Think You Know Which Gen Z Is What?

June 7, 2024

This essay is the work of a dinobaby. Unlike some folks, no smart software improved my native ineptness.

I had to look this up. A Gen Z was born when? A Gen Z was born between 1981 and 1996. In 2024, a person aged 28 to 43 is, therefore, a Gen Z. Who knew? The definition is important. I read “Shocking Survey: Nearly Half of Gen Z Live a Double Life Online.” What do you know? A nice suburb, lots of Gen Zs, and half of these folks are living another life online. Go to one of those hip new churches with kick-back names, and half of the Gen Zs with heads bowed in prayer are living a double life. For whom do those folks pray? Hit the golf club and look at the polo shirt clad, self-satisfied 28 to 43 year olds. Which self is which? The chat room Dark Web person or the happy golfer enjoying the 19th hole?


Someone who is older is jumping to conclusions. Those vans probably contain office supplies, toxic waste, or surplus government equipment. No one would take Gen Zs out of the flow, would they? Thanks, MSFT. Do you have Gen Zs working on your superlative security systems?

The write up reports:

A survey of 2,000 Americans, split evenly by generation, found that 46% of Gen Z respondents feel their personality online vastly differs from how they present themselves in the real world.

Only eight percent of the baby boomers are different online. News flash: If you ever meet me, I am the same person writing these blog posts. As an 80-year-old dinobaby, I don’t need another persona to baffle the brats in the social media sewer. I just avoid the sewer and remain true to my ageing self.

The write up also provides this glimpse into the hearts and souls of those 28 to 43:

Specifically, 31% of Gen Z respondents admitted their online world is a secret from family

That’s good. These Gen Zs can keep a secret. But why? What are they trying to hide from their family, friends, and co-workers? I can guess but won’t.

If you work with a Gen Z, here’s an allegedly valid factoid from the survey:

53% of Gen Zers said it’s easier to express themselves online than offline.

Want another? Too bad. Here’s a winner insight:

68 percent of Gen Zs sometimes feel a disconnect between who they are online and offline.

I think I took a psychology class when I was a freshman in college. I recall learning about a mental disorder with inconsistent or contradictory elements. Are Gen Zs schizophrenic? That’s probably the wrong term, but I think I am heading in the right direction. Mental disorder signals flashing. Just the Gen Z I want to avoid if possible.

One aspect of the write up in the article is the question of who paid the bill to obtain data from 2,000 people; the “author” — maybe human, maybe AI, maybe Gen X with a grudge, who knows? — offers some explanation. Okay, who paid the bill? Answer: Lenovo. What company conducted the study? Answer: OnePoll. (I never heard of the outfit, and I am too much of a dinobaby to care much.)

Net net: The Gen Zs seem to be a prime source of persons of interest for those investigating certain types of online crime. There you go.

Stephen E Arnold, June 6, 2024

Telegram May Play a Larger Role In Future Of War And Education

June 4, 2024


Telegram is an essential tool for the future of crime. The Dark Web is still a hotbed of criminal activity, but as authorities crack down on it, the bad actors need somewhere else to go. Stephen Arnold, Erik Arnold, et al. wrote a white paper titled E2EE: The Telegram Platform about how Telegram is replacing the Dark Web. Telegram is a Dubai-based company with nefarious ties to Russia. The app offers data transfer for streaming audio and video, robust functions, and administrative tools. It’s being used for everything from stealing people’s personal information to serving as an anti-US information platform.

The white paper details how Telegram is used to steal credit, gift, debit, and other card information. The process is called “carding,” and a simple Google search reveals where stolen card information can be bought. The team specifically investigated Altenens.is, a paywalled website for buying stolen information. It has been removed from the Internet only to reappear again.

