Lucky Ukraine: A Data Bomb Test Site

June 26, 2020

Russia surprised the world when Putin ordered his soldiers to invade Ukraine and annex Crimea. Putin’s actions against Ukraine are not the only modern war stories circling Russia. The Small Wars Journal examines how the Great Bear could be conducting futuristic warfare using technology: “Russia In Ukraine 2013-2016: The Application Of New Type Warfare Maximizing The Exploitation Of Cyber, IO, and Media.”

Russia could be a master of cyber and information warfare to support militaristic/political objectives against domestic and international enemies. The thesis study reads logically, and Russia’s recent actions support it:

“The Russians were able to use Ukraine operations as a test for New Generation Warfare (NGW) to enhance the deep battle concept. Russia has adeptly executed deep battle, creating time and space to effectively employ limited ground forces and special operations to achieve desired effects. The employment of the cyber domain created windows of opportunity for success and simultaneous execution of offensive and defensive tasks across the strategic and operational levels and other domains. Additionally, the cyber capabilities employed allowed the Russians to achieve three critical strategic effects; 1) troop levels were minimized through integrated cyber operations and operational advantage gained; 2) Russian leadership maintained plausible deniability through effective cyber and information operations delaying international intervention; 3) cyber operations achieved desired effects and kept the threshold for violence below an international outcry for intervention or interference allowing the Russians to achieve the strategic objective to control key terrain in Ukraine.”

While Russia remains the punch line for jokes about international affairs, the country is not a laughing matter, as history shows. Under Putin’s leadership, Russia has proved masterful at manipulating multiple information sources (TV, Internet, radio, etc.) to cover its rear while executing its desired operations. Russia has invested capital in homegrown technology instead of relying on foreign-made technology.

Russia used its cyber forces to overwhelm Ukraine with malware and disinformation through media channels to annex the Crimean territory. It was a brilliant, mostly bloodless tactic, because Ukraine has neither the technology nor the physical forces to fend off the Great Bear. Smaller countries, especially in Eastern Europe and Asia, remain sitting ducks if they enter Russia’s crosshairs.

The biggest issue is proving Russia’s culpability and whether the country will be held accountable. Russia’s more militaristic past still casts shadows on its current society, but Russian citizens are not in favor of being a military power again. Like the rest of the world, they want to live a steady, peaceful life.

Whitney Grace, June 26, 2020

NSO Group: More Publicity than Lady Gaga?

June 22, 2020

I want to note briefly the story “Days After New Human Rights Policy, NSO Client Hacked an Activist.” It is clear that the “real news” outfit Motherboard Vice is paying close attention to intelware vendor NSO Group. What’s interesting is that the “real news” hounds have not sniffed around the shoes of other vendors of specialized services. There are hundreds of them, and many of these companies mark their territory with fascinating information. There are videos on YouTube of drones identifying cows about to cross the border into the US. Facial recognition systems with accuracy rates below 50 percent. There are information services which index more contraband sources than a dedicated 15-year-old can locate in a month from his parents’ basement.

The NSO beat is predictable. Specialized company licenses technology to a country or shady and mysterious organization. System is used to reveal information. “Real news” outfits report on this terrible transgression. Repeat.

The current story states:

Just three days after controversial surveillance vendor NSO Group announced its new human rights policy, saying that clients can only use the company’s products to combat serious crime and to ensure that they’re not used to violate human rights, a likely Moroccan government agency hacked the phone of a human rights defender using NSO malware, according to a new technical report from Amnesty International.

DarkCyber’s view is that when specialized software vendors hire sales professionals, those sales professionals are like beavers. Beavers do what beavers do; that is, gnaw through trees and build a dam to create a cash pile.

Net net: There are other vendors to monitor. DarkCyber is suffering from NSO Group fatigue. News flash: Other vendors are larger, have more interesting products, and service larger customers. Maybe expand your view to cover intelware without the fixation and repetition of the NSO Group story? Hint: Most specialized software vendors remain true to their corporate vision and, like leopards, rarely change their spots. How about a cross between a beaver and a leopard? What’s that animal do? Bite journalists? Possibly.

