John Scott-Railton
Chasing digital badness. Sr. Researcher @citizenlab @UofT @munkschool. Fmr.Ed. @SecPlanner. Tweets mine. Or find me on Mastodon: https://t.co/YPRqnoBtce
Nov 14 7 tweets 5 min read
Whoa: NSO Group allegedly rolled a @WhatsApp exploit to implant #Pegasus spyware even after WhatsApp sued them.

This previously-unrevealed "Erised" vector was later disabled by #WhatsApp.

These un-redacted filings are quite the read. Even some footnotes have scoops. 1/

2/ We learn that NSO Group had at least three @whatsapp exploits: Heaven, Eden & Erised.

The first, called Heaven, was active some time prior to Sept-Dec 2018. It worked by using manipulated messages to direct targeted devices to a malicious WhatsApp relay controlled by NSO Group.

Heaven was ultimately disabled by changes made in Sept & December 2018 by WhatsApp.

storage.courtlistener.com/recap/gov.usco…
Oct 31 4 tweets 2 min read
WILD: actual photo of Musk-hired door knockers being driven around #Michigan.

This group of mostly-black workers were driven in the back of a truck with no seats.

They say they were flown in, given unrealistic goals, and threatened with their lodging being cut off & being forced to pay their own way home if they couldn't meet them.

Some didn't even know which candidate they were working for.

Article by @JakeLahut
wired.com/story/elon-mus…

Working to help the richest man in the world get his preferred candidate into office, folks.
Oct 26 5 tweets 3 min read
I'm excited for the #HarrisWalz plan to massively expand medicare to cover in-home care.

Beautiful. So many families are helping loved ones get through hurdles with dignity & independence. At home.

Oh wait, you hadn't heard about this?

A study shows major broadcast networks mostly ignored the policy announcement on the day she made it.
apnews.com/article/harris…
Home health care is ruinously expensive.

But as everyone knows, it's often better for seniors to get help in their homes.

A study found that this new #HarrisWalz #medicare benefit is likely to help more than 14 million beneficiaries.

Chart: kff.org/medicare/issue…
Oct 21 7 tweets 3 min read
You've probably heard about Musk's petition.

It's run on the same website that ran bait-and-switch voter registration back in August.

They had to shut it down.

The goal then: probably soak up detailed voter data.

Remember, lots of shady micro-targeting is going on right now from Musk-backed PACs.

And now? Data collection is again a key priority.

I don't know why this isn't front and center in news stories about this.
2/ Coverage of Musk's actions often treats them in isolation.

The petition for example is largely covered as "is this legal?"

Good question, but if you don't focus on the systemic effort to gather data & influence voters using that data, you miss the plot.
Oct 18 7 tweets 5 min read
BREAKING: Musk-backed PAC is micro-targeting muslim areas with ads saying Harris stands with Israel... and targeting jewish areas saying the opposite.

Writing is on the wall: Musk willing to further divide America if he thinks it will help his candidate win.

By @jason_koebler
404media.co/this-is-exactl…

Review the @google ads data yourself.

A "PRO-ISRAEL TEAM WE CAN TRUST" designed to look like a #HarrisWalz campaign ad is micro-targeted to areas with a high muslim population around Dearborn, Michigan.

Meanwhile, same Musk-backed PAC has a "WHY PANDER TO PALESTINE?" ad micro-targeted to areas in Pennsylvania.

The ads are getting millions of impressions.

adstransparency.google.com/advertiser/AR0…
Oct 17 4 tweets 4 min read
WARNING: fake pro-#HarrisWalz advertising campaign...

Is actually run by dark money network connected to Elon Musk.

The "Progress 2028" ads & text message campaigns feature lies about Harris policies about guns, immigrants & LGBTQ issues...

The goal is clearly to mislead voters.

Dirty politics that must be investigated.

By @annalecta
opensecrets.org/news/2024/10/p…
This false-flag #HarrisWalz campaign is hammering #Georgia with ad buys on @meta.

$66,140k in spend in the past week alone, shown to a custom audience. I wonder who it is?

Please reply if you've seen advertisements for "Progress 2028" or gotten text messages promoting this fake campaign.

facebook.com/ads/library/?a…
Oct 16 6 tweets 4 min read
NEW: sprawling AI bot army found attacking #HarrisWalz & dems, supporting Trump and GOP.

Researchers at @ClemsonUniv spotted & mapped the network.

It wasn't hard for them to conclude that an LLM was being used: they found tweets that leaked the prompts.

Which also helps make the partisan objectives of the campaign crystal clear...

