Let Us Not Quibble over Quibi

October 14, 2020

I am not a video type. Sure, we create a short video every couple of weeks. That’s part of our learning process and a flaccid attempt to keep some of the younger members of the team semi happy. One of the future video stars called my attention to “Apple Has No Interest in Purchasing Failing Short-Form Video Streaming Service Quibi.” My reaction was, “Bad Apple.” Not Apple the fun loving app store operator; bad apple as in the phrase “one bad apple spoils the barrel.” The Quibi thing is the exact opposite of TikTok: TikTok relies on user created content within a surveillance shell. Quibi produces 1980s Hollywood content in chunks of 10 minutes or less. No surveillance, no nation state lobbying to keep the programs flowing. No international PR visibility.

The loss of the Apple dream is not surprising. I recall reading “So Here Are the Real Reasons Quibi Failed.” To refresh your memory that May 2020 write up identified these Semel Yahooesque issues:

  1. Name quick bites to Quibi
  2. No sharing in the Rona era of sharing
  3. Mobile sharing.

The write up also dances around the subscription angle, which remains a problem or an opportunity.

The write up does nail the Quibi management team’s explanation of failure on a billion dollar scale: The pandemic.

The reasoning seems to be that Quibi was designed for people with jobs who commute and want Hollywood 1980s style content.

Maybe.

The reality boils down to many missteps, including the odd couple of Katzenberg and Whitman or more colloquially The Meg and Jeff’s Management Review YouTube program.

Who will care? Probably the investors and at least one of the DarkCyber research team. I am not that empathetic fan. The Quibi caregiver on the DarkCyber research team is, however, lamenting what looks like the streaming equivalent of the 2004 flop “The Alamo.” Remember it?

Stephen E Arnold, October 14, 2020

Bad Decisions Explained: Was This a Good Decision?

October 14, 2020

DarkCyber tracks a number of topics related to cyber crime. Why do some individuals abandon the straight and narrow and practice crime, regular or deluxe? The reasons are explained in “Common Causes of Very Bad Decisions.” Here’s an example of the reasons:

An innocent denial of your own flaws, caused by the ability to justify your mistakes in your own head in a way you can’t do for others.

DarkCyber’s jargon for this characteristic is HSSCMM or the high school science club management method. Could examples be found in the management actions at companies like Amazon, Apple, Facebook, or Google? The article does not illustrate each “cause.” That’s too bad.

Here’s another reason for a really terrible decision:

Too much extrapolation of past successes leads to overconfidence, stubbornness, and a narrow view of future risks.

It would have made the write more than an earthworm list if some examples had been included. But “color” and “case examples” are not part of the document. The reader is left to insert the missing information. In today’s business environment there so few bad decisions, the lack of detail is understandable.

Stephen E Arnold, October 14, 2020

Avaaz Facebook Report: Another Road Map for Bad Actors?

October 14, 2020

DarkCyber is intrigued by research reports which try to alert the public to an issue. Often the reports provide a road map for bad actors who are looking for a new method or angle to practice their dark arts. “Facebook’s Algorithm: A Major Threat to Public Health” may be a recent example of doing right going wrong.

Avaaz is, according to the organization’s Web site:

a global web movement to bring people-powered politics to decision-making everywhere.

A 33-page study, published in late August 2020, is available without charge at this link. The publication covers health misinformation through the lens of Facebook’s apparently flawed content curation mechanisms.

For bad actors (real or would be), the document explains:

  • The relationship between Web pages with “disinformation” and Facebook sites
  • The amplification function of content generators
  • Utility of a message output in multiple languages
  • The role of backlinks
  • A list of “gaps in Facebook’s” content curation method.

Interesting report and one which may help some individuals operate more effectively. Facebook’s content curation has some flaws. The company flagged a photograph of onions as salacious. No, really.

Stephen E Arnold, October 14, 2020

Dark Web Sites Losing Out to Encrypted Chat Apps?

