DarkCyber for 8-25-20: Andrax Hacker Toolkit, NSO Group PR Push, Tor Under Attack, and Eagle Drone Killer
August 25, 2020
DarkCyber is a video news program produced by Stephen E Arnold, publisher of Beyond Search and DarkCyber. You can view this week’s program on YouTube or Facebook.
The program for August 25, 2020, contains four stories. The first focuses on a hacker’s toolkit called Andrax. The packager of this penetration testing bundle makes some bold claims. Security professionals who use highly regarded pentest systems from ImmunitySec are called “dumbs” and “lamers.” Clever or uninformed marketing? You have to determine the answer for yourself.
The second story summarizes highlights of Massachusetts Institute of Technology’s “Technology Review” interview with the founder of NSO Group. NSO Group–unlike most vendors of specialized software–has been the subject of media scrutiny. In the interview, the founder of NSO Group seems to suggest that he does not understand the intelware market. Even more interesting is MIT’s decision to publish the interview and give NSO Group more media exposure. DarkCyber asks a question others have not posed.
The third story reviews two surprising items of information from a Nusenu study or analysis. (Nusenu may be a security firm, a Web services vendor, or a single individual.) The first interesting revelation in the Nusenu report is that about 25 percent of Tor relay exit servers have been compromised by an unknown third party. The second juicy morsel is the identification of five Internet service providers who may be hosting Tor relay servers and other interesting services.
The final story zooms to a single eagle. The Michigan government learned that an expensive drone was destroyed by an eagle. If you want your own raptor to knock down surveillance drones, DarkCyber provides a company that will provide an organic c-UAS (counter unmanned aerial system).
Kenny Toth, August 25, 2020
Modern Technology Reporting: The New York Times Is Now a Pundit Platform
August 14, 2020
I was not sure if I would document my reaction to the August 13, 2020, page B5, as “Instagram Reels? No. Just No” and online under the title “We Tested Instagram Reels, the TikTok Clone. What a Dud.”
I reflected on an email exchange I had with another “real” journalist earlier this week. With plenty of time on my hands in rural Kentucky during the Rona Resurgence, I thought, “Yeah, share your thoughts, you Brontosaurian Boomer.” “Real” journalists working for big name outfits need to have a social agenda, insights, wisdom, and expertise no other human possesses. Absolutely.
In my 50 year work career, I worked for three outfits with publishing interests. The first was CRM, the outfit which owned Psychology Today (edited by the interesting T. George Harris), Intellectual Digest, and a number of other properties. I did some project work for a marketing whiz who coined the phrase “Fotomat Where your photo matters” and John Suhler (yeah, the Suhler of Veronis Suhler). At meetings in Del Mar, Calif., a select group would talk and often drag in a so-called expert to hold forth on various topics. However, the articles which were commissioned or staff-written would not quote those at these meetings. Why? I have no idea. It was not a work practice. For me, it was how a reasonably successful magazine company operated.
Then I worked for Barry Bingham, Jr., who with his family owned most of the Courier-Journal & Louisville Times Company. There were other interests as well; for example, successful radio and TV stations, a direct mail operation, one of the first computer stores in Kentucky, a mail order business, and — believe it or not, the printing plant which cranked out the delightful New York Times Sunday Magazine. Plus, the NYT was then a family-owned operation. In my interactions with the NYT, my recollection is that the New York Times shared many of the old-fashioned work processes in use at the Courier-Journal. Was that the reason the Bingham papers won awards? One example is that the editorial writers wrote editorials. These were opinion pieces, personally vetted each day by Barry Bingham, Jr. The news people covered their beats. The reporters listened, gathered, analyzed, and wrote. No one quoted the man or woman across the desk in the alternately crazy and vacant newsroom. Also, the computer people (some of whom were decades ahead of systems people at other companies) did computery things. The printing people printed. Sure, there were polymaths and renaissance men and women, but people stayed in their lane.
