News Flash from the Past: Bad Actors Use New Technology and Adapt Quickly

August 18, 2025

No AI. Just a dinobaby working the old-fashioned way.

NBC News is on top of cyber security trends. I think someone spotted an Axios report that bad actors were using smart software to outfox cyber security professionals. I am not sure this is news, but what do I know?

“Criminals, Good Guys and Foreign Spies: Hackers Everywhere Are Using AI Now” reports this “hot off the press” information. I quote:

The hackers included an attachment containing an artificial intelligence program. If installed, it would automatically search the victims’ computers for sensitive files to send back to Moscow.

My goodness. Who knew that stealers have been zipping around for many years? Even more startling old information is:

LLMs, like ChatGPT, are still error-prone. But they have become remarkably adept at processing language instructions and at translating plain language into computer code, or identifying and summarizing documents. The technology has so far not revolutionized hacking by turning complete novices into experts, nor has it allowed would-be cyberterrorists to shut down the electric grid. But it’s making skilled hackers better and faster.

Stunning. A free chunk of smart software, unemployed or intra-gig programmers, and juicy targets pushed out with a fairy land of vulnerabilities. Isn’t it insightful that bad actors would apply these tools to clueless employees, inherently vulnerable operating systems, and companies too busy outputting marketing collateral to do routine security updates.

The cat-and-mouse game works this way. Bad actors with access to useful scripting languages, programming expertise, and smart software want to generate revenue or wreak havoc. One individual or perhaps a couple of people in a coffee shop hit upon a better way to access a corporate network or obtain personally identifiable information from a hapless online user.

Then, after the problem has been noticed and reported, cyber security professionals will take a closer look. If these outfits have smart software running, a human will look more closely at logs and say, “I think I saw something.”

Okay, mice are in and swarming. Now the cats jump into action. The cats will find [a] a way to block the exploit, [b] rush to push the fix to paying customers, and [c] share the information in a blog post or a conference.

What happens? The bad actors notice their mice aren’t working or they are being killed instantly. The bad actors go back to work. In most cases, the bad actors are not encumbered by bureaucracy or tough thought problems about whether something is legal or illegal. The bad actors launch more attacks. If one works, it’s gravy.

Now the cats jump back into the fray.

In the current cyber crime world, cyber security firms, investigators, and lawyers are in reactive mode. The bad actors play offense.

One quick example: Telegram has been enabling a range of questionable online activities since 2013. In 2024 after a decade of inaction, France said, “Enough.” Authorities in France arrested Pavel Durov. The problem from my point of view is that it took 12 years to man up to the icon Pavel Durov.

What happens when a better Telegram comes along built with AI as part of its plumbing?

The answer is, “You can buy licenses to many cyber security systems. Will they work?”

There are some large, capable mice out there in cyber space.

Stephen E Arnold, August 18, 2025

Party Time for Telegram?

August 14, 2025

No AI. Just a dinobaby and a steam-powered computer in rural Kentucky.

Let’s assume that the information is “The SEC Quietly Surrendered in Its Biggest Crypto Battle.” Now look at this decision from the point of view of Pavel Durov. The Messenger service has about 1.35 billion users. Allegedly there are 50 million or so in the US. Mr. Durov was one of the early losers in the crypto wars in the United States. He has hired a couple of people to assist him in his effort to do the crypto version of “Coming to America.” Manny Stoltz and Max Crown are probably going to make their presence felt.

The cited article states:

This is a huge deal. It creates a crucial distinction that other crypto projects can now use in their own legal battles, potentially shielding them from the SEC’s claim of blanket authority over the market. By choosing to settle rather than risk having this ruling upheld by a higher court, the SEC has shown the limits of its “regulation by enforcement” playbook: its strategy of creating rules through individual lawsuits instead of issuing clear guidelines for the industry.

What will Telegram’s clever Mr. Durov do with its 13-year-old platform, hundreds of features, crypto plumbing, and hundreds of developers eager to generate “money”? It is possible it won’t be Pavel making trips to America. He may be under the watchful eye of the French judiciary.

But Manny, Max, and the developers?

Stephen E Arnold, August 14, 2025

Guess Who Coded the Official Messaging App of Russia

July 30, 2025

This blog post is the work of an authentic dinobaby. Sorry. No smart software can help this reptilian thinker.

The Bloomberg story title “Russia Builds a New Web Around Kremlin’s Handpicked Super App” caused me to poke around in the information my team and I have collected about “super apps,” encrypted messaging services, and ways the Kremlin wants to get access to any communication by Russian citizens and those living in the country and across the Russian Federation. The Bloomberg story is interesting, but I want to add some color to what seems to be a recent development.

If you answered the question “Guess who coded the official messaging app of Russia?” by saying, “Pavel and Nikolai Durov,” you are mostly correct. The official messaging app is a revamped version of VKontakte, the Facebook knock-off coded by Pavel and Nikolai Durov. By 2011, Kremlin authorities figured out that access to the content on a real time social media service like VK was a great way to stamp out dissent.

The Durovs did not immediately roll over, but by 2013, Pavel Durov folded. He took some cash, left Nikolai at home with mom, and set off to find a place hospitable to his views of freedom, privacy, security, and living a life not involving a Siberian prison. Pavel Durov, however, has a way of attracting attention from government officials outside of Russia as well. He is awaiting trial in France for a number of alleged online crimes, including CSAM. (CSAM is in the news in the US recently as well.)

Ongoing discussions with VK and an “integrator” have been underway for years. The Kremlin contracted with Sber and today’s VK to create a mandatory digital service for Russian citizens and anyone in the country buying a mobile phone in Russia. The idea is that with a mandatory messaging app, the Kremlin could access the data that Pavel Durov refused to produce.

The official roll out of the “new”, government-controlled VK service began in June 2025. On September 1, 2025, the new VK app must be pre-installed on any smartphone or tablet sold in the country. Early reports suggested that about one million users had jumped on the “new” messaging app MAX. Max is the post-Durov version of VKontakte without the Pavel Durov obstinacy and yapping about privacy.

The Russian online service https://PCNews.ru published “Ministry of Digital: Reports That the MAX Messenger Will Be Mandatory for Signing Electronic Documents Are Not True.” The write up reports that the claim that the “official” messaging service “MAX” will be required for Russians to sign electronic documents is not true.

Earlier this week (July 28, 2025):

… the [Russian] government of the Kemerovo region is officially switching to using the Russian MAX messenger for all work communications. Before this, the national messenger began to be implemented in St. Petersburg, as we have already reported, Novosibirsk and Tatarstan. Depending on the region, the platform is used both in government structures and in the field of education. In Russia they want to ensure free and secure transfer of user data from WhatsApp and Telegram instant messengers to the Russian MAX platform. From September 1, 2025, the Max messenger will have to be pre-installed on all smartphones and tablets sold in Russia. In late June 2025, the developers announced that over one million users had registered with Max.

This means that not everything the Kremlin requires will reside on the super app MAX. From a government security vantage point, the decision is a good one. The Kremlin, like other governments, has information it tries hard to keep secret. The approach works until something like Microsoft SharePoint is installed or an outstanding person like Edward Snowden hauls off some sensitive information.

The Russians appear to be quite enthusiastic about the new government responsive super app. Here’s some data to illustrate the level of the survey sample’s enthusiasm.

“The Attitude of Russians Towards the National Messenger Has Become Known” reports:

  • 55% of respondents admitted that they would like their data to be stored on Russian servers
  • 85% communicate with loved ones using messaging apps
  • 49% watch the news
  • 47% of respondents use instant messengers for work or study
  • 38% of respondents supported the idea of creating a Russian national messenger
  • 26% answered that they rather support it
  • 19% of respondents admitted that they were indifferent to this topic.

Other findings included:

  • 36% of Russians named independence from the departure of foreign services among the advantages of creating a domestic messenger
  • 33% appreciate popularization of Russian developments
  • 32% see a positive from increasing data security
  • 53% of respondents liked the idea when in one service you can not only communicate, but also use government services and order goods.

Will Russians be able to circumvent the mandatory use of MAX? Almost anything set up to cage online users can be circumvented. The Great Firewall of China after years of chatter does not seem to impede the actions of some people living in China from accessing certain online services. At this time, I can see some bright young people poking around online for tips and tricks related to modern proxy services, commodity virtual private networks, and possibly some fancy dancing with specialized hardware.

What about Telegram Messenger, allegedly the most popular encrypted messaging super app in Russia, the Russian Federation, and a chunk of Southeast Asia? My perception is that certain online habits, particularly if they facilitate adult content, contraband transactions, and money laundering are likely to persist. I don’t think it will take long for the “new” MAX super app to be viewed as inappropriate for certain types of online behavior. How long? Maybe five seconds?

Stephen E Arnold, July 30, 2025

Indiscriminate Scanning: Hello, Telegram, This Is for You

July 29, 2025

This blog post is the work of an authentic dinobaby. Sorry. No smart software can help this reptilian thinker.

I read a version of the message the European Union is sending to Pavel Durov. This super special human is awaiting trial in France for a couple of minor infractions. Yep, minor as in CSAM. Oh, the French judiciary tossed in a few other crimes.

The EU, following France’s long overdue action, is mustering some oomph, according to “The EU Could Be Scanning Your Chats by October 2025 – Here’s Everything We Know”:

Denmark kicked off its EU Presidency on July 1, 2025, and, among its first actions, lawmakers swiftly reintroduced the controversial child sexual abuse (CSAM) scanning bill to the top of the agenda. Having been deemed by critics as Chat Control, the bill aims to introduce new obligations for all messaging services operating in Europe to scan users’ chats, even if they’re encrypted.

After a three year hiatus, the EU is in “could” and “try” mode. The write up says:

As per its first version, all messaging software providers would be required to perform indiscriminate scanning of private messages to look for CSAM – so-called ‘client-side scanning’. The proposal was met with a strong backlash, and the European Court of Human Rights ended up banning all legal efforts to weaken encryption of secure communications in Europe.

Where does Telegram fit into this “could” initiative?

Telegram semi-encrypts. The idea is that the user’s Messenger mini app encrypts a message, adds routing, and whisks the contents to the user… sort of. Telegram has a command-and-control node which receives the encrypted message, the header, assorted metadata, and then decrypts the message in the Telegram command-and-control center. Why? Good question.

Telegram does support complete end-to-end encryption. The command-and-control center just hands off the encrypted message. There is no slam dunk information available about Telegram’s sucking up the metadata for these E2EE messages, which may contain text, rich media, or other content objects.

How will Telegram interpret this “could” move? My view is that the French judiciary may have some ways to realign Mr. Durov’s thinking. I understand that France has some lovely prison facilities like the facilities at the French Foreign Legion headquarters and the salubrious quarters in Africa. I would not suggest these are five star hotel type detainment structures, but Mr. Durov’s attorneys may convince him to reconsider his position as a French citizen under the watchful eye of the French legal system.

Stephen E Arnold, August 29, 2025

Telegram: Is Now in the USA and Armed with Crypto Services

July 28, 2025

This blog post is the work of an authentic dinobaby. Sorry. No smart software can help this reptilian thinker.

Telegram in the US is so yesterday. The company is 13 years old. The founder is awaiting trial in France for some charges related to a dozen or more French laws and regulations. The TONcoin has been in the lower tier of the crypto currencies for more than a year. The firm released yet another programming language in the hopes of luring more developers to its platform.

But here are two allegedly accurate facts about this firm founded by Pavel Durov, the fellow who created the “Russian version of Facebook.” I spotted these in an online publication called TechCrunch. “Telegram’s Crypto Wallet Launches in the US” reports:

Telegram is expanding access to its crypto wallet for its 87 million users in the U.S.

The article includes an assertion that 100 million Telegram Messenger users have activated their crypto wallets. Furthermore, these 100 million people execute 334,000 transactions on the Nikolai Durov-Level1 blockchain every 24 hours. That works out to about 13,900 per hour or 231 per second. No benchmark data from other blockchain services are included in the write up.

My team and I estimated that the Telegram Messenger eGame “Hamster Kombat” attracted about 300 million Telegram users. The “points” in that game were HAMSTR crypto tokens. STAR tokens, a Telegram invented device, were also involved. In order to “cash in” these points for other crypto, the Messenger wallets may have been required for some of these “moves.”

The numbers, like most Telegram user data, are soft and difficult to verify.

Several observations:

  1. The TON Foundation indicated at the Gateway Conference in 2024 that there were about five million users of Telegram in the US in 2023. The jump to 87 million users is notable and either [a] an indication that Telegram Messenger is a bigger player in the US than believed or [b] Telegram and the TON Foundation are exaggerating their data.
  2. If Telegram does have more than one billion users, the active use of the Telegram crypto wallet is a rather dismal 10 percent of the user base. With Telegram working to build out its crypto services, the “success” of the firm is either [a] disappointing or [b] another bogus number.
  3. The eGame Hamster Kombat drew three times the number of Telegram users than the Messenger crypto wallet. This means that either [a] the crypto “play” mounted by Telegram after the US SEC investigation in 2020 and 2021 is moving at a snail’s pace or [b] the reported figures are incorrect.

Net net: Verifiable data about Telegram, its proxies, and its business activities are fuzzy. One fact is verifiable: Pavel Durov, the “owner” of Telegram Company, is awaiting trial in France for a number of serious charges.

Stephen E Arnold, July 29, 2025

Thanks, Google: Scam Link via Your Alert Service

July 20, 2025

This blog post is the work of an authentic dinobaby. Sorry. No smart software can help this reptilian thinker.

July 20, 2025 at 9:26 am US Eastern time: The idea of receiving a list of relevant links on a specific topic is a good one. Several services provide me with a stream of sometimes-useful information. My current favorite service is Talkwalker, but I have several others activated. People assume that each service is comprehensive. Nothing is farther from the truth.

Let’s review a suggested article from my Google Alert received at 9:07 am US Eastern time.

Imagine the surprise of a person watching via Google Alerts the bound phrase “enterprise search.” Here’s the landing page for this alert. I received this message:

[image: the Google Alert message]

The snippet says “enterprise search platform Shenzhen OCT Happy Valley Tourism Co. Ltd is PRMW a good long term investment [investor sentiment].” What happens when one clicks on Google’s AI-infused message?

My browser displayed this:

[image: the page the browser displayed]

If you are not familiar with Telegram Messenger-style scams and malware distribution methods, you may not see these red flags:

  1. The link points to an article behind the WhatsApp wall
  2. To view the content, one must install WhatsApp
  3. The information in Google’s Alert is not relevant to “Nova Wealth Training Camp 20”

This is an example of cross-service financial trickery.

Several observations:

  1. Google’s ability to detect and block scams is evident
  2. The relevance mechanism which identified a financial scam is based on key word matching; that is, brute force and zero smart anything
  3. These Google Alerts have been or are now being used to promote either questionable, illegal, or misleading services.

Should an example such as this cause you any concern? Probably not. In my experience, the Google Alerts have become less and less useful. Compared to Talkwalker, Google’s service is in the D to D minus range. Talkwalker is a B plus. Feedly is an A minus. The specialized services for law enforcement and intelligence applications are in the A minus to C range.

No service is perfect. But Google? This is another example of a company with too many services, too few informed and mature managers, and a consulting leadership team disconnected from actual product and service delivery.

Will this change? No, in my opinion.

Stephen E Arnold, July 20, 2025

Scattered Spider: Operating Freely Despite OSINT and Specialized Investigative Tools. Why?

July 7, 2025

No smart software to write this essay. This dinobaby is somewhat old fashioned.

I don’t want to create a dust up in the specialized software sector. I noted the July 2, 2025, article “A Group of Young Cybercriminals Poses the Most Imminent Threat of Cyberattacks Right Now.” That story surprised me. First, the Scattered Spider group was documented (more or less) by Trellix, a specialized software and services firm. You can read the article “Scattered Spider: The Modus Operandi” and get a sense of what Trellix reported. The outfit even has a Wikipedia article about their activities.

Last week I was asked a direct question, “Which of the specialized services firms can provide me with specific information about Telegram Groups and Channels, both public and private?” My answer, “None yet.”

Scattered Spider uses Telegram for some messaging functions, and if you want to get a sense of what the outfit does, just fire up your OSINT tools or, better yet, use one of the very expensive specialized services available to government agencies. The young cybercriminals appear to use the alias @ScatteredSpiderERC. There is a Wikipedia article about this group’s activities.

So what? Let’s go back to the question addressed directly to me about firms that have content about Telegram. If we assume the Wikipedia write up is sort of correct, the Scattered Spider entity popped up in 2022 and its activities caught the attention of Trellix. The time between the Trellix post and the Wired story is about two years.

Why hasn’t a specialized services firm that provides actionable data to the US government, Europol investigators, and the dozens of other law enforcement operations around the world acted? Isn’t it a responsible act to use that access to Telegram data to take down outfits that endanger casinos and other organizations?

Apparently the answer is, “No.”

My hunch is that these specialized software firms talk about having tools to access Telegram. That talk is a heck of a lot easier than finding a reliable way to access private Groups and Channels and tracing a handle back to a real live human being possibly operating in the EU or the US. I would suggest that France tried to use OSINT and the often nine-figure systems to crack Telegram. Will other law enforcement groups realize that the specialized software vendors’ tools fall short of the mark and think about a France-type of response?

France seems to have made a dent in Telegram. I would hypothesize that the failure of OSINT and the specialized software tool vendors contributed to France’s decision to just arrest Pavel Durov. Mr. Durov is now ensnared in France’s judicial bureaucracy. To make the arrest more complex for Mr. Durov, he is a citizen of France and a handful of other countries, including Russia and the United Arab Emirates.

I mention this lack of Telegram cracking capability for three reasons:

  1. Telegram is in decline and the company is showing some signs of strain
  2. The changing attitude toward crypto in the US means that Telegram absolutely has to play in that market or face either erosion or decimation of its seven year push to create alternative financial services based on TONcoin and Pavel Durov’s partners’ systems
  3. Telegram is facing a new generation of messaging competitors. Like Apple, Telegram is late to the AI party.

One would think that at a critical point like this, the Shadow Server account would be a slam dunk for any licensee of specialized software advertising, “Telegram content.”

Where are those vendors’ webinars, email blasts, and trade show demonstrations? Where are the testimonials that Company Nuco’s specialized software really did work? “Here’s what we used in court because the specialized vendor’s software generated this data for us” is what I want to hear. I would suggest that Telegram remains a bit of a challenge to specialized software vendors. Will I identify these “big hat, no cattle outfits”? Nope.

Just a reminder that marketing and saying what government professionals want to hear are easier than delivering.

Stephen E Arnold, July 2025

Proton Move: What about the TON Foundation?

June 17, 2025

Surveillance laws are straight out of dystopian novels, and they’ve become a reality. Proton Mail is a popular alternative to Gmail, and the company is not happy about a controversial spying bill, says TechRadar: “We Would Be Less Confidential Than Google – Proton Threatens To Quit Switzerland Over New Surveillance Law.”

Switzerland’s new surveillance law would require all social networks, VPNs, and messaging apps to identify and retain user data. Currently only mobile networks and ISPs are required to do this. Proton Mail provides users with VPN and encrypted email services. They’re not happy about this potential new law, and they’ve threatened to leave Switzerland.

Proton’s CEO said:

“In an interview with RTS (Radio Télévision Suisse) on May 13, 2025, Proton CEO Andy Yen slammed the proposed amendment as a ‘major violation of the right to privacy’ that will also harm the country’s reputation and its ability to compete on an international level. ‘This revision attempts to implement something that has been deemed illegal in the EU and the United States. The only country in Europe with a roughly equivalent law is Russia,’ said Yen…. ‘I think we would have no choice but to leave Switzerland,’ said Yen. ‘The law would become almost identical to the one in force today in Russia. It’s an untenable situation. We would be less confidential as a company in Switzerland than Google, based in the United States. So it’s impossible for our business model.’”

The new law would add three new types of information and two types of monitoring. Other tech companies and leaders are against the law.

Switzerland is the bastion of neutrality in Europe. In Zug, Switzerland, the TON Foundation (aka ONF and The Open Network Foundation) works to build support for Telegram’s blockchain, its Telegram-developed crypto currency, and its realigned management team. Will Swiss regulators take a more proactive approach to this interesting non-governmental organization?

Here’s a left-field idea: What if the Proton move is a dry-run for some Telegram-related action?

Whitney Grace, June 17, 2025

Telegram, a Stylish French Dog Collar, and Mom Saying, “Pavel Clean Up Your Room!”

June 4, 2025

Just a dinobaby operating without AI. What do you expect? A free newsletter and an old geezer. Do those statements sound like dorky detritus?

Pavel Durov has a problem with France. The country’s judiciary let him go back home after an eight month stay-cation. However, Mr. Durov is not the type of person to enjoy having a ring in his nose and a long strand of red tape connecting him to his new mom back in Paris. Pavel wants to live an Airbnb life, but he has to find a way to get his French mom to say, “Okay, Pavel, you can go out with your friends but you have to be home by 9 pm Paris time.” If he does not comply, Mr. Durov is learning that the French government can make life miserable: There’s the monitoring. There’s the red tape. There’s the reminder that France has some wonderful prison facilities in France, North Africa, and Guiana (like where’s that, Pavel?). But worst of all, Mr. Durov does not have his beloved freedom.

He learned this when he blew off a French request to block certain content from Telegram into Romania. For details, click here. What happened?

The first reminder was a jerk on his stylish French collar when the 40 year old was told, “Pavel, you cannot go to the US.” The write up “France Denies Telegram Founder Pavel Durov’s Request to Visit US” reported on May 22, 2025:

France has denied a request by Telegram founder Pavel Durov to travel to the United States for talks with investment funds, prosecutors…

For an advocate of “freedom,” Mr. Durov has just been told, “Pavel, go to your room.”

Mr. Durov, a young-at-heart 40 year old with oodles of loving children, wanted to travel from Dubai to Oslo, Norway. The reason was for Mr. Durov to travel to a conference about freedom. The French, those often viewed as people who certify chickens for quality, told Mr. Durov, “Pavel, you are grounded. Go back to your room and clean it up.”

Then another sharp pull and in public, causing the digital poodle to yelp. The Human Rights Foundation’s PR team published “French Courts Block Telegram Founder Pavel from Attending Oslo Freedom Forum.” That write up explained:

A French court has denied Telegram founder Pavel Durov’s request to travel to Norway in order to speak at the Oslo Freedom Forum on Tuesday, May 27. Durov had been invited to speak at the global gathering of activists, hosted annually by the Human Rights Foundation (HRF), on the topic of free speech, surveillance, and digital rights.

I interpret this decision by the French judiciary as making clear to Pavel Durov that he is not “free” and that he may be at risk of being sent to a summer camp in one of France’s salubrious facilities for those who don’t like to follow the rules. He is a French citizen, and I assume that he is learning that being allowed to leave France is not a get-out-of-jail free card. I would suggest that not even his brother, the fellow with two PhDs or his colleagues in his “core” engineering team can come up with what I call the “French problem.” My hunch is that these very intelligent people have considered that the French might expand their scope of interest to include the legal entities for Telegram and the “gee, it is not part of our operation” TON Foundation, its executives, and their ancillary business interests. The French did produce some nifty math about probabilities, and I have a hunch that the probability of the French judiciary fuzzifying the boundary between Pavel Durov and these other individuals is creeping up… quickly.

Pavel Durov is on a bureaucratic leash. The French judiciary have jerked Mr. Durov’s neck twice and quite publicly.

The question becomes, “What’s Mr. Durov going to do?” The fellow has a French collar with a leash connecting him to the savvy French judiciary.

Allow this dinobaby to offer several observations:

  1. He will talk with his lawyers Kaminski and learn that France’s legal and police system does indeed have an interest in high-quality chickens as well as a prime specimen like Pavel Durov. In short, that fowl will be watched, probed, and groomed. Mr. Durov is experiencing how those ducks, geese, and chickens on French farms live before the creatures find themselves in a pot after plucking and plucking forcefully.
  2. Mr. Durov will continue to tidy Telegram to the standards of cleanliness enforced at the French Foreign Legion training headquarters. He is making progress on the money laundering front. He is cleaning up pointers to adult and other interesting Telegram content which has had 13 years to plant roots and support a veritable forest of allegedly illegal products and services. More effort is likely to be needed. Did I mention that dog crates are used to punish trainees who don’t get the bed making and ironing up to snuff? The crates are located in front of the drill field to make it easy for fellow trainees to see who has created the extra duties for the squad. It can be warm near Marseille for dog crates exposed to the elements.
  3. The competition is beginning to become visible. The charming Mark Zuckerberg, the delightful Elon Musk, and the life-of-the-AI-party Sam Altman are accelerating their efforts to release an everything application with some Telegram “features.” One thing is certain, a Pavel Durov does not have the scope or “freedom” of operation he had before his fateful trip to Paris in August 2024. Innovation at Telegram seems to be confined to “gifts” and STARS. Exciting stuff as TONcoin disappoints.

Net net: Pavel Durov faces some headwinds, and these are not the gusts blasting up and down the narrow streets of Dubai, the US, or Norway. He has a big wind machine planted in front of his handsome visage and the blades are not rotating at full speed. Will France crank up the RPMs, Pavel? Do goose livers swell under certain conditions? Yep, a lot.

Stephen E Arnold, June 4, 2025

When Unicode Characters Masquerade as ASCII

June 4, 2025

Curl founder and lead developer Daniel Stenberg suggests methods for “Detecting Malicious Unicode.” The advice comes after human reviewers missed look-alike characters that had been swapped in for regular letters. We learn:

“In a recent educational trick, curl contributor James Fuller submitted a pull-request to the project in which he suggested a larger cleanup of a set of scripts. In a later presentation, he could show us how not a single human reviewer in the team nor any CI job had spotted or remarked on one of the changes he included: he replaced an ASCII letter with a Unicode alternative in a URL. This was an eye-opener to several of us and we decided we needed to up our game.”

Since such swaps cannot be detected by human eyeballs alone, special software is needed. Stenberg found GitHub’s abilities lacking, though apparently the organization is on the case. Fellow curl dev Victor Szakats found Gitea at least highlights “ambiguous Unicode characters,” but Stenberg wanted more than that. So he made a detection tool himself. He writes:

“We have implemented checks to help us poor humans spot things like this. To detect malicious Unicode. We have added a CI job that scans all files and validates every UTF-8 sequence in the git repository. In the curl git repository most files and most content are plain old ASCII so we can “easily” whitelist a small set of UTF-8 sequences and some specific files, the rest of the files are simply not allowed to use UTF-8 at all as they will then fail the CI job and turn up red. … The next time someone tries this stunt on us it could be someone with less good intentions, but now ideally our CI will tell us.”

Ideally. We think if these swaps are being identified by "researchers," cybersecurity vendors need to address the issue.
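To make the policy Stenberg describes concrete, here is an added example scanner (not curl’s own script; the code point and file allowlists are assumed values): every file must be valid UTF-8, anything outside ASCII is rejected unless the code point or the file is explicitly allowed, and each hit is labelled so a reviewer can see why a Cyrillic “а” in a URL or a zero-width space in an identifier was flagged. The sample “repository” at the bottom is constructed for the stand-alone run.

```python
"""Flag non-ASCII and invalid UTF-8 in a source tree, the way a CI job would."""
from __future__ import annotations

import sys
import unicodedata
from dataclasses import dataclass
from pathlib import Path

# Assumed policy values for this example, not curl's actual lists:
# a few typographic characters tolerated anywhere, and files exempt from the rule.
ALLOWED_CODEPOINTS = {0x00A9, 0x2018, 0x2019, 0x201C, 0x201D, 0x2026}
ALLOWED_FILES = {"docs/THANKS"}


@dataclass
class Finding:
    path: str
    line: int    # 1-based line; 0 when the file is not valid UTF-8 at all
    col: int     # 1-based column, or the byte offset for a decode failure
    char: str
    reason: str


def classify(ch: str) -> str:
    """Explain why a non-ASCII character deserves a reviewer's attention."""
    name = unicodedata.name(ch, "<unnamed>")
    cat = unicodedata.category(ch)
    label = f"{name} (U+{ord(ch):04X})"
    if cat in ("Cf", "Zs", "Zl", "Zp"):          # zero-width, bidi controls, odd spaces
        return f"invisible character {label}"
    if cat.startswith("L") and not name.startswith("LATIN"):
        return f"letter from non-Latin script {label}; may mimic an ASCII letter"
    return f"non-ASCII character {label}"


def scan_bytes(path: str, data: bytes) -> list[Finding]:
    """Validate UTF-8, then report every character outside the ASCII/allowlist policy."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [Finding(path, 0, exc.start, "",
                        f"invalid UTF-8 sequence at byte offset {exc.start}")]
    if path in ALLOWED_FILES:
        return []                     # file-level exemption: any valid UTF-8 is fine here
    findings = []
    # Split on "\n" only, so exotic line separators (U+2028, U+0085) are still reported.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp < 0x80 or cp in ALLOWED_CODEPOINTS:
                continue
            findings.append(Finding(path, lineno, col, ch, classify(ch)))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan every regular file under root (skipping .git), as the CI job would."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            findings.extend(scan_bytes(p.relative_to(root).as_posix(), p.read_bytes()))
    return findings


# Constructed sample repository (path -> raw bytes) for a stand-alone run.
SAMPLE_FILES = {
    # CYRILLIC SMALL LETTER A (U+0430) swapped for Latin "a" inside a URL
    "scripts/fetch.sh": "curl -O https://ex\u0430mple.com/release.tgz\n".encode("utf-8"),
    # zero-width space hidden inside an identifier
    "lib/url.c": "int parse_url\u200b(const char *s);\n".encode("utf-8"),
    # allowlisted typographic apostrophe: not reported
    "docs/FAQ": "curl\u2019s output\n".encode("utf-8"),
    # exempted file may hold any UTF-8
    "docs/THANKS": "Zo\u00eb M\u00fcller\n".encode("utf-8"),
    # truncated multi-byte sequence: not valid UTF-8
    "lib/bad.c": b"int x;\n\xe2\x82",
}


def scan_sample() -> list[Finding]:
    findings = []
    for path, data in SAMPLE_FILES.items():
        findings.extend(scan_bytes(path, data))
    return findings


def main(argv: list[str]) -> int:
    findings = scan_tree(Path(argv[1])) if len(argv) > 1 else scan_sample()
    for f in findings:
        print(f"{f.path}:{f.line}:{f.col}: {f.reason}")
    return 1 if findings else 0       # non-zero exit turns the CI job red


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a directory argument to scan a real checkout; without one it scans the constructed sample and exits non-zero because three of the five files violate the policy.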

Cynthia Murrell, June 4, 2025
