Not only that, but he got me in touch with Spectrum and we had a sit down on how to link up the router to broadcast attackers back to Spectrum’s firewalls.  I must say, the past 2 weeks have been an absolute success.

Have a look at this.

This shows a few important things.  Firstly, you can see our ISP begin to throttle the incoming packets to hold the connection below 1gps so that our modem is never flooded.  Because net neutrality no longer exists, Spectrum Business now throttles connections from networks with poor reputations or known black holes and use a stricter RP Filter which means they’re aggressively fighting people that spoof IP addresses to carry out attacks.

I show a great example of the reputation filtering when I speed test the network based on the .com domain vs the .edu domain.  Edu and Gov are considered trustworthy networks and given the highest priority.  During the 100Gbps DDOS you can see that Spectrum allows about 5Mbps to come through from their own IP and over 200Mbps to come through on Duke’s network.

The second thing you see is even at 100,000 packets per second, the router still responds lightning fast.  The last router would choke at about 20,000 packets per second before the single core 600Mhz CPU maxed itself out at 100%.  At 100,000 PPS, this router’s 4 1.9Ghz cores are only at about 5% utilization.

I’ve tried a lot of attacks on this beast, and so far, I haven’t found any attack that will bring it down which is why I’m going to be deploying this router for our company.  I was an idiot and left it for about 2 days unsecured, but the only 2 things plugged directly into it was my home router and the printer.  So someone did get into it and reset the configuration as well as disable the printer’s network interface.  Easy enough to fix – quick restore on the router and re-enabling the printer’s interface and it was back up and running in about 3 minutes.

I believe that in the future this will make our company much harder to take offline.

The post New Router Testing appeared first on The Blog of Michael Wells.

Before I even start I want to make a few things clear.  First of all, I do not believe that any conservative or libertarian sent these bombs.  Usually, when a conservative sets out to do something, he or she does it.  Likewise, a libertarian is more likely to walk up and make it known what he or she is doing.

There are several things that lead me to believe this.  First of all, there were no post marks on the package which means the stamps were not voided.  This is very uncharacteristic of the US Post Offices.  Packages are postmarked at the office in which they are sent from.  Without this post mark, no other post office will relay the mail.  But even at that, the stamps don’t add up.  Aside for them being different sizes, they’re not accurate for the apparent weight of a pipe bomb.

Also, just today an astute twitter user found something interesting about one of the images CNN posted of the bomb.  It contains the ISIS flag.

But what if a conservative or Trump supporter did this?  Are they wrong?  Well, yes, but no.  Let’s sit down and think for a moment what conservatives have endured for the past two years:

• Beatings Antifa – Check
• Rape from BLM – Check
• Murder from both – Check

The fact is, conservatives and Trump supporters are persecuted in this county by the very violent left.  What’s worse, is main stream news doesn’t want to report this violence and if they do, it’s downplayed.  Instead of riots being called riots, they are called “protests” as if they were peaceful at any point in time.  For example, The Berkeley Riot was called a “protest” by almost every main stream news outlet, yet one of the “protesters” killed a a Milo fan by stabbing them to death.  Just four days ago a black male was shot to death because he joked about voting for Trump.  That bears repeating, he was murdered in cold blood because the attacker thought he was serious when he said he voted for Trump.

This is the first time in modern US history that a political party had to fear death for voting for a president.   The last time this happened, there was a war to free slaves.   Just like the last time, it was the Democrats perpetuating the violence.

So what if this is “as-is”?  What if a conservative or libertarian sent the bombs?  Well, the first thing we have to keep in mind is that not a single one detonated and the bombs were most obviously missing the trigger mechanisms (intentionally).

This is where I step in and remark, violence begets violence.  If conservatives and libertarians are actually pushing back, I salute them.   The moment an organized party, under orders from leaders (ie. “when they go low, kick them” or “there will be no civility”) to be violent to subvert the voting process or to persecute political dissidents, they have identified themselves as enemy combatants of the United States Constitution.  As a US Army Veteran, I’m compelled to state, for fact, that it is our duty to do exactly this.

The post The Serial Bomber and My Opinion appeared first on The Blog of Michael Wells.

We were relentlessly DDOSed for weeks.  The attacker contacted me several times during this time through alternative communications and even telephone.  All mediums used anonomyzers to hide his identity.  This was a game-changer for me.  Being Signal Corps in the US Army, combating network intrusions was my forte and I was over-confident in my company’s network security.  The servers and network was hardened very well, meaning that our client’s data was safe.  I had never anticipated that the network infrastructure available to my state was a single-point-of-failure or that a law would cripple my ability to defend against such an attack.

