Hello, Lawmakers in Greece. Have You Heard about Open Source Software?
December 15, 2022
I read a story from an outfit which makes quoting one of the stories risky business. The write up in question is “As Wiretap Claims Rattle Government, Greece Bans Spyware.” The article presents as real news — allegedly the old fashioned kind when newspapers were arbiters of truth via stringers — that Greece outlaws what it calls commercial spyware. For a number of years, I have used the term “intelware” to describe the specialized services and software provided to government agencies by commercial enterprises and open source developers.
The article does the normal handwaving associated with products and services which have been available since the mid 19th century. Those early systems chugged along within products from Bell, Systems Development Corporation, and others. I have found the bland names fascinating. Systems Development Corporation? What could be better? If you read Jill Lepore’s techno-noir history, you will know more than you ever wanted to know about Simulmatics. There’s a descriptive company name for you, right?
What happens when a government bans specialized services and software? Some interesting things; for example, it may be tough to know when warships from a friendly country are converging on a critical island. What if a country on Greece’s border gets frisky with its Soviet era tanks and artillery? The answer is, “License those specialized software and systems. Now!”
In terms of the ban on commercial intelware, what’s Greece going to do with the open source version of Maltego or one of dozens of other tools which can ingest digital content and output useful facts. What happens when one of those open source intelware tools requires an extension of functions?
The answer is to hire a consulting firm, hopefully not one affiliated with a certain jewelry store in Athens, to create bespoke code. Once that’s done, won’t government entities use these tools to protect citizen and monitor potential threats?
The answer is, “You bet your life.” The secret word is “politicians.” I am not sure of Greek’s elected officials or the people reporting on the world of intelware understand the difference between handwaving and getting a particular job done.
And the story. Oh, objective and an example of publicizing the considered viewpoints of elected officials.
Stephen E Arnold, December 15, 2022
Intelware Explained: On Reddit, Not the Gray Lady
December 9, 2022
Goodness gracious, real media is chasing the intelware sector. Nothing like a slow reaction to a specialized services sector that is what? – 25 or more years old? Yeah, real news.
I want to direct your attention to a Reddit post by FjorgVanDerPlorg. You can — at least as of December 9, 2022, at 740 US Eastern time — read his quite useful summary of how intelware pivots around a certain government’s investments in surveillance and information gathering systems.
Here’s the link. Due to the importance of the information in FjorgVanDerPlorg’s post, I have a holiday gift for you. My research team has summarized the Reddit post as a series of dot points just like those for which some blue chip advisory firms charge big bucks.
Very useful article because:
- Entities are identified
- Source of technologies identified
- Use cases referenced.
Who will pay attention to FjorgVanDerPlorg? Some with it real journalists who are now covering an interesting story related to specialized software and services. Speedy. Sure. It’s only been three decades or more since intelware became available to certain government entities.
Stephen E Arnold, December 2022
Three Constants: Death, Taxes, and NSO?
December 8, 2022
I know the special action is interesting to some. Plus, there’s a volcanic eruption outputting. And there is the Twitter saga, the NGX drama, and exciting World Cup. (Did Spain lose to Japan to avoid Seleção Brasileira? Of course not.)
But poking through the PR fumes and rising near the flocks of legal eagles circling for prey is the NSO Group. Navigate to “Why We’re Suing NSO Group.” You will learn that El Faro, a real news outfit in the pace-setting Republic of Salvador, and its taking action against NSO Group. The company has become the touchstone for allegedly unlawful surveillance of individuals.
The write up asserts:
Beginning in June 2020, at least 22 people associated with El Faro were the targets of spyware attacks. Over a period of about 18 months, their iPhones were accessed remotely and surreptitiously, their communications and activities monitored, and their personal data stolen. Many of these attacks occurred when the journalists were communicating with confidential sources, and reporting on abuses by the Salvadoran government.
The legal action is described this way:
the Knight Institute filed suit against NSO Group on behalf of 15 of the El Faro employees whose iPhones were infected with Pegasus spyware….Our complaint explains that NSO Group’s development and deployment of the spyware violated, among other laws, the Computer Fraud and Abuse Act, which prohibits accessing computers without authorization. We argue that our case belongs in a U.S. court because the spyware attacks violated U.S. law, because they were intended to deter journalism that is important to hundreds of thousands of American readers, and because NSO Group’s development and deployment of Pegasus involved deliberate and sustained attacks on the U.S. infrastructure of U.S. technology companies—including Apple, which itself sued NSO Group last year, contending that the spyware manufacturer had damaged its business and harmed its users.
