Another OSINT Blind Spot: Fake Reviews

November 9, 2022

Fraud comes in many flavors. Soft fraud is a mostly ignored branch of online underhandedness. Examples range from online merchants selling products which don’t work or are never shipped to phishing scams designed to obtain online credentials. One tributary to the Mississippi River of online misbehavior is the category “Fake Reviews.” These appear on many services; for example, Amazon. Some authors and publishers crank out suspicious reviews as a standard business practice. Those with some cash and a low level of energy just hire ghost promoters on Fiverr-like services.

I noted “Up to 30% of Online Reviews Are Fake and Most Consumers Can’t Tell the Difference.” The write up says:

The latest survey from Brand Rated shows nine out of ten consumers use reviews to help decide what to buy, where to eat and which doctor or dentist to see. Experts say that’s a problem because up to 30% of online reviews are fake. “My research shows that the review platforms are just saturated with fake reviews. Far more so than most people are aware of,” said [Kay] Dean [Founder of Fake Review Watch.]

Several questions, assuming the data are accurate:

  1. What incentives exist for bad actors to surf on this cloud of unknowing?
  2. How will smart software identify “fake content” and deal with it in a constructive way?
  3. How many of the individuals in this magical 30 percent will have difficulty making sense of conflicting technical or medical information?

Net net: Cyber crime (hard and soft) is entering a golden age. OSINT analysts, are you able to identify real and fake in a reliable way? Think carefully about your answer.

Stephen E Arnold, November 9, 2022

A Flashing Yellow Light for GitHub: Will Indifferent Drivers Notice?

November 9, 2022

I read “We’ve Filed a Lawsuit Challenging GitHub Copilot, an AI Product That Relies on Unprecedented Open-Source Software Piracy. Because AI Needs to Be Fair & Ethical for Everyone.” The write up reports:

… we’ve filed a class-action lawsuit in US federal court in San Francisco, CA on behalf of a proposed class of possibly millions of GitHub users. We are challenging the legality of GitHub Copilot (and a related product, OpenAI Codex, which powers Copilot). The suit has been filed against a set of defendants that includes GitHub, Microsoft (owner of GitHub), and OpenAI.

My view of GitHub is that it presents a number of challenges. On one hand, Microsoft is a pedal-to-the-metal commercial outfit and GitHub is an outfit with some roots in the open source “community” world. Many intelware solutions depend on open source software. In my experience, it is difficult to determine whether cyber security vendors or intelware vendors offer software free of open source code. I am not sure the top dogs in these firms know. Big commercial companies love open source software because these firms see a way to avoid the handcuffs proprietary code vendors use for lock in and lock down without a permission slip. These permissions can be purchased. This fee irritates many of the largest companies which are avid users of open source software.

A second challenge of GitHub is that it serves bad actors in two interesting ways. First, those eager to compromise networks, automate phishing attacks, and probe the soft underbelly of companies “protected” by somewhat Swiss Cheese like digital moats rely on open source tools. Second, the libraries for some code on GitHub are fiddled so that those who use libraries but never check too closely on their plumbing become super duper attack and compromise levering vectors. When I was in Romania, “Hooray for GitHub” was, in my opinion, one of the more popular youth hang out disco hits.

The write up adds a new twist: Allegedly inappropriate use of the intellectual property of open source software on GitHub. The write up states:

As far as we know, this is the first class-action case in the US challenging the training and output of AI systems. It will not be the last. AI systems are not exempt from the law. Those who create and operate these systems must remain accountable. If companies like Microsoft, GitHub, and OpenAI choose to disregard the law, they should not expect that we the public will sit still. AI needs to be fair & ethical for everyone.

This issue is an important one. The friction for this matter is that the US government is dependent on open source to some degree. Microsoft is a major US government contractor. A number of Federal agencies are providing money to companies engaged in strategically significant research and development of artificial intelligence.

The different parties to this issue may exert or apply influence.

Worth watching because Amazon- and Google-type companies want to be the Big Dog in smart software. Once the basic technology has been appropriated, will these types of companies pull the plug on open source support and go cloud commercial? Will attorneys benefit while the open source community suffers? Will this legal matter mark the start of a sharp decline in open source software?