What is a DDOS attack?  DDOS stands for “Distributed Denial of Service” and is the big brother of the DOS attack or “Denial of Service”.  It’s important to first understand what DOS means before we get into what a DDOS is.  DOS’s are attacks from a single point which causes an information system to be unable to service other users while being inundated with requests made by the attacker.   These are easy to stop, you simply block the incoming IP address and you have successfully stopped the attack.   The ‘distributed’ part of DDOS means that the attack comes from several sources.  This makes the attack more difficult to stop because there are multiple origins.  The problem compounds itself when several thousand information systems work in tandem in botnets to focus an attack on just a handful of servers.  If it couldn’t get any worse, it does.  The attackers have found ways to disguise their junk packets meant to clog a network as legitimate DNS traffic by hijacking vulnerable DNS servers.

https://goldsborowebdevelopment.com/2018/05/network-improvements-net-neutrality/

The type of DDOS we experienced was DNS Amplification, for which our own Government states there is no way to mitigate without coordinated effort.  But what does that mean?  A coordinated effort means that the person that is being attacked must coordinate with their upstream providers (the ISP) to block the traffic from flooding the network.  There was just one little problem with that:  Net Neutrality.

Net Neutrality was a law passed in February 26th, 2015 and said that upstream providers could not discriminate against internet traffic regardless of its origins.  What this means is, our upstream provider could not legally help us to stop the incoming DDOS attacks.  I consulted our company attorney, Mr Harry Lorello in Goldsboro, North Carolina.  He characterized the law as “short-sighted, knee jerk reaction to corporatism” and stated the law needed changing.  Fortunately for me, his good friend George Holding was on his speed dial.  Within a few weeks I was in Congressman’s Holding’s office explaining exactly what happened to my company and how it inured such a high cost to my company and other companies associated with us and our network.  Congressman Holding created a coalition, he talked to other congressmen about my issue and within a few weeks they had introduced a bill to fully repeal Net Neutrality.  I might brag a little and even mention that it was rather awesome hearing the congressman on CSPAN mention my name and company name, but all-in-all, I wish it never happened.

We hear a lot of complaints from large corporations with large networks that Net Neutrality is bad and evil. But why?  These companies would have to better police their networks now that Net Neutrality is gone.  With the law out-of-the-way, ISP’s such as Level3 and AT&T can prioritize internet traffic based on the reputation of the network.  For instance, if Facebook allows its users to spam someone Facebook could gain a poor reputation and therefore all of Facebook’s servers could be given low priority for several back-bone ISP’s.  This is simply avoided by hiring staff to make sure people aren’t abusing your services.  Small businesses that rent networks have to do that already, why not the mega corporations?  The problem is, the cost analysis has never added up.  If a single network attacks my company, we could lose $700,000 which is about a quarter of our annual income.  That’s not a lot.  After payroll and taxes, I might see $70,000 of that which I can either spend on bills or reinvest into the company.  For Google to hire the staff to ensure their network doesn’t attack my company, it would cost them only 0.021% of their annual income.  Again, the cost analysis doesn’t add up.

While it didn’t help immediately, Net Neutrality was repealed just at the end of last year on December 14, 2017, about a month after the attacks stopped.  Even if it is unpopular, it does give me a sense of pride to put my name on the repeal of that law even if people have sour attitudes about it and scowl at me when I walk into board meetings in other companies.  But if we’re going to assign blame to it’s repeal, it is not my fault – this could have never happened without our friendly neighborhood script kiddy that resorted to DDOSing our network. I call the hacker a script kiddy because once someone resorts to using a free web application to take down a website, they obviously lack the aptitude to crack it, and that’s a fact.

In hindsight, I learned a lot from the experience.  I’ve been told that what doesn’t kill you makes you stronger, and I’m starting to believe that is true.  Today our servers are backed by 800Gbps DDOS protection.  While it is possible for our servers to be taken offline through another DNS Amplification DDOS attack, it would have to break world records and exceed the attacks on Sony and PlayStation.  Also, for our own office network, we have now two providers in which are actively filtering our traffic upstream since Net Neutrality was repealed.  I’ve also been assured that if we were DDOSed in the future, we likely wouldn’t even notice it because of the packet prioritization that is run at the peer exchange.

So, the next time someone tells  you how bad the repeal of Net Neutrality was, direct them to this story.

The post How One Hacker Repeals Net Neutrality appeared first on The Blog of Michael Wells.

