Good New and Bad News: Smart Software Is More Clever Than Humanoids

September 11, 2023

Vea4_thumb_thumb_thumb_thumb_thumb_thumb_thumb_thumbNote: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

After a quick trip to Europe, I will be giving a lecture about fake data. One of the case examples concerns the alleged shortcuts taken by Frank Financial in its efforts to obtain about $175 million from JPMorgan Chase. I like to think of JPMC as “the smartest guys in the room” when it comes to numbers related to money. I suppose wizards at Goldman or McKinsey would disagree. But the interesting swizzle on the JPMC story is that alleged fraudster was a graduate of Wharton.

That’s good news for getting an education in moral probity at a prestigious university.

9 11 computer beats human

A big, impressive university’s smart software beats smart students at Tic Tac Toe. Imagine what these wizards will be able to accomplish when smart software innovates and assists the students with financial fancy dancing. Thanks, Mother MJ. Deep on the gradient descent, please.

Flash forward to the Murdoch real news story “M.B.A. Students vs. ChatGPT: Who Comes Up With More Innovative Ideas?” [The Rupert toll booth is operating.] The main idea of the write up is that humanoid Wharton students were less “creative,” “innovative,” and “inventive” than smart software. What’s this say for the future of financial fraud. Mere humanoids like those now in the spotlight at the Southern District of New York show may become more formidable with the assistance of smart software. The humanoids were caught, granted it took JPMC a few months after the $175 million check was cashed, but JPMC did figure it out via a marketing text.

Imagine. Wharton grads with smart software. How great will that be for the targets of financial friskiness? Let’s hope JPMC gets its own cyber fraud detecting software working. In late 2022, the “smartest guys in the room” were not smart enough to spot synthetic and faked data. Will smart software be able to spot smart software scams?

That’s the bad new. No.

Stephen E Arnold, September 11, 2023

Why Encrypted Messaging Is Getting Love from Bad Actors

August 17, 2023

Vea4_thumb_thumb_thumb_thumb_thumb_tNote: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

The easier it is to break the law or circumvent regulations, the more people will give into their darker nature. Yes, this is another of Arnold’s Laws of Online along with online data flows erode ethical behavior. I suppose the two “laws” go together like Corvettes and fuel stops, tattoos and body art, or Barbie and Ken dolls.

Banks Hit with $549 Million in Fines for Use of Signal, WhatsApp to Evade Regulators’ Reach” explains a behavior I noticed when I was doing projects for a hoop-de-do big time US financial institution.

Let’s jump back in time to 2005: I arrived for a meeting with the bank lugging my lecture equipment. As I recall, I had a couple of laptops, my person LCD projector, a covey of connectors, and a couple of burner phones and SIMs from France and the UK.

8 9 banker and mobiles

“What are you looking at?” queries the young financial analyst on the sell side. I had interrupted a young, whip-smart banker who was organizing her off-monitoring client calls. I think she was deciding which burner phone and pay-as-you-go SIM to use to pass a tip about a major financial deal to a whale. Thanks, MidJourney. It only took three times for your smart software to show mobile phones. Outstanding C minus work. Does this MBA CFA look innocent to you? She does to me. Doesn’t every banker have multiple mobile phones?

One bright bank type asked upon entering the meeting room as I was stowing and inventorying my gear after a delightful taxi ride from the equally thrilling New York Hilton, “Why do you have so many mobile phones?” I explained that I used the burners in my talks about cyber crime. The intelligent young person asked, “How do you connect them?” I replied, “When I travel, I buy SIMs in other countries. I also purchase them if I see a US outfit offering a pay-as-you-go SIM.” She did not ask how I masked my identity when acquiring SIMs, and I did not provide any details like throwing the phone away after one use.

Flash forward two months. This time it was a different conference room. My client had his assistant and the bright young thing popped into the meeting. She smiled and said, “I have been experimenting with the SIMs and a phone I purchased on Lexington Avenue from a phone repair shop.”

“What did you learn?” I asked.

She replied, “I can do regular calls on the mobile the bank provides. But I can do side calls on this other phone.”

I asked, “Do you call clients on the regular phone or the other phone?”

She said, “I use the special phone for special clients.”

Remember this was late 2005.

The article dated August 8, 2023, appeared 18 years after my learning how quickly bright young things can suck in an item of information and apply it to transferring information supposedly regulated by a US government agency. That’s when I decided my Arnold Law about people breaking the law when it is really easy one of my go-to sayings.

