
Propaganda and the Weakening of Trust in Government


On November 4, 2016, the hacker "Guccifer 2.0," a front for Russia's military intelligence service, claimed in a blogpost that the Democrats were likely to use vulnerabilities to hack the presidential elections. On November 9, 2018, President Donald Trump started tweeting about the senatorial elections in Florida and Arizona. Without any evidence whatsoever, he said that Democrats were trying to steal the election through "FRAUD."

Cybersecurity experts would say that posts like Guccifer 2.0's are intended to undermine public confidence in voting: a cyber-attack against the US democratic system. Yet Donald Trump's actions are doing far more damage to democracy. So far, his tweets on the topic have been retweeted over 270,000 times, eroding confidence far more effectively than any foreign influence campaign.

We need new ideas to explain how public statements on the Internet can weaken American democracy. Cybersecurity today is not only about computer systems. It's also about the ways attackers can use computer systems to manipulate and undermine public expectations about democracy. Not only do we need to rethink attacks against democracy; we also need to rethink the attackers.

This is one key reason why we wrote a new research paper which uses ideas from computer security to understand the relationship between democracy and information. These ideas help us understand attacks which destabilize confidence in democratic institutions or debate.

Our research implies that insider attacks from within American politics can be more pernicious than attacks from other countries. They are more sophisticated, employ tools that are harder to defend against, and lead to harsh political tradeoffs. The US can threaten charges or impose sanctions when Russian trolling agencies attack its democratic system. But what punishments can it use when the attacker is the US president?

People who think about cybersecurity build on ideas about confrontations between states during the Cold War. Intellectuals such as Thomas Schelling developed deterrence theory, which explained how the US and USSR could maneuver to limit each other's options without ever actually going to war. Deterrence theory, and related concepts about the relative ease of attack and defense, seemed to explain the tradeoffs that the US and rival states faced, as they started to use cyber techniques to probe and compromise each other's information networks.

However, these ideas fail to acknowledge one key difference between the Cold War and today. Nearly all states -- whether democratic or authoritarian -- are entangled on the Internet. This creates both new tensions and new opportunities. The US assumed that the Internet would help spread American liberal values, and that this was a good and uncontroversial thing. Illiberal states like Russia and China feared that Internet freedom was a direct threat to their own systems of rule. Opponents of the regime might use social media and online communication to coordinate among themselves, and appeal to the broader public, perhaps toppling their governments, as happened in Tunisia during the Arab Spring.

This led illiberal states to develop new domestic defenses against open information flows. As scholars like Molly Roberts have shown, states like China and Russia discovered how they could "flood" internet discussion with online nonsense and distraction, making it impossible for their opponents to talk to each other, or even to distinguish between truth and falsehood. These flooding techniques stabilized authoritarian regimes, because they demoralized and confused the regime's opponents. Libertarians often argue that the best antidote to bad speech is more speech. What Vladimir Putin discovered was that the best antidote to more speech was bad speech.

Russia saw the Arab Spring and efforts to encourage democracy in its neighborhood as direct threats, and began experimenting with counter-offensive techniques. When a Russia-friendly government in Ukraine collapsed due to popular protests, Russia tried to destabilize new, democratic elections by hacking the system through which the election results would be announced. The clear intention was to discredit the election results by announcing fake voting numbers that would throw public discussion into disarray.

This attack on public confidence in election results was thwarted at the last moment. Even so, it provided the model for a new kind of attack. Hackers don't have to secretly alter people's votes to affect elections. All they need to do is to damage public confidence that the votes were counted fairly. As researchers have argued, "simply put, the attacker might not care who wins; the losing side believing that the election was stolen from them may be equally, if not more, valuable."

These two kinds of attacks -- "flooding" attacks aimed at destabilizing public discourse, and "confidence" attacks aimed at undermining public belief in elections -- were weaponized against the US in 2016. Russian social media trolls, hired by the "Internet Research Agency," flooded online political discussions with rumors and counter-rumors in order to create confusion and political division. Peter Pomerantsev describes how in Russia, "one moment [Putin's media wizard] Surkov would fund civic forums and human rights NGOs, the next he would quietly support nationalist movements that accuse the NGOs of being tools of the West." Similarly, Russian trolls tried to get Black Lives Matter protesters and anti-Black Lives Matter protesters to march at the same time and place, to create conflict and the appearance of chaos. Guccifer 2.0's blog post was surely intended to undermine confidence in the vote, preparing the ground for a wider destabilization campaign after Hillary Clinton won the election. Neither Putin nor anyone else anticipated that Trump would win, ushering in chaos on a vastly greater scale.

We do not know how successful these attacks were. A new book by John Sides, Michael Tesler and Lynn Vavreck suggests that Russian efforts had no measurable long-term consequences. Detailed research on the flow of news articles through social media by Yochai Benkler, Robert Faris, and Hal Roberts agrees, showing that Fox News was far more influential in the spread of false news stories than any Russian effort.