My last publishing experience was in the Big Apple. I am not sure how I ended up on Bill Ziff’s radar, but I knew about him. He was variously described to me as a “publishing genius” and “Satan’s first cousin.” Dorothy Brown, the human resources vice president, eased my transition into the company from the Courier-Journal, telling me, “Just present facts. If Mr. Ziff wants your opinion, he will ask for it.” Good advice, Ms. Brown, good advice. (I heard the same thing when I did some consulting work for K. Wayne Smith, General, US Army.) The point is that management did management, which at Ziff included sponsoring a company race car. Advertising people collected money from advertisers, who dumped money in front of the building on Park Avenue South and wanted to appear in PC Magazine, Computer Shopper, and properties like PC Week. Once again, like the Ziff racing team, everyone stayed in their lanes. That meant that top flight reporters would report; executives dealt facts like Blackjack dealers in Las Vegas.
In these three experiences, I cannot recall an occasion on which the news people at these organizations interviewed one another.
The New York Times’ Brian X Chen interviewed the New York Times’ Taylor Lorenz. Now that’s interesting. Instead of picking up the phone and calling one of the wizards of punditry at a consulting firm, a firm developing short form video content, or an attorney monitoring Facebook’s interaction with regulators — the two ace reporters of “real” news interviewed themselves. Wow, that’s “real” work! Imagine. Scheduling a Zoom meeting.
It is one thing for a blog writer to take shortcuts. It is another thing for a newspaper which once generally tried to create objective news related to an event or issue to repeat office opinions. Was I annoyed? Nah, I think it is another indication that objectivity, grunting through the process of gathering information, sifting it, and trying to present a word picture that engages, illuminates, and explains is over.
In 2020, the New York Times runs inserts which are like propaganda posters stuck to the walls in my second grade classroom in Oxon Hill, Maryland, in 1950. The failure to present an objective assessment of the new Facebook knock off of TikTok was pure opinion. The reason? The New York Times’ “real” journalists see themselves as experts. Even the arrogant masters of the universe at an investment bank or a blue chip consulting firm try like the devil (maybe Bill Ziff) to get outsiders to provide “input.” A journalist may be a reporter, but the conversion of a reporter into an expert takes more than someone saying, “Wow, you guys know more about short form video than any other person within reach of a Zoom call” is misguided and a variant of what I call the high school science club management method. Yes, you definitely know more about Facebook’s short form video than anyone else within reach of a mobile phone or a Zoom connection.
I want to float a radical idea. Do some digging, some work. I think I can with reasonable confidence assert that John Suhler (my boss for my work at Veronis Suhler), Barry Bingham Jr. (the Courier-Journal owner), or Bill Ziff (the kin of Satan, remember?) would have the same viewpoint.
Just a suggestion, gentle reader: If a person wants me to respect their newspaper work as objective, informed, and professional, don’t replicate the filter-bubble, feedback loop of co-worker lunch room yip-yap: Research, sift, analyze, synthesize, and report.
Just my opinion, of course, but even Brontosauri can snort but that snort takes more effort than the energy expended presenting oneself as a wizard. Sorry, you pros are not in Merlin’s league.
Stephen E Arnold, August 14, 2020
Object Detection AI Offers Deal
August 13, 2020
Object detection AIs are currently big projects in the technology community. AI developers are teaching computers using large datasets how to learn and reason like a human infant. It is hard to imagine that AI object detection software is available for consumers, but Product Hunt recently ranked Priceless AI as a number one product of the day.
Priceless AI describes itself as an, “‘all-you-can-eat’ image object detection at a fixed monthly price.” What is astonishing is how cheap Priceless AI is compared to its counterparts AWS Rekognition and Google Cloud Vision. AWS Rekognition starts at $5/month for 10,000 monthly predictions heading all the way to $8,200 for 10,000,000 image predictions. Google Cloud Vision, on the other hand, starts at $20 then goes up to $18,700. These prices are outrageous when Priceless AI stays at a simple $99 for any amount of image predictions a month.