Death, taxes, and NSO—Are these three constants of modern life?
Stephen E Arnold, December 8, 2022
Google and Crypto: Solana Should Anyone Ask
November 18, 2022
I read “Google Cloud Just Became a Solana Validator.” The article explains what Google has chosen to reveal to those who follow the company via “real” journalists; namely:
Google’s cloud computing division Google Cloud announced on Saturday that it’s now running a validator on the Solana blockchain, and will soon add features aimed at welcoming Solana developers and node runners.
No big deal. Amazon has blockchain-related services and a handful of patents pertaining to its digital currency inventions. No big deal either.
The write up says:
Google Cloud also announced it’s now indexing Solana data and adding it to its BigQuery data warehouse, a move that will “make it easier for the Solana developer ecosystem to access historical data.” The feature will launch in the first quarter of 2023, Mittal said. Mittal added that Google Cloud is bringing its credits program to “select startups in the Solana ecosystem” with up to $100,000 in Cloud Credits available for applicants.
Ah, more functionality.
What’s not in the write up? How about deanonymization functionality?
Stephen E Arnold, November 18, 2022
An Interesting NSO Related Action
November 9, 2022
In what sounds like the idea for a thriller/drama miniseries, The Times of Israel states that; “Former NSO CEO And Ex-Chancellor of Austria Establish New Cybersecurity Startup.” Sebastian Kurz, former Austrian chancellor, and ex-CEO of NSO Group Shalev Hulio established the new cybersecurity company Dream Security.
Hulio and Kurz formed Dream Security to protect critical infrastructures, such as energy, water, and oil facilities from cyber attacks. Dream Security will begin building a market in Europe. Kurz and Hulio raised $20 million in pre-seed funds from investors led by Dove Frances, who is an Israeli-American venture capitalist founder of the Group 11 investment firm. Other investors include entrepreneurs from the Israeli cybersecurity industry and early NSO Group investor Adi Shalev.
Founder Former Wayout Group CEO Gil Dolev will join Dream Security’s initial team.
Kurz and Hulio are concerned with infrastructures from their past work:
“Kurz told the publication that as Austrian chancellor, he ‘witnessed many attacks on governments as well as on manufacturing plants and energy installations, most of which were not published in the media. This has far-reaching implications for supply chains as well as regular energy supplies and public services such as water and hospitals.’
Hulio told Bloomberg he was leaving ‘the intelligence side, offensive side if you want, and move to the defensive side. We saw that the biggest challenge the cyber world is dealing with is critical infrastructure.’ He said the new company would focus on European markets ‘because I currently think that they have the biggest threats right now because of the geopolitical situation.’”
Both men’s reputations are covered with black marks . Kurz left politics because he was accused of a corruption scandal. At NSO Group, Hulio oversaw the development of the Pegasus spyware. Pegasus has been used by countries with poor human rights records to spy on “rabble rousers.” Apple and Facebook are pursuing lawsuits against NSO Group for breaking into their products and violating the terms of use. The European Union is investigating the use of Pegasus by its critics and the US Commerce Department blacklisted the company, then limited access to US components and technology.
Israel is also tightening restrictions on its cybersecurity companies. The number of countries that can buy Israeli cyber technology went from 100 down to 37.
It appears Dream Security is attempting to skirt Israeli restrictions by building a new company in Europe. The leaders are preaching they want to help people by protecting their infrastructures, but it would not be surprising if their plans were more nefarious.
Whitney Grace, November 9, 2022
DYOR and OSINT Vigilantes
November 7, 2022
DYOR is an acronym used by some online investigators for “do your own research.” The idea is that open source intelligence tools provide information that can be used to identify bad actors. Obviously once an alleged bad actor has been identified, that individual can be tracked down. The body of information gathered can be remarkably comprehensive. For this reason, some law enforcement, criminal analysts, and intelligence professionals have embraced OSINT or open source intelligence as a replacement for the human-centric methods used for many years. Professionals understand the limitations of OSINT, the intelware tools widely available on GitHub and other open source software repositories, and from vendors. The most effective method for compiling information and doing data analysis requires subject matter experts, sophisticated software, and access to information from Web sites, third-party data providers, and proprietary information such as institutional knowledge.