October 14, 2020

With several Dark Web marketplaces falling to either law enforcement successes or to their own administrators’ “exit scams,” it was predicted vendors and buyers of illegal goods would shift to another alternative, one that promises end-to-end encryption. However, Bank Info Security explains “Why Encrypted Chat Apps Aren’t Replacing Darknet Markets.” To be sure, some criminals do use these apps, but they have been running into some disadvantages. Writer Mathew J. Schwartz specifies:

“One is the challenge of finding – or marketing – goods and services being provided via chat apps. Fear about the reliability of legitimate platforms – and of the risk of getting sold out – is another factor. ‘By trusting a legitimate third-party application’s encryption and anonymity policies, threat actors are placing their trust in non-criminals,’ the ‘Photon Research Team’ at digital risk protection firm Digital Shadows tells me. Criminals typically prefer to avoid such situations. … Chat platforms’ smaller scale can also be an unwelcome limitation for criminals because fewer customers means lower profits for sellers or chat-channel administrators. ‘Most instant messaging platforms tend to be smaller in terms of number of participants and also geographically focused or limited by language – limiting the reach,’ Raveed Laeb and Victoria Kivilevich, respectively product manager and threat intelligence analyst at Israeli cyber threat intelligence monitoring firm Kela, tell me. ‘Another limit is that many chat channels focus on one subject – meaning that one channel features drugs, another one offers enrolls and so on. Thus, it lowers potential profits for the channel’s admins,’ they say.”

It is true, legitimate encrypted apps have plenty of incentive to cooperate with the authorities. So why not build an alternative by criminals for criminals? Some have tried that, with networks like BlackBox, Phantom Secure, and EncroChat, all of which were summarily busted by law enforcement. There are likely more out there, but they may suffer the same fate.

In the end, it seems many dark-market vendors are sticking with the marketplaces. It makes sense in our view—we see the two avenues as complements to one another, anyway. Meanwhile, though, certain marketplaces are abandoning some of their traditional sellers: We’re told illegal drugs are being banned at these sites in favor of digitally transmittable products like malware, stolen databases, login credentials, and other cybercrime tools and services. There is the absence of complications caused by physical packages, but these products also exist in a grey area in many jurisdictions. (We note no mention is made of other items of high concern, like child pornography or weapons.) Schwartz supposes admins believe ceasing to market illegal drugs will make their sites smaller targets. Perhaps?

Cynthia Murrell, October 14, 2020

eBay: Sprinting Forward to Fight Online Sneaker Fraud

October 13, 2020

EBay Launches Sneaker Authentication Service to Combat Counterfeit Sales” caught one of the DarkCyber research team’s attention. When I read the forwarded email about this Verge article, I wondered why the title wasn’t “Ebay Sprints Forward with a Sneaker Authentication Service.” I then realized that eBay has been in business for 25 years and product fraud has been around at least that long on the service. One of my friends who used to work in a British security service worked as an adviser to eBay. I recall that he mentioned that eBay online crime was a “stunner.” I assumed he meant that the amount of online crime was enough to startle an experienced investigator.

According to the Silicon Valley “real” news write up:

Collectible sneakers are big business.

I recall instances of robbery and murder for a pair of gym shoes. Yeah, that is a “real” news factoid. Murder amps up the perceived value of this particular apparel sector.

Here’s how the quarter century old digital market will deal with fake gym shoes:

As with its previously-announced watch authentication service, eBay has partnered with a third-party company, Sneaker Con, to authenticate items. When a sale is made, the buyer ships the sneakers to an “authentication facility” where they’re inspected to make sure they match the listing’s title, description, and images. If they pass the inspection, an eBay tag is attached to them, and they’re sent on to the buyer. The same process covers returns, to stop unscrupulous buyers from trying to return fake sneakers to legitimate sellers.

Sprinting to the future or stepping up slowly? DarkCyber thinks eBay is doing the speed walking associated with 75 year olds. Interpretation: Move slowly. Maybe “Ebay Limps Forward with a Sneaker Authentication Service.”