However, global adversaries like the Russians aren't the only actors who can use flooding and confidence attacks. US actors can use just the same techniques. Indeed, they can arguably use them better, since they have a better understanding of US politics, more resources, and are far more difficult for the government to counter without raising First Amendment issues.

For example, when the Federal Communications Commission asked for comments on its proposal to get rid of "net neutrality," it was flooded by fake comments supporting the proposal. Nearly every real person who commented was in favor of net neutrality, but their arguments were drowned out by a flood of spurious comments purportedly made by identities stolen from porn sites, by people whose names and email addresses had been harvested without their permission, and, in some cases, from dead people. This was done not just to generate fake support for the FCC's controversial proposal. It was to devalue public comments in general, making the general public's support for net neutrality politically irrelevant. FCC decision making on issues like net neutrality used to be dominated by industry insiders, and many would like to go back to the old regime.

Trump's efforts to undermine confidence in the Florida and Arizona votes work on a much larger scale. There are clear short-term benefits to asserting fraud where no fraud exists. This may sway judges or other public officials to make concessions to the Republicans to preserve their legitimacy. Yet they also destabilize American democracy in the long term. If Republicans are convinced that Democrats win by cheating, they will feel that their own manipulation of the system (by purging voter rolls, making voting more difficult and so on) is legitimate, and very probably cheat even more flagrantly in the future. This will trash collective institutions and leave everyone worse off.

It is notable that some Arizonan Republicans -- including Martha McSally -- have so far stayed firm against pressure from the White House and the Republican National Committee to claim that cheating is happening. They presumably see more long term value from preserving existing institutions than undermining them. Very plausibly, Donald Trump has exactly the opposite incentives. By weakening public confidence in the vote today, he makes it easier to claim fraud and perhaps plunge American politics into chaos if he is defeated in 2020.

If experts who see Russian flooding and confidence measures as cyberattacks on US democracy are right, then these attacks are just as dangerous -- and perhaps more dangerous -- when they are used by domestic actors. The risk is that over time they will destabilize American democracy so that it comes closer to Russia's managed democracy -- where nothing is real any more, and ordinary people feel a mixture of paranoia, helplessness and disgust when they think about politics. Paradoxically, Russian interference is far too ineffectual to get us there -- but domestically mounted attacks by all-American political actors might.

To protect against that possibility, we need to start thinking more systematically about the relationship between democracy and information. Our paper provides one way to do this, highlighting the vulnerabilities of democracy against certain kinds of information attack. More generally, we need to build levees against flooding while shoring up public confidence in voting and other public information systems that are necessary to democracy.

The first may require radical changes in how we regulate social media companies. Modernization of government commenting platforms to make them robust against flooding is only a very minimal first step. Up until very recently, companies like Twitter have won market advantage from bot infestations -- even when it couldn't make a profit, it seemed that user numbers were growing. CEOs like Mark Zuckerberg have begun to worry about democracy, but their worries will likely only go so far. It is difficult to get a man to understand something when his business model depends on not understanding it. Sharp -- and legally enforceable -- limits on automated accounts are a first step. Radical redesign of networks and of trending indicators so that flooding attacks are less effective may be a second.

The second requires general standards for voting at the federal level, and a constitutional guarantee of the right to vote. Technical experts nearly universally favor robust voting systems that would combine paper records with random post-election auditing, to prevent fraud and secure public confidence in voting. Other steps to ensure proper ballot design, and standardize vote counting and reporting will take more time and discussion -- yet the record of other countries show that they are not impossible.

The US is nearly unique among major democracies in the persistent flaws of its election machinery. Yet voting is not the only important form of democratic information. Apparent efforts to deliberately skew the US census against counting undocumented immigrants show the need for a more general audit of the political information systems that we need if democracy is to function properly.

It's easier to respond to Russian hackers through sanctions, counter-attacks and the like than to domestic political attacks that undermine US democracy. To preserve the basic political freedoms of democracy requires recognizing that these freedoms are sometimes going to be abused by politicians such as Donald Trump. The best that we can do is to minimize the possibilities of abuse up to the point where they encroach on basic freedoms and harden the general institutions that secure democratic information against attacks intended to undermine them.

This essay previously appeared on Motherboard, with a terrible headline that I was unable to get changed.


Grand Theft Auto V: Torture Time With Uncle Trevor


For reasons I’ve explained before, I have a firm “no politics” rule here on the site. There are lots of places to have the standard Red v. Blue debates, and most of them are sewers. The last thing I’d want is to play referee in that never-ending screaming match. Having said that, I’m going to break my own rules and make a political statement:

I think government-sanctioned torture is a bad idea and – inasmuch as I have any say in the matter – I’m firmly against it.

I apologize for the breach of etiquette. I’m not announcing my beliefs to pick a fight or in the hopes that I can sway you to my thinking. In fact, I don’t really have a stake in what you think and I’m certainly not interested in trying to change your mind. If you disagree, that’s fine. We’re still friends as far as I’m concerned.