Altenens.is hosts forums, a chat, and places to advertise products and services related to the website’s theme. Users are required to download and register with Telegram, because it offers encryption services for financial transactions. Altenen.is is only one of the main ways Telegram is used for bad acts:

“The Telegram service today is multi-faceted. One can argue that Telegram is a next-generation social network. Plus, it is a file transfer and rich media distribution service too. A bad actor can collect money from another Telegram user and then stream data or a video to an individual or a group. In the Altenen case example, the buyer of stolen credit cards gets a file with some carding data and the malware payload. The transaction takes place within Telegram. Its lax or hit-and-miss moderation method allows alleged illegal activity on the platform. ”

Telegram is becoming more advanced, with its own cryptocurrency and the ability to mask activity and avoid third-party monitors. It’s used as a tool for war propaganda, but it’s also used to evade authoritarian governments that want to control information. It’s interesting and warrants monitoring. If you work in an enforcement agency or a unit of the US government, you can request a copy of the white paper by writing benkent2020 @ yahoo dot com. Please mention Beyond Search in your request. We do need to know your organization and area of interest.

Whitney Grace, June 4, 2024

Encryption Battles Continue

June 4, 2024


Privacy protections are great—unless you are law-enforcement attempting to trace a bad actor. India has tried to make it easier to enforce its laws by forcing messaging apps to track each message back to its source. That is challenging for a platform with encryption baked in, as Rest of World reports in, “WhatsApp Gives India an Ultimatum on Encryption.” Writer Russell Brandom tells us:

“IT rules passed by India in 2021 require services like WhatsApp to maintain ‘traceability’ for all messages, allowing authorities to follow forwarded messages to the ‘first originator’ of the text. In a Delhi High Court proceeding last Thursday, WhatsApp said it would be forced to leave the country if the court required traceability, as doing so would mean breaking end-to-end encryption. It’s a common stance for encrypted chat services generally, and WhatsApp has made this threat before — most notably in a protracted legal fight in Brazil that resulted in intermittent bans. But as the Indian government expands its powers over online speech, the threat of a full-scale ban is closer than it’s been in years.”

And that could be a problem for a lot of people. We also learn:

“WhatsApp is used by more than half a billion people in India — not just as a chat app, but as a doctor’s office, a campaigning tool, and the backbone of countless small businesses and service jobs. There’s no clear competitor to fill its shoes, so if the app is shut down in India, much of the digital infrastructure of the nation would simply disappear. Being forced out of the country would be bad for WhatsApp, but it would be disastrous for everyday Indians.”

Yes, that sounds bad. For the Electronic Frontier Foundation, it gets worse: The civil liberties organization insists the regulation would violate privacy and free expression for all users, not just suspected criminals.

To be fair, WhatsApp has done a few things to limit harmful content. It has placed limits on message forwarding and has boosted its spam and disinformation reporting systems. Still, there is only so much it can do when enforcement relies on user reports. To do more would require violating the platform’s hallmark: its end-to-end encryption. Even if WhatsApp wins this round, Brandom notes, the issue is likely to come up again when and if the Bharatiya Janata Party does well in the current elections.

Cynthia Murrell, June 4, 2024

Telegram: No Longer Just Mailing It In

May 29, 2024


Allegedly about 900 million people “use” Telegram. More are going to learn about the platform as the company comes under more European Union scrutiny, kicks the tires on next-generation obfuscation technology, and becomes a best friend of Microsoft… for now. “Telegram Gets an In-App Copilot Bot” reports:

Microsoft has added an official Copilot bot within the messaging app Telegram, which lets users search, ask questions, and converse with the AI chatbot. Copilot for Telegram is currently in beta but is free for Telegram users on mobile or desktop. People can chat with Copilot for Telegram like a regular conversation on the messaging app. Copilot for Telegram is an official Microsoft bot (make sure it’s the one with the checkmark and the username @CopilotOfficialBot).

You can “try it now.” Just navigate to Microsoft “Copilot for Telegram.” At this location, you can:

Meet your new everyday AI companion: Copilot, powered by GPT, now on Telegram. Engage in seamless conversations, access information, and enjoy a smarter chat experience, all within Telegram.