Stephen E Arnold, October 13, 2020

Amazon Expands Data Monitoring

October 13, 2020

Here is an optimistic view of the future, at least for areas where residents can afford to purchase these gadgets. CNET reports, “Amazon Sidewalk Will Create Entire Smart Neighborhoods. Here’s What You Should Know.” Yes, Amazon’s vision of the smart home has grown to encompass the whole subdivision. Based on how many Echo devices are backward compatible with the new tech, the plan has been in the works for some time. But what, exactly, is this project about? Reporter Ry Crist writes:

“First announced in 2019, the effort is called Amazon Sidewalk, and it uses a small fraction of your home’s Wi-Fi bandwidth to pass wireless low-energy Bluetooth and 900MHz radio signals between compatible devices across far greater distances than Wi-Fi is capable of on its own — in some cases, as far as half a mile, Amazon says. You’ll share that bandwidth with your neighbors, creating a sort of network of networks that any Sidewalk-compatible device can take advantage of. Along with making sure things like outdoor smart lights and smart garage door openers stay connected when your Wi-Fi can’t quite reach them, that’ll help things like Tile trackers stay in touch if you drop your wallet while you’re out on a walk, or if your dog hops the fence. Maybe most noteworthy of all is that Amazon Sidewalk won’t require any new hardware, at least not for short-range benefits like easier device pairing. Instead, it’ll arrive as a free software update to the Echo speakers and Ring cameras people already have in their homes.”

To take advantage of those half-mile range 900MHz connections, though, one must have newer devices: a Ring Spotlight or Floodlight cam, the fourth generation Echo smart speaker, or Echo Show 10 smart display. (More will follow, of course.) These users will also contribute bandwidth to the cause, but Amazon was wise enough to provide an opt-out option. Not everyone’s community spirit will extend to their Wi-Fi connection, no matter how little bandwidth Sidewalk will use (which is very little, compared to streaming and other functions). Since the change will come in the form of a software update, anyone who wants to decline may have to be on the lookout for that update and find the appropriate checkbox.

Some users will have security concerns, and the company has worked to address them. The Sidewalk server only gets to see packets’ destination information, we’re told, but not any of the actual device data, which will travel under three layers of encryption. They promise to delete routing information every 24 hours. Here is the PDF of the company’s white paper addressing privacy and security for Sidewalk. Customers will have to trust Amazon to safeguard their data for Sidewalk to take off, it tells us. Considering how many have already incorporated the company’s digital potential spies into their homes, we think the project has a good chance at success.

Cynthia Murrell, October 13, 2020

Newspaper Search: Another Findability Challenge

October 13, 2020

Here is an interesting project any American-history enthusiast could get lost in for hours: Newspaper Navigator. I watched the home page’s 15-minute video, which gives both an explanation of the search tool’s development and a demo. Then I played around with the tool for a bit. Here’s what I learned.

Created by Ben Lee, the Library of Congress’ 2020 Innovator in Residence, The Newspaper Navigator is built on the Library of Congress’s Chronicling America, a search portal that allows one perform keyword searches on 16 million pages of historical US newspapers using optical character recognition. That is a great resource—but how to go about an image search for such a collection? That’s where Newspaper Navigator comes in.

Lee used thousands of annotations of the collection’s visual content, created by volunteers in the Library’s Beyond Words crowdsourcing initiative of 2017, to train a machine learning model to recognize visual content. (He released the dataset, which can be found here. He also created hundreds of prepackaged downloadable datasets organized by year and type, like maps, photos, cartoons, etcetera.) The Newspaper Navigator search interface allows users to plumb 1.5 million high-confidence, public-domain photos from newspapers published between 1900-1963. The app allows for standard search, but the juicy bit is the ability to search by visual similarity using machine learning.