Stephen E Arnold, June 22, 2020

NSO Group and Its Covid Tracker

May 30, 2020

As the COVID-19 virus globally spread, people want know where it is, when an individual was infected, and other pertinent information. Two week self-imposed isolation periods are mandatory for most potential carriers, but that is not enough to ease worried minds. TechCrunch reports that, “A Passwordless Server Run By Spyware Maker NSO Sparks Contact-Tracing Privacy Concerns.”

NSO is an Israeli company known for making mobile hacking tools. The company developed a COVID-19 app that tracks carriers. A security researcher discovered NSO’s contact-tracing project “Fleming” online; he contacted the company, and NSO removed it. Fleming most likely contained fake data. The project was most likely a demonstration of NSO’s technology, but it still causes concern that people’s personal data is kept in a centralized database without proper security measures. The Israeli government has not approved usage of Fleming yet.

When the COVID-19 outbreak worsened in March, the Israeli government granted its security service Shin Bet unprecedented access to collecting mobile phone data to track potential infections. Fleming was one of two systems the government was working on, and NSO said it used location data purchased from data brokers. Data brokers sell data amassed from apps that collect and sell user data.

Contact-tracing apps are beneficial during the pandemic, but an individual’s privacy should be taken into consideration. There are ways to have these apps and protect privacy rights:

“Most countries are favoring decentralized efforts, like the joint project between Apple and Google, which uses anonymized Bluetooth signals picked up from phones in near proximity, instead of collecting cell location data into a single database. Bluetooth contact tracing has won the support of academics and security researchers over location-based contact-tracing efforts, which they say would enable large-scale surveillance.”

NSO has possible ties to the Middle East, including an allegation that the Saudi Arabian government used the company’s Pegasus software to compromise Jeff Bezos’s cell phone. There is also a current legal battle over claims that NSO built a hacking tool for Facebook’s WhatsApp. NSO Group is a provider of specialized services to government entities.

Whitney Grace, May 30, 2020

4iQ Amps Up Its Marketing

May 28, 2020

It is all about volume. Though most of us delete the ubiquitous “sextortion” emails with little thought but a passing sense of distaste, enough victims fork over Bitcoin to make it a lucrative scam. 4iQ’s blog examines the tactic in, “Demystifying ‘Sextortion’ & Blackmail Scams.”

Lest you, dear reader, are so fortunate as to be unfamiliar with such emails, the post includes examples. Dripping scorn for those who would exploit fears and threaten people during a pandemic, writer ClairelfEye explains that these deceivers purchase real email addresses and passwords stolen in one of the large-scale data breaches that have become all too common. They then leverage this information to convince marks that they possess more, very personal, details. She writes:

“I reached out to my social networks to see if this is widespread, and sure enough, many people confirmed that they — or someone they know — have received these types of scams in the past five weeks. … While most people get annoyed, roll their eyes and delete these blackmail e-mails, this is a numbers game. There will be a few people that fall for these low-level scams. Out of the many sextortion scams forwarded to me by friends and family, one [Bitcoin] address received 0.270616 BTC, which equals $2,082.03 USD as of April 27, 2020.”

Regarding the data breaches that make this scam possible, ClairelfEye explains:

“Working at 4iQ, I am almost too aware of data breaches happening on a daily basis. We investigate, validate and report on breached data every day. In fact, I can probably accurately surmise that this scammer got my email and clear text password in the 1.4 billion clear text credentials trove our breach hunters found back in 2017. Same goes for many of the forwarded scam emails I received. Interesting to see this information run full circle.”

The author’s colleague Alberto Casares, she tells us, is aggregating, investigating, and reporting on these extortion attempts. To participate, receivers of such emails can send them to Dubbing itself the “Adversary Intelligence Company,” 4iQ offers consumer protection products and curates and normalizes compromised identities to help combat fraud and other crimes. Founded in 2016, the company is based in Los Altos, California.

Another specialized services firm amps up its marketing. This quest for sales and venture funding may be a trend.