A dinobaby lecturer explains the Telegram APIs and its bot function for automating certain operations within the Telegram platform. Some in the class are looking at TikTok, scrolling Instagram, or reading about a breakthrough in counting large numbers of objects using a unique numerical recipe. But Telegram? WhatsApp and Signal are where the action is, right? Thanks, MSFT Copilot. You are into security and now Telegram. Keep your focus, please.

Next week, I will deliver a talk about Telegram and some related information about obfuscated messaging at the TechnoSecurity & Digital Forensics Conference. I no longer do too many lectures because I am an 80 year old dinobaby, and I hate flying and standing around talking to people 50 years younger than I. However, my team’s research into end-to-end encrypted messaging yielded some interesting findings. At the 2024 US National Cyber Crime Conference about 260 investigators listened to my 75 minute talk, and a number of them said, “We did not know that.” I will also do a Telegram-centric lecture at another US government event in September. But in this short post, I want to cover what the “deal” with Microsoft suggests.

Let’s get to it.

Telegram operates out of Dubai. The distributed team of engineers has been adding features and functions to what began as a messaging app in Russia. The “legend” of Telegram is an interesting story, but I remain skeptical about the company, its links with a certain country, and the direction in which the firm is headed. If you are not familiar with the service, it has morphed into a platform with numerous interesting capabilities. For some actors, Telegram can replace, and has replaced, the Dark Web. Examples include contraband, “personal” services, and streaming video to thousands of people. Some Telegram users pay to get “special” programs. (Please, use your imagination.) Note: Messages on Telegram are not end-to-end encrypted by default, as they are on some other E2EE messaging applications.

Why is Telegram undergoing this shift from humble messaging app to a platform? Our research suggests that there are three reasons. I want to point out that Pavel Durov does not have a public profile on the scale of a luminary like Elon Musk or Sam AI-Man, but he is out and about. He conducted an “exclusive” and possibly red-herring discussion with Tucker Carlson in April 2024. After the interview, Mr. Pavlov took direct action to block certain message flows from Ukraine into Russia. That may be one reason: Telegram is actively steering information about Ukraine’s view of Mr. Putin’s special operation. Yep, freedom.

Are there others? Let me highlight three:

  1. Mr. Pavlov and his brother, who allegedly has the smarts of a person with two PhDs, see an opportunity to make money. The Pavlovs, however, are not hurting for cash.
  2. American messaging apps have been fat and lazy. Mr. Pavlov is an innovator, and he wants to make darned sure that he runs rings around Signal, WhatsApp, and a number of other outfits. Ego? My team thinks that is part of Mr. Pavlov’s motivation.
  3. Telegram is expanding because it may not be an independent, free-wheeling outfit. Several on my team think that Mr. Pavlov answers to a higher authority. Is that authority aligned with the US? Probably not.

Now the Microsoft deal?

Several questions may get your synapses in gear:

  1. Where are the data flowing through Telegram located / stored geographically? The service can regenerate some useful information for a user with a new device.
  2. Why tout freedom and free speech in April 2024 and several weeks later apply restrictions on data flow? Does this suggest a capability to monitor by user, by content type, and by other metadata?
  3. Why is Telegram exploring additional network enhancements? My team thinks that Mr. Pavlov has some innovations in obfuscation planned. If the company does implement certain technologies freely disclosed in US patents, what will that mean for analysts and investigators?
  4. Why a tie up with Microsoft? Whose idea was this? Who benefits from the metadata? What happens if Telegram has some clever ideas about smart software and the Telegram bot function?

Net net: Not too many people in Europe’s regulatory entities have paid much attention to Telegram. The entities of interest have been bigger fish. Now Telegram is growing faster than a Chernobyl boar stuffed on radioactive mushrooms. The EU is recalibrating for Telegram at this time. In the US, the “I did not know” reaction provides some insight into general knowledge about Telegram’s more interesting functions. Think pay-to-view streaming video about certain controversial subjects. Free storage and data transfer are provided by Telegram, a company which does not embrace the Netflix approach to entertainment. Telegram is, as I explain in my lectures, interesting, very interesting.

Stephen E Arnold, May 29, 2024

Facebook Scams: A Warning or a Tutorial?