READ: open.clemson.edu/cgi/viewconten…
2/ Beyond targeting the national election, specific Senate & House races were also a focus of efforts. As were specific figures like @SenatorBaldwin, who was apparently a perennial target.
Oct 5 10 tweets 5 min read
CATASTROPHIC: Chinese hackers massively wiretapped 🇺🇸USA by compromising the interception portals mandated under US law.

Remember this the next time a government demands encryption backdoors.

By: @bysarahkrouse @dnvolz @aviswanatha @bobmcmillan h/t @RonDeibert

READ: wsj.com/tech/cybersecu…
Manufacturers of networking and phone gear must follow specific standards for 'lawful interception' in different jurisdictions (e.g. CALEA & ETSI's standards).

But as we learn time & time again, the scope of potential access & harm is almost never matched by efforts to detect & block malicious use.
Oct 3 7 tweets 4 min read
BREAKING: @Microsoft & @TheJusticeDept take simultaneous action against 🇷🇺Russian FSB-backed hacking group.

#StarBlizzard/ #ColdRiver has been targeting a wide swath of US officials & civil society.

Sweet moment because civil society played a key role in the lawsuit. Thanks to @NonprofitISAC & our partner @accessnow, voices of victims from our collaborative investigation into the spear phishing operation were included. 1/
2/ Back in August we @citizenlab alongside our partners @accessnow w/@DeptFirst, Arjuna Team & RESIDENT.ngo published a collaborative investigation into Russian gov-backed phishing.👇

The clever attacks were causing harm around the world.
x.com/jsrailton/stat…
Sep 16 6 tweets 4 min read
NEW: fresh 🇺🇸US sanctions dropping on mercenary spyware industry.

Biden administration just fired a 2nd salvo against the #Intellexa consortium, which sells #Predator spyware.

The spyware is linked to human rights abuses around the globe & was used to target US officials. 1/

home.treasury.gov/news/press-rel…
2/ Back in March, US first used ‘big gun’ @USTreasury sanctions against #Intellexa.

It was precedent-setting & sent a chill through the spyware industry.

Today’s sanctions against yet-more Intellexa people read as the US saying "can you hear me yet?"
Sep 1 4 tweets 3 min read
If you collect it, they will come.

Investigators will eventually identify any consumer product that persistently records people's activities.

One day, they'll show up, requesting access.

If the data is consistently helpful, they'll stop asking & start demanding.

Once this happens enough the company will probably create a law enforcement portal to simplify access & save customers the trouble...🧵

2/ So many companies build consumer products with inherent pervasive surveillance collection without planning for the inevitable moment when demands begin coming in.

If you collect it, the demands will always come.

When you don't anticipate this moment in how you balance your design decisions, you expose yourself & your consumers to a lot of pressure. And introduce society to new kinds of surveillance.

It's an ethical conundrum in societies with a rule of law and judicial oversight.

And it is entirely more ominous when your product reaches countries that have none of that.
Aug 25 5 tweets 3 min read
WARNING: Account impersonating the popular @harris_wins now has a blue check.

Top result is a copycat with 72k+ followers that spreads inflammatory falsehoods.

Genuine account isn't even the first search result. Please report: ❌ @kamala_wins47
2/ This copycat regularly & misleadingly claims censorship to request amplification.

Over 200k people saw this particular misinformation, thousands more amplified it.

The account should never have been verified, and it astonishes me that @Safety hasn't pulled it yet.
Aug 25 6 tweets 2 min read
Misunderstandings about #Telegram & encryption are already shaping the conversation about Pavel Durov's detention. So, here's a primer.

Telegram is often seen as an "encrypted messenger" but for many users it functions a lot more like an unencrypted social network. 1/

2/ Remember, most #Telegram features are not end-to-end-encrypted, e.g.:

Not e2e encrypted by default:
❌ Regular messages

Never e2ee:
❌ Groups
❌ Channels

E2ee only when you opt into:
✅ Secret chats

If you see an ❌, this means that Telegram can/could access the contents.
Aug 21 7 tweets 4 min read
NEW: Researchers find microplastics in human brains.

Moreover, shards of microplastics in autopsied brain tissue increased between samples collected in 2016 vs. 2024.

Frontal cortex tissue (executive function, learning & memory, judgement...) concentrations were 7-30x those previously found in livers & kidneys.

Incredibly alarming potential implications for #AlzheimersDisease, dementia, blood brain barrier health etc.

Caveats: early days in methodology for spotting & characterizing these particle loads & understanding their impacts on brain health.

And that's just focusing on the physical particles.