Cynthia Murrell, May 28, 2020

Policeware Marketing: Medium Blog Post a Preferred Channel

May 27, 2020

Just a short note. Sintelix, a developer of policeware, published a white paper called “Sintelix – The Text Intelligence Solution.” The document is available on Medium, a popular publishing platform. The white paper / product description is about 1,500 words in length. The article contains illustrations, diagrams, and lists. One of the DarkCyber team said, “It reads like a product brochure.” I thought the information was useful. The Sintelix decision to use Medium is one additional example of the stepped-up marketing that policeware and intelware vendors are undertaking. Shadowdragon is using Twitter to promote its policeware system. Palantir Technologies’ CEO has used public forums and video to explain use cases for its investigative and analytic system. LookingGlass has moved forward with online demonstrations and webinars for potential licensees of its cyber system.

  1. Tradition has dictated that vendors of specialized services developed for law enforcement and intelligence agencies market via personal contacts or restricted/classified events. The fierce competition for available government contracts may be forcing a change.
  2. Face-to-face events like breakfasts, brown bag presentations, and lectures for LE and intel professionals may be difficult to supplement with online-only initiatives. Plus, there is the danger of webinar fatigue or the sign-up-and-no-show problem. Security is also a consideration because some attendees may not be whom they purport to be on the registration form.
  3. Expanded visibility like that achieved by NSO Group may have unexpected consequences. Some government procurement processes shy away from high-profile vendors. As a result, obtaining information about the activities of a Leidos, for example, is difficult. Increased visibility may repel some potential customers.

The shift in marketing, no matter how minor, is important. The downstream consequences of visibility are difficult to predict because conference organizers, procurement processes, customers who prefer face-to-face interactions, and similar pre Rona methods may no longer work as well.

Stephen E Arnold, May 27, 2020

Palantir Technologies: A Very Unusual Emission from a Specialized Services Firm

May 26, 2020

The PR battle among the firms providing specialized services to law enforcement and intelligence entities has taken an unusual turn. If you send email to an outfit like BlackDot, you will probably be ignored. The same non-response holds true for the vast majority of firms delivering solutions that put bad actors at a disadvantage. Sure, there are less low-profile uses of these technologies, but applications like eDiscovery do not capture the attention of the real media.

DarkCyber spotted “‘Our Product Is Used on Occasion to Kill People’: Palantir’s CEO Claims Its Tech Is Used to Target and Kill Terrorists.” DarkCyber has noted that NSO Group has found itself in the PR spotlight due to allegations from Facebook and assertions about an NSO professional using the firm’s system for personal activities. But the “kill people” thing is sure to catch the attention of the hundreds of specialized service firms.

What’s even more interest catching is that one of the senior managers of Palantir Technologies serves as a member of the Axel Springer shareholder committee. What’s an Axel Springer? The company owns Business Insider, the “real news” outfit which reported Mr. Karp’s rather intriguing statement about a use case for Gotham and other Palantir modules.

The story also provides a link to a video from an outfit called Axios, presumably to buttress the “true fact” of Mr. Karp’s statement.

For a low profile outfit to offer this alleged admission about software’s link to termination with extreme prejudice may have some downstream consequences. With low profile companies like Shadowdragon publicizing its system on Twitter, will PR become the go-to marketing method in the future?

Making sales is one thing, but some government customers are wary of specialized services vendors who hum the 1960s song “Talk Too Much.” Some licensees can consult the “seeing stone” or just hit Philz and listen for some Palantirian chatter.

Stephen E Arnold, May 26, 2020

Banjo: Pressured into Playing a Sad Tune

May 1, 2020

DarkCyber has noted NSO Group’s PR challenge. That low profile provider of policeware is tangled in litigation with Facebook. Years ago Geofeedia made headlines and never quite bounced back.

Policeware and intelware vendors traditionally have operated with a low profile. Most of the vendors offer a “contact” option, but the vendors respond only if the person wanting contact is a “legitimate” actor.

Banjo was no different. Two inquiries DarkCyber made were ignored. Now information about Banjo is plentiful. Deseret News reports that Banjo has ceased operations. The New York Post (hardly a bellwether for the policeware/intelware sector) reports “Banjo App CEO Damien Patton Reportedly Has KKK Past, Helped in Synagogue Shooting”. This article recycles the original report from Medium on April 28, 2020. Even the “real news” outfit Boing Boing jumped on the story.