May 27, 2024


This headline caught my attention: “Facebook Marketplace’s Dirty Dozen: The 15 Most Common Scams and How to Avoid Them.” I had hopes of learning about new, clever, wonderfully devious ways to commit fraud and other larcenous acts. Was I surprised? Here’s a list of the “15 most common scams.” I want to point out that there is scant support (a nice way of saying “No back up data”) for the assertions. (I have a hunch that this “helpful” write up was assisted with some sort of software, possibly dumb software.) Let’s look at the list of the dozen’s 15 scams:

  1. Defective or counterfeit gadgets. Fix: Inspection required
  2. Bait-and-switch. Fix: Don’t engage in interaction
  3. Fake payment receipts. Fix: What? I don’t understand
  4. Mouth-watering giveaways. Fix: Ignore
  5. Overpayment by a buyer. Fix: What? I don’t understand
  6. Moving conversations out of Facebook. Fix: Don’t have them.
  7. Fake rental posting. Fix: Ignore
  8. Advance payment requests. Fix: Ignore
  9. Asking for confirmation codes. Fix: Ignore
  10. Asking for car deposits. Fix: Say, “No”
  11. Requesting unnecessary charges. Fix: Ignore
  12. Mailing items. Fix: Say, “No”
  13. Fake claims of lost packages. Fix: What?
  14. Counterfeit money. Fix: What?
  15. Clicking a link to fill out more information. Fix: Don’t

My concern with this list is that it does not protect the buyer. If anything, it provides a checklist of tactics for a would-be bad actor. The social engineering aspect of fraud is often more important than the tactic. In the “emotional” moment, a would-be buyer can fall for the most obvious scam; for example, trusting the seller because the request for a deposit seems reasonable or buying something else from the seller.


Trying to help? The customer or the scammer? You decide. Thanks, MSFT Copilot. Good cartoon. In your wheelhouse, is it?

What does one do to avoid Facebook scams? Here’s the answer:

Fraudsters can exploit you on online marketplaces if you’re not careful; it is easy not to be aware of a scam if you’re not as familiar. You can learn to spot common Facebook Marketplace scams to ensure you have a safe shopping experience. Remember that scams can happen between buyers and sellers, so always be wary of the transaction practices before committing. Otherwise, consider other methods like ordering from Amazon or becoming a third-party vendor on a trusted platform.

Yep, Amazon. On the other hand, you can avoid scams by becoming a “third-party vendor on a trusted platform.” Really?

The problem with this write up is that the information mixes up what sellers do with what buyers do. Stepping back, why is Facebook singled out for this mish mash of scams and tactics? After all, in a face-to-face deal, who pays with counterfeit cash? It is the buyer. Who is the victim? It is the seller. Who rents an apartment without looking at it? Answer: Someone in Manhattan. In other cities, alternatives to Facebook exist, and they are not available via Amazon as far as I know.

Facebook and other online vendors have to step up their game. The idea that the platform does not have responsibility to vet buyers and sellers is not something I find acceptable. Facebook seems pleased with its current operation. Perhaps it is time for more directed action to [a] address Facebook’s policies and [b] bring more rigor to write ups which seem to provide ideas for scammers in my opinion.

Stephen E Arnold, May 27, 2024

Legal Eagles Get Some Tail Feathers Plucked about BitTorrent

May 27, 2024


One Finnish law firm thinks it should be able to cut one party out of the copyright enforcement process—the rightsholders themselves. The court disagrees. TorrentFreak reports, “Court Rejects Law Firm’s Bid to Directly Obtain BitTorrent Users’ Identities.” Writer Andy Maxwell explains:

“Requirements vary from region to region but when certain conditions are met, few courts deny genuine copyright holders the ability to enforce their rights under relevant law. One of the most fundamental requirements is that the entity making the claim has the necessary rights to do so. … In an application submitted to Finland’s Market Court on March 15, 2024, the law firm Hedman Partners Oy sought a court order to compel an unnamed internet service provider to provide the personal details of an unspecified number of subscribers. According to Hedman’s application, all are suspected of sharing copyrighted movies via BitTorrent, without first obtaining permission from two Danish rightsholders; Mis. Label ApS and Scanbox Entertainment A/S. Hedman Partners are well known for their work in the piracy settlement business in Scandinavia. The company fully understands the standards required before courts will issue a disclosure order. However, for reasons that aren’t made clear, the law firm would prefer to deal with these cases from a position of greater authority. This application appears to have served as the testing ground to determine whether that’s possible under Finland’s Copyright Act.”

