Chasing digital badness. Sr. Researcher @citizenlab @UofT @munkschool. Fmr.Ed. @SecPlanner. Tweets mine.
Or find me on Mastodon: https://t.co/YPRqnoBtce
46 subscribers
Nov 14 • 7 tweets • 5 min read
Whoa: NSO Group allegedly rolled a @WhatsApp exploit to implant #Pegasus spyware even after WhatsApp sued them.
This previously-unrevealed "Erised" vector was later disabled by #WhatsApp.
These un-redacted filings are quite the read. Even some footnotes have scoops. 1/2/ We learn that NSO Group had at least three @whatsapp exploits: Heaven, Eden & Erised.
The first, called Heaven, was active some time prior to Sept-Dec 2018. It worked by using manipulated messages to direct targeted devices to a malicious WhatsApp relay controlled by NSO Group.
Heaven was ultimately disabled by changes made in Sept & December 2018 by WhatsApp.
WILD: actual photo of Musk-hired door knockers being driven around #Michigan.
This group of mostly-black workers were driven in the back of a truck with no seats.
They say they were flown in, given unrealistic goals, and threatened with their lodging being cut off & being forced to pay their own way home if they couldn't meet them.
Some didn't even know which candidate they were working for.
Article by @JakeLahut wired.com/story/elon-mus…
Working to help the richest man in the world get his preferred candidate into office, folks.
Oct 26 • 5 tweets • 3 min read
I'm excited for the #HarrisWalz plan to massively expand medicare to cover in-home care.
Beautiful. So many families are are helping loved ones get through hurdles with dignity & independence. At home.
Oh wait, you hadn't heard about this?
A study shows major broadcast networks mostly ignored the policy announcement on the day she made it. apnews.com/article/harris…
Home health care is ruinously expensive.
But as everyone knows, it's often better for seniors to get help in their homes.
A study found that this new #HarrisWalz #medicare benefit is likely to help more than 14 million beneficiaries.
A "PRO-ISRAEL TEAM WE CAN TRUST" designed to look like a #HarrisWalz campaign ad is micro-targeted to areas with a high muslim population around Dearborn, Michigan.
Meanwhile, same Musk-backed PAC has a "WHY PANDER TO PALESTINE?" ad micro-targeted to areas in Pennsylvania.
NEW: sprawling AI bot army found attacking #HarrisWalz & dems, supporting Trump and GOP.
Researchers at @ClemsonUniv spotted & mapped the network.
It wasn't hard for them to conclude that an LLM was being used: they found tweets that leaked the prompts.
Which also helps makes the partisan objectives of the campaign crystal clear...
READ: open.clemson.edu/cgi/viewconten… 2/ Beyond targeting the national election, specific Senate & House races were also a focus of efforts. As were specific figures like @SenatorBaldwin, who was apparently a perennial target.
Oct 5 • 10 tweets • 5 min read
CATASTROPHIC: Chinese hackers massively wiretapped 🇺🇸USA by compromising the interception portals mandated under US law.
Remember this the next time a government demands encryption backdoors.
READ: wsj.com/tech/cybersecu…
Manufacturers of networking and phone gear must follow specific standards for 'lawful interception' in different jurisdictions (e.g. CALEA & ETSI's standards)
But as we learn time & time again, the scope of potential access & harm almost never matched by efforts to detect & block malicious use.
Oct 3 • 7 tweets • 4 min read
BREAKING: @Microsoft & @TheJusticeDept take simultaneous action against 🇷🇺Russian FSB-backed hacking group.
#StarBlizzard/ #ColdRiver has been targeting a wide swath of US officials & civil society.
Sweet moment because civil society played a key role in the lawsuit. Thanks to @NonprofitISAC & our partner @accessnow, voices of victims from our collaborative investigation into the spear phishing operation were included. 1/ 2/ Back in August we @citizenlab alongside our partners
@accessnow w/@DeptFirst, Arjuna Team & RESIDENT.ngo published a collaborative investigation into Russian gov-backed phishing.👇
Investigators will eventually identify any consumer product that persistently records people's activities.
One day, they'll show up, requesting access.
If the data is consistently helpful, they'll stop asking & start demanding.
Once this happens enough the company will probably create a law enforcement portal to simplify access & save customers the trouble...🧵2/ So many companies build consumer products with inherent pervasive surveillance collection without planning for the inevitable moment when demands begin coming in.
If you collect it, the demands will always come.
When you don't anticipate this moment in how you balance your design decisions, you expose yourself & your consumers to a lot of pressure. And introduce society to new kinds of surveillance.
It's an ethical conundrum in societies with a rule of law and judicial oversight.
And it is entirely more ominous when your product reaches countries that have none of that.
Aug 25 • 5 tweets • 3 min read
WARNING: Account impersonating the popular @harris_wins now has a blue check.
Top result is a copycat with 72k+ followers that spreads inflammatory falsehoods.