What’s interesting is that SoftBank invested $100 million in the Banjo outfit. Its due diligence failed to make a connection between Mr. Patton’s past and his role at a policeware/intelware startup. Did SoftBank rely on the same professionals who assisted Hewlett Packard in its assessment of Autonomy?

Several observations:

  1. PR can have a major impact on a policeware/intelware vendor. This is an important point because dozens of specialist vendors primarily chasing LE and intel contracts are doing more marketing. Is Madison Avenue the right street to take?
  2. SoftBank has to figure out what to do with Banjo. DarkCyber assumes that other investors will be doing some thinking as well. Is there a way forward for the company?
  3. The “reason” for missing the bus with regard to Mr. Patton’s biography is a misspelling. That’s quite an interesting assertion. Shouldn’t an investigator, analyst, or researcher note that court documents still have Mr. Patton’s last name spelled correctly? Is “good enough” research the new normal?

Net net: There is good PR and bad PR. Which category does the tale of the misspelling tell?

Stephen E Arnold, May 1, 2020

Policeware and Intelware: Change Underway, Pushback Likely

April 29, 2020

Law enforcement and intelligence are tricky subjects. For decades, the work of government employees and the specialized firms supporting sensitive operations have worked to stay out of the headlines. The spotlight was for rock stars and movie icons, not for investigators, security, and intelligence professionals.

Most of the companies in what I call the policeware and intelware markets have to and prefer to work with people who have been in their foxhole. The result has been the equivalent of a stealth market sector. The clients — traditionally government agencies — like the low profile approach as well. Many of the activities of these professionals and the firms supporting their operations are in a position of considerable risk.

But that seems to be changing. Recent examples include:

Cellebrite’s Covid campaign. The idea is that specialized mobile phone analysis tools can assist with the pandemic. You can read about this in “Cellebrite Pitching iPhone Hacking Tools As a Way to Stop COVID-19.”

A lone wolf employee. You can learn that the NSO Group finds itself in the middle of another PR issue. You can read about this challenge in “NSO Employee Abused Phone Hacking Tech to Target a Love Interest.”

A little known past of a high profile innovator. The somewhat unusual company Banjo finds itself in the spotlight over the allegations made about the firm’s founder. You can read about this in “CEO of Surveillance Firm Banjo Once Helped KKK Leader Shoot Up a Synagogue.”

These examples — if accurate and verifiable — suggest that Silicon Valley attitudes have penetrated the developers of policeware and intelware.

The majority of the companies providing specialized services are probably operating in a reasonably responsible way. Today policeware and intelware have become a multi billion dollar a year market. Most people will never encounter outfits with names like Elbit, Gamma or iCarbon X, and hundreds of others.

The fact is that the behaviors of a small number of companies are causing the policeware and intelware vendors to become the stuff of the talking heads on televised news programs, the launch pad for tweets and blog posts, and a source of embarrassment for the government entities relying on these companies and their products.

What troubles DarkCyber is that an increasing number of vendors of specialized services have realized that many government functions cannot operate without their expertise, products, and engineering. Consequently, what I call “high school science club management” has pushed aside the traditional methods of generating revenue.

Now policeware and intelware vendors offer podcasts, assuming that investigators and intelligence professionals have the time and interest to listen to marketing information about the latest and greatest in graph generation, analytics, and visualization.

There are experts who want to build their own book and training businesses. In the last three days, I have received a half dozen email blandishments to attend this free webinar or download that list of OSINT tools.

What’s next?

Google online advertising to get me to license Blackdot, Qwarie, and Vesper technology?

Here’s the problem:

There are too many companies chasing available policeware and intelware dollars. Established vendors capture the significant projects; for example, Darpa awarded a hefty machine learning contract to BAE Systems, one of the go-to vendors of advanced technology to defense, law enforcement, and intelligence entities.

But for every dominant vendor like BAE Systems, there are dozens, if not hundreds, of smaller firms vying for contracts. These smaller firms usually work within the procedures which began taking shape in World War II, largely influenced by countries like Britain and several others.