The write up stated:

U.S. regulators on Tuesday announced a combined $549 million in penalties against Wells Fargo and a raft of smaller or non-U.S. firms that failed to maintain electronic records of employee communications. The Securities and Exchange Commission disclosed charges and $289 million in fines against 11 firms for “widespread and longstanding failures” in record-keeping, while the Commodity Futures Trading Commission also said it fined four banks a total of $260 million for failing to maintain records required by the agency.

How long has a closely regulated sector like banking been “regulated”? A long time.

I want to mention that I have been talking about getting around regulations which require communication monitoring for a long time. In fact, in October 2023, at the Massachusetts / New York Association of Crime Analysts conference. In my keynote, I will update my remarks about Telegram and its expanding role in cyber and regular crime. I will also point out how these encrypted messaging apps have breathed new, more secure life into certain criminal activities. We have an organic ecosystem of online-facilitated crime, crime that is global, not a local stick up at a convenient store at 3 am on a rainy Thursday morning.

What does this news story say about regulatory action? What does it make clear about behavior in financial services firms?

I, of course, have no idea. Just like some of the regulatory officers at financial institutions and some regulatory agencies.

Stephen E Arnold, August 17, 2023

Microsoft and Russia: A Convenient Excuse?

August 14, 2023

Vea4_thumb_thumb_thumb_thumb_thumb_tNote: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

In the Solarwinds’ vortex, the explanation of 1,000 Russia hackers illuminated a security with the heat of a burning EV with lithium batteries. Now Russian hackers have again created a problem. Are these Russians  cut from the same cloth as the folks who have turned a special operation into a noir Laurel & Hardy comedy routine?

Russia-Linked Hackers Behind Recent Wave of Microsoft Teams Phishing Attacks: Microsoft” reports:
In late May, the hacker team began its attempts to steal login credentials by engaging

users in Microsoft Teams chatrooms, pretending to be from technical support. In a blog post [August 2, 2023], Microsoft researchers called the campaign a “highly targeted social engineering attack” by a Russia-based hacking team dubbed Midnight Blizzard. The hacking group, which was previously tracked as Nobelium, has been attributed by the U.S. and UK governments as part of the Foreign Intelligence Service of the Russian Federation.

Isn’t this the Russia producing planners who stalled a column of tanks in its alleged lightning strike on the capital of Ukraine? I think this is the country now creating problems for Microsoft. Imagine that.

The write up continues:

For now, the fake domains and accounts have been neutralized, the researchers said. “Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack,” Microsoft said. The company also put forth a list of recommended precautions to reduce the risk of future attacks, including educating users about “social engineering” attacks.

Let me get this straight. Microsoft deployed software with issues. Those issues were fixed after the Russians attacked. The fix, if I understand the statement, is for customers/users to take “precautions” which include teaching obviously stupid customers/users how to be smart. I am probably off base, but it seems to me that Microsoft deployed something that was exploitable. Then after the problem became obvious, Microsoft engineered an alleged “repair.” Now Microsoft wants others to up their game.

Several observations:

  1. Why not cut and paste the statements from Microsoft’s response to the SolarWinds’ missteps. Why write the same old stuff and recycle the tiresome assertion about Russia? ChatGPT could probably help out Microsoft’s PR team.
  2. The bad actors target Microsoft because it is a big, overblown system/products with security that whips some people into a frenzy of excitement.
  3. Customers and users are not going to change their behaviors even with a new training program. The system must be engineered to work in the environment of the real-life users.

Net net: The security problem can be identified when Microsofties look in a mirror. Perhaps Microsoft should train its engineers to deliver security systems and products?

Stephen E Arnold, August 14, 2023

One More Reason to Love Twitter: Fake People and Malware Injection.

June 22, 2023

Vea4_thumb_thumb_thumb_thumb_thumb_t[1]Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

With regulators beginning to wake up to the threats, risks, and effects of online information, I enjoyed reading “Fake Zero-Day PoC Exploits on GitHub Push Windows, Linux Malware.” The write up points out:

Hackers are impersonating cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware. These malicious exploits are promoted by alleged researchers at a fake cybersecurity company named ‘High Sierra Cyber Security,’ who promote the GitHub repositories on Twitter, likely to target cybersecurity researchers and firms involved in vulnerability research.


The tweeter thing is visualized by that nifty art generator Dezgo. I think the smart software captures the essence of the tweeter’s essence.

I noted that the target appears to be cyber security “experts”. Does this raise questions in your mind about the acuity of some of those who fell for the threat intelligence? I have to admit. I was not surprised. Not in the least.

The article includes illustrations of the “Python downloader.”