How can they do this?
“How do you offer such a cheaper alternative to AWS Rekognition and Google Cloud Vision?
We do clever low-level optimization allowing us to make a more efficient use of the hardware.”
Priceless AI allows its customers to have more than one concurrent request and they can be used on as many clients/devices as wanted. The devices/clients need to be synchronized, because only the number of concurrent purchases are allowed.
Priceless AI wants to be as transparent as possible with customers, but they do keep some things secret:
“What model are you using to run object detection?
We can’t disclose the exact model, but we can tell you it’s a state-of-the-art deep convolutional neural network.”
Companies do need to try to keep their secrets.
Whitney Grace, August 13, 2020
DarkCyber for August 11, 2020, Now Available
August 11, 2020
DarkCyber is a video news program about the Dark Web, cyber crime, and lesser known Internet services. The program for August 11, 2020, covers four stories. This week’s program is available on YouTube at this link. [Note below]
Stephen E Arnold, the producer of DarkCyber, illustrates how to jam Alexa’s surveillance components. When a white noise is not enough, Arnold points to a Web site which sells a wide array of jamming equipment. The video features a diagram of how a jamming device can disrupt mobile signals, Wi-Fi, and Bluetooth from a vehicle. If a basic mobile jammer is not suitable, Arnold provides information about a military-grade detection and jamming device with a comprehensive kill chain subsystem. Arnold reminds the viewer that use of some jamming devices can have unexpected consequences.
The second story addresses the TikTok dust up between the US and China. Arnold focuses on the trivializing of the TikTok threat by pundits. These individuals, in Arnold’s opinion, are not assessing the social engineering risks posed by a TikTok-type service. Data from a consumer app can pinpoint an individual who may be susceptible to cash inducements or threats to compromise the security of a workplace. TikTok videos may be silly, but the operators of the services are unlikely to be blind to the value of the data and its utility.
The third story considers iPhone hacking. Software, available via the regular Web, promises to hack an iPhone. If that approach does not work, there are hackers advertising iPhone hacking on the regular Internet. But what if the hack requires more aggressiveness? Arnold provides a link to a Dark Web site which makes clear that its operator will do anything for money. Can the iPhone be hacked? That depends on one’s willingness to believe information published on the Internet.
The final story focuses on the August 2020 Interpol report about cyber crime in the time of Covid. The report is available without charge, and its findings echo those of speakers at the 2020 National Cyber Crime Conference, held in July 2020. Arnold provides the url from which the new report can be downloaded without charge.
I wanted to point out that we will no longer post a copy of the video on Vimeo. That company sent an email demanding that Stephen E Arnold upgrade to a Pro account. Instead of saying, “We are raising prices,” Vimeo threatened Arnold with termination of his account because the free DarkCyber video is a commercial enterprise. Arnold wrote Vimeo twice pointing out that he retired in 2013, produces the video without financial support or sponsorship, and makes the content available to anyone interested in the Dark Web, cybercrime, and lesser known Internet services. Arnold told me,
“Millennial marketers at Vimeo think they are doing their job by making false accusations and then ignoring respectful questions about the fee change. Cancel culture to Vimeo, ‘You are history. This is your termination notice.’”
We will give Facebook a whirl and include that url if the service allows easy access with a minimum of invasive surveillance, pop ups, and targeted advertising for WhatsApp.
Kenny Toth, August 11, 2020
TikTok: Our Way or the Huawei
August 4, 2020
Excitement ahead. There’s nothing like the Rona and a financial crisis to catch attention. But these may be also ran topics if the trade tension between China and the US is cranked up.
“China Accuses US of Outright Bullying over TikTok” reports that Wang Wenbin (Chinese official) allegedly said:
“The US, without providing any evidence, has been using an abused concept of national security… unjustifiably suppressing certain non-US companies.”