The short answer: It is not possible. For the long, legalese-laced answer, see the article. Why did Hedman Partners try the move? Maxwell points out that settlement efforts spearheaded by aggressive third-party legal teams tend to bring in more cash. Ah, there it is. A decision in favor of the firm would certainly not have benefited the BitTorrent users, he notes. We may yet see whether that is correct—Hedman Partners has until June 18 to appeal the decision to the Supreme Court.

Will law enforcement step in?

Cynthia Murrell, May 27, 2024

Wanna Be Happy? Use the Internet

May 13, 2024


The glory days of the Internet have faded. Social media, AI-generated baloney, and brain numbing TikTok-esque short videos — Outstanding ways to be happy. What about endless online scams, phishing, and smishing, deep fake voices to grandma from grandchildren needing money — Yes, guaranteed uplifts to sagging spirits.


The idea of a payoff in a coffee shop is silly. Who would compromise academic standards for a latte and a pile of cash? Absolutely no one involved in academic pursuits. Good enough, MSFT Copilot. Good enough.

When I read two of the “real” news stories about how the Internet manufactures happiness, I asked myself, “Exactly what’s with this study?” The PR push to say happy things about online reminded me of the OII or Oxford Internet Institute and some of its other cheerleading. And what is the OII? It is an outfit which receives some university support, funds from private industry, and foundation cash; for example, the Shirley Institute.

In my opinion, it is often difficult to figure out if the “research” is wonky due to its methodology, the desire to keep some sources of funding writing checks, or a nifty way to influence policies in the UK and elsewhere. The magic of the “Oxford” brand gives the outfit some cachet for those who want to collect conference name tags to bedeck their office coat hangers.

The OII is back in the content marketing game. I read the BBC’s “Internet Access Linked to Higher Wellbeing, Study Finds” and the Guardian’s “Internet Use Is Associated with Greater Wellbeing, Global Study Finds.” Both articles are generated from the same PR-type verbiage. But the weirdness of the assertion is undermined by this statement from the BBC’s rewrite of the OII’s PR:

The study was not able to prove cause and effect, but the team found measures of life satisfaction were 8.5% higher for those who had internet access. Nor did the study look at the length of time people spent using the internet or what they used it for, while some factors that could explain associations may not have been considered.

The Oxford brand and the big numbers about a massive sample size cannot hide one awkward fact: There is little evidence that happiness drips from Internet use. Convenience? Yep. Entertainment? Yep. Crime? Yep. Self-harm, drug use or experimentation, meme amplification. Yep, yep, yep.

Several questions arise:

  1. Why is the message “online is good” suddenly big news? If anything, the idea runs counter to the significant efforts to contain access to potentially harmful online content in the UK and elsewhere. Gee, I wonder if the companies facing some type of sanctions are helping out the good old OII?
  2. What’s up with Oxford University itself? Doesn’t it have more substantive research to publicize? Perhaps Oxford should emulate the “Naked Scientist” podcast or lobby to get Melvin Bragg to report about more factual matters? Does Oxford have an identity crisis?
  3. And the BBC and the Guardian! Have the editors lost the plot? Don’t these professionals have firsthand knowledge about the impact of online on children and young adults? Don’t they try to talk to their kids or grandkids at the dinner table when the youthful progeny of “real” news people are using their mobile phones?

I like facts which push back against received assumptions. But the claim that online is helping out those who use it needs a bit more precision, clearer thinking, and less tenuous cause-and-effect hoo-hah in my opinion.