The new companies appear to support the Facebook- and Google-type approach to business. From move fast and break things to digital misdirection, the approach to generating revenue from LE and intel related products and services is shifting. Forget the low profile, off the radar approach. Today it is big trade show booths, podcasts, videos, webinars, and increasingly Madison Avenue style marketing.

Not surprisingly, the three examples cited in this essay are quite different. Cellebrite is virtue signaling. NSO Group is struggling with a lone wolf action. Banjo is dealing with a founder’s youthful dalliance with distasteful activities.

It is indeed risky to generalize. Nevertheless, something is happening within the policeware and intelware market sector. I cannot recall a cluster of news events about LE and intel service providers which startle and surprise in a triple tap moment.

Is there a fix? I want to be positive. Other firms in this sector have an opportunity to assess what their staff are doing with products and services of a quite special nature. Like the nuclear industry, great management effort is needed on an ongoing basis to ensure that secrets remain secret.

The nuclear industry may not be perfect. But at this moment in time, policeware and intelware vendors may want to examine the hiring, management, and institutional approaches in use for decades.

Regulation may be useful, but policeware and intelware is a global activity. Self-control, ethical behavior, and tight management controls are necessary. Easy to say but tough to do because of the revenue pressure many of these vendors face. Plus, outsourcing means that government agencies often cannot do their work without third party support. There is a weird symbiosis visible today: Funding sources, technologists, enforcement officers, procurement professionals, and managers with an MBA.

Bad actors love these revelations. Each item of information that reveals capabilities, weaknesses, and methodologies helps those who would undertake criminal or deleterious activities.

Unless the vendors themselves button up, the unmentionables will be exposed and flap in the wind.

Stephen E Arnold, April 29, 2020

Facebook Chokes NSO Group: Will NSO Group Tap Out?

April 27, 2020

Facebook has become a digital world unto itself. From the insouciance demonstrated during the Cambridge Analytica matter to the cheerful attempt to create a global currency, Facebook has become what some might call a digital schnorrer. Take data and do what’s necessary to get as much as possible for nothing. Pay for data? Nah. Testify so elder statesmen can understand? Nah. Make it easy for consumers to manage their free Facebook accounts? Nah.

These are fascinating characteristics of a social media company eager to bring people together. But the company has another characteristic, and it is one that certainly surprised the hapless researchers at DarkCyber.

Cyberscoop reported that the Facebook legal eagles are doubling down on the bet that they can squeeze the NSO Group. Is it for cash? Is it for power? Is it to make darned clear that Facebook is more powerful than a company which develops specialized software for government agencies? DarkCyber doesn’t know, but it is clear, if the information in “Facebook: NSO Group Used U.S.-Based Servers in Operations against WhatsApp” is accurate, Facebook is ready to rumble.

The write up states:

In court documents, Facebook-owned WhatsApp claims NSO Group used a server run by Los Angeles-based hosting provider QuadraNet “more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019.”

The article points out that:

The filing is a blow to NSO Group’s claims that its signature product, Pegasus, isn’t capable of running operations in the United States.

What’s remarkable is that the lawsuit has become increasingly high profile. Dust ups related to what DarkCyber calls intelware and third parties usually keep a lower profile. A good example is the efforts expended to keep the lid on the interesting litigation between Analyst’s Notebook and Palantir Technologies. This matter, if mentioned at a conference, evokes the question, “What? When?”

The Facebook NSO Group dispute is getting media traction. Cyberscoop includes the full 35 page document via link in its article.

DarkCyber’s view is:

  1. There are some ironic factors in Facebook’s pursuit of this matter; for example, allegedly Facebook wanted to license NSO Group’s Pegasus. Is Facebook a bride left at the altar?
  2. Is Facebook trying to deflect attention from its own data policies? (It is helpful to keep in mind that Facebook has to pay $5 billion for its Cambridge Analytica adventure.)
  3. Facebook’s own behaviors have been troubling to some individuals due to its own privacy and data actions; for example, exposing friends of friends without oversight to Facebook partners.
  4. Facebook’s shift from the privacy procedures users assumed were in place to a more Wild West approach to data as the social media firm sought to expand its revenues and user base.