Stephen E Arnold, November 9, 2022

An Interesting NSO Related Action

November 9, 2022

In what sounds like the idea for a thriller/drama miniseries, The Times of Israel reports: “Former NSO CEO And Ex-Chancellor of Austria Establish New Cybersecurity Startup.” Sebastian Kurz, former Austrian chancellor, and ex-CEO of NSO Group Shalev Hulio established the new cybersecurity company Dream Security.

Hulio and Kurz formed Dream Security to protect critical infrastructures, such as energy, water, and oil facilities, from cyber attacks. Dream Security will begin building a market in Europe. Kurz and Hulio raised $20 million in pre-seed funds from investors led by Dovi Frances, who is an Israeli-American venture capitalist and founder of the Group 11 investment firm. Other investors include entrepreneurs from the Israeli cybersecurity industry and early NSO Group investor Adi Shalev.

Founder and former Wayout Group CEO Gil Dolev will join Dream Security’s initial team.

Kurz and Hulio are concerned with infrastructures from their past work:

“Kurz told the publication that as Austrian chancellor, he ‘witnessed many attacks on governments as well as on manufacturing plants and energy installations, most of which were not published in the media. This has far-reaching implications for supply chains as well as regular energy supplies and public services such as water and hospitals.’

Hulio told Bloomberg he was leaving ‘the intelligence side, offensive side if you want, and move to the defensive side. We saw that the biggest challenge the cyber world is dealing with is critical infrastructure.’ He said the new company would focus on European markets ‘because I currently think that they have the biggest threats right now because of the geopolitical situation.’”

Both men’s reputations are covered with black marks. Kurz left politics because he was accused in a corruption scandal. At NSO Group, Hulio oversaw the development of the Pegasus spyware. Pegasus has been used by countries with poor human rights records to spy on “rabble rousers.” Apple and Facebook are pursuing lawsuits against NSO Group for breaking into their products and violating the terms of use. The European Union is investigating the use of Pegasus by its critics and the US Commerce Department blacklisted the company, then limited access to US components and technology.

Israel is also tightening restrictions on its cybersecurity companies. The number of countries that can buy Israeli cyber technology went from 100 down to 37.

It appears Dream Security is attempting to skirt Israeli restrictions by building a new company in Europe. The leaders are preaching they want to help people by protecting their infrastructures, but it would not be surprising if their plans were more nefarious.

Whitney Grace, November 9, 2022

Is This Another Squeal from a Twitter Dependent User?

November 8, 2022

“The Ridiculous But Important Twitter Verification Debate, Explained” strikes me as another bleat from the old Twitter faction. The new and musk-scented tweeter has a revolutionary idea. If you are not following the “verification” issue, here’s the cited article’s presentation of the idea:

Musk says paid users would get a verification badge, and their tweets would get priority in replies, mentions, and searches; they’d also get to post longer videos, and they’d see fewer ads (but they’d still see ads). It probably shouldn’t even be called a “verification” badge anymore, either, as identity verification reportedly may not be necessary to get one (the money, it seems, is plenty and enough). And the blue check would no longer be a way to mitigate the spread of disinformation, as it was originally designed to be. Depending on who is willing to give Elon Musk $96 a year and what they have to say, it may well amplify it.

The old verification system, I learned from the write up:

… is not the status symbol people seem to think it is. It’s part of Twitter’s recognition that journalists are some of its most prolific users, that a lot of people use Twitter to keep up on the news those journalists tweet, and that it’s therefore important to all parties if they know whose word they can rely on.

Imagine. Now anyone willing to pay the Elon will receive a check. The “old” Twitter check mark was special. I noted this statement:

There are currently about 425,000 verified accounts, according to @verified. That’s enough for the blue check to no longer be the exclusive special symbol it was once seen as, but it’s also a small percentage of Twitter’s total user base, which Twitter has said is about 240 million monetizable (as in, actual people and not bots) daily active users.

This reminds me of Groucho Marx’ alleged quote about the value of a membership for a snazzy golf club: “I refuse to join any club that would have me as a member.”

I think Twitter is an unselective country club, but the check was something really special. But the tweeter thing is a relatively small service compared to Facebook or the Telegram Ukraine groups. I think buying a tweeter check mark is a way to make a small amount of money paid for a black hole sucking down money. That which was perceived to be special is now for sale, just like a Tesla without a wait list.

