The Future of Twitter Revealed
September 30, 2020
Twitter is an interesting outfit. Forbes (the capitalist tool, I believe) published “Bitcoin and Blockchain Are the Future of Twitter, CEO Jack Dorsey Reveals”. Another sign of how interesting an outfit it is: Twitter has a new chief information security officer. That is a good idea, maybe too late for some stakeholders, but it is a step forward.
Forbes reports:
Dorsey, who… said bitcoin is “probably the best” native currency of the internet, has previously gone as far as saying bitcoin has the potential to be the world’s sole currency by 2030…. Now, speaking at the virtual Oslo Freedom Forum 2020, Dorsey has said bitcoin and its underlying decentralized blockchain technology are the future of Twitter.
Forbes quotes Twitter’s top management Zen person as saying:
“The whole spirit of bitcoin, for instance, is to provide a trusted system in a distrusted environment, which is the internet,” Dorsey said…. Earlier this month, Dorsey told Reuters bitcoin is “probably the best” native currency of the internet due to bitcoin being “consensus-driven” and “built by everyone.”
Yep, trust.
A couple of observations:
- Twitter owns a payment system. Perhaps Mr. Dorsey’s confident assertion about the future is influenced by the method of communications and the beneficiary of the digital currency cheerleading?
- Twitter licenses its data selectively to commercial enterprises developing products and services to assist law enforcement and intelligence agencies. With Bitcoin generally perceived as a lubricant for illegal transactions, what’s Twitter’s goal? (Check out the Geospark Analytics – Twitter deal for some color. Geofeedia has not been as fortunate as the virtual intelware vendor.)
- How will enhanced Bitcoin capabilities assist bad actors in money laundering and other possibly questionable activities?
DarkCyber finds Twitter fascinating. A half-time CEO, a messaging system which can spark interesting social consequences, and a peculiar way of supporting law enforcement and other groups simultaneously.
Worth monitoring the dualism.
Stephen E Arnold, September 30, 2020
Scammers Have Better Technology But Not New Ideas
September 30, 2020
Scammers are opportunists. They use anything and everything to con people out of their valuables, and the Internet is the best tool in a scammer’s toolbox. Scammers may be armed with advanced technology, but their scam ideas are not new. Because scammers are not original, they are predictable, even when their execution is sophisticated. The Journal of Cyber Policy wrote about scammers in “New Techniques, Same Old Phone Scams.”
A classic scam technique is the “too good to be true” offer, such as a free vacation or an investment opportunity. Scam artists make robocalls with these offers. The calls used to be easy to spot because they came from out-of-state numbers; caller ID spoofing, however, lets the robocalls appear to come from local numbers, which makes the scams harder to detect. In 2019, the Federal Trade Commission reported that people lost $667 million to scammers, most of it paid with gift cards.
Scammers’ sophistication levels are rising too. There are entire call centers in Asia and Africa dedicated to making scam calls. These call centers masquerade as reputable businesses such as Apple, Amazon, PayPal, and banks, and attempt to convince people that an account has been breached, that a payment is late, or that their identity (ironically) has been stolen. Companies and banks never randomly email or call asking people to confirm sensitive information; they advise people to delete such emails and hang up on such callers.
Another scam calls people claiming that a relative is facing legal action. The scammers phone every member of a family, and when the person in question calls back, it turns out they need to share their Social Security number and date of birth. The tactic is effective because it threatens people’s reputations and makes them believe they are in legal trouble.
Scammers are using the same tactics as they have for centuries, but being wise to their ways prevents theft:
“As phone scams continue to evolve, it is helpful to know the warning signs. Always be wary of unsolicited callers, even if you are familiar with the company from which they claim to be calling. Scammers will use the threat of jail time or a fine to induce the victim into a state of fear — pressuring the victim into handing over sensitive information. If the caller requests financial or other sensitive information, hang up and call the company back directly (through a number you can verify) to inquire about this issue. The FCC Tip Card is a brief, yet valuable, resource that provides information on spoofing scams. It would also be wise to register your phone number with the National Do Not Call Registry. Afterward, you shouldn’t receive telemarketing calls, and if you do, there’s a good chance they are a scam. As we continue to interact in this ever-evolving virtual world, we must remain on high alert against the deception of persistent fraudsters who are using new techniques for the same old phone scams.”
This is why it is important to read and watch the news, so you are aware of potential threats.
Whitney Grace, September 30, 2020
Information Overload: Get Used to It
September 30, 2020
Modern humans have access to more information than any other generation before them. Better and more access to information is directly proportional to humanity’s technological progress. Scientific American’s article, “Unlimited Information Is Transforming Society” explores the correlation between technology and information.
Scientific and technological progress did not advance in the past as it does today. Advances came out of craft traditions that contributed to humanity’s survival or made daily tasks easier. Technology as we know it came about:
“In the late 1800s matters changed: craft traditions were reconstructed as “technology” that bore an important relation to science, and scientists began to take a deeper interest in applying theories to practical problems.”
Technology and science still did not work in tandem for years despite the parallels. For example, aviation was pioneered before scientists understood aeronautical science; the common belief was that heavier-than-air machines could not fly.
What advanced science and technology the most in the past 175 years was the manipulation of energy and matter. The movement of energy and matter thus moved information and ideas. The best example is electricity, which led to the invention of telecommunications devices: telegraphs, radios, and televisions. Electricity also changed manufacturing (moving factories away from water-powered systems) and people’s daily lives, from travel to entertainment.
Computing would be the next big information mover and spreader. Nuclear energy and space travel were predicted to be the next big shake-ups, but the Cold War, a few nuclear meltdowns, and a lack of funding for space projects in the face of earthly concerns were among the reasons they were not.
Everything is related (not in a conspiracy-theory way, but in the sense that one sector of life affects another, as electricity led to the invention of television):
“That said, one change that is already underway in the movement of information is the blurring of boundaries between consumers and producers. In the past the flow of information was almost entirely one-way, from the newspaper, radio or television to the reader, listener or viewer. Today that flow is increasingly two-way—which was one of Tim Berners-Lee’s primary goals when he created the World Wide Web in 1990. We “consumers” can reach one another via Skype, Zoom and FaceTime; post information through Instagram, Facebook and Snapchat; and use software to publish our own books, music and videos—without leaving our couches.”
There is more information and more access to it, and this has also led to a more convenient way of life brought on by technological advances. Technology that used to be available to a limited number of people, such as computers (remember the big old monstrosities that took up entire building floors and handled 30 MB), is now in the hands of children. Lines are blurring between experts and amateurs, public and private, male and female, and so on. What does that mean for the future? One thing we do know is that we cannot predict it.
Whitney Grace, September 30, 2020
Thinking about Security: Before and Earlier, Not After and Later
September 30, 2020
Many factors stand in the way of trustworthy AI, not the least of which is the involvement of those for whom a raise, a bonus, or a promotion is involved. Then there is the thorny issue of bias built into machine learning. InformationWeek, however, looks at a few more straightforward threats in its article, “Dark Side of AI: How to Make Artificial Intelligence Trustworthy.”
Gartner VP and analyst Avivah Litan notes that, though AI is becoming more mainstream, security and privacy considerations still keep many companies away. They are right to be concerned: according to Gartner’s research, consumers believe responsibility lies with the organizations that adopt AI technology, not with the developers or vendors behind it. Litan describes two common ways bad actors attack AI systems: malicious inputs and query attacks. She writes:
“Malicious inputs to AI models can come in the form of adversarial AI, manipulated digital inputs or malicious physical inputs. Adversarial AI may come in the form of socially engineering humans using an AI-generated voice, which can be used for any type of crime and is considered a ‘new’ form of phishing. For example, in March of last year, criminals used an AI synthetic voice to impersonate a CEO’s voice and demand a fraudulent transfer of $243,000 to their own accounts…. “Query attacks involve criminals sending queries to organizations’ AI models to figure out how they work and may come in the form of a black box or white box. Specifically, a black box query attack determines the uncommon, perturbated inputs to use for a desired output, such as financial gain or avoiding detection. Some academics have been able to fool leading translation models by manipulating the output, resulting in an incorrect translation. A white box query attack regenerates a training dataset to reproduce a similar model, which might result in valuable data being stolen. An example of such was when a voice recognition vendor fell victim to a new, foreign vendor counterfeiting their technology and then selling it, which resulted in the foreign vendor being able to capture market share based on stolen IP.”
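The query attack Litan describes is easier to see in code. What follows is an added example, not code from the InformationWeek article, from Gartner, or from any vendor named on this page: a hypothetical logistic-regression scoring endpoint (the weights, the endpoint and its three release policies are all constructed here), an equation-solving extraction attack of the kind described in Tramèr et al.’s 2016 “Stealing Machine Learning Models via Prediction APIs”, and a measurement of how faithfully the stolen model reproduces the victim under each policy.

```python
"""Added example (not from the InformationWeek article or Gartner): a
model-extraction 'query attack' against a constructed logistic-regression
scoring API, and the effect of releasing less precise scores."""
import math
import random

# Constructed victim model; the weights stand in for the proprietary IP
# the attacker wants to reproduce.
SECRET_W = [1.7, -2.3, 0.9]
SECRET_B = -0.4


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def _logit(p):
    # Clamp so that a score released as exactly 0.0 or 1.0 stays finite.
    eps = 1e-9
    p = min(max(p, eps), 1.0 - eps)
    return math.log(p / (1.0 - p))


def victim_api(x, mode="raw"):
    """Hypothetical scoring endpoint returning P(class = 1).

    mode="raw"     full-precision probability (leaks the most)
    mode="rounded" probability rounded to two decimals
    mode="label"   only 0.0 or 1.0 (hard label, leaks the least)
    """
    z = sum(w * xi for w, xi in zip(SECRET_W, x)) + SECRET_B
    p = _sigmoid(z)
    if mode == "rounded":
        return round(p, 2)
    if mode == "label":
        return 1.0 if p >= 0.5 else 0.0
    return p


def extract_model(n_features, mode="raw"):
    """Equation-solving extraction: logit(p) is linear in x, so one query at
    the origin and one per unit vector recover b and each w_i. Returns the
    stolen weights, the stolen bias and the number of queries it took."""
    queries = 0

    def ask(x):
        nonlocal queries
        queries += 1
        return _logit(victim_api(x, mode))

    b = ask([0.0] * n_features)
    w = []
    for i in range(n_features):
        unit = [0.0] * n_features
        unit[i] = 1.0
        w.append(ask(unit) - b)
    return w, b, queries


def fidelity(stolen_w, stolen_b, n_samples=2000, seed=1):
    """Share of random inputs on which the stolen model's hard prediction
    agrees with the victim's."""
    rng = random.Random(seed)
    agree = 0
    for _ in range(n_samples):
        x = [rng.uniform(-3.0, 3.0) for _ in stolen_w]
        victim_says_1 = victim_api(x) >= 0.5
        stolen_z = sum(w * xi for w, xi in zip(stolen_w, x)) + stolen_b
        agree += (stolen_z >= 0.0) == victim_says_1
    return agree / n_samples


def compare_modes():
    """Run the attack against each release policy; returns {mode: fidelity}."""
    return {mode: fidelity(*extract_model(len(SECRET_W), mode)[:2])
            for mode in ("raw", "rounded", "label")}


if __name__ == "__main__":
    w, b, n = extract_model(len(SECRET_W))
    print(f"{n} queries recovered w={[round(v, 6) for v in w]} b={b:.6f}")
    for mode, fid in compare_modes().items():
        print(f"{mode:>8}: agreement with victim {fid:.3f}")
```

Run it and the raw-probability endpoint gives up its exact weights after four queries. Rounding to two decimals barely helps, because the logit transform of the rounded score is still nearly exact; only a hard-label response breaks this particular attack and forces the attacker into many more, noisier queries. The practitioner’s takeaways match Litan’s list: monitor queries per client (four near-axis probes in a row is a pattern worth alerting on) and release no more score precision than the business needs.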
Litan emphasizes that it is important for organizations to get ahead of security concerns. Not only will building in security measures at the outset thwart costly and embarrassing attacks, it is also less expensive than trying to tack them on later. She recommends three specific measures: conduct a threat assessment and carefully control access to, and monitoring of, training data and models; add AI-specific aspects to the standard software development life cycle (SDLC) controls; and protect and maintain data repositories to prevent data poisoning. See the article for elaboration of each of these points.
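As an added example for the third measure (not code from the article or from Gartner): a signed integrity manifest for a training-data repository, so that a modified, missing or unexpected file is caught before the data reaches a training run. The directory, the file names and the key are constructed for the demo.

```python
"""Added example (not from the InformationWeek article or Gartner): an
HMAC-signed integrity manifest for a training-data directory, used to detect
poisoning before training. Dataset contents and key are constructed here."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files):
    # Fixed serialisation so signer and verifier hash identical bytes.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(data_dir, key):
    """Hash every file under data_dir and sign the listing with an HMAC key
    held by the training pipeline, not by writers to the data store."""
    root = Path(data_dir)
    files = {p.relative_to(root).as_posix(): _sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_manifest(data_dir, manifest, key):
    """Returns (ok, problems). The signature is checked first so that an
    edited manifest cannot vouch for a poisoned file."""
    expected = hmac.new(key, _canonical(manifest["files"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest signature invalid"]
    root = Path(data_dir)
    on_disk = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file()}
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in on_disk:
            problems.append(f"missing: {rel}")
        elif _sha256_file(root / rel) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(on_disk - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Build a constructed dataset, sign it, poison it, and re-check.
    Returns the verification results for inspection."""
    key = b"constructed-demo-key-kept-out-of-the-data-store"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "train.csv").write_text("id,text,label\n1,hello,ham\n2,win cash,spam\n")
        (root / "labels.json").write_text('{"classes": ["ham", "spam"]}')
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        # Poisoning: flip a label, drop in an extra file, remove another.
        (root / "train.csv").write_text("id,text,label\n1,hello,ham\n2,win cash,ham\n")
        (root / "extra.csv").write_text("3,free money,ham\n")
        (root / "labels.json").unlink()
        poisoned = verify_manifest(root, manifest, key)

        # A manifest whose tag was replaced is rejected before any file check.
        forged = dict(manifest, hmac="00" * 32)
        forged_result = verify_manifest(root, forged, key)
    return {"clean": clean, "poisoned": poisoned, "forged": forged_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The key must stay with the pipeline that runs training, not with anyone who can write to the data store; otherwise a poisoner simply re-signs. In production a practitioner would prefer an asymmetric signature (or a transparency log) so that verifiers never hold a signing key, and would store the manifest outside the repository it describes.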
Cynthia Murrell, September 30, 2020
Always: An Alluring Notion
September 30, 2020
DarkCyber ran a short video about a product called the Dronut. It looks like a small flying donut. You can get a link to the company, its patent document, and a snippet of the product’s promotional video at this link, at the 10 minute 36 second point in the show.
I was interested in “Why You Should Be Very Skeptical of Ring’s Indoor Security Drone,” an article in IEEE Spectrum. My team and I have done lectures, briefings, and even a book chapter about Amazon’s policeware and intelware activities. I know first hand that no one, not even law enforcement and intelligence officers, cares.
In fact, at one digital security conference last year in San Antonio, an attendee — an Air Force intel professional — summed up the attitude of the 100 people in the lecture hall:
My wife loves Amazon. The company may have some interesting technology, but, come on, even my kids depend on Amazon videos. Amazon is not an intelware player.
Not bad for a colonel’s analytic and content processing skills, right?
I am not going to rehash our research about Amazon’s intelligence related services. I want to focus on IEEE Spectrum’s write up; for example, this statement in the article:
Ring, the smart home company owned by Amazon, announced the Always Home Cam, a “next-level indoor security” system in the form of a small autonomous drone. It costs US $250 and is designed to closely integrate with the rest of Ring’s home security hardware and software. Technologically, it’s impressive. But you almost certainly don’t want one.
Clueless? Not completely. The Amazon surveillance drone is not marketed like the Dronut. Plus, the Amazon home surveillance drone is not a standalone product. The Always Home Cam provides the equivalent of a content acquisition “paint by numbers” module to the Amazon intelware infrastructure.
Little patches of data particularized and indexed by time, location, and other metadata can be cross correlated with other information. Some information is unique to Amazon; for example, the “signal” generated by processing payment history, video viewing, and product purchase information for an account holder. The cross-correlation (Amazon’s lingo from one of its blockchain related inventions) makes it possible to perform the type of analytic work associated with intelligence analysis software and subject matter experts.
The article notes:
Ring hasn’t revealed a lot of details on the drone itself, but here’s what we can puzzle out. My guess is that there’s a planar lidar right at the top that the drone uses to localize, and that it probably has a downward-looking camera as well. Ring says that you pre-map the areas that you want the drone to fly in, which works because the environment mostly doesn’t change. It’s also nice that you don’t have to worry about weather, and minimal battery life isn’t a big deal since you don’t need to fly for very long and the recharging dock is always close by. I like that the user can only direct the drone to specific waypoints rather than piloting it directly, which (depending on how well the drone actually performs) should help minimize crashes.
The author is either ignoring the UAS characteristics of surveillance devices or unaware of those conventions. The write up does refer to the challenge of avoiding mobile cameras. The parallel between Amazon’s in-home UAS and a telepresence robot misses the point. The data, not the device, are the story. At least the author reaches a reasonable conclusion:
But is it worth $250, questionably better security versus cheap static cameras, and a much larger potential for misuse or abuse? I’m not convinced.
If you are interested in a one hour briefing about Amazon’s policeware and intelware initiative, write benkent2020 at yahoo dot com. Someone on the DarkCyber team will respond with options and fees.
On the other hand, why not be like the intel colonel, “What’s the big deal?”
Stephen E Arnold, September 28, 2020
Google Will Not Play Baseball with a Mere Nation State
September 29, 2020
DarkCyber spotted an interesting article called “Google Slams Arbitration System in Australia’s New Media Code.” We have heard that Googlers are fans of college basketball, specifically the NCAA tournament. And some Googlers are true fans of cricket. Baseball? Those crazy rules. No thanks.
The write up reports:
The system being proposed is called ‘binding final-offer arbitration’, referred to in the US as ‘baseball arbitration’.
DarkCyber thinks baseball arbitration works like this:
- Side A and Side B cannot agree
- Each side writes up a best and final offer
- An objective entity picks one
- The decision is binding.
Google’s view is that the system is not fair. The write up includes this passage:
Google said it is happy to negotiate fairly and, if needed, see a standard dispute resolution scheme in place. “But given the inherent problems with ‘baseball arbitration’, and the unfair rules that underpin it here, the model being proposed isn’t workable for Google”. [The Google voice is that of Mel Silva, VP, Google Australia and New Zealand.]
The issue seems to be that a US company is not going to play ball with a country. Which is more important for citizens of Australia?
Google appears to adopt the position that its corporate interests override the nation state’s. The country — Australia in this case — seems to hold the old fashioned, non Silicon Valley view that its interests are more important.
DarkCyber believes that Googlers will perceive Australia’s intransigence as “not logical.” Google is logical as evidenced by this article “Alphabet Promises to No Longer Bung Tens of Millions of Dollars to Alleged Sex Pest Execs Who Quit Mid-Probe.” Logical indeed.
Stephen E Arnold, September 29, 2020
Technical Debt: Making Something Ignored Understandable to Suits
September 29, 2020
I have been fortunate to have been on the edges of several start ups; for example, The Point (Top 5% of the Internet), a system ultimately sold to CMGI / Lycos in the late 1990s. When the small team began work on the product, we used available servers, available software, and methods based on our prior experience. When we started work on The Point in 1994, the task seemed pretty simple: use what we know and provide an index to curated Web sites. At that time, it was possible to scan a list of new Web sites and select the ones which seemed promising. This was at first a manual process, but the handful of people working on it figured out ways to reduce the drudgery.
I learned (as one of the resources for hardware, software, and money) that those early decisions were in some ways similar to established business economics and quite different in others. Let me give one brief example and then address the information in “Most Technical Debt Is Just Bullsh*t.”
For The Point one of the wizards on my team used Paradox. I know the Georgia Tech grad and Westinghouse Science winner asked me, and I just grunted. Who cared? This was a mere test of an idea, not a project for an outfit like Thomson Corporation or the US government. My partner and I had worked on a CD of bird songs, and The Point seemed similar to that effort. Who knew in 1994? I sure did not.
That Paradox decision created technical debt. The database was okay, but it was not designed for multiple humans and software systems to update the files on a continuous basis. We could not do real time because the cheapo Sparc server I had was designed to run an indexing system called STAR. We figured out how to make Paradox work, but those early decisions had lasting impact.
I realized that making a database decision was similar to Henry Ford’s River Rouge. The concrete and buildings at one end of the giant complex were not going anywhere. First, Mr. Ford was busy making cars. Second, Mr. Ford needed the resources directed at making more cars. Third, Mr. Ford had to make decisions about the problems of the moment, not problems that were not fully understood at the time he made them. As a result, River Rouge became a giant thing that was mostly unchanged and unchangeable. The same observation can be made about Google-type companies. (Think of new features as software wrappers, not changes to the plumbing.)
That’s technical debt. The focus, resources, and understanding needed to change what has been put in place and is actually working are not a hot topic for a robust discussion of “Let’s do this over again.” Nope.
The Louwrentius article dances around this reality in my opinion; for example, recasting Ward Cunningham, who coined the phrase, the write up states that technical debt exists:
as a form of prototyping. To try out and test design/architecture to see if it fits the problem space at hand. But it also incorporates the willingness to spend extra time in the future to change the code to better reflect the current understanding of the problem at hand.
The write up ends with this statement:
Although Cunningham meant well, I think the metaphor of technical debt started to take on a life of its own. To a point where code that doesn’t conform to some Platonic ideal is called technical debt. Every mistake, every changing requirement, every tradeoff that becomes a bottleneck within the development process is labeled ‘technical debt’. I don’t think that this is constructive. I think my friend was right: the concept of technical debt has become bullshit. It doesn’t convey any better insight or meaning. On the contrary, it seems to obfuscate the true cause of a bottleneck. At this point, when people talk about technical debt, I would be very skeptical and would want more details. Technical debt doesn’t actually explain why we are where we are. It has become a hollow, hand-wavy ‘explanation’. With all due respect to Cunningham, because the concept is so widely misunderstood and abused, it may be better to retire it.
My personal view is:
- Technical debt is a bad way to say, “A software product or service is like a building that can either be a money loser or be torn down.” As long as it works — generates revenue — do as little as possible to keep the revenue flowing.
- Technical debt is fungible. It is like the poorly designed intake infrastructure for River Rouge. The bricks and concrete are not going away without significant investment and disruption.
- Technical debt is poorly understood. Humans are not very good at knowing what they do not know. I suppose that is Paradox-like. Who knew?
The good news is that CMGI’s check cleared the bank and The Point is now mostly forgotten like its technical debt. Who paid it off? I didn’t.
Stephen E Arnold, September 29, 2020
Hacking a Mere Drone? Up Your Ante
September 29, 2020
So many technology headlines are the stuff that science fiction is made of. The newest headline describes a threat that comes not only out of science fiction but also from the suspense genre, says Los Angeles Air Force Base: “SMC Team Supports First Satellite Hacking Exercise.”
For over a year, the Space and Missile Systems Center (SMC) experts in ground and satellite technology led a satellite hacking exercise. The event culminated in the Space Security Challenge 2020: Hack-A-Sat. The Special Programs Directorate and the Enterprise Corps Cross Mission Ground and Communications cyber operations team combined their forces for the exercise:
“This challenge asked security researchers, commonly known as hackers, from across the country and around the world to focus their skills and creativity in solving cybersecurity challenges on space systems. These white-hat ethical hackers are members of the research and security communities focused on legally and safely finding vulnerabilities for many different types of systems. This challenge focused on bridging the gap between space, cyber and security communities and growing these ecosystems.”
DEF CON controlled the exercise environment so the teams could practice their skills safely and securely. The competitors explored the satellite system, including the radio frequency communications, ground segments, and satellite bus. The Hack-A-Sat was basically war games with code. The purpose was to expose the experts to new systems they otherwise might not have access to.
The teams want to practice their skills in simulations and Hack-A-Sat events in preparation for real life events. The more real life scenarios the experts experience the more prepared they are to troubleshoot system errors and emergencies.
The Hack-A-Sat event is part of the future mission to the moon and of defending the United States from enemy threats. However, if the United States can undertake these exercises, hostile countries can as well. It would be horrible if authoritarian governments discovered how to hack US satellites. The metaphor is scary but apt: could the equivalent of a 9/11 terror attack happen through satellite hacks?
Whitney Grace, September 29, 2020
Pastebin: And Its Purpose Is?
September 29, 2020
DarkCyber noted “Pastebin Adds Burn After Read and Password Protected Pastes to the Dismay of the Infosec Community.”
Here’s the passage one of the DarkCyber researchers noted before sending the item to me:
Named “Burn After Read” and “Password Protected Pastes,” the two new features allow Pastebin users to create pastes (pieces of text) that expire after a single read or pastes that are protected by a password.
“And the purpose of pastesites is?” is a question the write up does not answer. On the surface, sharing snips of text seems innocent enough.
The write up notes:
While some people use it to host pieces of code or text they wanted to share with a colleague, over the past decade, Pastebin has also turned into a de-facto hosting service for malicious code.
There are some other interesting use cases too. Years ago, DarkCyber learned about pastesite flexibility from information provided by Recorded Future, the predictive analytics outfit. Among the more interesting functions of Pastebin in particular, and of the dozens of other text hosting outfits, was providing .onion addresses for unusual and interesting Dark Web destinations, among other types of content.
There’s a common sense suggestion in the write up too: Block pastesites.
Some law enforcement and intelligence professionals have a passing interest in Pastebin and similar sites. Pastebin has an Abuse Management and Threat Analysis team ready to assist LE and intel professionals with their requests. Sometimes the requests require documents, authorizations, and explanations. Speedy response is possible. But how “speedy” is speedy? That’s another good question ignored by the write up.
Stephen E Arnold, September 29, 2020
FinTech to TechFin: What Is With the Word Position Swap
September 29, 2020
I read an interesting essay called “A Look At The Power Shift From FinTech To TechFin.” I think the main idea is that banks are in the danger zone just as newspapers were and Main Street retail stores are.
I circled this passage:
With millennials becoming more and more comfortable using smartphones to pay for Uber, AirBnB, Amazon etc, the need for customer disintermediation arose and was well addressed by the FinTechs who had no overheads of physical distribution and were sitting on a lot of data. The ability to use non-traditional financial data, utilize SMS, utility bill payments and shopping history to build more accurate credit scoring helped the FinTech prove to be a credible challenge to the traditional lenders.
Okay. Thumbtypers on the march.
We also noted:
There is a need for an urgency to reposition and reinvent the traditional FinTech models as both, the customer expectation, as well as the landscape, is changing at lightning speed. There definitely would be tremendous action in the entire financial services space, including FinTech startups, within the next 2 years.
Several observations:
- Big-shoulder financial outfits may suck the oxygen out of the space; for example, Goldman and Apple
- Regulators could, although it seems unlikely, curtail monopolistic behavior in both banks and the rarified world of the FAANGs
- Consumers, like those who pay a penalty for being 99 percenters, might propel social pushback with more momentum.
Yes, there is a need for adaptation. I am not sure a marketing pitch is going to get the result the author views as necessary.
Stephen E Arnold, September 29, 2020