I want to mention that this is just one type of OSINT blindspot causing some “experts” to find themselves on the wrong end of a Tesla-like or Waymo-type self-driving vehicle. I know I would not stand in front of one. Similarly, I would not read about an “exploit” on Twitter, click on links, or download code.

But that’s just me, a 78 year old dinobaby. But a 30 something cyber whiz? That’s something that makes news.

Stephen E Arnold, June 22, 2023

Newsflash: Common Sense Illuminates Friendly Fish for Phishers

June 16, 2023

Vea4_thumb_thumb_thumb_thumb_thumb_t[1]Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

Here’s a quick insider threat and phishing victim test: [a] Are you really friendly, fraternity or sorority social officer gregarious humanoid? [b] Are you a person who says “Yes” to almost any suggestion a friend or stranger makes to you? [c] Are you curious about emails offering big bucks, free prizes, or great deals on avocado slicers?

If you resonated with a, b, or c, researchers have some news for you.

Younger, More Extroverted, and More Agreeable Individuals Are More Vulnerable to Email Phishing Scams” reports:

… the older you are, the less susceptible you are to phishing scams. In addition, highly extroverted and agreeable people are more susceptible to this style of cyber attack. This research holds the potential to provide valuable guidance for future cybersecurity training, considering the specific knowledge and skills required to address age and personality differences.

The research summary continues:

The results of the current study support the idea that people with poor self-control and impulsive tendencies are more likely to misclassify phishing emails as legitimate. Interestingly, impulsive individuals also tend to be less confident in their classifications, suggesting they are somewhat aware of their vulnerability.

It is good to be an old, irascible, skeptical dinobaby after all.

Stephen E Arnold, June 16, 2023

Is This for Interns, Contractors, and Others Whom You Trust?

June 14, 2023

Vea4_thumb_thumb_thumb_thumb_thumb_t[1]_thumb_thumbNote: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

Not too far from where my office is located, an esteemed health care institution is in its second month of a slight glitch. The word in Harrod’s Creek is that security methods at use at a major hospital were — how shall I frame this — a bit like the 2022-2023 University of Kentucky’s’ basketball team’s defense. In Harrod’s Creek lingo, this statement would translate to standard English as “them ‘Cats did truly suck.”

6 12 temp worker

A young temporary worker looks at her boss. She says, “Yes, I plugged a USB drive into this computer because I need to move your PowerPoint to a different machine to complete the presentation.” The boss says, “Okay, you can use the desktop in my office. I have to go to a cyber security meeting. See you after lunch. Text me if you need a password to something.” The illustration for this hypothetical conversation emerged from the fountain of innovation known as MidJourney.

The chatter about assorted Federal agencies’ cyber personnel meeting with the institution’s own cyber experts are flitting around. When multiple Federal entities park their unobtrusive and sometimes large black SUVs close to the main entrance, someone is likely to notice.

This short blog post, however, is not about the lame duck cyber security at the health care facility. (I would add an anecdote about an experience I had in 2022. I showed up for a check up at a unit of the health care facility. Upon arriving, I pronounced my date of birth and my name. The professional on duty said, “We have an appointment for your wife and we have her medical records.” Well, that was a trivial administrative error: Wrong patient, confidential information shipped to another facility, and zero idea how that could happen. I made the appointment myself and provided the required information. That’s a great computer systems and super duper security in my book.)

The question at hand, however, is: “How can a profitable, marketing oriented, big time in their mind health care outfit, suffer a catastrophic security breach?”

I shall point you to one possible pathway: Temporary workers, interns, and contractors. I will not mention other types of insiders.

Please, point your browser to and read about the USB Rubber Ducky. With a starting price of $80US, this USB stick has some functions which can accomplish some interesting actions. The marketing collateral explains:

Computers trust humans. Humans use keyboards. Hence the universal spec — HID, or Human Interface Device. A keyboard presents itself as a HID, and in turn it’s inherently trusted as human by the computer. The USB Rubber Ducky — which looks like an innocent flash drive to humans — abuses this trust to deliver powerful payloads, injecting keystrokes at superhuman speeds.

With the USB Rubby Ducky, one can:

  • Install backdoors
  • Covertly exfiltrate documents
  • Capture credential
  • Execute compound actions.

Plus, if there is a USB port, the Rubber Ducky will work.

I mention this device because it may not too difficult for a bad actor to find ways into certain types of super duper cyber secure networks. Plus temporary workers and even interns welcome a coffee in an organization’s cafeteria or a nearby coffee shop. Kick in a donut and a smile and someone may plug the drive in for free!