Stephen E Arnold, May 13, 2024

A Look at Several Cyber Busts of 2023

May 8, 2024

Curious about cybercrime and punishment? Darknet data firm DarkOwl gives us a good rundown of selected takedowns in its blog post, “Cybercriminal Arrests and Disruptions: 2023 Look Back.” The post asserts law enforcement is getting more proactive about finding and disrupting hackers. (Whether that improvement is keeping pace with the growth of hacking is another matter.) We are given seven high-profile examples.

First was the FBI’s takedown of New York State’s Conor Fitzpatrick, admin of the dark web trading post BreachForums. Unfortunately, the site was back up and running in no time under Fitzpatrick’s partner. The FBI seems to have had more success disrupting the Hive Ransomware group, seizing assets and delivering decryption keys to victims. Europol similarly disrupted the Ragnar Locker Ransomware group and even arrested two key individuals. Then there were a couple of kids from the Lapsus$ Gang. Literally, these hackers were UK teenagers responsible for millions of dollars worth of damage and leaked data. See the write-up for more details on these and three other 2023 cases. The post concludes:

“Only some of the law enforcement action that took place in 2023 is described in this blog. Law enforcement are becoming more and more successful in their operations against cybercriminals both in terms of arrests and seizure of infrastructure – including on the dark web. However, events this year (2024) have already shown that some law enforcement action is not enough to take down groups, particularly ransomware groups. Notable activity against BlackCat/ALPHV and LockBit has shown to only take the groups out for a matter of days, when no arrests take place. BlackCat are reported to have recently conducted an exit scam after a high-profile ransom was paid, and Lockbit seem intent on revenge after their recent skirmish with the law. It is unlikely that law enforcement will be able to eradicate cybercrime and the game of whack-a-mole will continue. However, the events of 2023 show that the law enforcement bodies globally are taking action and standing up to the criminals creating dire consequences for some, which will hopefully deter future threat actors.”

One can hope.

Cynthia Murrell, May 8, 2024

Not Only Those Chasing Tenure Hallucinate, But Some Citations Are Wonky Too

April 26, 2024

This essay is the work of a dumb dinobaby. No smart software required.

I read “ChatGPT Hallucinates Fake But Plausible Scientific Citations at a Staggering Rate, Study Finds.” Wow. “Staggering.” The write up asserts:

A recent study has found that scientific citations generated by ChatGPT often do not correspond to real academic work

In addition to creating non-reproducible research projects, now those “inventing the future” and “training tomorrow’s research leaders” appear to find smart software helpful in cooking up “proof” and “evidence” to help substantiate “original” research. Note: The quotes are for emphasis and added by the Beyond Search editor.


Good enough, ChatGPT. Is the researcher from Harvard health?

Research conducted by a Canadian outfit sparked this statement in the article:

…these fabricated citations feature elements such as legitimate researchers’ names and properly formatted digital object identifiers (DOIs), which could easily mislead both students and researchers.

The student who did the research told PsyPost:

“Hallucinated citations are easy to spot because they often contain real authors, journals, proper issue/volume numbers that match up with the date of publication, and DOIs that appear legitimate. However, when you examine hallucinated citations more closely, you will find that they are referring to work that does not exist.”

The researcher added:

“The degree of hallucination surprised me,” MacDonald told PsyPost. “Almost every single citation had hallucinated elements or were just entirely fake, but ChatGPT would offer summaries of this fake research that was convincing and well worded.”

My thought is that more work is needed to determine the frequency with which AI-fabricated citations appear in papers destined for peer review or personal aggrandizement on services like ArXiv.

This, coupled with the excitement of a president departing Stanford University and the hoo hah at Harvard related to “ethics,” raises questions about the moral compass used by universities to guide their educational battleships. Now we learn that the professors are using AI and including made up or fake data in their work?

What’s the conclusion?

[a] On the beam and making ethical behavior part of the woodwork

[b] Supporting and rewarding crappy work

[c] Ignoring the reality that the institutions have degraded over time

[d] Scrolling TikTok looking for grant tips.