Before we even start listing anything out here I invite any who are curious to run a criminal background check on me at any time:

Michael L Wells
113 Buttonwood Rd
Goldsboro, NC 27530
DOB: April 7, 1981

Credit score: 740
Criminal Records found: 0
Court Actions found: 0
Public Records found: 4 (one of which is my DD-214, another is a deed, one is a corporate certificate, and the other is the EIN certificate)

Just a funny side-story, because of this incident I have called the local law enforcement and as the sergeant said when he checked my own claims, “Well damn, you’re a rare one, an earnest boy scout, my record isn’t this clean!”

To which I replied while pulling my card out of my wallet and showing it to the officer, “Eagle Scout, year 2000, Tuscarora Council, Troop 45, Bill Clinton’s signature is on my card”.

The sergeant burst out in laughter, “Wow! This is surreal.  What is wrong with this guy?  The subject has to have some serious mental disorders to pull this on anyone especially on someone as clean as your record!”

But, let’s get started!

If you view the stylesheets on Eastern Office Furniture NC’s website, you will see that it’s attributed to GWD (Michael’s web development company) and that he has made an effort to replace every instance of the original authors license and name, effectively removing all credit to the author.

You should contact that client and ask her if the original source code and credits were disclosed to her because I can see on her account information page, it was.

This is prohibited in the GPL license and is without a doubt deliberate plagiarism.

The GPL website seems to say otherwise.

https://www.gnu.org/licenses/gpl-faq.en.html#RequiredToClaimCopyright

Here is where things begin to go terribly wrong — that is when someone starts to use big words that they don’t know the meaning of, like “GPL”. You see, GPL purposely allows you to change software any way you see fit and redistribute that software. While you can’t charge money for that software — ever, you can charge for the distribution of that software and the service in which you changed it. When a license tells you that you can change anything within the software as if it were your own, and redistribute that software so long as the original source code is disclosed to the recipient (which isn’t you btw), there can’t be plagiarism unless, of course you call having someone write social media posts on your behalf plagiarism, because that’s what’s going on here — the author has granted, by means of the GPLv3, rights for anyone to modify their software, including changing the credits, and the redistribution of those changes so long as the source code is distributed within it.

But that’s not even what we’re talking about here because our software is SaaS (Software as a Service) which means, by nature of the GPL we can completely sterilize the GPL code of any copyright bylines and credits so long as we don’t redistribute the code, and SaaS, is not a form of redistribution under the GPLv3 (it is under AGPL). But don’t take my word for it, see what this attorney has to say about it on her blog:  http://danashultz.com/blog/2010/03/05/saas-use-of-open-source-software-is-not-distribution-who-gnu/

In any theme/style one may aquire, there is more than just a single style-sheet that is used for WordPress.  You generally have multiple style sheets, a functions.php, home.php, single-post.php, header.php, etc.  Usually, our modifications come in the form of secondary (child) stylesheet changes as well as custom functions. But go ahead bub, keep claiming that nothing has changed because the default of the master theme (not the child which is in use) has no change (which is proper WordPress modding).

I’m guessing the client wanted a requirement that Michael design the website from scratch so he made an effort to conceal the fact that it was a publically available template/theme.

Another way things start to go wrong is when one tries to pass speculation off as fact. It is frankly none of your concern what this client wanted, nor is it of your concern how they got it. But I will just say this: A fully customized website underwritten by our copyright agent usually runs about $4,500 (starting) and not many used furniture stores or worm farmers can afford a website at that price. So in an effort to fit a budget, their budget, we provide alternatives and then from those alternatives we provide customizations.

A “hack” is attributed to countries or organizations based on the software used in the attack.

My fellow 74G’s and 74B’s on FB laughed at this, very hard. Our own government can make an attack to appear to be a Chinese or Russian aggression, quite easily. When a country like the United States still “controls” the roots of the internet (IANA, ICANN, etc) and can change internet routing at the flip of a switch, an attack can seem to come from the Mars Curiosity if they wanted (I hear the latency would be terrible).

As far as the signatures within the payload — we laughed even harder as if the US government or any other government couldn’t repurpose known malicious software.

If you’re “hacking” an e-mail server, you’re trying to use an exploit that a person authored.

So, is brute force the exploitation of a vulnerability that someone authored? No. It is not. You seem new to the cracking world, so let me try and help.

There are two easy vectors of attack on an email server, one being plain old IP interception. The other is keylogging. Both are quite easy if you know how to send someone a password protected ZIP archive with the executable inside. Once you have that, you have both the username and password of that user to give you unfettered access to that email server.

That randomtool1.c was written by a person, it has certain language signatures, stylistic paradigms, even borrowed code that can be attributed.