To add some zest, President Trump wants Microsoft to know that its okay to buy TikTok comes with a price tag? The figures are not available. Whatever the amount, a piece of the action goes to the US government.
That angle is likely to put some on edge. Yep, it seems that the US wants one way or it’s the Huawei for the only app in several years which may have a chance to generate traction in the wonderlands of Facebook and YouTube.
Stephen E Arnold, August 4, 2020
Twitch: Semantic Search Stream to Lure Gamers, Trolls, and Gals?
July 31, 2020
Amazon Twitch may be more versatile than providing the young at heart with hours of sophisticated content. There are electronic games, trolls (lots of trolls armed with weird icons), and what appear to be females.
Now Twitch will be moving along the content spectrum with the addition of a stream about semgrep. If you are not on a first name basis, semgrep is a semantic search thing. You can join in for free, no waiting rooms, and no big technical hurdles. I suppose one could create a lecture about semantic methods in TikTok 30-second videos which might be a first for the non-invasive, controversial app. Nah, go for Twitch. Skip YouTube and Facebook. Go Bezos bulldozer.
Navigate to https://twitch.tv and go to the jeanqasaur stream. The time on July 31, 2020? The show begins at 4 pm US Eastern time.
The program is definitely perceived by some as super important. A motivated semantic wizard posted a message on the TweetedTimes.com semantic page. Here’s what the message looks like:
DarkCyber’s suggestions:
- Do not become distracted by Raj recruiting, Bad Bunny, or Celestial Fitness. Keep your eye on the grep as it were.
- Sign up because Amazon wants you to be part of the family. Prime members may receive extra Bezos bucks somewhere down the line.
- Exercise good grammar, be respectful, and keep your clothes on. Twitch banned SweetSaltyPeach who reinvented herself as RachelKay, Web developer, fashion model, and gamer icon. You may have to reincarnate yourself too.
- Avoid the lure of Animal Crossing Arabia II.
Stephen E Arnold, July 31, 2020
DarkCyber for July 28, 2020, Now Available
July 28, 2020
The July 28, 2020, DarkCyber is now available. You can view the program on YouTube or on Vimeo.
DarkCyber reports about online, cyber crime, and lesser known Internet services. The July 28, 2020, program includes six stories. First, DarkCyber explains how the miniaturized surveillance device suitable for mounting on an insect moves its camera. With further miniaturization, a new type of drone swarm becomes practical. Second, DarkCyber explains that the value of a stolen personal financial instrument costs little. The vendors guarantee 80 percent success rate on their stolen personally identifiable information or fullz. Third, SIM card limits are in place in South Africa. Will such restrictions on the number of mobile SIM cards spread to other countries or are the limits already in place, just not understood? Fourth, Coinbase bought a bitcoin deanonymization company. Then Coinbase licensed the technology to the US Secret Service. Twitter denizens were not amused. Fifth, Microsoft released a road map to a specific type of malware. Then two years later the story was picked up, further disseminating what amounts to a how to. DarkCyber explains where to download the original document. The final story presents DarkCyber’s view of the management lapses which made the Twitter hack a reality. Adult management is now imperative at the social media company doing its best to create challenges for those who value civil discourse and an intact social fabric.
The delay between our June 9, 2020, video about artificial intelligence composing “real” music and today’s program is easy to explain. Stephen E Arnold, the 76 year old wobbling through life, had the DarkCyber and Beyond Search team working on his three presentations at the US National Cyber Crime Conference. These programs are available via the NCC contact point in the Massachusetts’ Attorney General Office.
The three lectures were:
- Amazon policeware, which we pre-recorded in the DarkCyber format
- A live lecture about investigative software
- A live lecture about Dark Web trends in 2020.
Based on data available to the DarkCyber team, the septuagenarian reached about 500 of the 2000 attendees. Go figure.
Kenny Toth, July 28, 2020
Zoom, Zoom, Meet, Meet, and Trust, Well?
