Cyber Security: Oxymoron?

May 9, 2022

I read an interesting article called “Botnet That Hid for 18 Months Boasted Some of the Coolest Tradecraft Ever.” I am not sure I would have described the method as “cool,” but as some say, “Let many flowers bloom.”

The main point of the article is a sequence of actions which compromise a target without calling attention to the attack or leaving size 13 digital footprints. The diagrams provide a broad overview of the major components, but there are no code snippets. That’s a plus in my book because many cyber revelations are cookbooks with easy-to-follow recipes for dorm room cyber snacks.

What caught my attention is this statement in the excellent write up:

One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system.

I also noted:

“Once UNC3524 successfully obtained privileged credentials to the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” the Mandiant researchers wrote. “In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes….”

With the core functionality of Microsoft's software and services serving as the pivot on which the attacker's system and methods turn, what does this suggest about cyber security going forward?

My answer: There is an attack surface of significant scope. Plus, the activity is undetectable except by specialized analyses. The ball is in the hands of Microsoft. The bad actors just toss it around.
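One way a defender can look for the WMI-based lateral movement the write-up describes, as an added example that is not part of the original post or the Mandiant report: scan process-creation records for an interpreter spawned by the WMI provider host, with output redirection to an administrative share (the stock wmiexec behaviour, which a customized build may omit) as a secondary signal. The JSON field names and sample records are constructed assumptions, not a real export.

```python
"""Flag process creations that look like WMI-driven remote execution (wmiexec-style).

Input is constructed Windows Security 4688-style records as JSON lines; the field
names are an assumption about an export format, not a real feed.
"""
import json
import re

# Constructed 4688-style process-creation records, not real telemetry.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1651867200.1 2>&1"},
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "NETWORK SERVICE",
     "NewProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\WerFault.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "WerFault.exe -u -p 4120"},
])

# Interpreters that the WMI provider host rarely spawns in normal operation.
# WerFault.exe is deliberately absent: WmiPrvSE.exe legitimately launches it on a crash.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Command output redirected to an administrative share: how stock wmiexec collects
# output. A customized version (as the write-up describes) may not do this, so
# this is a secondary indicator, not a required one.
ADMIN_SHARE_REDIRECT = re.compile(r"[12]?>\s*\\\\[^\\\s]+\\(?:admin|c)\$\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reasons_for(ev: dict) -> list:
    """Return the indicators matched by one 4688-style record (empty list = benign)."""
    if ev.get("EventID") != 4688:
        return []
    child = basename(ev.get("NewProcessName", ""))
    parent = basename(ev.get("ParentProcessName", ""))
    hits = []
    if parent == "wmiprvse.exe" and child in SHELL_CHILDREN:
        hits.append("shell spawned by WMI provider host")
    if ADMIN_SHARE_REDIRECT.search(ev.get("CommandLine", "")):
        hits.append("command output redirected to an admin share")
    return hits


def find_wmi_remote_exec(jsonl: str) -> list:
    """Scan JSON-lines records; return [{'event': ..., 'reasons': [...]}] for each hit."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = reasons_for(ev)
        if hits:
            findings.append({"event": ev, "reasons": hits})
    return findings


if __name__ == "__main__":
    for f in find_wmi_remote_exec(SAMPLE_EVENTS):
        e = f["event"]
        print(f"{e['Computer']} {e['SubjectUserName']}: {e['CommandLine']}")
        print("  ->", "; ".join(f["reasons"]))
```

Only the first constructed record is flagged; the crash-reporting child of WmiPrvSE.exe and the provider host's own start under svchost.exe stay quiet.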

Stephen E Arnold, May 9, 2022

Cheerleading for the Google: A Soft Counter Howl

May 9, 2022

I have noted several posts which champion Google’s approach to smart software. I find it difficult to think about the cheerleading for Google’s “quantum supremacy” approach to its systems and methods. Dissent, disagree with the Jeff Deans of Google, or point out known flaws such as less useful results from a simple query — and what happens? The Google terminates people. The most recent example concerns a full-fledged member of the Google High School science club. Dr. Satrajit Chatterjee suggested the emperor was wearing PR clothes. Yep, one can see things when the Big Dogs of Google parade around at conferences. For some “color” about Dr. Chatterjee’s misstep, check out this New York Times write-up: “Another Firing Among Google’s A.I. Brain Trust, and More Discord.” (Paywall in place, but don’t complain to me.)

I read “Google AI Sparks a Revolution in Machine Learning.” Oh, really. I thought the Google’s machine learning was crafted from such methods as those presented by Dr. Christopher Ré, the Snorkel outfit, and the labors of engineers who recycle the original work of DeepMind. The novelty may be the PR, not the engineering.

The write up exclaims:

In all the hype around PaLM, people have not spent enough time understanding Google’s Pathways. But, when you do look into it, you will see that it is nothing short of a revolution. I’m not exaggerating.

See. “People” are not making an effort to understand the wonderfulness of Google’s method for reducing the cost of training machine learning models and then tuning those puppies with synthetic data. Why? “Real” data is increasingly difficult to get, even for the Google. Efficiency and cost reduction are the drivers. The PR push is designed to be a turbo charger.

Let’s take one small example of how the hype does not match what Google delivers. “Enterprise search” is a bound phrase. The idea is that if the bound phrase appears in a document, that document belongs in the search result set.

I get a sometimes daily and sometimes weekly summary of “important” and “relevant” documents sent to me via email. I use a competitive system as well, but the details of how that compares are not my concern. I want to focus on a result set of three:

enterprise search

NEWS

Global Enterprise Search Software Market – Recent Industry Trends and Projected Industry …

Express Journal

Global Enterprise Search Software Market – Recent Industry Trends and Projected Industry Growth 2021 – 2026. Admin Published: 8 minutes ago …

SYSTEM DEVELOPMENT SPECIALIST (ENTERPRISE SEARCH ENGINEER) – City of Toronto Jobs

City of Toronto Jobs

Desperate search for survivors in Cuba hotel blast; 27 dead – Beaumont Enterprise

Beaumont Enterprise

They checked the morgue, hospitals and if unsuccessful, they returned to the partially collapsed Hotel Saratoga, where rescuers used dogs to hunt for …

Enterprise applies The Trust Project standards to increase news transparency

Park Rapids Enterprise

These indicators are a collaborative, journalism-generated standard that help both readers and search engines assess the authority and integrity …

Notice that the bound phrase “enterprise search” is interpreted by Google’s smart software in these ways:

The first citation is to a junk-type market research report which purports to provide a look at the future of the enterprise search market. Keep in mind that this is a market which is dominated by open source options and a handful of vendors chasing niches; for example, Coveo in customer support and Fabasoft Mindbreeze in the Microsoft market. Other vendors are just desperate to make sales and try to sell to another outfit, do an IPO, or get more financing. Enterprise search is a tough sector, and it is now almost a commodity.

The second citation is to a job posting in Toronto. What? No job posts in Berlin? I saw one the other day for an enterprise search engineer with NLP expertise. Plus there are “contact us” pleas from numerous vendors in the search-and-retrieve game focusing on the law enforcement, intelligence, and business intelligence sectors.

The third citation is about the natural gas explosion in a hotel in Cuba. The separate words “search” and “enterprise” appear in the citation. The problem is that Google’s smart software ignored the bound phrase and did key word matching unaware of the location of words (title and body of article) and the order of the words. Enterprise before search, right? Not for Google’s smart software.

The fourth citation is interesting. Same problem. No bound phrase but the order of the disconnected words is close. Of the four citations, the results are incomplete because I get alerts on the subject from another outfit. But the Google results are 50 percent accurate.

That’s what I mean by Google’s methods generating results that are close enough for horseshoes: 50 percent accuracy. That’s a high-water mark when a Google user relies on one of Android’s forthcoming medical outputs. Do you want to stand in front of a Google self-driving car and see if that system is 50 percent accurate? I sure don’t.

Observations:

  1. Google wants its methods to become the one true way to implement machine learning and, hence, smart software. Disagree and you get fired. Just ask Dr. Chatterjee or Dr. Gebru.
  2. Some of Google’s methods can be used to deliver high-value outputs. A good example is Heron Systems’ smart software which virtually killed Animal in about 50 seconds. Just bits, gentle reader, no bullets killing a US Department of Defense Top Gun.
  3. The PR is disconnected from what the Google system is doing: In my view, Google wants to cut costs, eliminate insofar as possible the subject matter experts who build training sets and updates, and find methods that justify displaying endless Grammarly and Liberty Mutual ads to me when I watch a YouTube video about differential equations or Russian bloggers explaining that life is okay in St. Petersburg. (Sure it is.)

I have a suggestion. PR fluff needs to be labeled. Otherwise, you may be in the path of a self-driving Waymo and your 50/50 chance may not work out as you assume. Advertisers, so far, remain unaware of what’s shakin’ with their expensive bacon.

Stephen E Arnold, May 9, 2022

MINDS Conference: Truly Baffling

May 6, 2022

I received a link to a conference in Finland, which is just around the corner from Harrod’s Creek, Kentucky. The outfit’s flier perched on a Google Drive, and I learned that the MINDS program is into talking about news, collaboration, and diversity. The sponsors of the conference in Helsinki are

  1. Ifragasätt, a consulting firm which “supplies its customers with solutions for live-blogging/reporting and readers comments.”
  2. Namia, apparently a consulting firm responsible for STT Spy Tool, STT Little Bird, STT Vault News Robotics and Data Platform and STT’s Crime Database, among others. (Although my research team follows intelware, the STT Crime Database was interesting because it seems to be a resource owned by the Finnish News Agency or “STT.”)
  3. PicRights, a copyright enforcement entity which, “Using state-of-the-art technology to identify infringements and a team of experienced staff to qualify them as enforceable, PicRights delivers actionable cases to the appropriate regional enforcement unit for settlement and collection of fees for the unlicensed uses.” (There are offices in many countries, just not in the US. What does that suggest, Mr. Higbee?)

If there are other sponsors, I did not spot them in the program.

My reaction to the line up of speakers is that considerable attention will be directed to the news opportunities created by the actions of a certain nation state.

What’s interesting is that outputs about the dust-up East of Helsinki do not talk about improper reuse of TikTok videos, tweets, and YouTube posts. In my lecture at the 2022 National Cyber Crime Conference, I commented on how a former CIA operator surfed open source information. The former CIA professional writes novels but discovered information about the yachts allegedly owned by Russians who have been sanctioned. The information comes in part from the YouTube videos of eSysman and other open sources. But the former CIA professional did not identify these sources in a Lawfare podcast featuring the information.

My thought is that the MINDS Conference agenda has hip-hopped over the recycling of information related to the misunderstanding roiling Europe and allowing real news organizations to reuse content.

I will never know. The flier which I referenced includes this statement:

PLEASE NOTE THAT ALL INFORMATION GIVEN DURING THE CONFERENCE IS CONFIDENTIAL AND MUST NOT LEAVE THE MINDS NETWORK

The shouting caps appear in the original flier. What’s the penalty if the graduate student speaking at the conference puts her / their ideas in a journal article?

My hunch is that with a crime database and a legal network among the sponsors, something really bad will happen.

Will that punishment be worse than ignoring improper use of individuals posting information as OSINT and hearing crickets from “real news” outfits about fair use?

Of course not. Leveraging OSINT for commercial gain is part of the “real news” game for some publishers. Secrecy is good for some geese. Let’s hope the graduate student does not miss the ALL CAPS message.

Stephen E Arnold, May 6, 2022

Steering Smart Software

May 6, 2022

Why is smart software in need of direction? The short answer is that drift fouls up the machinery. If the real world conformed to the lab, life would be easier.

To get a sense for the “opportunities” of steering, take a look at “Cross-Ethnicity/Race Generalization Failure of Behavioral Prediction from Resting-State Functional Connectivity.” Here’s a quick summary: AI makes errors.

For a glimpse of Google’s awareness of this “minor” problem, navigate to “A Loss Curvature Perspective On Training Instability in Deep Learning.” Here’s a quick summary: AI makes errors and we think we can automate around these.

Net net: Certain applications of machine learning to smart software work okay; for example, sorting bruised fruit and ad matching. Other applications? Not so much.

Stephen E Arnold, May 6, 2022

Does Samsung Sense a Crack in the Googleplex?

May 6, 2022

It seems someone does not have much confidence in the Google. SamMobile suggests, “If Google Can’t Do Android Anymore, Maybe it Should Be Left to Samsung.” Writer Adnan F. begins by observing how valuable Android is to Google, delivering a steady stream of users to its other (Android default) services like Gmail, YouTube, and Maps. He also concedes the company updates the OS regularly, but is underwhelmed by its efforts. Perhaps, he suggests, Google has been lured into a sense of complacency by its distinct lack of competitors for the not-Apple mobile device market. This is where, to Adnan F.’s mind, Samsung could come in. He writes:

“Samsung has clearly taken the lead in advancing the cause of Android, perhaps more so than Google itself. Then again, Samsung does happen to be the largest global vendor of Android devices. It may rely on Google for the OS but there’s no question that it’s Google that needs Samsung and not the other way around. Often it feels that a light bulb goes off at Google whenever it sees Samsung create a feature that Android should have had. Then it wastes no time in copying that feature. Here’s an example and here’s another, and in the immortal words of DJ Khaled, another one. Let’s not forget that several Android 12 features are copied from One UI and even from Samsung’s outdated TouchWiz UI! Samsung’s One UI features are also being copied for Android 13. Today, Google went ahead and copied Samsung’s Smart Switch app. It’s as if Google is sitting in an exam and looking over the shoulder of the smart kid – that’s Samsung in this scenario – hoping to copy its work. Where it should have been Google taking the lead, it’s Samsung that’s influencing some of the major feature additions to Android.”

It is not an unreasonable suggestion. As the write-up points out, the two companies are close partners and have collaborated before. But would Google ever hand over the Android reins, even to a trusted friend? We are not so sure.

Cynthia Murrell, May 6, 2022

Facebook and Litigation: A Magnet for Legal Eagles

May 6, 2022

Facebook, now called Meta, is doing everything it can to maintain relevance with kids and attract advertisers. A large portion of Facebook’s net profits comes from advertising fees. Meta has not been entirely clear with its customers: CNN Business explains in the story “Facebook Advertisers Can Pursue Class Action Over Ad Rates” that the company lied about the ability of its “potential reach” tool.

San Francisco US District Judge James Donato ruled that millions of people and businesses that paid for ads on Facebook and its subsidiary Instagram can sue as a group. Facebook’s fiasco started in pre-pandemic days:

“The lawsuit began in 2018, as DZ Reserve and other advertisers accused Facebook of inflating its advertising reach, by increasing the number of potential viewers by as much as 400%, and charging artificially high premiums for ad placements. They also said senior Facebook executives knew for years that the company’s “potential reach” metric was inflated by duplicate and fake accounts, yet did nothing about it and took steps to cover it up.”

Knowingly deceiving customers is a common business tactic among executives. They do not want to disappoint their investors, or lose face, or money. It is such a standard business tactic that many bigwigs do get away with it, but some are caught with hands so red that ghee would make a bull angry (along with their customers). Facebook argued that a class action lawsuit was not possible, because the litigants were too diverse. The litigants are large corporations and individuals with home businesses. Facebook claimed they would not know how to calculate images.

Judge Donato said it made more sense for Facebook’s irate customers to sue as a group, because “ ‘no reasonable person’ would sue Meta individually to recover at most a $32 price premium.”

Ticketmaster faced a similar scandal when it charged buyers absurd fees for tickets. The fees went directly into the pockets of the executives. Ticketmaster’s class-action lawsuit resulted in all plaintiffs receiving $3-4 Ticketmaster gift certificates for every ticket they bought. The gift certificates could not be combined and had expiration dates.

Big businesses should be held accountable for their actions, but the payoff is not always that great for the individual.

Whitney Grace, May 6, 2022

Google: Dark Patterns? Nope Maybe Clumsy Patterns?

May 5, 2022

Ah, the Google. Each day more interesting information about its business processes brightens my day. I just read a post by vort3 called “Google’s Most Ridiculous Trick to Force Users into Adding Phone Number.” The post’s list of “things that are wrong” caught my attention. Here are several of the items:

You can’t generate app-specific passwords if you don’t have 2FA enabled. That’s some artificial limitation made to force you into adding a phone number to your account.

You can’t use an authenticator app to enable 2FA. I have no idea why SMS, which is the least secure way to send information, is a primary method and an authenticator app, which can be set up by scanning a QR code from the screen without sending any information at all, is «secondary» and can only be used after you give your phone number.

Nowhere in announcements or help pages or in the Google Account interface do they tell you that you can’t generate app passwords if you don’t have 2FA. The button is just missing and you wouldn’t even know it should be there unless you search on the internet.

Nowhere do they tell you the only way to enable 2FA is to link your account to your phone number or to your Android/iPhone device; the options are just not there.

Vort3 appears to be not too Googley. Others chime in on Vort3’s post. Some of the comments are quite negative; for example, JQPABC123 said:

The fastest way to convince me *not* to use a product is to attach a “Google” label to it. Nothing Google has to offer justifies the drawbacks.

Definitely a professional who might struggle in a Google business process interview. By this I mean, asking “What process?” is a downer.

The fix, according to CraftyGuy is, “Stop… using Google.”

The Beyond Search team thinks the Google is the cat’s pajamas because these are not Dark Patterns; they just seem clumsy.
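The mechanism behind vort3’s point that an authenticator app needs no phone number and sends nothing, shown as an added example that is not from the post or from Google: enrollment is a shared secret carried in the QR code’s otpauth:// URI, after which both sides derive the same code from that secret and the clock (RFC 6238 TOTP). The secret below is the RFC 6238 test vector; the function names and the account label are the author’s own.

```python
"""Offline TOTP as an authenticator app computes it (RFC 4226 HOTP over a time counter,
RFC 6238). Nothing is transmitted at enrollment or at code generation time."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The string an authenticator app reads from the enrollment QR code.
    This is the only moment the secret moves, and it moves screen-to-camera."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """Code for Unix time `at`: HMAC-SHA1(secret, floor(at / step)) with dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # base32 needs padding
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // step)                       # 8-byte big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # low nibble picks 4 bytes
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify(secret_b32: str, candidate: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock skew.
    Comparison is constant-time. A real verifier must also remember the last
    accepted counter so a code cannot be reused within its window."""
    for k in range(-window, window + 1):
        expected = totp(secret_b32, at + k * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret ("12345678901234567890") in base32.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(provisioning_uri(secret, "alice@example.com", "Example"))
    print("current code:", totp(secret, int(time.time())))
```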

Stephen E Arnold, May 5, 2022

Meta (Formerly Zuckbook) Chases Another Digital Ghost

May 5, 2022

High school science club thinking is alive and well at Meta (formerly Zuckbook). Here’s a flashback to the Information Industry Association meeting in Boston in 1081. A wizard of sorts (Marvin Weinberger maybe?) pointed out that artificial intelligence was just around the corner. The conference was not far from an MIT building, so his optimism may have had some vibes from the pre-Epstein era at that institution.

No one said anything. There were just chuckles.

Flash forward to 2022: Synthetic data, handwaving, unexplainable outputs, Teslas which get confused, YouTube ad placement, etc. The era of AI has arrived in its close-enough-for-horseshoes glory.

“Meta AI Is Building AI That Processes Language Like the Human Brain” explains:

Meta AI announced a long-term research initiative to understand how the human brain processes language. In collaboration with neuroimaging center Neurospin (CEA) and INRIA, Meta AI is comparing how AI language models and the brain respond to the same spoken or written sentences.

Significant advancements based on “valuable insights” will allow the Zuckbook to offer services that process language like the humanoid brain.

And the progress? Well, MIT is not involved. Human brains at that institution apparently misunderstood Jeffrey Epstein. The Zuckbook will not make that mistake one hopes.

Neurospin? Niftier than plain old AI? Absolutely.

Stephen E Arnold, May 5, 2022

Can You Leave Your AI Home Alone?

May 5, 2022

An article at ZDNet takes a brief but wide-ranging look at the current state of AI. The theme throughout the piece, titled “AI Can Be Creative, Ethical When Applied Humanly,” is that algorithms still cannot be left unsupervised. Writer Eileen Yu begins by exploring ways AI is being “creative,” long thought a talent limited to biological life forms. So far, examples mostly involve marketing campaigns and, of course, must be checked by humans before being implemented. Then there is the metaverse, the virtual world(s) seemingly perfect for algorithmic stewardship. Even there, AI requires transparency and human guidance when applying and enforcing rules. Yu’s highest stakes example, though, is the realm of law enforcement. She writes:

“Humans, too, cannot be removed from the equation where ethics are central to the AI discourse, such as in law enforcement. In making a decision, humans would consider the morals behind it, said David Hardoon, managing director at Aboitiz Data Innovation (ADI), the Singapore-based data science and AI arm of Philippine conglomerate, the Aboitiz Group. He also is chief data and AI officer for UnionBank Philippines. ‘Can AI help us make a decision? Yes. Can it decide the morality of a decision? Absolutely not. This distinction is important,’ said Hardoon, who was previously chief data officer and data analytics head of Monetary Authority of Singapore. Commenting on why AI should be applied with care in certain areas such as law enforcement, he stressed the need to ensure the technology could be deployed in a robust manner. This currently was not the case, he said, pointing to the use of AI in facial recognition.”

Excellent example. Yu points to a 2017 study from MIT which found that darker-skinned females were 32 times more likely to be misclassified than lighter-skinned males. She also notes some of the most prominent tech companies acknowledge the problem:

“Vendors such as IBM, Microsoft, and Amazon have banned the sale of facial recognition technology to police and law enforcement, citing human rights concerns and racial discrimination. Most have urged governments to establish stronger regulations to govern and ensure the ethical use of facial recognition tools.”

Unfortunately, large as they are, those three companies are but a drop in the facial recognition bucket. With that and other AI tech currently in use by law enforcement, transparency has a lot of catching up to do. If the issues of bias could be resolved, and that is a big if, such tools could be a force for good with the right human oversight and accountability.

Cynthia Murrell, May 5, 2022

Open Source: Dietary Insights

May 5, 2022

One of the more benign news briefs about Russia these days concerns the eating habits of the country’s secret police. The Verge explains how delivery apps revealed Russian law enforcement’s food preferences: “Data Leak From Russian Delivery App Shows Dining Habits Of The Secret Police.” A massive data leak from Yandex Food, a large food delivery service in Russia, contained names, addresses, phone numbers, and delivery instructions related to the secret police.

Yandex Food is a subsidiary of the Russian search engine of the same name. The data leak occurred on March 1 and Yandex blamed it on the bad actions of one of its employees. The leak did not include users’ login information. Roskomnadzor, the Russian government agency responsible for mass media, threatened Yandex with a 100,000 ruble fine and also blocked a map containing citizen and secret police data.

Bellingcat researchers were investigating leads on the poisoning of Alexey Navalny, the Russian opposition leader. They searched the Yandex Food database collected from a prior investigation and discovered a person who was in contact with Russia’s Federal Security Service (FSB) to plan Navalny’s poisoning. The individual used his work email to register with Yandex Food. They also searched for phone numbers linked to Russia’s Main Intelligence Directorate (GRU). Bellingcat found interesting information in the leak:

“Bellingcat uncovered some valuable information by searching the database for specific addresses as well. When researchers looked for the GRU headquarters in Moscow, they found just four results — a potential sign that workers just don’t use the delivery app, or opt to order from restaurants within walking distance instead. When Bellingcat searched for FSB’s Special Operation Center in a Moscow suburb, however, it yielded 20 results. Several results contained interesting delivery instructions, warning drivers that the delivery location is a military base. One user told their driver “Go up to the three boom barriers near the blue booth and call. After the stop for bus 110 up to the end,” while another said ‘Closed territory. Go up to the checkpoint. Call [number] ten minutes before you arrive!’”

The most scandalous information leaked from the Yandex Food breach was information about Putin’s former mistress and their “suspected daughter.”

While it is hilarious to read about Russian law enforcement’s eating habits, it is alarming when the situation is applied to the United States. Imagine all of the information DoorDash, Grubhub, Uber Eats, and other delivery services collect on customers. There was a DoorDash data leak in 2019 that affected 4.9 million people and it was much larger than the Yandex Food leak.

Whitney Grace, May 5, 2022