Stephen E Arnold, June 14, 2023

Microsoft: Just a Minor Thing

June 6, 2023

Vea4_thumb_thumb_thumb_thumb_thumb_t[1]_thumbNote: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

Several years ago, I was asked to be a technical advisor to a UK group focused on improper actions directed toward children. Since then, I have paid some attention to the information about young people that some online services collect. One of the more troubling facets of improper actions intended to compromise the privacy, security, and possibly the safety of minors is the role data aggregators play. Whether gathering information from “harmless” apps favored by young people to surreptitious collection and cross correlation of young users’ online travels, these often surreptitious actions of people and their systems trouble me.

The “anything goes” approach of some organizations is often masked by public statements and the use of words like “trust” when explaining how information “hoovering” operations are set up, implemented, and used to generate revenue or other outcomes. I am not comfortable identifying some of these, however.

6 6 good deal

A regulator and a big company representative talking about a satisfactory resolution to the regrettable collection of kiddie data. Both appear to be satisfied with another job well done. The image was generated by the MidJourney smart software.

Instead, let me direct your attention to the BBC report “Microsoft to Pay $20m for Child Privacy Violations.” The write up states as “real news”:
Microsoft will pay $20m (£16m) to US federal regulators after it was found to have illegally collected

data on children who had started Xbox accounts.

The write up states:

From 2015 to 2020 Microsoft retained data “sometimes for years” from the account set up, even when a parent failed to complete the process …The company also failed to inform parents about all the data it was collecting, including the user’s profile picture and that data was being distributed to third parties.

Will the leader in smart software and clever marketing have an explanation? Of course. That’s what advisory firms and lawyers help their clients deliver; for example:

“Regrettably, we did not meet customer expectations and are committed to complying with the order to continue improving upon our safety measures,” Microsoft’s Dave McCarthy, CVP of Xbox Player Services, wrote in an Xbox blog post. “We believe that we can and should do more, and we’ll remain steadfast in our commitment to safety, privacy, and security for our community.”

Sounds good.

From my point of view, something is out of alignment. Perhaps it is my old-fashioned idea that young people’s online activities require a more thoughtful approach by large companies, data aggregators, and click capturing systems. The thought, it seems, is directed at finding ways to take advantage of weak regulation, inattentive parents and guardians, and often-uninformed young people.

Like other ethical black holes in certain organizations, surfing for fun or money on children seems inappropriate. Does $20 million have an impact on a giant company? Nope. The ethical and moral foundation of decision making is enabling these data collection activities. And $20 million causes little or no pain. Therefore, why not continue these practices and do a better job of keeping the procedures secret?

Pragmatism is the name of the game it seems. And kiddie data? Fair game to some adrift in an ethical swamp. Just a minor thing.

Stephen E Arnold, June 6, 2023

Need a Guide to Destroying Social Cohesion: Chinese Academics Have One for You

May 25, 2023

Vea4_thumb_thumb_thumb_thumb_thumb_t[1]Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

The TikTok service is one that has kicked the Google in its sensitive bits. The “algorithm” befuddles both European and US “me too” innovators. The ability of short, crunchy videos has caused restaurant chefs to craft food for TikTok influencers who record meals. Chefs!

What other magical powers can a service like TikTok have? That’s a good question, and it is one that the Chinese academics have answered. Navigate to “Weak Ties Strengthen Anger Contagion in Social Media.” The main idea of the research is to validate a simple assertion: Can social media (think TikTok, for example) take a flame thrower to social ties? The answer is, “Sure can.” Will a social structure catch fire and collapse? “Sure can.”

5 19 social structure on fire

A frail structure is set on fire by a stream of social media consumed by a teen working in his parents’ garden shed. MidJourney would not accept the query a person using a laptop setting his friends’ homes on fire. Thanks, Aunt MidJourney.

The write up states:

Increasing evidence suggests that, similar to face-to-face communications, human emotions also spread in online social media.

Okay, a post or TikTok video sparks emotion.

So what?

…we find that anger travels easily along weaker ties than joy, meaning that it can infiltrate different communities and break free of local traps because strangers share such content more often. Through a simple diffusion model, we reveal that weaker ties speed up anger by applying both propagation velocity and coverage metrics.

The authors note:

…we offer solid evidence that anger spreads faster and wider than joy in social media because it disseminates preferentially through weak ties. Our findings shed light on both personal anger management and in understanding collective behavior.

I wonder if any psychological operations professionals in China or another country with a desire to reduce the efficacy of the American democratic “experiment” will find the research interesting?