There's a whole second disturbing tier of questions around what potentially toxic compounds like plasticizers will leach from #microplastics, especially as the particle size gets smaller.

Preprint: ncbi.nlm.nih.gov/pmc/articles/P…
2/ There doesn't appear to be a place on earth that hasn't got a microplastics load.

Dust in the atmosphere? Yep. The ocean? Yep. Creatures in it? Yep. Ocean breezes by the seashore? Yep.

Now our brains.

It's like the radioisotopes from atmospheric nuclear testing. Only there's no test ban in sight, and more are pouring into the ecosystem with every moment.

But the impact on us and our world is shockingly ill-understood.
Aug 14 13 tweets 10 min read
NEW: sophisticated phishing targets Russia's perceived enemies around the globe.

Targets were sent credible approaches pretending to be friends & colleagues.

Here's why we say 🇷🇺#Russia's spies are responsible 1/🧵

Collaboration between us @citizenlab & @accessnow, with @DeptFirst, Arjuna Team & RESIDENT.ngo

REPORT: citizenlab.ca/2024/08/sophis…
2/ Here's a typical attack: an email comes in, seemingly from a colleague you know well. It sounds like them.

They want you to look at an attached document.

But there's a twist: there is no attachment!

This is intentional, and clever...
Aug 7 6 tweets 4 min read
People are saying a lot of things about Gov. Tim Walz.

Like that he's a map nerd.

And as a map nerd, I was skeptical.

Until I spotted an @Esri* tote bag being loaded into his motorcade yesterday.

Rumor: confirmed.

*(ESRI: Biggest maker of Geographic Information Systems software)

2/ “A geographically illiterate member of the United States Congress is a very scary proposition,” he said.

Me nodding along so hard I hurt my neck.

minnesotareformer.com/2024/08/06/for…
Aug 2 7 tweets 5 min read
Website backed by billionaire solicits detailed info with a "Register to Vote" button.

But won't send voters to genuine voter registration sites if they are in a battleground state.

Oh, and the billionaire is Elon Musk.

By @schwartzbCNBC
cnbc.com/2024/08/02/elo…

WOW: Here's Elon Musk's America PAC bait-and-switch voter registration page.

It showed me: "Voter Registration It takes less than two minutes to register"

I entered information saying I was from Michigan and it solicited a lot of detailed personal information

Then it was over. It did not send me to an official voter registration page.
Jul 26 4 tweets 1 min read
You've been non-consensually opted into training Twitter / X's Grok AI.

Want to opt out?

✅ Go here: x.com/settings/grok_…

-or-

✅ Navigate to: Settings ➡️ Privacy & Safety ➡️ Grok

I'm hearing a lot of feedback from people struggling to opt out of Grok data sharing in the mobile app.

Some report having success with the web version.

Again, not good. Regulators are surely paying attention.
Jul 12 10 tweets 5 min read
STAGGERING: Nearly all @ATT customers' text & call records breached.

An unknown entity now has an NSA-level view into Americans' lives.

Damage isn't limited to AT&T customers.

But everyone they interacted with.

Also a huge national security incident given government customers on $T. 1/

By @MattEganCNN & @snlyngaas
cnn.com/2024/07/12/bus…
2/ From @ATT's SEC filing. None of this is remotely reassuring.

Making matters worse, it looks like some of the data has cell site information.

That means broad stroke location information that can be translated into intelligence about peoples' locations and movements.

sec.gov/ix?doc=/Archiv…
Jul 11 7 tweets 5 min read
WOW: Bolsonaro's spy services in #Brazil allegedly ran sprawling technical surveillance of:

❌ Opposition leaders
❌ Judges
❌ Journalists
❌ Environmental officials
❌ Those investigating son for corruption...

Then used the material... 1/

@tomphillipsin
theguardian.com/world/article/…
2/ OF COURSE. Material allegedly surreptitiously collected by this parallel intelligence service... was then used in harassment campaigns.

This pipeline of technical surveillance to disinformation is achingly familiar to anyone that has lived under authoritarianism.
Jul 10 5 tweets 3 min read
IMPORTANT: has @Apple sent you a mercenary spyware threat notification?

Latest round just went out.

Take them seriously. Get expert help.

If you are a journalist, activist, dissident etc. I suggest you ✅ contact @accessnow's helpline. 1/
accessnow.org/help/

2/ In my experience, @Apple's mercenary spyware threat notifications do several things:

✅ Help users take action to secure themselves
✅ Impose cost on spyware companies & customers
✅ Keep us researchers busy investigating cases

They can also have a ✅ deterrent effect.