The FCC Springs into Action Regarding ISPs

October 10, 2022

The easiest way to describe the COVID-19 pandemic is that it sucked. People died, paychecks were cut, pandemic pets were returned to shelters, and now no one wants to leave their houses. An even worse side effect is that bad actors filed false claims with US government offices to receive relief funds. Light Reading explains how bad actors took advantage of the Affordable Connectivity Program (ACP): “FCC Inspector General Says ‘Dozens’ Of ISPs Claimed Fraudulent ACP Funds.”

The FCC Office of Inspector General (OIG) noted that a dozen broadband providers (ISPs) fraudulently enrolled for ACPs. The bad-acting ISPs enrolled a single individual multiple times for ACP reimbursements amounting to thousands of dollars. The scams were conducted in Texas, Ohio, Alabama, and Oklahoma; the latter turned out to be the worst offender. ISPs are responsible for ensuring which households are eligible under the ACP rules. The government is cracking down on fraud:

“Following the release of the report, the Wireline Competition Bureau published a public notice outlining new steps it’s implementing to “limit opportunities for waste, fraud, and abuse” with the ACP. As per the notice, the Universal Service Administrative Company (USAC) is improving the measures it uses to verify BQPs [benefit qualifying person] as well as instituting processes to hold payments and de-enroll households that used the same BQP.”

A total of $14.2 billion was allotted to the ACP, but less than half of that amount is reaching those who truly need the assistance:

“According to an ACP dashboard from the Institute for Local Self-Reliance (ILSR) and Community Networks, just 13 million qualifying households in the US are enrolled out of an eligible 37 million, or 36.5% of the population. That includes 40% of eligible Oklahomans, where the FCC report cites its most egregious example of ACP fraud.”

ACP funding is predicted to run out by March 2025, and if enrollment is boosted by 50%, that money is gone by April 2024.

The ACP needs more funds and needs to weed out fraudulent claims. At the rate the US government acts, it is going to take a long time to do either. It will probably be faster than Mexico’s, France’s, and India’s notoriously slow governments.

Whitney Grace, October 10, 2022

Open Source Intelligence: Tool Browsing One at a Time

October 8, 2022

The research team for my forthcoming monograph about the invisible Web uses a number of open source intelligence tools. The problem we are solving is reducing the difficulty associated with learning a new OSINT tool. Whenever you have a moment, click on the OSINTFix button, and take a look at what we consider a useful resource. When you spot a tool you like, just bookmark it.

I want to point out that one of the popular sections in our lectures is profiles of OSINT tools. One click displays a tool. What do these tools do? Some make it easy to find where an email address has been used. Others provide domain information. Some make it easy to automate certain queries or make it easier to search Google. There are more than 3,000 tools in our database.

Click on the button, and the service will open a new tab in your browser showing the OSINT tool, software, resource, or service. Note that some tools are not free. Please notice that there are no ads, no embarrassing Guardian- and Vox-like pleas for money, and no dark patterns.

Stephen E Arnold, October 10, 2022

The Confessions of Saint Ad-gustine

October 7, 2022

I read an interesting and at times amusing “confession.” A crime? No, more like soft fraud.

The write up is called “‘A Lot of Waiting, Watching and Partying while Rome burns’: Confessions of an Ad Tech Exec on the Third-Party Cookie Delay.”

I learned:

Ad tech is probably the least customer empathetic industry… it seems like there are a lot of agencies not asking pointed questions because they don’t want pointed answers. It’s kind of like, “I didn’t hear that,” like they want to take things at face value out of either ignorance or self preservation.

Perhaps the fraud is not that soft: Less Charmin and more casino. The players are the house (co-owned by some well known Big Tech outfits), the middle facilitators (the anonymous ad tech expert perhaps), and the people with money to buy ads stuffed in front of the users (who presumably will buy something).

The write up presents:

But it feels like you’re in the middle of a river with a very strong current heading in a very specific direction. At best, you’ll be able to hold on to this rock for a while. It’s not like where it was before. You’re never going to be able to get to where you were before. Anyone that tells you they can get you there is probably lying or doing something illegal. It’s only a matter of time before you fall asleep and let go of the rock.

