Posted

I’m not here to argue the benefits or drawbacks of AI.

I’m here to point out that by including AI linkage in your development tools and not allowing it to be completely disabled, you’re making tools that I legally cannot use in my job. No, I will not be ignoring my legal responsibilities. No, your cleverness doesn’t get you around the laws of my country. If you want to follow a fad and make your product unusable by me, go for it — just be aware that I won’t be here to support you when you’re done with that fad and you’re on to the next thing. “Permanently unsuitable for use” isn’t just a reflection on a product, it’s a reflection on the thought process that went into that product and the people who made those decisions. Be better than that.

If you’re making a developer tool, make a developer tool. If you’re making a tool to vacuum peoples’ data into your “data lake” and resell it, then fuck you. Permanently. You’re just not good enough.

Categories Network security

Posted

I deal with scammers all the time. Constantly. For whatever reason, they seem to gravitate to me. Whether face to face, by telephone, via text message, through email, social media, or any other form of communication, I’ve dealt with literally hundreds to thousands (900 – 2000 is my approximate guess, with padding on both sides). I guess I’ve learned a thing or two in those contacts.

I was griping in work chat and said:

What’s up with the scammers today? I’ve had one call on the phone and another trying to phish me through text. They’re definitely human in both cases, because they’re emotionally reactive to nuances. (Pissing people off is the true CAPTCHA.)

I guess I’d been doing it without really thinking about it, and just articulated it there for the first time.

Pissing people off is the true CAPTCHA. Human reactions are complex. By varying the level of nuance and how adversarial you are, you can easily provoke reactions that clearly show whether you’re dealing with a human or a chat script (which may be LLM-based, a CGI script from the ’90s, M-x doctor, or whatever).

One example is to question affiliation. A common script is for the wannabe to pose as a Bell/Telus employee on the phone. By them stating an affiliation outright at the beginning of the call, they give you the first rough edge to grab onto. Pushing back with “how can I verify you are a Bell/Telus employee?” is a good first strike. It’s gentle. A real Bell/Telus employee actually has training in how to respond to this. It doesn’t rattle them. I have only rarely had a scammer on the line who doesn’t give an inappropriate reaction to this. Watch for voices raised and angry/authoritative reactions, as these are some indications of a scammer on the other end of the line. Real Bell/Telus employees are well aware that their behaviour is being monitored and they would be censured or sanctioned for inappropriate behaviour with customers.

A second example is to question chain of custody of information. “This offer you’re telling me about is very interesting — where can I find out more about it online? Super cool.” A scammer is highly unlikely to be able to provide this kind of collateral information. It is plausible that scammers could both pose as agents of an organisation and use the organisation’s own collateral/deals/savings/events information in their scams, but I don’t think I’ve seen it yet. The closest I’ve experienced is being given references to web links that don’t exist or are clearly not the official, well-known site of the organisation they claim. (Confusingly, Blogspot is among the top places I’ve been directed to here — I can’t make sense of that other than to surmise that it’s easiest to get a Google account and Blogspot is the quickest route to getting words online?)

One other thing I tend to subtly put pressure on is chain of contact. Valid organisations have bidirectional communication with their customers. Customers can contact the company, not just the other way around. A valid Bell/Telus employee will happily tell you the methods to get in touch with another Bell/Telus employee to complete any valid business. Most scammers don’t have the faintest clue how to contact the company and will tend to tell you that you have to do it then or never, as no one else can do it for you. Thinking this situation all the way through: even if there were some small chance the call was actually from Bell/Telus, would you want to deal with a company that’s actually that dodgy? If they’re offering a deal, what must the stability of that deal be, if it’s only available via phone calls coming out of left field? How does any of that make sense, anyway?

Obviously, scammers want to play just outside their targets’ experience, knowledge, and comfort level. These methods do not rely on having the upper hand in the contact to be successful. Indeed, being willing to initiate an uncomfortable situation, however mild, can tell you a lot about the unknown caller. If you’re dealing with a real agent of a real organisation, they’ll actively appreciate that you’re making sure things are on the up-and-up. You’re helping them out in more ways than you know.

What’s the best thing to do if you get a scammer on the line? My favourite is to ask them to hold on for a sec while I get them the information they’re looking for (if they’re going into a spiel, I tell them I’m going to get my account number so we can act on this), mute the phone, and set it down while I go about my business. It’s the lowest-effort way to waste their time and resources.

It is possible to stop scammers. We simply have to make their business as difficult, inconvenient, stressful, exhausting, restrictive, uncertain, unprofitable, dangerous, unsatisfying, stigmatised, and otherwise unrewarding as possible. It’s not realistic to think that law enforcement or the government will address these issues. They have repeatedly refused to take even small steps toward beginning to mitigate the problem, let alone anything beyond that. They also won’t help you if you’re scammed. It’s all up to us, folks.

Categories Personal

Posted

From reviewing web logs:

78.153.140.151 - - [02/May/2025:05:10:43 +0000] "GET /.env.xml HTTP/1.1" 404 3793 "-" "More Firefox 1.5.0.9 user agents strings -->>"

Perhaps if you’re going to source from a list of UAs, you should look at the list first and remove anything that doesn’t look like a UA. But thanks for making me laugh.

That’s the usual dreck from hostglobalplus, though. They’re one of my personal shoot-on-sight providers, so as soon as I see them in my logs I firewall off the whole netblock.
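The two tells in that log line, a request for a dotfile that should never be served and a "user agent" that is really a caption copied out of a list, are both cheap to check mechanically. The script below is an added example, not anything from this blog or its author's tooling: it parses Apache/nginx combined-format access log lines, flags requests for secret-file paths (a small heuristic list I chose: /.env*, /.git/, /.aws/, wp-config.php) and flags user-agent strings that do not start with a product/version token such as "Mozilla/5.0" or "curl/8.4.0", then groups the findings by client IP so you can decide what to firewall. The sample log is constructed: the line quoted above plus three made-up lines using addresses from the 192.0.2.0/24 documentation range.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format. Fields: client IP, identd, user,
# timestamp, request line, status, bytes, referer, user agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A genuine user agent starts with a product/version token ("Mozilla/5.0",
# "curl/8.4.0"). A caption scraped from a list of UAs does not.
UA_TOKEN_RE = re.compile(r'^[A-Za-z][\w.+-]*/\d')

# Paths nobody requests legitimately on a typical site: dotenv files, VCS and
# cloud-credential directories, and the WordPress config file. Heuristic
# list chosen for this example; extend it to suit your own site.
SECRET_PROBE_RE = re.compile(r'^/(?:\.env\b|\.git(?:/|$)|\.aws(?:/|$)|wp-config\.php$)')


def parse_combined(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons an entry looks like scanner traffic (empty if none)."""
    reasons = []
    path = entry["path"].split("?", 1)[0]  # ignore the query string
    if SECRET_PROBE_RE.match(path):
        reasons.append("secret-file probe: " + path)
    ua = entry["ua"]
    # "-" means no UA header at all; that is common for scripts and is not
    # treated as malformed here, only a present-but-implausible string is.
    if ua != "-" and not UA_TOKEN_RE.match(ua):
        reasons.append("malformed user agent: " + ua)
    return reasons


def review_logs(lines):
    """Map each client IP to the set of reasons it was flagged; unflagged IPs are omitted."""
    flagged = defaultdict(set)
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue  # not combined format; skip rather than guess
        for reason in classify(entry):
            flagged[entry["ip"]].add(reason)
    return dict(flagged)


# Constructed sample: the line quoted in the post plus three made-up lines
# (192.0.2.0/24 is the documentation range, so these IPs belong to no one).
SAMPLE_LOG = [
    '78.153.140.151 - - [02/May/2025:05:10:43 +0000] "GET /.env.xml HTTP/1.1" 404 3793 "-" "More Firefox 1.5.0.9 user agents strings -->>"',
    '192.0.2.10 - - [02/May/2025:05:11:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"',
    '192.0.2.20 - - [02/May/2025:05:12:19 +0000] "GET /.git/config HTTP/1.1" 404 3793 "-" "curl/8.4.0"',
    '192.0.2.30 - - [02/May/2025:05:13:40 +0000] "GET /index.html?x=1 HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for ip, reasons in sorted(review_logs(SAMPLE_LOG).items()):
        print(ip)
        for reason in sorted(reasons):
            print("   ", reason)
```

Run against the sample, it flags 78.153.140.151 twice (the /.env.xml probe and the malformed UA) and 192.0.2.20 once (the /.git/config probe), and says nothing about the two benign lines. The UA heuristic is deliberately loose: it only asks whether the string begins like a real product token, so it will not catch a scanner that copies a plausible UA verbatim, which is why the path check is the stronger signal of the two.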

Categories Network security

Posted

Sleep has been pretty difficult for the last couple of weeks. It’s moderate effort to get to sleep, but if something wakes me up (like having to go to the bathroom) after a certain hour, I’m pretty much up for the day. This getting older business sucks sometimes.

One of my personal servers started losing disks in a hurry as I was reinstalling an OS — two in an hour. I think the RAID controller is gone. When I have some time with my better half outside the house (its full fans are loud) I will try to drop the “failed” disks back in and route around the failed RAID controller.

I also have a smaller server (in every respect, sadly — from 64GB DDR4 and 12TB of RAID10 down to 32GB DDR4 and 2GB of RAID1), so I’ve thrown PVE8 onto that and am building a couple of VMs on it. One’s a utility VM I’ll use for work, so I am more device-independent when I’m around the house. It’s a pain to unplug my work laptop and take it to another area of the house, but if I do most of the work on the VMs, I can grab the spare laptop and use that, instead.

My hope is that I can get the more powerful one up and going, as that could handle argus, too. I’ll probably move that to my virtualisation server at OVH, as it’s got enough room to make space for it.

Today’s a write-off for progress on mapping or tagging. Hopefully I’ll get some time on Sunday.

Categories Personal

Posted

I’m trying another approach to mapping the address spaces (IPv4 and IPv6 now). It’s more or less the same process as before, but different classification criteria, and different grouping criteria. Single IPs are the order of the day, rather than ranges, and it’s all about confirmed contacts from each IP. I don’t know what it will turn up, but it’s interesting to see the patterns forming so quickly.

You can check out the IP ranges observed so far if you’re curious.

Note that these lists are not exhaustive. If I’m unsure about an entry (if it’s a bot, real person, etc.), I don’t add it.

I just noticed that I’m so in the habit of locking down ssh to my jumphost that I did it on my listeners, so I don’t have any ssh brute-force data yet. Oops. Unfiltered now, so expect to see some ssh brute force tags in the ranges above in the next day or two.

Categories Personal