify patterns that allow forecasts on future scenarios.
The second phase of the project aims to produce evidence of phenomena deriving them from patterns discovered by the analysis performed by the components operating in phase one.
Currently, approximately 250000-300000 second-level domains are registered every day. Many of these domains are used to carry out cyber threats: spam, phishing, c2c, etc.
The information that can be acquired through the WHOIS service is not really useful in most cases. In fact, due to the anonymization options, the data are too generic and do not allow the real owner of the domain to be traced.
The only fact that is currently taken into account by the solution is the company that registered the domain.
Not all providers have the same reputation. Users who make massive registrations, for example, tend to use cheaper providers who therefore see their reputation lower than others and consequently we attribute a lower initial score to registrations made with these companies.
Another indicator that is taken into consideration by the solution is that linked to the SSL certificate, its issuer and its duration.
This first information collected contributes to the production of a score that is associated with each domain. This score is added to that produced by the subsequent phases and thus contributes to the overall evaluation of the domain.
The main analysis phase is the one where the contents of the website are analyzed. The contents are downloaded and analyzed to verify that there is clearly dangerous or potentially dangerous content. The verification of the contents is based on a database of signatures which is enriched daily and which in the future will be able to learn from the analysis history.
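The additive scoring described above, as an added example in Python; it is not the platform's own code, which is .NET and is not shown on this page. A lower score means more suspicious, as in the text, and every registrar name, issuer name, weight, threshold and signature here is a constructed assumption.

```python
import re
from urllib.parse import urlparse

# Every name, weight and threshold below is a constructed assumption.
REGISTRAR_PENALTY = {"bulk-cheap.example": -30, "established.example": 0}
UNKNOWN_REGISTRAR_PENALTY = -10
ISSUER_PENALTY = {"Constructed Free CA": -10}
SHORT_LIVED_DAYS, SHORT_LIVED_PENALTY = 90, -10
POSSIBLE_THRESHOLD = -60  # total at or below this, with a content hit: "Possible threat"
WATCH_THRESHOLD = -40     # context alone at or below this: monitor more closely

def offsite_password_form(domain, html):
    """True when a page with a password field posts a form to another host."""
    if not re.search(r'type=["\']?password', html, re.I):
        return False
    for action in re.findall(r'<form[^>]*\baction=["\']([^"\']+)', html, re.I):
        host = urlparse(action).hostname  # None for relative (same-site) actions
        if host and host != domain and not host.endswith("." + domain):
            return True
    return False

def login_title(domain, html):
    return bool(re.search(r"<title>[^<]*(sign in|log ?in)[^<]*</title>", html, re.I))

# (name, check, penalty, conclusive): constructed content signatures.
SIGNATURES = [("offsite-password-form", offsite_password_form, -70, True),
              ("login-title", login_title, -20, False)]

def evaluate(domain, registrar, cert_issuer, cert_days, html):
    """Sum the registration/certificate score and the content score, then label."""
    ctx = REGISTRAR_PENALTY.get(registrar, UNKNOWN_REGISTRAR_PENALTY)
    ctx += ISSUER_PENALTY.get(cert_issuer, 0)
    if cert_days <= SHORT_LIVED_DAYS:
        ctx += SHORT_LIVED_PENALTY
    hits = [(n, p, c) for n, check, p, c in SIGNATURES if check(domain, html)]
    total = ctx + sum(p for _, p, _ in hits)
    if any(c for _, _, c in hits):
        label = "Threat"            # a conclusive signature matched
    elif hits and total <= POSSIBLE_THRESHOLD:
        label = "Possible threat"   # weak content evidence plus poor context
    else:
        label = None                # nothing to report
    return {"score": total, "label": label, "hits": [n for n, _, _ in hits],
            "watch": label is None and ctx <= WATCH_THRESHOLD}

# Constructed samples: (domain, registrar, cert_issuer, cert_days, html).
WEAK = ("bulk-cheap.example", "Constructed Free CA", 90)
PHISH = ("secure-login-update.example", *WEAK, '<title>Sign in</title><form '
         'action="https://collector.example.net/post.php"><input type="password"></form>')
DOUBT = ("portal-account.example", *WEAK,
         '<title>Log in</title><form action="/session"><input type="password"></form>')
PARKED = ("newshop.example", *WEAK, "<title>Coming soon</title>")
LEGIT = ("intranet.example", "established.example", "Other CA", 365, DOUBT[4])
```

The same login page yields "Possible threat" on a weak registration context (`DOUBT`) and no report on a strong one (`LEGIT`), which is the point of adding the two scores rather than judging content alone.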
The solution is based on several underlying systems which interact to implement the required logic. The following paragraphs describe the main systems and their roles.
Zefiro
The Zefiro project was born from the idea of having active monitoring of the domains that are registered. This monitoring allows you to “see what happens in the world” before this actually happens (the purchase of the Internet domain, in fact, turns out to be one of the first activities that are carried out when starting a project). The project fulfills this requirement: to receive notification of domains that are registered in a short time, on average a few (10-16) hours.
This component was developed using .NET Framework 4.7 and runs on Windows 2019 using a SQL Server 2019 database. The evolution of this project will be in its rewrite using .NET Core.
Currently the component writes its logs into files. In the future, these files will have to flow into a logs management platform to allow more immediate monitoring and the creation of alerts in the face of logged events.
Miniluv
This project uses information related to the domain (domain name, WHOIS, HTTPS certificate and more) to associate a risk score to each domain name. This score is used later to alter the normal monitoring mode. The domains with a score below a certain threshold are sent via a notification to the subscribers of a specific mailing list.
This component was developed using .NET Framework 4.7 and runs on Windows 2019 using a SQL Server 2019 database. The evolution of this project will be in its rewrite using .NET Core.
Currently the component writes its logs into files. In the future, these files will have to flow into a logs management platform to allow more immediate monitoring and the creation of alerts in the face of logged events.
Smith
The Smith project implements the logic of monitoring and orchestrates the agents who perform the scans. Each scan produces a report which is saved by Smith and used for statistics and future model training.
The sending of reports to companies in the sector concludes the processing phase in the event that a threat (current or probable) is found. The report is then converted into a tweet and posted to my Twitter account.
The Server component was developed using ASP.NET Core and runs on Linux machines using a SQL Server 2019 database. We currently have three instances in three virtual machines managed by the same physical host. In the future, these services will need to be on physical hardware to improve performance.
The Agent component was developed using .NET Core and runs on Linux machines. Communication with servers takes place via HTTPS calls. We currently have nine instances each on a dedicated virtual machine. The machines are spread across two providers on four continents. The current load on these machines is 90% and to stay below this threshold it was necessary to limit some components, penalizing overall performance.
Currently the component writes its logs into files. In the future, these files will have to flow into a logs management platform to allow more immediate monitoring and the creation of alerts in the face of logged events.
Let me say right away that I have nothing against Fastweb, quite the opposite; it is my favorite provider and this post mentions Fastweb only as an example.
I noticed that Fastweb sends SMS messages containing links to its own site. In my opinion this way of communicating is not right, above all because it tends to teach its users bad habits.
Since we know well that users tend not to understand who is writing to them and at the same time love to click compulsively on any link that appears, I think it would be better to avoid sending links that reinforce this unhealthy tendency.
I think it would be wiser to commit to never sending links to one's users and to remind them of this, perhaps by closing every communication with a sentence like “Remember that we will never send you links, so you should never open links that you think may have come from us”. At least, in case of an incident, one will be able to tell the customer “we told you so”.
Obviously, in order to stop sending links to one's users it will be necessary to have a working website and, above all, one with a search engine that does its job.
After trying a couple of cases for my YI Action Cam I decided to try to print one for use with the GoPro chest mount.
With the classic one that you buy on Amazon, while recording mountain bike videos, I experienced two problems: a loud background rustle and a limit in the useful inclination.
Using the classic case, the sound problem I think is due to a rustling that occurs inside the case. Using this printed case leaves the microphone exposed instead.
Talking about “good” referring to a pandemic may be out of place but I am firmly convinced that there is good in everything.
I think the good thing about this pandemic lies in the demonstration that we are insignificant to the universe.
We are fragile beings whose existence hangs by a thread; faced with serious problems there are no weapons, supremacies or gods to help us. We have to help ourselves.
We must improve and be more efficient, more educated and progressive. Only progress can save us.
I really like the project, especially the filter fixing mechanism, it is very robust and does not require you to touch the inside of the mask. The opening is very wide and the filter allows a good air flow. From this point of view it seems to me the best. Completed the print, the mask is very clean and does not require cleaning or further activities.
However, there are two (really) minor problems: it is the slowest to print and (at least on my face) it does not have an excellent seal. The first one is not a problem, the second one is easily solved with a little rubber positioned as a gasket.
With the outbreak of the COVID-19 pandemic it has become very difficult to find masks here in Italy. I read that in some countries toilet rolls have disappeared from the shelves, in the bad luck I was lucky, 3D printing a mask is certainly easier than printing a roll of toilet paper and the result will not be painful!
Having no experience in the medical field, I decided first of all to study a little to understand how a mask works and which are the best materials to use, especially as regards the filter material. The masks that I produced and of which I write here are in PLA, there are better materials as we will see later, for these tests, however, this material has proved more than suitable.
What I report here is personal experience, a homemade experiment, do not entrust your health to these tests!
First of all I invite you to read some articles that have been useful to understand a little better what a mask is and how it works:
Before I started designing a mask from scratch I searched the Internet for some existing projects. I found several ready-made projects, some good, some a little less. Since I am not going to criticize the work of people who have worked to help us, in this article I report my experiences with the projects that I think are the best and that I can recommend.
The first project is that of Copper 3D. The project is done very well and the site illustrates the problems and many solutions well, there are many tips and that’s why I have listed it in the list above. I advise you to take a careful look at it. Copper 3D guys recommend printing this mask with PLACTIVE®️ and MDflex®️ and not with PLA for several good reasons. As said before I used the PLA but shortly I want to buy a roll of the recommended material and proceed as recommended. The project is very well done and once printed the template is immediately very robust. The printing phase required a bit of work, since with my Dremel I had to print the supports and this produced an object from which a lot of support material had to be removed. Despite the post-printing cleaning phase, a lot of material still remains inside the mask.
I tried to print without support (knowing it would make a mess) but it didn’t work. The mask has two lateral supports for the elastic that are very wide but not printable with my Dremel without the print supports. I therefore decided to modify the project to change the supports for the elastic bands, making them compatible with my printer and allowing me to print without printing support. In addition to the supports I added a hole in the surface of the filter to improve the air flow.
During my tests I created a post on my Facebook account to share my experience and at a certain point my big friend Milko told me about the project he was using. He sent me the project and I printed it. It is an excellent project, very simple and quick to print, does not require post-print cleaning and is also comfortable to wear. The only thing that would perhaps be useful is to add a gasket on the edge to improve the seal and make it even more comfortable.
After trying 6 models of masks and having found two valid ones, I decided to move on to the more complicated and delicate phase, the choice of material to build the filter. After studying the problem throughout Saturday, the choice fell on Miele HyClean bags for vacuum cleaners. I bought them on Amazon and they arrived the next day. There are 5 bags inside the package and with each one you should be able to make at least 30 filters. The only precaution to keep when cutting the filters is to leave at least 3-4 millimeters of access, so that you can position it comfortably within the space that both masks provide. The installation of the filter takes a few seconds and is very easy.
As I said before, I am not familiar with biological viruses (I’m much more skilled with computer viruses), however this experience has made me reflect on the fact that changing the filters requires a minimum of attention. The filter we remove from the mask is potentially contaminated, so it is necessary to remove it without touching it with bare hands and throw it in a safe place to avoid contaminating the environment. After disassembling the used filter, before assembling the new one, I think it may be wise to clean the mask. You can do it in different ways: the first (and in my opinion more comfortable) is to put it in the microwave oven (I tried for a minute and the mask has not been damaged), the second is using some disinfectant (alcohol or other). Since I am not familiar with disinfectants, I invite you to look elsewhere for the best solution. The only suggestion I can give is that if you decide to use alcohol, wash it well afterwards!
Once the mask is printed and the filter is mounted, the last step is to mount the elastic bands. At the beginning I wanted to use the classic flat elastic used for bras, unfortunately on Amazon I did not find anything with fast delivery (it would arrive in 2-3 weeks, at least). So I decided to use something I had at home. After a few minutes of research, a two-centimeter-tall elastic appeared so I finished the masks.
Once you put on the mask with the filter you immediately notice the difference in how easily you can inhale. In fact, at the beginning the situation was annoying and it reminded me of the first time I did a scuba dive. You have to give yourself five minutes to get used to it. After a while you get used to it. In these days I have tried the two models on the rare occasions when I left the house to take the dogs for a walk or to do the shopping. The tests lasted 1-2 hours, in this period I have always kept the masks and I have not encountered any problems (apart from talking on the phone).
I hope this report of my experience will be useful to you. It served me to learn something new and also to distract me a little in this quarantine period.
For advice, suggestions or anything else you can write to me using the references on the side.
Update – 11/04/2020
To make the mask more comfortable I inserted a sponge seal; in addition to improving comfort, this also improves the seal.