If you are curious about representative OSINT resources used by some professionals, you can navigate to www.osintfix.com and click. The site will display one of my research team’s OSINT resources. The database the site pulls from contains more than 3,000 items which we update periodically. New, useful OSINT tools and services become available frequently. For example, in the work for one of our projects, we came across a useful open source tool related to Tor relays. It is called OrNetStats. I mention the significance of OSINT because I have been doing lectures about online research. Much of the content in those lectures focuses on open source and what I call OSINT blind spots, a subject few discuss.
The article “The Disturbing Rise of Amateur Predator=Hunting Stings: How the Search for Men Who Prey on Underage Victims Became a YouTube Craze” unintentionally showcases another facet of OSINT. Now anyone can use OSINT tools and resources to examine an alleged bad actor, gather data about an alleged crime, and pursue that individual. The cheerleading for OSINT has created a boom in online investigations. I want to point out that OSINT is not universally accurate. Errors can creep into data intentionally and unintentionally. Examples range from geo-spoofing, identifying the ultimate owner of an online business, and content posted by an individual to discredit a person or business. Soft fraud (that is, criminal type actions which are on the edge of legality like selling bogus fashion handbags on eBay) is often supported by open source information which has been weaponized. One example is fake reviews of restaurants, merchants, products, and services.
I urge you to work through the cited article to get a sense of what “vigilantes” can do with open source information and mostly unfiltered videos and content on social media. I want to call attention to four facets of OSINT in the context of what the cited article calls “predator-hunting stings”:
First, errors and false conclusions are easy to reach. One example is identifying the place of business for an online service facilitating alleged online crime. Some services displace the place of business for some online actors in the middle of the Atlantic Ocean or on obscure islands with minimal technical infrastructure.
Second, information can be weaponized to make it appear that an individual is an alleged bad actor. Gig work sites allow anyone to spend a few dollars to have social media posts created and published. Verification checks are essentially non-existent. One doesn’t need a Russia- or China-system intelligence agency; one needs a way to hire part time workers usually at quite low rates. How does $5 sound.
Third, the buzz being generated about OSINT tools and techniques is equipping more people than ever before to become Sherlock Holmes in today’s datasphere. Some government entities are not open to vigilante inputs; others are. Nevertheless, hype makes it seems that anything found online is usable. Verification and understanding legal guidelines remain important. Even the most scrupulous vigilante may have difficulty getting the attention of some professionals, particularly government employees.
Fourth, YouTube itself has a wide range of educational and propagandistic videos about OSINT. Some of these are okay; others are less okay. Cyber investigators undergo regular, quite specific training in tools, sources, systems, and methods. The programs to which I have been exposed include references to legal requirements and policies which must be followed. Furthermore, OSINT – including vigilante-type inputs – have to be verified. In my lectures, I emphasize that OSINT information should be considered background until those data or the items of information have been corroborated.
What’s the OSINT blind spot in the cited article’s report? My answer is, “Verification and knowledge of legal guideless is less thrilling than chasing down an alleged bad actor.” The thrill of the hunt is one thing; hunting the right thing is another. And hunting in the appropriate way is yet another.
DYOR is a hot concept. It is easy to be burned.
Stephen E Arnold, November 7, 2022
What Is Better Than Biometrics Emotion Analysis of Surveillance Videos?
October 27, 2022
Many years ago, my team worked on a project to parse messages, determine if a text message was positive or negative, and flag the negative ones. Then of those negative messages, our job was to rank the negative messages in a league table. The team involved professionals in my lab in rural Kentucky, some whiz kids in big universities, a handful of academic experts, and some memorable wizards located offshore. (I have some memories, but, alas, these are not suitable for this write up.)
We used the most recent mechanisms to fiddle information from humanoid outputs. Despite the age of some numerical recipes, we used the latest and greatest. What surprised everyone is that our approach worked, particularly for the league table of the most negative messages. After reviewing our data, we formulated a simple, speedy way to pinpoint the messages which required immediate inspection by a person.
What was our solution for the deployable system?