Intelware companies are not new, but they are small compared to today’s Facebook. Intelware companies are like some flowers which die in direct sunlight. A special climate controlled environment is necessary for survival.

Facebook may be waking up to the fact that certain government agencies want access to Facebook data. Specialized firms, not just NSO Group, have the ability to work around, under, and through whatever shields Facebook puts in place to keep Facebook data for Facebook. And when Facebook does play nice with government agencies, Facebook plays by its own rules and brings the ball and the referee to the game.

DarkCyber’s perception is that Facebook was and is offended by what it thinks NSO did or does. DarkCyber assumes that Facebook wants its own NSO Group-style capabilities and is defending itself in order to be the Facebook everyone knows and loves.

With the Facebook – NSO Group matter moving forward, the path each company, the lawyers, and possibly government officials will explore will be interesting to chart.

Plus who knows whether Facebook is fighting hard to protect its customers or fighting another battle.

Also, NSO Group may, like a WWE star, have a masked helper waiting in the wings eager to join the fray.

Stephen E Arnold, April 27, 2020

Palantir Technologies: Getting the NSO Treatment

April 24, 2020

Rupert Murdoch’s real news outfit published “Data Firm Palantir Saw Crisis Coming, Still Faces Pain.” If you want the online version, you will have to pay. The dead tree version of the story is on B5 of the April 22, 2020, edition of the WSJ which is sometimes delivered to me in rural Kentucky.

Enough about the real news outfit. I want to run down some of the assertions made about Palantir. Assertions, I wish to add, from anonymous sources or people close to the vendor of intelware, not verifiable sources.

I highlighted these factoids from the article:

First, Palantir does a lousy job of sharing its financial information. How does the Wall Street Journal get its revenue estimate for 2019? How does the WSJ know that $100 million in costs have been removed from the firm’s operating budget? Easy. People “close to the company” and two unnamed “investors.”

Second, Palantir is pulling back from its rumored initial public offering after the November elections. Palantir has pulled back or put off an IPO for many years. But now Covid enters the picture.

Third, Palantir is providing “a single source of truth about the rapidly evolving situation.” The situation is making sense of pandemic data and the individuals who are infected or infecting. This is a contentious issue. High profile publicity like that the NSO Group has experienced is not a sales booster in some cases.

There are some other rumor-like factoid assertions in the write up, but I want to address the three points I selected from the WSJ write up.

  1. With regard to sharing its financial data, privately-held companies are not obligated to share financial data. Palantir does, but it may not be the data investors or employees want to see. Palantir is in the secrecy business, and it is tough for specialist firms to tell anyone anything. This is not something unique to Palantir. Write Blackdot for information. Let me know how that goes, please.
  2. The pullback from an IPO is nothing new. Palantir took shape in 2003. Let’s see. That’s almost 17 years ago. If the firm were in a position to crank out those facing IPO documents and go through the stellar Securities & Exchange Commission process and then hit the road to chat up the market makers, Palantir and its big money backers would have volunteered to drive the minivan from meeting to meeting. There’s a reason why the Palantir IPO is unlikely to happen. Hypothetically the company is concerned about revealing data. Another hypothetical is that companies selling policeware and intelware are not loved by some investors. Check out Verint, please. How much information does the company actually provide about its specialized services? Yeah, about as much as Siemens.
  3. Third, Palantir pitches the single source of truth idea. But that’s marketing, and it is not a tagline that makes potential buyers say, “Hey, I get it.” Making a Palantir-type sale takes time. The reason is that there are not as many customers for these specialized products as some people like high-flying investors assume. Palantir is more than 15 years old, and Herzliya, Israel is chock-a-block with start ups that are spry, hungry, and equipped with better-faster-cheaper specialized solutions. The sales problem is baked into the specialized software sector. Not even IBM can keep some cyber intelligence sheep in line. South Africa selected an intelware vendor from Poland, not the once proud nation of Big Blue.

So what?

From DarkCyber’s point of view, the Wall Street Journal could dive into more substantive aspects of Palantir and actually identify where the information originates. Even middle school students have to provide a footnote even if it is to Wikipedia. That may garner a C. But no verifiable sources? That’s nosing into the murky land of failure.

Stephen E Arnold, April 24, 2020