If you don’t know, ask You.com or a similar free smart service.

Stephen E Arnold, April 26, 2024

Is This Incident the Price of Marketing: A Lesson for Specialized Software Companies

April 12, 2024


A comparatively small number of firms develop software and provide specialized services to analysts, law enforcement, and intelligence entities. When I started work at a nuclear consulting company, these firms were low profile. In fact, if one tried to locate the names of the companies in one of those almost-forgotten reference books (remember telephone books?), the job was a tough one. First, the firms would have names which meant zero; for example, Rice Labs or Gray & Associates. Next, if one were to call, a human (often a person with a British accent) would politely inquire, “To whom did you wish to speak?” The answer had to conform to a list of acceptable responses. Third, if you were to hunt up the address, you might find yourself in Washington, DC, staring at the second floor of a non-descript building once used to bake pretzels.


Decisions, decisions. Thanks, MSFT Copilot. Good enough. Does that phrase apply to one’s own security methods?

Today, the world is different. A country now engaged in a controversial dust up in the Eastern Mediterranean has specialized firms with Web sites that publicize their capabilities as mechanisms to know your customer or make sense of big data. The outfits have trade show presences. One outfit, despite being the poster child for going off the rails, gives lectures and provides previews of its technologies at public events. How times have changed since I started commercial and government work in the early 1970s.

Every company, including those engaged in the development and deployment of specialized policeware and intelware, is into marketing. One reason is cultural. Madison Avenue is the whoo-whoo part of doing something quite interesting and wanting to talk about the activity. The other reason is financial. Cracking tough technical problems costs money, and those who have the requisite skills are in demand. The fix, from my point of view, is to try to operate with a public presence while doing the less visible, often secret work required of these companies. The evolution of the specialized software business has been similar to figuring out how to walk a high wire over a circus crowd. Stay on the wire and the outfit is visible and applauded. Fall off the wire and fail big time. But more and more specialized software vendors make the decision to try to become visible and get recognition for their balancing act. I think the optimal approach is to stay out of the big tent and avoid the temptations of fame, bright lights, and falling to one’s death.

“Why CISA Is Warning CISOs about a Breach at Sisense” provides a good example of public visibility and falling off the high wire. The write up says:

New York City based Sisense has more than a thousand customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that “certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)”

Let me highlight one other statement in the write up:

The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers. It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards.

This firm enjoys some visibility because it markets itself using the hot button “analytics.” The function of some of the Sisense technology is to integrate “analytics” into other products and services. Thus it is an infrastructure company, but one that may have more capabilities than other types of firms. The company has non-commercial customers as well. If one wants to get “inside” data, Sisense has done a good job of marketing. The visibility makes it easy to watch. Someone with skills and a motive can put grease on the high wire. The article explains what happens when the actor slips up: “More than a thousand customers.”

How can a specialized software company avoid a breach? One step is to avoid visibility. Another is to curtail dreams of big money. Redefine success, because those in your peer group won’t care much about you with or without big bucks. I think that is just not part of the game plan of many specialized software companies today. Each time I visit a trade show featuring specialized software firms as speakers and exhibitors, I marvel at the razz-ma-tazz the firms bring to the show. Yes, there is competition. But when specialized software companies, particularly those in the policeware and intelware business, market to both commercial and non-commercial firms, that marketing increases their visibility. The visibility attracts bad actors the way Costco roasted chicken makes my French bulldog shiver with anticipation. Tibby wants that chicken. But he is not a bad actor and will not get out of bounds. Others do get out of bounds. The fix is to move the chicken, then put it in the fridge. Tibby will turn his attention elsewhere. He is a dog.

Net net: Less blurring of commercial and specialized customer services might be useful. Fewer blogs, podcasts, crazy marketing programs, and oddly detailed marketing write ups to government agencies. (Yes, these documents can be FOIAed by the Brennan folks, for instance. Yes, those brochures and PowerPoints can find their way to public repositories.) Less marketing. More judgment. Increased security attention, please.

Stephen E Arnold, April 12, 2024