July 24, 2020
We evolved to be social creatures—long, long before Zoom or MS Teams existed. That is why, as Canada’s CBC declares, “Video Chats Short Circuit a Brain Function Essential for Trust—and That’s Bad for Business.” Journalist Don Pittis writes:
“Canadian research on ‘computer-mediated communication,’ begun long before the current lockdown, shows video chat is an inadequate substitute for real-life interaction. The real thing, dependent on non-verbal cues, is extraordinarily more effective in creating rapport and getting ideas across. Not only that, but the familiarity and trust we currently feel with coworkers during the lockdown’s remote calls rests on connections remembered from back when we sat at a nearby desk or met for lunch. As the lockdown stretches out and the mix of colleagues changes, it may be almost impossible to establish healthy trusting working relationships using remote video chat tools alone. That’s bad for business, said organizational behavior specialist Mahdi Roghanizad from Ryerson University’s Ted Rogers School of Business. The reason: getting a good reading on your fellow workers has been repeatedly shown to be essential for business efficiency, reaching common goals and establishing trust. It is why teams that worked remotely even before the pandemic lockdown always met periodically in person. The latest research shows human-to-human bonding is like a kind of intuitive magic.”
Researchers suggest several reasons for this “magic,” including pheromones, body language, and in-person eye contact. Some have found it is harder to detect when someone is lying across video. One social scientist, the University of Waterloo’s Frances Westley, likens video chat to talking with someone wearing sunglasses—it is less satisfying, and can even sap our energy.
For all these reasons, Pittis suspects the supposed work-from-home “revolution” may not last, as many had predicted. Businesses may find it more productive to summon workers back to the office once the danger is gone. In the meantime, Westley suggests, we should reinforce connections with the occasional (socially distanced, mask-augmented) in-person conversation.
Cynthia Murrell, July 24, 2020
Untangling Streaming: Responses to a Huge Web Search Fail
July 22, 2020
More and more users rely on a patchwork of internet streaming services for their video entertainment. Anyone who subscribes to several of these knows the time-wasting tedium of combing through different menus, each with a different UI, just to find something to watch. With even more proprietary streaming services on the horizon, it seems that problem is poised to grow. However, there are at least two apps that provide viable solutions—Reelgood and JustWatch. “These Two Underdog Apps Have Solved Streaming TV’s Biggest Headache,” Fast Company observes. Writer Jared Newman reports:
“Instead of making you bounce between disparate apps, both services can tell you what’s available on practically any streaming service. You can then add movies and shows to a watch list, get more suggestions based on your viewing habits, and even load their apps on your television to use as a centralized streaming menu. Compared to the app overload of most streaming devices, the universal guides offered by JustWatch and Reelgood seem like the ideal way to watch TV in the streaming era.”
Sounds helpful. But why does it take “underdog” apps to do what common sense suggests devices like Roku and Amazon Fire TV should already offer? There are several business reasons, we’re told, like Netflix’s resistance to the aggregation of its content or the fact that streaming services pay for placement on those platforms. As for Reelgood and JustWatch, they each have their own business models. It comes as no surprise that each involves user data. Newman writes:
“JustWatch says that … about 70% of its revenue comes from targeting users with movie trailers based on their viewing habits. For every movie or TV show users click on, JustWatch builds up a taste profile, then separates users into anonymized groups based on what they might like. Movie studios such as Universal and Paramount then give JustWatch a budget to target users with relevant video trailers on sites like Facebook and YouTube. … Reelgood, meanwhile, started from more of a Silicon Valley mindset of building up the product first and finding ways to monetize it later. Sanderson, a former ad product manager at Facebook, initially thought that would take the shape of recommendation-style targeted ads within the service, but lately the company’s been leaning more into selling access to its data.”
See the write-up for more on the business considerations and plans for each of these entities, big and small. There are other notable players in this arena, including TV Time, Simkl, Watchworthy, Wander, and VUniverse. It will be interesting to see where the market, and the technology, go from here.
