ShadowTrackr

Why deleting stuff is hard

21 August 2017
To demonstrate some functionality I added a random news site to an account with about 50 urls. Within minutes, ShadowTrackr had found hosts, related urls, hosts for the related urls, certificates, and more. It was all fine until I noticed the lack of a delete button. I naively implemented a delete button for the urls and hosts under settings and clicked it. The random news site was gone. And within a few minutes it appeared again. Since the related host and some subdomains were still in the system, the pay level domain was easily found again and automatically added.

Against better judgement, I manually deleted the hosts and subdomains and quickly deleted the url. Again, within minutes everything reappeared. It was even worse than the situation I started with: you can only delete the urls and hosts you add manually, and the original url now appeared as a related asset found by the system (without a delete button). Adding delete buttons for related assets is useless, since they are related and will always be rediscovered. It turned out deleting an asset was much harder than I thought, so I put the issue on my todo list and started working on other stuff. I just couldn't figure out what the proper delete implementation should be.

Of course, users will notice a problem like this and start complaining (as they should). I had to implement a way to delete assets, but I couldn't decide how it should work. Should I blindly delete all related assets? Including ones that might be shared with other urls or hosts? Should related messages be deleted from the timeline too? That would mean you might miss historical data on an attack targeted at you just because your server changed its IP address.

Since I can't come up with an implementation that works for all users in all circumstances, there is now a delete button with two checkboxes. One is for deleting related messages from the timeline, and the other is for aggressively deleting related assets. It might be a bit too aggressive and delete the shared server that also hosts your other websites, but I figured (and tested) that these will be found again from related assets. I expect the solution with the optional checkboxes will work for everyone, but please let me know if you have problems.
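To make the rediscovery problem concrete, here is an added simulation (example code, not ShadowTrackr's implementation) over a constructed relation table with made-up names: a plain delete leaves a neighbour behind that re-seeds the url, an aggressive delete removes the whole reachable cluster, and a shared server brings the deleted site back through another manually added url.

```python
from collections import deque

# Constructed relation table for illustration (made-up names, not ShadowTrackr data):
# each asset maps to what discovery derives from it (url -> host, host -> urls
# served and the server IP, IP -> hosts seen on it).
RELATED = {
    "https://news.example/": {"news.example"},
    "news.example": {"https://news.example/", "198.51.100.7"},
    "https://blog.example/": {"blog.example"},
    "blog.example": {"https://blog.example/", "198.51.100.7"},
    "198.51.100.7": {"news.example", "blog.example"},
}

def discover(seeds: set[str]) -> set[str]:
    """Expand the seeds the way a periodic discovery run does: follow RELATED
    transitively until no new asset appears."""
    found, queue = set(seeds), deque(seeds)
    while queue:
        for nxt in RELATED.get(queue.popleft(), ()):
            if nxt not in found:
                found.add(nxt)
                queue.append(nxt)
    return found

def delete(inventory: set[str], manual: set[str], target: str, aggressive: bool) -> set[str]:
    """Plain delete drops only the target. Aggressive delete also drops every
    asset reachable from it, but never another url the user added by hand."""
    doomed = discover({target}) if aggressive else {target}
    doomed -= manual - {target}
    return inventory - doomed

def inventory_after_delete(manual: set[str], target: str, aggressive: bool) -> set[str]:
    """Build the inventory from the manual urls, delete the target, then let the
    next discovery run re-expand whatever survived. Returns what is known afterwards."""
    remaining = delete(discover(manual), manual, target, aggressive)
    return discover(remaining)

if __name__ == "__main__":
    news, blog = "https://news.example/", "https://blog.example/"
    # Plain delete: the host is still known and re-seeds the url.
    print(news in inventory_after_delete({news}, news, aggressive=False))       # True
    # Aggressive delete of the only site: nothing is left to rediscover it.
    print(inventory_after_delete({news}, news, aggressive=True))                # set()
    # Aggressive delete while a second site shares the server: the server,
    # and with it the deleted site, come back via the other site.
    print(news in inventory_after_delete({news, blog}, news, aggressive=True))  # True
```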

Monitoring Bitcoin, Ethereum and Zcash wallets

30 June 2017
I've been planning to do something with digital currencies for a while, and after WannaCry and this week's Petya outbreak I developed balance monitoring straight away. There are a couple of reasons why this is useful.

If you have a stash of bitcoins for speculation or as an emergency fund to pay ransoms (no, you shouldn't, but I'm not judging), you will want to know when something happens to it. Digital currency disappearing without your approval is a strong indicator of either fraud or an evil hacker on your system. You can now configure ShadowTrackr to send a push notification to your iPhone when the balance of a certain Bitcoin, Ethereum or Zcash wallet changes.

You can also use this as a digital booby trap that fires when your VIP is hacked. Just leave (the keys to) a small amount on the VIP's laptop and make sure he knows not to touch it. If you see changes on the blockchain for the address of these canarycoins and it was not your VIP, then the VIP's laptop is compromised for sure. Not every evil hacker steals bitcoins of course, so it doesn't detect every breach. But I think it's still useful because this trick has about zero false positives.

So, why did WannaCry and Petya prompt me to do this now? To be honest, I was just curious how many victims would pay the ransom.

The ShadowTrackr iPhone app is live

23 June 2017
It's a very simple app. For the most part it's just a webview with the website in it. The top part of the page is stripped and replaced with an iOS native search bar. This gives a much better user experience than an HTML search bar. I've also stripped out the menu options and put these in a drop-down menu to save some screen real estate. The more space is left for the actual content, the better of course.

So why did I write a hybrid app instead of a native one or just a web app? The main reason is notifications. I've been playing with these for a while and found them to be one of the most useful features of ShadowTrackr. I am eating my own dog food and am a daily user of ShadowTrackr. But I just don't want to be looking at the timeline all day every day. I check it when I want to find information for a post mortem, to see what settings on which servers can be improved, or just to check in and see what's happening.

When certain keywords appear on Pastebin or in the news, I want to know immediately. The same goes for critical security changes. I want to know when a good SSL certificate goes bad, when one of my servers appears on a blacklist, or when my DNS server suddenly allows zone transfers. The push notifications appear on my iPhone and I'll decide whether I want to check them out in detail in the app or just leave them. I'm often the first to know when something relevant happens online.

The security settings are hardcoded by me, and the system will send a notification if I have set it for that particular event. You can't change this yourself like you can for keywords. But it's open for discussion, and if several users send me requests for different settings I'll see what I can do.

One last thing to mention is that I really got annoyed by midnight notifications, and I'm too lazy to switch them all off each night and on again each morning. So, I added the possibility to set the start and end time of your working day (under settings -> notifications). If set, notifications will only be sent between the specified times.
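Putting the wallet balance monitoring from the previous post together with the working-day window described here, an added example (not the ShadowTrackr implementation) with constructed balance polls and made-up addresses: it diffs two polls in the coin's smallest unit, and gates the resulting alerts on a settings-style "HH:MM" window, including one that wraps past midnight.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BalanceAlert:
    address: str
    old_balance: int   # smallest unit (satoshi, wei, zatoshi); integers avoid float drift
    new_balance: int

def detect_balance_changes(previous: dict[str, int], current: dict[str, int]) -> list[BalanceAlert]:
    """Diff two balance polls of the watched addresses. Any change counts: for a
    canary wallet nobody is allowed to touch, an increase is as suspicious as a
    decrease. An address seen for the first time is recorded, not alerted."""
    alerts = []
    for address, new_balance in sorted(current.items()):
        old_balance = previous.get(address)
        if old_balance is not None and old_balance != new_balance:
            alerts.append(BalanceAlert(address, old_balance, new_balance))
    return alerts

def _minutes(hhmm: str) -> int:
    """Parse a settings-style 'HH:MM' string into minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def within_working_hours(now: str, start: str, end: str) -> bool:
    """True when `now` lies in the half-open window [start, end). A window whose
    end is earlier than its start (e.g. 22:00 to 06:00) wraps past midnight."""
    n, s, e = (_minutes(t) for t in (now, start, end))
    if s == e:
        return True                  # no window configured: always notify
    if s < e:
        return s <= n < e
    return n >= s or n < e           # wrap-around window

def push_now(alerts: list[BalanceAlert], now: str, start: str, end: str) -> tuple[list, list]:
    """Split alerts into the ones pushed immediately and the ones held back
    because they fall outside the working day. Nothing is dropped."""
    if within_working_hours(now, start, end):
        return alerts, []
    return [], alerts

if __name__ == "__main__":
    # Constructed polls (made-up addresses): a speculation stash and a canary wallet.
    earlier = {"canary-addr-1": 150_000, "stash-addr-1": 2_000_000}
    later = {"canary-addr-1": 0, "stash-addr-1": 2_000_000, "new-addr-1": 10}
    alerts = detect_balance_changes(earlier, later)
    sent, held = push_now(alerts, "03:00", "08:00", "18:00")
    print(len(alerts), len(sent), len(held))   # 1 0 1: the canary emptied, but 03:00 is outside the window
```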

Here's the iOS app

And yes, there will be an Android app too :-)