Lee walks us through two demo searches—one that begins with the keyword “baseball” and with “sailboat.” One can filter by location and time frame, then hover over results to get more info on the image itself and the paper in which it appeared. Select images to build a Collection, then tap into the AI prowess via the “Train my AI Navigators” button. The AI uses the selected images to generate a page of similar images, each with a clickable + or – button. Clicking these tells the tool which images are more and which are less like what is desired. Click “Train my AI Navigators” again to generate a more refined page, and repeat until only (or almost only) the desired type of image appears. When that happens, clicking the Save button creates a URL to take one right back to those results later.

Lee notes that machine learning is not perfect, and some searches lend themselves to refinement better than others. He suggests starting again and retraining if results start refining themselves in the wrong direction.

The video acknowledges the potential marginalization issues in any machine learning project. Click on the Data Archaeology tab to read about Lee’s investigation of the Navigator dataset and app from the perspective of bias.

I suggest curious readers play around with the search app for themselves. Lee closes by inviting users to share their experiences through LC-Labs@loc.gov or on twitter @LC_Labs, #NewspaperNavigator.

Cynthia Murrell, October 13, 2020

Apple and AWS: Security?

October 13, 2020

DarkCyber noted an essay-style report called “We Hacked Apple for 3 Months: Here’s What We Found.” The write up contains some interesting information. One particular item caught our attention:

AWS Secret Keys via PhantomJS iTune Banners and Book Title XSS

The information the data explorers located potential vulnerabilities to allow such alleged actions as:

  • Obtain what are essentially keys to various internal and external employee applications
  • Disclose various secrets (database credentials, OAuth secrets, private keys) from the various design.apple.com applications
  • Likely compromise the various internal applications via the publicly exposed GSF portal
  • Execute arbitrary Vertica SQL queries and extract database information

Other issues are touched upon in the write up.

Net net: The emperor has some clothes; they are just filled with holes and poorly done stitching if the write up is correct.

Stephen E Arnold, October 13, 2020

Domains Seized: What Companies Assisted the US Government?

October 13, 2020

The Straits Times’s article “US Seizes Iran Propaganda Websites” reported:

The US has seized 92 web domains used by Iran, including four which purported to be genuine English language news sites…Four of them, with the domain names “newsstand7.com”, “usjournal.net”, “usjournal.us”, and “twtoday.net”, were “operated by or on behalf” of Iran’s Islamic Revolutionary Guard Corps to influence United States domestic and foreign policy…

The article included an interesting factoid; to wit:

The sites were identified first with intelligence from Google and then also with help from Twitter and Facebook…

Interesting?

Stephen E Arnold, October 13, 2020

Facebook and Encryption

October 12, 2020

A number of experts have pointed to the information about Facebook’s contribution to child exploitation, human trafficking, and related activities. A good example is Robert David Steele’s “Betty Boop: Facebook Responsible for 94% of 69 Million Child Sex Abuse Images Reported by US Tech Firms.”  DarkCyber notes “Five Eyes and Japan Call for Facebook Backdoor to Monitor Crime.” The point of that Nikkei Asia paywalled article is that encrypted messaging apps are conduits of information related to criminal activity.

Russia has taken some steps to deal with Telegram messaging traffic. Other countries, including Australia, Canada, England, New Zealand, and the United States express similar thoughts. Japan wants to “move closer” to these initiatives.

DarkCyber’s view is that the similarity of views among these countries is a response to a growing cyber crime challenge. The speed of instant messaging is one factor. The messaging apps’ growing robustness coverts what was Dark Web eCommerce within Tor to encrypted channels operating on the “open” Internet. Plus, the messaging apps allow users to create the equivalent of “chat groups” in which like minded individuals can share images and other information.

The call for a back door is getting louder. Providers of these software services may be reluctant to make changes. It is possible that change may be forced upon certain companies.

Stephen E Arnold, October 12, 2020

« Previous PageNext Page »

  • Archives

  • Recent Posts

  • Meta