I highly doubt you’re a “forensic” anything. I am. And in the digital world, anything can be faked, cloned, duplicated, replicated, and attributed. I can write PHP code like:

if($amoron): echo $alwaysamoron; endif;

Or I can write PHP like:

if($amoron) {
 echo $alwaysamoron;
}

And depending upon the complexity of the code, I’m liable to write it either way. And I could easily throw off forensics by simply writing:

if($einIdiot) {
 echo $ImmereinIdiot;
}

But that must be a German National right? Wrong. And there is where your logic fails and your lunacy shines brightly.

As far as I can tell, the only software you know how to use is WordPress.

You’re right. My primary forte is WordPress plugins. Why re-invent the wheel? So yeah, if WordPress can handle it through plugins, why build a brand new php library? Oh, that’s right, my IQ shouldn’t be high enough to think like that, I guess.

But as far as your claim that I haven’t created any open source software… LOL.

Super CAPTCHA Security Suite – Hardened 3D CAPTCHA

And oh, wait a second…

http://ro.uow.edu.au/cgi/viewcontent.cgi?article=4088&context=eispapers

Overall, the success rate of attacking Super CAPTCHA was lower than
the rest. This is because the lines that are used to build Super CAPTCHA
are generated using Markov-chains. This gives rise to some randomness in the
lines, which makes it more difficult to distinguish between pixels that belong
to the parallel lines and those that belong to the characters. As such, using
larger distortion parameters for the lines will certainly make the CAPTCHA
more difficult to break.

Holy shit, how can someone with an IQ of 50 possibly have academic research on his software!!!

Now it comes down to all of the criminal accusations that were levied against me on the website and for that, I refer you to my opening statement.

But let’s not stop here, how about we begin to level the playing field a bit. Fire with fire, eye-for-an-eye, but instead of fabrications, I’m going to use facts.

Your domain is anonymous — which means you don’t want anyone knowing who you are. You know who else makes outlandish claims behind the cloak of privacy? The CIA, and what is the CIA’s job? Manipulation. Don’t think that anonymity and manipulation go hand-in-hand? Please, give me the name of a single CIA asset or operative on active duty.

I know that can be interpreted as a non-sequitur argument, so let’s look at that a little deeper.

Of course the basic registrar whois turns up basic ID Protection so this guy could be completely anonymous, however, there is something he doesn’t know.  Registrars have “reputation”, that is, how well they vet people and handle abuse complaints.  Obviously, he knew he would get legal abuse complaints and chose a registrar that doesn’t respond to abuse, at all, in fact, his registrar is responsible for many 419 scammer websites that are still online this very moment.

Which brings me to my final point:

While it was incredibly smart of you to remove the images of my children from your website (and other libelous materials that you’ve retracted in part), nothing can ever be truly deleted from the internet and as I already alerted you, CloudFlare had already been sent a Letter of Preservation and has already responded that the caches were preserved under ID#:2017-004821 which lays waiting for the court’s order of disclosure to arrive in their mailbox with the North Carolina Court seal affixed.

Not only did you commit a crime in that, and in your mob lynchings from manufactured claims and allegations, all of that provides irrefutable proof in a court’s eyes that you acted with the intent to do harm and with malice.  Not only do you have just me on your back, but now you have my company on your back, and two of my customers who have both joined the lawsuit.  If you don’t believe me, feel free to email Eastern Office once more and ask.

You know, us little companies, we don’t have much money to spend on attourneys, but we do have liability insurance on our companies and when someone makes accusations that become liabilities, guess who starts paying for our lawyers?    Good luck.

TL;DR: The only ones who chose anonymity are those with something to hide.  And no matter what this guy accuses me of, no matter the accusations, it is nothing compared to how subhuman he is by posting someone’s minor children on the internet without that parent’s consent to exploit them for personal gain and gratification. Because it merits repeating: SUBHUMAN.

The post TheTruth About Michael Wells appeared first on The Blog of Michael Wells.

But when you look at the new features list, there is, lets count… Ahh yes, 7 new features. What the HELL has Google been doing for the past year?  I tell you what happened.  Microsoft and Apple are jumping out of the phone game and joining the hybrid PC Game, and now Google has no rising bars to jump over.  That’s what is happening.

We saw this very same trend happen when AMD dropped the ball with Bulldozer, Intel, AMD’s competitor, has made zero technological breakthroughs since.  Where there is healthy competition there is always innovation and I think this latest release of Android 7.0 is a only a great demonstration of what Google can achieve when they have no competition.

The post So, I Guess Nougat Is Ok? appeared first on The Blog of Michael Wells.