Did we rely on natural language processing? Nope.
Did we rely on good old Reverend Bayes? Nope.
Did we rely on statistical analysis? Nope.
How did we do this? (Now keep in mind this was more than 15 years ago.)
We used a look up table of keywords.
Why? It delivered the league table of the most negative messages more than 85 percent of the time. The lookups were orders of magnitude faster than the fancy numerical recipes. The system was explainable. The method was extensible to second order negative messages with synonym expansion and, in effect, a second pass on the non-really negative messages. Yep, we crept into the 90 percent range.
I thought about this work for a company which went the way of most lavishly funded wild and crazy start ups from the go to years when I read “U.K. Watchdog Issues First of Its Kind Warning Against ‘Immature’ Emotional Analysis Tech.” This article addresses fancy methods for parsing images and other content to determine if a person is happy or sad. In reality, the purpose of these systems for some professional groups is to identify a potential bad actor before that individual creates content for the “if it bleeds, it leads” new organizations.
The article states:
The Information Commissioner’s Office, Britain’s top privacy watchdog, issued a searing warning to companies against using so-called “emotional analysis” tech, arguing it’s still “immature” and that the risks associated with it far outweigh any potential benefits.
You should read the full article to get the juicy details. Remember the text approach required one level of technology. We used a look up table because the magical methods were too expensive and too time consuming when measured against what was needed: Reasonable accuracy.
Taking videos and images, processing them, and determining if the individual in the image is a good actor or a bad actor, a happy actor or a sad actor, a nut job actor or a relative of Mother Teresa’s is another kettle of code.
Let’s go back to the question which is the title of this blog post: What Is Better Than Biometrics Emotion Analysis?
The answer is objective data about the clicks, dwell time, and types of indexed content an individual consumes. Lots of clicks translates to a signal of interest. Dwell time indicates attention. Cross correlate these data with other available information from primary sources and one can pinpoint some factoids that are useful in “knowing” about an individual.
My interest in the article was not the source article’s reminder that expectations for a technology are usually over inflated. My reaction was, “Imagine how useful TikTok data would be in identify individuals with specific predilections, mood changes plotted over time, and high value signals about an individual’s interests.”
Yep, just a reminder that TikTok is in a much better place when it comes to individual analysis than relying on some complicated methods which don’t work very well.
Practical is better.
Stephen E Arnold, October 27, 2022
A Data Taboo: Poisoned Information But We Do Not Discuss It Unless… Lawyers
October 25, 2022
In a conference call yesterday (October 24, 2022), I mentioned one of my laws of online information; specifically, digital information can be poisoned. The venom can be administered by a numerically adept MBA or a junior college math major taking short cuts because data validation is hard work. The person on the call was mildly surprised because the notion of open source and closed source “facts” intentionally weaponized is an uncomfortable subject. I think the person with whom I was speaking blinked twice when I pointed what should be obvious to most individuals in the intelware business. Here’s the pointy end of reality:
Most experts and many of the content processing systems assume that data are good enough. Plus, with lots of data any irregularities are crunched down by steamrolling mathematical processes.
The problem is that articles like “Biotech Firm Enochian Says Co Founder Fabricated Data” makes it clear that MBA math as well as experts hired to review data can be caught with their digital clothing in a pile. These folks are, in effect, sitting naked in a room with people who want to make money. Nakedness from being dead wrong can lead to some career turbulence; for example, prison.
The write up reports:
Enochian BioSciences Inc. has sued co-founder Serhat Gumrukcu for contractual fraud, alleging that it paid him and his husband $25 million based on scientific data that Mr. Gumrukcu altered and fabricated.
The article does not explain precisely how the data were “fabricated.” However, someone with Excel skills or access to an article like “Top 3 Python Packages to Generate Synthetic Data” and Fiverr.com or similar gig work site can get some data generated at a low cost. Who will know? Most MBAs math and statistics classes focus on meeting targets in order to get a bonus or amp up a “service” fee for clicking a mouse. Experts who can figure out fiddled data sets take the time if they are motivated by professional jealousy or cold cash. Who blew the whistle on Theranos? A data analyst? Nope. A “real” journalist who interviewed people who thought something was goofy in the data.
My point is that it is trivially easy to whip up data to support a run at tenure or at a group of MBAs desperate to fund the next big thing as the big tech house of cards wobbles in the winds of change.