What about verification? Why not use false personas and scout around for one of those Voyager Labs-type intelware systems? Some permit the use of persona templates so that an identity can be deployed, verified, and used to interact with either humanoids or other software systems. Online verification is tough. Do you need evidence? Check out the lengths online services are going to determine that the entity logging in is actually the “real” registered entry. By the way, some verification methods required on certain ghost sites are like math problems in a Differential Calculus class.

In the era of dinobabies, if one published an article in a magazine, that article represented a writer, probably a hard charging English major, and a publisher (either loved like Barry Bingham senior or hated like the charming Mr. Hearst). Thus, if a reader were offended, there was, in theory, a throat into which one’s legal eagles could sink their talons. In the largely unregulated digital space, anonymity, false personas, content robots, and mixes of methods are ghosts. Legal eagles want to drop from the sky, seize their prey, and empty either wallets or blood vessels. Big disappointment: Software robots can be operated by an enterprising programmer in Romania. What legal eagle wants to jet to Bucharest and contemplate the patron saint of lawyers – Vlad the Impaler? Very few I surmise.

The anonymity thing is important to those who want to become a star, a thought leader, a dominant force in less than 200 words, and an influencer. Imagine this: A “real” journalist suggesting to a CIA professional that the real journalist could become a spy. That’s a great idea. The type of person who craves fame in Tweeterville wants those with a check to be special. If anyone can buy a check, then the value of the digital fame chaser goes down.

I don’t have a dog in the Fail Whale world. It is fun to identify the noises made by those who want to catch the Elon bird’s song which sounds a great deal like musical motifs from Mozart’s Requiem in D Minor.

Stephen E Arnold, November 8, 2022

Sepana: A Web 3 Search System

November 8, 2022

Decentralized search is the most recent trend my team and I have been watching. We noted “Decentralized Search Startup Sepana Raises $10 Million.” The write up reports:

Sepana seeks to make web3 content such as DAOs and NFTs more discoverable through its search tooling.

What’s the technical angle? The article points out:

One way it’s doing this is via a forthcoming web3 search API that aims to enable any decentralized application (dapp) to integrate with its search infrastructure. It claims that millions of search queries on blockchains and dapps like Lens and Mirror are powered by its tooling.

With search vendors working overtime to close deals and keep stakeholders from emulating Vlad the Impaler, some vendors are making deals with extremely interesting companies. Here’s a question for you: “What company is Elastic’s new best friend?” Elasticsearch has been a favorite of many companies. However, Amazon nosed into the Elastic space. Furthermore, Amazon appears to be interested in creating a walled garden protected by a moat around its search technologies.

One area for innovation is the notion of avoiding centralization. Unfortunately online means that centralization becomes an emergent property. That’s one of my pesky Arnold’s Laws of Online. But why rain on the decentralized systems parade?

Sepana’s approach is interesting. You can get more information at https://sepana.io. Also you can check out Sepana’s social play at https://lens.sepana.io/.

Stephen E Arnold, November 8, 2022

Hi, Mom, I Got a D in Math and Science This Term

November 8, 2022

I have never earned a D grade. In the cow town public high school, the grading system was simple: 93 to 100 = A, 83 to 93 = B, 70 to 82 = C, and 60 to 69 = D. Below 60, say “Hello” to an F, you loser you.

“Almost 30% of People Redo or Refine Google Searches, Study Says” reports:

This 30% number comes from 9.7% of users who engaged in a “Google Click,” meaning they clicked on images or something in a carousel after making a query. For these people, they may have actually found what they were looking for. Another 17.9% of users made modifications to “Google Keyword,” or ways to modify their original query. This totals to 27.6%, which was then rounded up by SEMRush.

Should we “trust” the source and its math? Heck no. But the interesting point is that quite a few Google users find that Google search is in the D category.

With the surge of “close enough for horse shoes” and “good enough” thinking, the result is not particularly surprising. In my own experience, I now have to work harder than ever to obtain accurate, useful, relevant information. I routinely cycle through Mojeek, Swisscows, Yandex, and a number of other systems. For me, Google is in the D Minus or F category. The for fee alternatives are disappointing because the depth of their coverage is similar to a child’s plastic wading pool.

What’s this mean? Finding on point information is taking more time which translates into direct costs. That ad supported model is super, isn’t it? “D” does the job.

