The VexDB Robotics state championship rounds take place this weekend across the nation, bringing together teams of middle and high school students who can program machines to do almost anything.
In Maryland, the state championships for both high school and middle school will be concluded today at Sollers Point Technical High School in Dundalk, and the Illinois state championships take place at Niles North High School in Skokie.
Student teams, which have advanced from regional competitions to compete at the state level, bring together skills in engineering design, mechanical engineering and construction, and computer programming in order to create robots that do something useful.
The Laurel Legobots from Murray Hill Middle School in Maryland will also be at a state competition for their robotics team this weekend, the Columbia Flier reports. One sixth grader sits at the computer, coding new programs, while another adjusts the robot’s limbs and wheels, writes Kate Magill. “The two banter, debating what codes will get the robot to move accurately.”
“We get to do these cool projects,” she quoted one fifth grader from Gorman Crossing Elementary School as saying about the team. “It’s really unique. No other groups let you build and let you solve real world problems and learn to be a team.”
Getting a robot to do what you want in new situations is bordering on artificial intelligence, but it still takes good old-fashioned computer programming, much of which is written in C++ or Java.
The team from Fenwick High School in Oak Park, Illinois, will be in Skokie today, showing off their clawbot, a very popular design at VexDB competitions. According to Kimberly Wood in that school’s student newspaper, robots are complex machines that “are made through high-technological computer programming. … The sheer determination and intelligence of the team shows what can be done when brilliant minds come together. Though they did not take home a trophy, they took back knowledge that will last a lifetime,” she wrote about that team’s appearance at a Wisconsin contest.
There’s a national competition to follow for all the state champs, and there’s even a world competition. But for now, high school and middle school students will compete at the state level. They’ll be in Cherry Hill, New Jersey; in Pomona, California; at Michigan State University in East Lansing; and in Englewood, Colorado.
Bots, which are software robots, not mechanical ones, have taken some heat in recent months as a result of their use by Russian organizations aimed at steering the outcome of political life in the US.
The Voxitatis bot (Voxitatis-bot/1.0)
As we have reported, Voxitatis has programmed a bot to scan the student newspapers at about 3,000 high schools across America and the official websites of schools and public school districts in Illinois and Maryland.
I think of this as a “bot for good,” since our purpose in employing a bot is to advance the mission of excellent student journalism.
Bots have gotten a bad name with Russia’s meddling in the US election, as it has been reported that teams of programmers used bots to establish fake accounts on social networks and post comments, under screen names and profiles that made them look American, that generally bad-mouthed opinions expressed on both sides of any debate on the social network.
And the server we use for the Voxitatis bot has been under attack as well—from Russia, the Ukraine, China, Korea, and even Mexico and the Netherlands.
The above output shows the last 100 attempts to break in to our server, and those 100 attempts spanned less than one minute. Since February 1, we have documented 1.1 million attempts on the part of bots, most of them coming from Russia and China, to break into our system using what is known as a “brute force” or “dictionary” assault.
They try to login to the system as “root,” which is a special user on Unix systems that can do anything on the system he or she wants to do. Once they guess the password and log in, they can then change the root password, delete all the users’ logins, and basically hold the system hostage until I pay them money to get access back to my system.
Using bots in this way is a crime, so these people aren’t in the US. But if they break in by randomly trying root passwords until they guess correctly, it could potentially cost me a lot of money. And since I work in education, I don’t have all that much money.
Protect your own server
Let this experience serve as a warning to budding coders out there: The internet is a jungle, and it is filled with criminals who will stop at nothing to attack you and attempt to violate your server and destroy the integrity of the good work you do.
Disable the root login
The first step I took to protect my intellectual property is to disable the root login. This means, even if the Russian bots guess the root password correctly, the system won’t let them log in. On my server, this was accomplished by changing a single line in a configuration file for ssh (the shell that sends a login prompt whenever a connection is established on a certain port). Everyone who operates a Unix server should disable the root login on the first day.
Before you do that, you have to put at least one user in the wheel group and add that user to the list of accounts that can switch user to root so you can still do all those things you need to be “root” to do. This is done differently on different flavors of Linux, so I would urge you to check your hosting provider’s help documents.
Use very strong passwords
Much has been written about strengthening passwords using numbers, capital and lowercase letters, and special symbols. But hackers typically use random character generators when trying to break into a system. That means a capital letter is just as weak or strong as a lowercase letter.
Upon considering this subject, I’ve come to the conclusion that passwords are better if they’re just longer. One technique could be to take the first letter of the words of your favorite quote and use that as your password. I like, “Live as if you were to die tomorrow. Learn as if you were to live forever.” Mahatma Gandhi said that. A password could be: LaiywtdtLaiywtlf.
Cut off the IP addresses
But disabling the root login won’t stop the bots from trying—they’ll just keep thinking they haven’t guessed the right password yet. This bombardment can really slow down a server (I didn’t exactly buy the most powerful server in the cloud).
It is possible to use a piece of software that’s freely available to check the logs, like the one I posted above, for IP addresses that keep entering bad passwords and then not let connections from those IP addresses even attempt to log in anymore.
Two good examples of such a program are denyhosts and fail2ban. Denyhosts is a python script that works mainly with people who try to login using an ssh connection, and fail2ban is a package that can also ban malicious hosts from trying to login through your web server, such as to your WordPress administrative account. Both of them run as daemons in the background, monitoring attempted logins and adding IP addresses to /etc/hosts.deny or ~/www/.htaccess.
Since yesterday, 358 IP addresses have been added to my /etc/hosts.deny list. That means 358 different computers from around the world tried to break into my server and steal my property since last night.
That’s the bad news. The good news is that the load average on the machine is back to where it ought to be, since I’m the only one running programs on it.
Try changing the default port for ssh or httpd
Bots are persistent but usually not very innovative. The ssh port is usually port 22, so some writers and system administrators have advised changing it to an unused port on your server. An analogy for this would be making an upper story window the only way into your house. As long as you know which window to go in, there’s no issue, and everybody else who tries to break in through your front door will be thwarted.
You can look into doing this, but keep in mind that there are sniffers out there that can, with a single command, determine which port is being used for ssh on your server. If you decide to try this approach, you may have to check /etc/services to find an unused port, and you may also have to reconfigure your firewall or SELinux, if you use either of those.
Don’t use easy login names
The last way you want to create an account on a Unix server is with just your first name. If I scan the record for bad login attempts, I can find thousands of attempts to login as “jenny,” “peter,” “pi,” “admin,” and so on. The “root” account is pretty much guaranteed to exist, so that is, by far, the most common guess used by bots. But there’s a chance that the “jenny” account could be set up to switch user to “root.” And “jenny” might not have as good a password.
I recommend using a non-word as your login. Bots aren’t likely to guess this. Maybe your middle name preceded by a strange letter, like “ddonna.”
There is plenty of advice out there as to other techniques you can employ to keep your computer out of the hands of the Russian and Chinese criminals, including the use of keys instead of passwords and the use of a direct connection to the server instead of a connection through the internet. But these five have proved to be substantial for most users. Bots are looking for easy targets, and shutting them down will turn your server into a hard target.