Several observations:
- The threat of bad or fiddled data is rising. My team is checking a smart output by hand because we simply cannot trust what a slick, new intelware system outputs. Yep, trust is in short supply among my research team.
- Individual inspection of data from assorted open and closed sources is accepted as is. The attitude is that the law of big numbers, the sheer volume of data, or the magic of cross correlation will minimize errors. Sure these processes will, but what if the data are weaponized and crafted to avoid detection? The answer is to check each item. How’s that for a cost center?
- Uninformed individuals (yep, I am including some data scientists, MBAs, and hawkers of data from app users) don’t know how to identify weaponized data nor know what to do when such data are identified.
Does this suggest that a problem exists? If yes, what’s the fix?
[a] Ignore the problem
[b] Trust Google-like outfits who seek to be the source for synthetic data
[c] Rely on MBAs
[d] Rely on jealous colleagues in the statistics department with limited tenure opportunities
[e] Blink.
Pick one.
Stephen E Arnold, October 25, 2022
TikTok: Tracking Humanoids? Nope, Never, Ever
October 21, 2022
I read “TikTok Denies It Could Be Used to Track US Citizens.” Allegedly linked to the cheerful nation state China, TikTok allegedly asserts that it cannot, does not, and never ever thought about analyzing log data. Nope, we promise.
The article asserts:
The social media giant said on Twitter that it has never been used to “target” the American government, activists, public figures or journalists. The firm also says it does not collect precise location data from US users.
Here’s a good question: Has notion of persistent cookies, geospatial data, content consumption analytics, psychological profiling based on thematics have never jived with TikTok data at the Surveillance Soirée?
The answer is, according to the Beeb:
The firm [TikTok] also says it does not collect precise location data from US users. It was responding to a report in Forbes that data would have been accessed without users’ knowledge or consent. The US business magazine, which cited documents it had seen, reported that ByteDance had started a monitoring project to investigate misconduct by current and former employees. It said the project, which was run by a Beijing-based team, had planned to collect location data from a US citizen on at least two occasions.
Saying is different from doing in my opinion.
Based on my limited experience with online, would it be possible for a smart system with access to log data to do some high-value data analysis? Would it be possible to link the analytics’ output with a cluster of users? Would be possible to cross correlate data so that individuals with a predicted propensity of a desired behavior to be identified?
Of course not. Never. Nation states and big companies are fountains of truth.
TikTok. Why worry?
Stephen E Arnold, October 21, 2022
Cy4Gate Named As Big Player In AI Industry
October 21, 2022
There are famous industry awards: Academy Award, Golden Globe, Emmy, Pulitzer, Newbery Award, Caldecott Medal, Nobel Prize, Peabody Award, etc. These are associated with entertainment, science, and literature. Lesser-known industry awards are hardly heard of outside of their relevant fields, but they still earn bragging rights. Cy4Gate recently won bragging rights in AI: “Cy4Gate Mentioned As A Representative Provided In 2022 Gartner innovation Insight For Composite AI Report.”
Gartner is a renowned research company and anyone who gets a compliment from them is at the top of their game. Cy4Gate won recognition in AI as a “Representative Provider for Composite Artificial Intelligence solutions. Composite artificial intelligence is a combination of several machine learning algorithms (i.e.e deep neural network, natural language processing, computer vision, and speech recognition) to make big data analysis more effective and efficient without the need for relevant computation capabilities. Cy4Gate earned this notoriety for its years of development and research in AI applications.
“Since its establishment, Cy4gate has considered as decisive the use of AI in innovative ways, to ensure its products the ability to perform at excellent levels even in highly complex, uncertain and ambiguous contexts. Within these application areas, the enormous amount of data generated by the consistent increase of interconnected devices can be profitably used to adopt appropriate and timely decisions, and to reduce margins of error.”
Cy4Gate’s products, specializing in cyber security and intelligence, are believed to have a competitive advantage over their rivals. Other AI companies in the cyber security and intelligence field rely on single AI algorithms instead of combining them into composite artificial intelligence. Based on their advances and recognition, Cy4Gate established a new division of the company: the Data and Artificial Intelligence Center of Competence. It is part of the engineering department.
Whitney Grace, October 21, 2022