I think this means people or something will die or just smash a leg or jaw. Death or injury. Nice.

Is there a bright spot in online advertising? Sure, it wouldn’t be an anonymous revelation without some hope. Saint Augustine counted on a higher power, maybe a bit like a Google-type outfit?

Here’s the cloud with the silver lining:

It’s not all doom and gloom. There are people doing interesting things, working to incrementally fix stuff. But it’s only a matter of time. People aren’t going to be like, “You know what? Less privacy is a great idea!” Consumers are never going to do that. No one is ever going to be happy about that. I would like the industry to get over its own delusions and meaningfully embrace something that works for publishers, works for ad tech companies, works for advertisers and level-set expectations as a new norm.

Moving. Will the confessions of Saint Ad-gustine be studied for centuries? Sure, ad tech wizards are into centuries as long as the inventory is sold and replenished in seconds.

Stephen E Arnold, October 7, 2022

The New York Times Discovers Misinformation

October 7, 2022

Fake news, misinformation, and conspiracy theories are never going to stop. In the past, fake news was limited to rumors, gossip, junk rags at the grocery store check-out counter, and weird newsletters. Now this formerly niche “news” industry is a lucrative market with the Internet and constant need to capture audiences. The New York Times braved the media trenches to discover new insights about this alluring and dangerous field in: “A Journey Into The Misinformation Fever Swamps.”

Several New York Times writers make their living tracking news fraudsters, such as Tiffany Hsu, Sheera Frenkel, and Stuart A. Thompson. The conversation between the author and these three centers around hot topic issues. When it comes to the new 2022 election cycle, the same misinformation spread during the 2016 election is circling. The topics include voter fraud and how foreign powers are interfering with the election process.

What the three interviewees and the author found alarming is how predominant misinformation is and how bad actors exploit it for profit. It is alarming how much power misinformation gains each year:

“America’s own disinformation problem has only gotten much worse. About 70 percent of Republicans suspect fraud in the 2020 presidential election. That’s millions and millions of people. They are extremely devoted to these theories, based on hardly any evidence, and will not be easily swayed to another perspective. That belief created a cottage industry of influencers, conferences and organizations devoted to converting the conspiracy theory into political results, including running candidates in races from election board to governor and passing laws that limit voting access.

And it’s working.”

There is mutual agreement that social media companies are not in a good place with misinformation, but they should be responsible for moderating information posted on their platforms. Social media platforms assisted the spread of misinformation during COVID and the past two elections. They should invest in content moderation programs to keep facts clear.

Content moderation programs walk the fine line between freedom of speech and censorship, but the old example of crying wolf is apt. It would be great if loudmouth Karens and Kevins were shut down.

Whitney Grace, October 7, 2022

ISPs: The Tension Is Not Resolved

October 7, 2022

The deck is stacked against individual consumers, but sometimes the law favors them, such as in a recent case in Maine. The Associated Press shared the good news in the story, “Internet Service Providers Drop Challenge Of Privacy Laws.” Maine has one of the strictest Internet privacy laws, and it prevents service providers from using, selling, disclosing, or providing access to consumers’ personal information without their consent.

Industry associations and corporations armed with huge budgets and savvy lawyers sued the state, claiming the law violated their First Amendment rights. A judge rejected the lawsuit, protecting the little guy. The industry associations agreed to pay the $55,000 the state accrued protecting the law. The ACLU helped out as well:

“Supporters of Maine’s law include the ACLU of Maine, which filed court papers in the case in favor of keeping the law on the books. The ACLU said in court papers that the law was ‘narrowly drawn to directly advance Maine’s substantial interests in protecting consumers’ privacy, freedom of expression, and security.’

Democratic Gov. Janet Mills has also defended the law as ‘common sense.’

Maine is also the home of another privacy law that regulates the use of facial recognition technology. That law, which came on the books last year, has also been cited as the strictest of its kind in the U.S.”

This is yet another example of corporate America thinking about profits over consumer rights and protections. There is a drawback, however: locating criminals. Many modern criminal cases are solved with access to a criminal’s Internet data. Bad actors forgo their rights when they commit crimes, so they should not be protected by these laws. The unfortunate part is that some people disagree.