Cynthia Murrell, July 22, 2020
Google, TikTok, and Seriousness
July 15, 2020
Short form video is in the news. TikTok captivates millions of eyeballs. Many of these eyeballs belong to Americans. Most of these Americans choose not to understand several nuances of “free” 30 second videos created, transmitted, viewed, and forwarded via a mobile device; to wit:
- Software for mobile phones can covertly or overtly suck up data and send those data to a control node
- Those data can be cross correlated in order to yield useful insights about the activities, preferences, and information flowing into and out of a mobile device equipped with an application. Maybe TikTok does this too?
- Those digital data can be made available to third parties; for example, advertising analytics vendors and possibly, just maybe, a country’s intelligence services.
The Information published one of those “we can’t tell you where we got these data but by golly this stuff is rock solid” stories. This one is called “TikTok Agreed to Buy More Than $800 Million in Cloud Services From Google.” Let’s assume that this story about the Google TikTok deal is indeed accurate. We learn:
Last week, though, word surfaced of a buzzy new customer for Google Cloud—TikTok, the app for sharing short videos that is the year’s runaway social media hit. The deal is a lucrative one for Google Cloud, The Information has learned. In a three-year agreement signed in May 2019, TikTok committed to buying more than $800 million of cloud services from Google over that period…
What’s with the Google? Great or lousy business judgment? Does Google’s approach to a juicy deal include substantial discounts in order to get cash in the door? Is the deal another attempt by the Google to get at least some of the China market which it masterfully mishandled by advising the Chinese government to change its ways?
Nope. The new Google wants to grow by locking down multi year contracts. The belief is that these “big deals” will give the Google Cloud the protein shake muscles needed to deal with the Microsofties and the Bezos bulldozer.
New management, new thinking at the GOOG, and there will be more of the newness revealed with each tweak of a two decades old “system.”
At the same time as the Information “real” news story arrived in the DarkCyber news center, a pundit-published MBA type write up popped into our “real news” folder. This write up is “The TikTok War.”
Unlike the Information’s story, the Stratechery essay is MBA consultant speak, which is different from “real news.” The point of the 3,900 word consultant report is:
I believe it is time to take China seriously and literally…
There you go: An MBA consulting revelation. One should take China seriously and literally.
Okay. Insight. Timely. Incisive.
From this conclusion, TikTok’s service is no longer appropriate in the US. Banning is probably a super duper idea if I understand the TikTok War. (How does one fight a war by banning digital information? Oh, well, irrelevant question. What’s that truism about ostriches putting their heads in the sand? Also irrelevant.)
Let’s step back and put these two different TikTok articles in a larger context.
The Information wants everyone to know that a mysterious “source” has said that Google has a three year deal with TikTok. This is a surprise? Nope. Google is on the hunt for cash because after Google’s own missteps, it is faced with hard to control costs and some real live “just like Google” competitors; namely, Amazon, Apple, Facebook, and Netflix. There are also the mounting challenges of political and social annoyances to add some spice to the Googlers’ day.
The MBA consultant analysis points out that China has to be taken seriously. Prior to TikTok, China was not taken seriously? I suppose TikTok is the catalyst for seriousness. More likely, the TikTok thing evokes MBA consultant outputs to confirm what many people sort of intuit but have not been able to sum up with a “now is the time” utterance.
In my lecture yesterday for the National Cyber Crime Conference, I presented a diagram of how Chinese telecommunications and software systems can exfiltrate information with or without TikTok.
Banning an app is another one of those “Wow, the barn burned and Alibaba built a giant data center where the Milking Shorthorns once stood” moments.
Sourceless revelations about Google’s willingness to offer a deal to a China centric TikTok and MBA consultant revelations that one should take China seriously warrant one response: The ship sailed, returned, built a giant digital port, and has refueled for a return journey. Ban away.
Stephen E Arnold, July 15, 2020