Stephen  E Arnold, May 25, 2023

Those Mobile Phones Are Something, Are They Not?

May 23, 2023

Vea4_thumb_thumb_thumb_thumb_thumb_tNote: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

Apple, Google, Samsung, and a covey of Chinese mobile phone innovators have improved modern life. Imagine. People have a phone. No sharing  one telephone in a fraternity house, a cheap flat, or at an airport, just call, text, vlog, or swipe.

Are their downsides? For a quarter century the American Psychological Association was not sure. Now an outfit called Sapien Labs provides additional information about mobile phone usage.

For me, there were several highlights in the article “Kids Who Get Smartphones Earlier Become Adults With Worse Mental Health.”

First, the idea that young people who tap, swipe, and suck down digital information are unlikely to emulate Jonathan Edwards, Mother Teresa, or the ambiguous St. Thomas of Aquinas. The article states:

the younger the age of getting the first smartphone, the worse the mental health that the young adult reports today.

Obvious to some, but a scientific study adds more credence to the parent who says no to a child’s demand for a mobile phone or tablet.

Second, women (females) are more affected by the mobile phone. The study points out six categories of impact. Please, consult the article and the full study for the academic details. Again. No big surprise, but I wouldn’t ignore the fact that in some male cohorts, suicides are increasing. Regardless of gender, mobile phones appear to nudge some into wackiness or the ultimate solution to having friends make fun of one’s sneakers.

Third, I was surprised to learn that some young people get phones when they are five years old. I have seen very young children poking at an iPad in a restaurant or playing games on the parental unit’s mobile phones in an airport. I did not know the child had a phone to call his own. Good marketing by Apple, Google, Samsung, and Chinese outfits!

The study identifies a number of implications. Again, I am okay with those identified, but the cyber crime crowd was not discussed. My own perception is that mobile devices are the catalyst for a wide range of cyber crime. Once again, the unintended consequences of a mobile device have the capacity to enable some societal modifications that may be impossible to remediate.

Again: Nice work!

Stephen E Arnold, May 23, 2023

Is It Lights Out on the Information Superhighway?

April 26, 2023

Vea4_thumb_thumb_thumbNote: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.

We just completed a lecture about the shadow web. This is our way of describing a number of technologies specifically designed to prevent law enforcement, tax authorities, and other entities charged with enforcing applicable laws in the dark.

Among the tools available are roulette services. These can be applied to domain proxies so it is very difficult to figure out where a particular service is at a particular point in time. Tor has uttered noises about supporting the Mullvad browser and baking in a virtual private network. But there are other VPNs available, and one of the largest infrastructure service providers is under what appears to be “new” ownership. Change may create a problem for some enforcement entities. Other developers work overtime to provide services primarily to those who want to deploy what we call “traditional Dark Web sites.” Some of these obfuscation software components are available on Microsoft’s GitHub.

I want to point to “Global Law Enforcement Coalition Urges Tech Companies to Rethink Encryption Plans That Put Children in Danger from Online Abusers.” The main idea behind the joint statement (the one to which I point is from the UK’s National Crime Agency) is:

The announced implementation of E2EE on META platforms Instagram and Facebook is an example of a purposeful design choice that degrades safety systems and weakens the ability to keep child users safe. META is currently the leading reporter of detected child sexual abuse to NCMEC. The VGT has not yet seen any indication from META that any new safety systems implemented post-E2EE will effectively match or improve their current detection methods.

From my point of view, a questionable “player” has an opportunity to make it possible to enforce laws related to human trafficking, child safety, and related crimes like child pornography. The “player” seems interested in implementing encryption that would make government enforcement more difficult, if not impossible in some circumstances.

The actions of this “player” illustrate what’s part of a fundamental change in the Internet. What was underground is now moving above ground. The implementation of encryption in messaging applications is a big step toward making the “regular” Internet or what some called the Clear Web into a new version of the Dark Web. Not surprisingly, the Dark Web will not go away, but why develop Dark Web sites when Clear Web services provide communications, secrecy, the ability to transmit images and videos, and perform financial transactions related to these data. Thus the Clear Web is falling into the shadows.

My team and I are not pleased with ignoring appropriate and what we call “ethical” behavior with specific actions to increase risks to average Internet users. In fact, some of the “player’s actions” are specifically designed to make the player’s service more desirable to a market segment once largely focused on the Dark Web.

More than suggestions are needed in my opinion. Direct action is required.

Stephen E Arnold, April 26, 2023

Next Page »

  • Archives

  • Recent Posts

  • Meta