How about we use this reasoning: the average person is protected, but everyone that participates in sex trafficking, pedophilia, and stealing tons of money is not protected by the law. The basic black and white text should do the trick.

Whitney Grace, October 7, 2022

Russia: Inconsistent Cyber Attack Capabilities

October 7, 2022

Do you remember that Microsoft’s president Brad Smith opined that the SolarWinds’ misstep required about 1,000 engineers? I do. Let’s assume those engineers then turned their attention to compromising Ukraine as part of a special military operation.

“Failure of Russia’s Cyber Attacks on Ukraine Is Most Important Lesson for NCSC” presents information I found interesting about Mr. Smith’s SolarWinds’ remark. [The NCSC is the United Kingdom’s National Cyber Security Council.]

Here’s the key passage from the write up:

Ukrainian cyber defences, IT security industry support and international collaboration have so far prevented Russian cyber attacks from having their intended destabilising impact during Russia’s invasion of Ukraine.

The write up also points out that a cyber content marketing campaign designed to undermine Ukraine’s leadership was also not effective.

Okay, but, Mr. Smith said that Russia was able to coordinate the efforts of 1,000 individuals to breach SolarWinds’ security and create considerable distress among some in commercial enterprises and other organizations.

How could Ukraine resist this type of capable force? I have no idea. I prefer to flip the information around and ask, “Why did SolarWinds’ security yield so easily?” Did Russia put more effort into breaching SolarWinds than fighting a kinetic war? Yeah, sure it did.

Maybe the 1,000 programmer idea was hand waving and blame shifting? Microsoft cannot make printers work. Why would Microsoft security be much better?

Stephen E Arnold, September 2022

LinkedIn: What Is the Flavor Profile of Poisoned Data?

October 6, 2022

I gave a lecture to some law enforcement professionals focused on cyber crime. In that talk, I referenced three OSINT blind spots; specifically:

  1. Machine generated weaponized information
  2. Numeric strings which cause actions within a content processing system
  3. Poisoned data.

This free and public blog is not the place for the examples I presented in my lecture. I can, however, point to the article “Glut of Fake LinkedIn Profiles Pits HR Against the Bots.”

The write up states:

A recent proliferation of phony executive profiles on LinkedIn is creating something of an identity crisis for the business networking site, and for companies that rely on it to hire and screen prospective employees. The fabricated LinkedIn identities — which pair AI-generated profile photos with text lifted from legitimate accounts — are creating major headaches for corporate HR departments and for those managing invite-only LinkedIn groups.

LinkedIn is a Microsoft property, and it — like other Microsoft “solutions” — finds itself unable to cope with certain problems. In this case, I am less interested in “human resources”, chief people officers, or talent manager issues than the issue of poisoning a data set.

LinkedIn is supposed to provide professionals with a service to provide biographies, links to articles, and a semi-blog function with a dash of TikTok. For some, whom I shall not name, it has become a way to preen, promote, and pitch.

But are those outputting the allegedly “real” information operating like good little sixth grade students in a 1950s private school?

Nope.

The article suggests three things to me:

  1. Obviously Microsoft LinkedIn is unable to cope with this data poisoning
  2. Humanoid professionals (and probably the smart software scraping LinkedIn for “intelligence”) have no way to discern what’s square and what’s oval
  3. The notion that this is a new problem is interesting because many individuals are pretty tough to track down. Perhaps these folks don’t exist and never did?

Does this matter? Sure, Microsoft / LinkedIn has to do some actual verification work. Wow. Imagine that. Recruiters / solicitors will have to do more than send a LinkedIn message and set up a Zoom call. (Yeah, Teams is a possibility for some I suppose.) What about analysts who use LinkedIn as a source of information?

Interesting question.

Stephen E Arnold, October 6, 2022

The Push for Synthetic Data: What about Poisoning and Bias? Not to Worry

October 6, 2022

Do you worry about data poisoning, use of crafted data strings to cause numerical recipes to output craziness, and weaponized information shaped by a disaffected MBA big data developer sloshing with DynaPep?