Genuine account isn't even the first search result. Please report: ❌@kamala_wins47 2/ This copycat regularly & misleadingly claims censorship to request amplification.
Over 200k people saw this particular misinformation, thousands more amplified it.
The account should never have been verified, and it astonishes me that @Safety hasn't pulled it yet.
Aug 25 • 6 tweets • 2 min read
Misunderstandings about #Telegram & encryption are already shaping the conversation about Pavel Durov's detention. So, here's a primer.
Telegram is often seen as an "encrypted messenger" but for many users it functions a lot more like an unencrypted social network. 1/2/ Remember, most #Telegram features are not end-to-end-encrypted, e.g.:
No e2e encrypted by default:
❌Regular messages
Never e2ee:
❌ Groups
❌Channels
E2ee only when you opt into:
✅ Secret chats
If you see an❌ this means that Telegram can/could access the contents.
Aug 21 • 7 tweets • 4 min read
NEW: Researchers find microplastics in human brains.
Moreover, shards of microplastics in autopsied brain tissue increased between samples collected in 2016 vs. 2024.
Frontal cortex tissue (executive function, learning & memory, judgement...) concentrations were 7-30x those previously found in livers & kidneys.
Incredibly alarming potential implications for #AlzheimersDisease, dementia, blood brain barrier health etc.
Caveats: early days in methodology for spotting & characterizing these particle loads & understanding their impacts on brain health.
And that's just focusing on the physical particles.
There's a whole second disturbing tier of questions around what potentially toxic compounds like plasticizers will leach from #microplastics, especially as the particle size gets smaller.
Dust in the atmosphere? Yep. The ocean? Yep. Creatures in it? Yep. Ocean breezes by the seashore? Yep.
Now our brains.
It's like the radioisotopes from atmospheric nuclear testing. Only there's no test ban in sight, and more are pouring into the ecosystem with every moment.
But the impact on us and our world are shockingly ill- understood.
Aug 14 • 13 tweets • 10 min read
NEW: sophisticated phishing targets Russia's perceived enemies around the globe.
Targets were sent credible approaches pretending to be friends & colleagues.
Here's why we say 🇷🇺#Russia's spies are responsible 1/🧵
Collaboration between us @citizenlab & @accessnow, with @DeptFirst, Arjuna Team &
People saying a lot of things about Gov. Tim Walz.
Like that he's a map nerd.
And as a map nerd, I was skeptical.
Until I spotted an @Esri* tote bag being loaded into his motorcade yesterday.
Rumor: confirmed.
*(ESRI: Biggest maker of Geographic Information Systems software)2/ “A geographically illiterate member of the United States Congress is a very scary proposition,” he said.
Website backed by billionaire solicits detailed info with a "Register to Vote" button.
But won't send voters to genuine voter registration sites if they are in a battleground state.
Oh, and the billionaire is Elon Musk.
By @schwartzbCNBC cnbc.com/2024/08/02/elo…
WOW: Here's Elon Musk's America PAC bait-and-switch voter registration page.
It showed me: "Voter Registration It takes less than two minutes to register"
I entered information saying I was from Michigan and it solicited a lot of detailed personal information
Then it was over. It did not send me to an official voter registration page.
Jul 26 • 4 tweets • 1 min read
You've been non-consensually opted into training Twitter / X's Grok AI.
Want to opt out?
✅Go here:
-or-
✅Navigate to: Settings ➡️ Privacy & Safety ➡️ Grokx.com/settings/grok_…
I'm hearing a lot of feedback from people struggling to opt out of Grok data sharing in on the mobile app.
Some report having success with the web version.
Again, not good. Regulators are surely paying attention.
Jul 12 • 10 tweets • 5 min read
STAGGERING: Nearly all @ATT customers' text & call records breached.
An unknown entity now has an NSA-level view into Americans' lives.
Damage isn't limited to AT&T customers.
But everyone they interacted with.
Also a huge national security incident given government customers on $T. 1/
By @MattEganCNN &@snlyngaas cnn.com/2024/07/12/bus… 2/ From @ATT's SEC filing. None of this is remotely reassuring.
Making matters worse, it looks like some of the data has cell site information.
That means broad stroke location information that can be translated into intelligence about peoples' locations and movements.
2/ OF COURSE. Material allegedly surreptitiously collected by this parallel intelligence service... was then used in harassment campaigns.
This pipeline of technical surveillance to disinformation is achingly familiar to anyone that has lived under authoritarianism.
Jul 10 • 5 tweets • 3 min read
IMPORTANT: has @Apple sent you a mercenary spyware threat notification?
Latest round just went out.
Take them seriously. Get expert help.
If you a journalist, activist, dissident etc. I suggest you ✅contact @accessnow's helpline. 1/ accessnow.org/help/2/ In my experience, @Apple's mercenary spyware threat notifications do several things:
✅ Help users take action to secure themselves
✅ Impose cost on spyware companies & customers
✅ Keep us researchers busy investigating cases