Stephen E Arnold, November 8, 2022

Quantum Computing: PR and a Business Idea for the Google

November 8, 2022

“Quantum Winter Is Coming” converts the Sabine Hossenfelder video “The Quantum Hype Bubble Is About To Burst” into text. I read the text; you may find the video more appropriate for your learning method. The key point in the Hossenfelder analysis is that quantum computing is a thing, just not what the marketers have said it is. I do want to call attention to one statement in the video because I think it highlights an important facet of today’s research mechanisms; to wit:

…big companies have another way to make money from quantum computers, namely by renting them out to universities. And since governments are pouring money into research, that’s quite a promising way to funnel tax money into your business. Imagine the LHC was owned by Google and particle physicists had to pay to use it.

You may not have a quantum chip in your next mobile phone, but my hunch is that most research-centric universities will have a pay-to-use deal with Google-type outfits. What if these virtuous cycles fail to deliver a reproducible or high value output?

Here’s my answer to the question:

  1. The use information can be applied to online advertising
  2. Each “breakthrough” leads to a greater need for research, government funding kicks in, marketers get to work, the cycle repeats
  3. Progress is easier to achieve when the underlying technology appears to create an enhanced or new weapon.

Stephen E Arnold, November 8, 2022

Free and Useful OSINT Resource

November 8, 2022

For anyone interested in OSINT resources, here is a free eBook from low-profile intelware vendor Babel Street: Cybersecurity Insiders hosts “Open Source Intelligence (OSINT) Use Cases.” As the name implies, the volume describes practical applications of OSINT tools. The description reads:

“Businesses must be continually ready to mitigate all types of commercial and corporate risks. Some risks are known and easy to spot, but many are unknown and constantly evolving – your organization must be prepared to manage all of them or face serious consequences. A robust open-source intelligence (OSINT) platform is the answer. It combines publicly available information (PAI) data sources, with curated data streams, and filters to generate the actionable intelligence required to enhance protection or take action. This eBook includes twelve use cases exploring how OSINT tools help generate insights needed to drive improvements across:

  • Cyber risk management
  • Brand risk management
  • Operational risk management
  • Due diligence”

The book opens with a summary of how OSINT works and how it can be used. One notable use case is the very physical Event and Venue Protection under the otherwise BI-centered Brand Risk Management. One must provide some basic information before downloading the free resource, including name, company, email address, and phone number. Once registered with Cybersecurity Insiders, though, one has access to the site’s considerable roster of free cybersecurity resources. This includes another volume from Babel Street, “Best Practices for Using Publicly Available Information in Global Risk Management.” The firm’s clients include both government agencies and private enterprises. Not coincidentally, its AI analytics platform can assist organizations with the use cases described in the book. Based outside DC in Reston, Virginia, Babel Street was founded in 2009.

Cynthia Murrell, November 8, 2022

DYOR and OSINT Vigilantes

November 7, 2022

DYOR is an acronym used by some online investigators for “do your own research.” The idea is that open source intelligence tools provide information that can be used to identify bad actors. Obviously once an alleged bad actor has been identified, that individual can be tracked down. The body of information gathered can be remarkably comprehensive. For this reason, some law enforcement, criminal analysts, and intelligence professionals have embraced OSINT or open source intelligence as a replacement for the human-centric methods used for many years. Professionals understand the limitations of OSINT, the intelware tools widely available on GitHub and other open source software repositories, and from vendors. The most effective method for compiling information and doing data analysis requires subject matter experts, sophisticated software, and access to information from Web sites, third-party data providers, and proprietary information such as institutional knowledge.

If you are curious about representative OSINT resources used by some professionals, you can navigate to www.osintfix.com and click. The site will display one of my research team’s OSINT resources. The database the site pulls from contains more than 3,000 items which we update periodically. New, useful OSINT tools and services become available frequently. For example, in the work for one of our projects, we came across a useful open source tool related to Tor relays. It is called OrNetStats. I mention the significance of OSINT because I have been doing lectures about online research. Much of the content in those lectures focuses on open source and what I call OSINT blind spots, a subject few discuss.

The article “The Disturbing Rise of Amateur Predator-Hunting Stings: How the Search for Men Who Prey on Underage Victims Became a YouTube Craze” unintentionally showcases another facet of OSINT. Now anyone can use OSINT tools and resources to examine an alleged bad actor, gather data about an alleged crime, and pursue that individual. The cheerleading for OSINT has created a boom in online investigations. I want to point out that OSINT is not universally accurate. Errors can creep into data intentionally and unintentionally. Examples range from geo-spoofing and identifying the ultimate owner of an online business to content posted by an individual to discredit a person or business. Soft fraud (that is, criminal type actions which are on the edge of legality like selling bogus fashion handbags on eBay) is often supported by open source information which has been weaponized. One example is fake reviews of restaurants, merchants, products, and services.