No. Good. Enjoy the outputs.

Yes. Too bad. You lose.

For a rah rah, it’s sunny in Slough look at synthetic data, read “Synthetic Data Is the Safe, Low-Cost Alternative to Real Data That We Need.”

The sub title is:

A new solution for data hungry AIs

And the sub sub title is:

Content provided by IBM and TNW.

Let’s check out what this IBM content marketing write up says:

One example is Task2Sim, an AI model built by the MIT-IBM Watson AI Lab that creates synthetic data for training classifiers. Rather than teaching the classifier to recognize one object at a time, the model creates images that can be used to teach multiple tasks. The scalability of this type of model makes collecting data less time consuming and less expensive for data hungry businesses.

What are the downsides of synthetic data? Downsides? Don’t be silly:

Synthetic data, however it is produced, offers a number of very concrete advantages over using real world data. First of all, it’s easier to collect way more of it, because you don’t have to rely on humans creating it. Second, the synthetic data comes perfectly labeled, so there’s no need to rely on labor intensive data centers to (sometimes incorrectly) label data. Third, it can protect privacy and copyright, as the data is, well, synthetic. And finally, and perhaps most importantly, it can reduce biased outcomes.

There is one, very small, almost minuscule issue stated in the write up; to wit:

As you might suspect, the big question regarding synthetic data is around the so-called fidelity — or how closely it matches real-world data. The jury is still out on this, but research seems to show that combining synthetic data with real data gives statistically sound results. This year, researchers from MIT and the MIT-IBM AI Watson Lab showed that an image classifier that was pretrained on synthetic data in combination with real data, performed as well as an image classifier trained exclusively on real data.

I loved the “seems to show” phrase I put in bold face. Seems is such a great verb. It “seems” almost accurate.

But what about that disaffected MBA developer fiddling with thresholds?

I know the answer to this question, “That will never happen.”

Okay, I am convinced. You know the “we need” thing.

Stephen E Arnold, October 6, 2022

High-Speed Internet in Rural America? No, the Map Is Not the Territory

October 6, 2022

One would expect the United States government to have a detailed map of the country’s broadband services. A map of this nature provides valuable information and insights for many federal departments. Ars Technica reports differently in the article: “FCC Has Obtained Detailed Broadband Maps From ISPs For The First Time Ever.”

The Federal Communications Commission Chairwoman Jessica Rosenworcel stated that her organization has conducted a years-long process of collecting the necessary information to create an exhaustive broadband map. This map contains extensive location-by-location information on precisely where all broadband services are available.

Past broadband service maps were based on the Form 477 data-collection program that counted one census block as broadband accessible even if only one location was served. The new maps will help distribute funds from the Broadband Equity, Access, and Deployment program that Congress established in the Infrastructure Investment and Jobs Act.

Rosenworcel is determined to close the availability gap for Internet services, especially in rural and under-serviced areas. The first edition of the map will then be constantly updated based on new data:

“The FCC is continuing to improve the location dataset’s accuracy ‘through additional data sources, such as LIDAR data and new satellite and aerial imagery sources, as they become available,’ Rosenworcel wrote. The FCC also set up a process for broadband providers to submit new data as they upgrade and expand networks. ‘When the first draft is released, it will provide a far more accurate picture of broadband availability in the United States than our old maps ever did,’ Rosenworcel wrote. ‘That’s worth celebrating. But our work will in no way be done. That’s because these maps are iterative. They are designed to be updated, refined, and improved over time.’”

It is almost the end of 2022, the Internet has been around since the mid-1990s, and the US government is finally getting around to a detailed ISP map? Why did it take so long? It makes sense that when the technology was new it was hard to collect data, but it could still have been done. They could have used telephone records when the Internet was still on dial-up, then when it transitioned to other services they could have asked companies to submit their data. If companies refused to share their data, that is when the government would impose fees and subpoena the information.

The information could have been overlaid, then with big data, all these algorithms could have been used to analyze the information. Automation might have been installed to keep the map updated. Surely it would have been cheaper compared to other federal programs. I bet they have detailed broadband maps in other countries, especially the smaller ones with high standards of living. Or not. Bureaucracy is notoriously slow everywhere.

Whitney Grace, October 6, 2022

Amazon: An Ecosystem in Which Some Bad Actors Thrive

October 6, 2022

Wow! Who knew? I must admit that I have developed what I call a “Hypothetical Ecommerce Crime Ecosystem.” Because I am an old dinobaby, I have not shared my musings in this semi entertaining Web log. I do relatively few “public” talks. I am careful not to be “volunteered” for a local networking meet up like those organized by the somewhat ineffectual “chamber of commerce” in central Kentucky. Plus, I am never sure if those with whom I speak are “into” ecosystems of crime. Sure, last week I gave a couple of boring lectures to a few law enforcement, crime analysts, and government senior officials. But did the light bulbs flashing during and after my talk impair my vision? Nah.

I did read a write up which nibbles around the edges of my diagram for my hypothetical crime ecosystem. “There’s an Underground Market Where Secondhand Amazon Merchant Accounts Are Bought and Sold for Thousands of Dollars” asserts as 100 percent actual factual:

An Insider investigation revealed a thriving gray market for secondhand Amazon seller accounts. On Telegram and forums like Swapd and PlayerUp, thousands of brokers openly sell accounts, with prices ranging from a few hundred bucks for a new account to thousands of dollars apiece for years-old accounts with established histories. … The accounts sometimes steal random people’s identities to disguise themselves, and sellers are using these fake credentials to engage in questionable behavior on Amazon, Insider found — including selling counterfeit textbooks. The people whose names and addresses are being stolen are sometimes then sent hundreds of returns by unhappy customers.

Is there other possibly inappropriate activity on the Amazon giant bookstore? The write up says:

Merchants have used shady tactics like submitting false fraud reports targeting rivals, or bribing Amazon employees to scuttle competitors. Others peddle counterfeit or shoddily produced wares. Amazon bans fraudulent sellers, along with other accounts they’re suspected of owning, and blacklists their business name, physical location, and IP address.

Okay, but why?

My immediate reaction is money. May I offer a few speculations about such ecosystem centric behavior? You say, No. Too bad. Here are my opinions:

  1. Amazon does basic cost benefit analyses. The benefit is the amount of money Amazon gets to keep. The cost is the sum of the time, effort, and direct outflow of cash required to monitor and terminate what might be called the Silicon Valley way. (Yeah, I know Amazon like Microsoft is in some state in the US Northwest, but the spirit of the dudes and dudettes in Silicon Valley knows no geographic boundaries. Did you notice the “con” in “silicon”? Coincidence?)
  2. Bad actors know a thriving ecosystem when they see one. Buy stolen products from a trusted third party, and who worries too much about where the person in the white van obtained them. Pay the driver, box ‘em up, and ship out those razors and other goods easily stolen from assorted brick-and-mortar stores in certain US locations; for example, the Walgreen’s in Tony Bennett’s favorite city.
  3. The foil of third party intermediaries makes it easy for everyone in the ecosystem to say, “Senator, thank you for the question. I do not know the details of our firm’s business relationship. I will obtain the information and send a report to your office.” When? Well, maybe struggling FedEx or the Senate’s internal mail system lost the report. Bummer. Just request another copy, rinse, and repeat. The method has worked for a couple of decades. Don’t fix it if the system is not broken.

What’s interesting about my “Hypothetical Ecommerce Crime Ecosystem” in my opinion is:

  1. Plausible deniability is baked in
  2. Those profiting from exploitation of the Amazon money rain forest have zero incentive or downside to leave the system as it is. Change costs money and — let’s face it — there have been zero significant downsides to the status quo for decades. Yep, decades.
  3. Enforcement resources are stretched at this time. Thus, what I call “soft fraud” is easier than ever to set up and embed in business processes.

Is the cited article correct? Sure, I believe everything I read online, including Amazon reviews of wireless headphones and cheap T shirts.

Is my analysis correct? I don’t know. I am probably wrong and I am too old, too worn out, too jaded to do much more than ask, “Is that product someone purchased on Amazon an original, unfenced item?”

Stephen E Arnold, October 6, 2022