I urge you to work through the cited article to get a sense of what “vigilantes” can do with open source information and mostly unfiltered videos and content on social media. I want to call attention to four facets of OSINT in the context of what the cited article calls “predator-hunting stings”:

First, errors and false conclusions are easy to reach. One example is identifying the place of business for an online service facilitating alleged online crime. Some services displace the place of business for some online actors in the middle of the Atlantic Ocean or on obscure islands with minimal technical infrastructure.

Second, information can be weaponized to make it appear that an individual is an alleged bad actor. Gig work sites allow anyone to spend a few dollars to have social media posts created and published. Verification checks are essentially non-existent. One doesn’t need a Russia- or China-system intelligence agency; one needs a way to hire part time workers usually at quite low rates. How does $5 sound?

Third, the buzz being generated about OSINT tools and techniques is equipping more people than ever before to become Sherlock Holmes in today’s datasphere. Some government entities are not open to vigilante inputs; others are. Nevertheless, hype makes it seem that anything found online is usable. Verification and understanding legal guidelines remain important. Even the most scrupulous vigilante may have difficulty getting the attention of some professionals, particularly government employees.

Fourth, YouTube itself has a wide range of educational and propagandistic videos about OSINT. Some of these are okay; others are less okay. Cyber investigators undergo regular, quite specific training in tools, sources, systems, and methods. The programs to which I have been exposed include references to legal requirements and policies which must be followed. Furthermore, OSINT – including vigilante-type inputs – has to be verified. In my lectures, I emphasize that OSINT information should be considered background until those data or the items of information have been corroborated.

What’s the OSINT blind spot in the cited article’s report? My answer is, “Verification and knowledge of legal guidelines is less thrilling than chasing down an alleged bad actor.” The thrill of the hunt is one thing; hunting the right thing is another. And hunting in the appropriate way is yet another.

DYOR is a hot concept. It is easy to be burned.

Stephen E Arnold, November 7, 2022

Microsoft and Security: Customers! Do Better

November 7, 2022

I have a hunch that cyber security is like Google in the early 2000s. Magic, distractions, and blather helped disguise the firm’s systems and methods for generating revenue. Now (November 4, 2022) the cyber security sector may be taking a page or two from the early Google game plan. Who can blame the cyber security vendors, all 3000 to 7000 of them in the US alone? The variance is a result of the methodology of the business analysts answering the question, “How many companies are chasing commercial, non profit, and government prospects?” Either number makes it clear that cyber security is a very big business.

Now stick with me: What operating system and office software is used by about two thirds of the organizations in the United States? The answer, if I can believe the data from my research team, is close enough for horse shoes. Personally, I would peg the penetration of Microsoft software at closer to 90 percent, but let’s go with the 67 percent, plus or minus five percent. That means that cyber security vendors have to provide security for companies already obtaining allegedly secure software and services from Microsoft.

With cyber crime, breaches, zero days, etc, etc going up with dizzying speed, what’s the message I carry away? The answer is, “Cyber security is not working.”

I read “Microsoft Warns Businesses to Up Their Security Game against These Top Threats.” The article then identifies security as a problem. The solution, if I understand the article, is:

Microsoft suggests throughout the MDDR that organizations implement a number of its products into its tech stack to protect against and deal with threats, such as its Security Service Line for support throughout a ransomware attack, and Microsoft Defender for Endpoint for cloud-based protection.

If you are not familiar with MDDR, the acronym stands for the Microsoft Digital Defense Report. Presumably Microsoft’s crack security experts and the best available cyber consultants crafted the methods summarized in the article.

The irony is that Microsoft’s own products and services create a large attack surface. Microsoft’s own security tools seem to have chinks, cracks, and gaps which assorted bad actors can exploit.

Net net: Perhaps Microsoft should do security better. Aren’t customers buying solutions which work and do so in a way that protects business information and processes? Perhaps less writing about security and more doing security could be helpful?

Stephen E Arnold, November 7, 2022