The only reason I bring this up is because I want to make it clear that I am ideologically in agreement with the author of this scene. My objections to this mission aren’t because I don’t like having “someone else’s opinion” shoved down my throat. My grievances here aren’t based on party politics or tribal thinking. My problem here is that the GTA V argument against torture is so childish and inept that it made me want to disagree.

Of all the things in Grand Theft Auto V that don’t work, the torture scene is the not-workingest. It takes a rare skill to be simultaneously sanctimonious and incoherent. This scene is fractally wrong. As you zoom in on a mistake you’ll see it’s made up of smaller mistakes that are just as misguided as the whole. The last time I was presented with something this dense with problems was the hotel scene in Hitman: Absolution. It’s actually hard to analyze this in an orderly way because the problems are so thick and interconnected. But I’ll do my best.

The Setup

Why is Trevor not killing the FIB agents right now?

The FIB summon our antiheroes to a creepy warehouse on the edge of town. The FIB have a prisoner and they want to torture him for information, and then use that information to assassinate someone. Or rather, they want our protagonists to do these things while they stand back and pretend to not be involved.

This is already a bit thin. If they’re trying to make it so they’re not blamed for the human rights violations you’re about to commit, then why are they hanging around the crime scene?

The problem here is that we’re about to go through a fully interactive torture scene. The player will choose from several different torture implements and then use the controller to apply the chosen device to the victim as he screams and pleads for mercy. This is something a lot of people are not going to want to do, which means a lot of people are going to be asking for a solid justification for it, which means you need to make sure the whole thing stands up to scrutiny.

When I go on one of my rants about the lack of logic in a given situation, a common (and more or less reasonable) defense is to say, “Shamus, you’re over-thinking this. Just go with it and enjoy the gameplay.” That excuse doesn’t work here because the game is demanding we think about the situation, and we can’t “enjoy” the gameplay because it’s actively, deliberately unpleasant.

What makes this really awful is that the victim is the only explicitly innocent person in the entire game. Oh sure, there might be other people in the cast that you find sympathetic or likable. Tracey, Amanda, and Jimmy qualify as non-combatants. But everyone, and I do mean everyone in the world of GTA V is some combination of shallow, cruel, vindictive, toxic, greedy, abusive, manipulative, gross, hateful, bigoted, or nihilistic. Everyone except the guy you’re about to torture, who makes it clear up front that he’s willing to answer any questions and just wants to go back to his family. This is a very sensitive topic, and the game is going to engage with it in the most blunt-force way possible.

Agent Steve gives Trevor the job of torturing our victim while Michael and Agent Dave go to the other side of the city to do the assassination. The problem is that Trevor has no reason to go along with any of this. We just spent an entire (overly long) chapter establishing that Trevor is fearless, single-minded, and capable of violence on a shocking scale. He hates being bossed around, he hates when people are rude to him, he hates the government, and he’s basically unstoppable. And now he’s taking orders from a condescending government jackass in a polo shirt and the story doesn’t even give us a fig leaf excuse for why. It doesn’t even look like agent Steve is armed!

Left: A totally annoying prick who we want to kill the moment we meet him. Right: The only sympathetic guy in all of GTA V. Guess which one we torture?

Yes, you could argue that maybe Trevor is in the mood for some torture. I can believe that. Except, wouldn’t he torture Agent Steve instead? The designated victim is a complete stranger to Trevor and means nothing to him. Meanwhile, Steve is smug, irritating, and deliberately going out of his way to piss Trevor off. Yes, the FIB has leverage over Michael. But they have no such leverage over Trevor.

The moment Trevor doesn’t strap Steve into the torture chair and go to work on him, this entire scenario collapses. This is not at all a plausible sequence of events. Sure, we can come up with some fanfiction that might explain Trevor’s behavior. But if you’re going to force the player to do something really unpleasant as part of some sanctimonious lecture / mission, then the reasoning behind it needs to be airtight and not reeking of contrivances.

Just to make it all as pointless as possible, the victim pleads with you to ask him questions because he’s already willing to talk. The writer is railroading us through this ridiculous mess so they can beat us over the head with the idea that “torture is bad”, and their presentation of the topic gives us a nonsensical strawman scenario that undercuts their point. Even a pro-torture thinker will readily admit there is nothing to be gained from torturing this guy. Which makes it feel like the writer doesn’t actually understand the debate. If they were actually going to take some sort of coherent swipe at the topic, then they really ought to present it in the context of the usual “ticking time bomb” hypothetical[1].

Either torture this guy or turn the game off. Those are your options.

You must torture the subject several times, with the game encouraging you to try a different implement of torture each time. Your available tools are:

  • Use pliers to rip out one of his teeth.
  • Use a massive pipe wrench to crush his knee / balls / arm.
  • Car battery to the nipples.
  • Waterboarding.

There are even optional things you can do to make the whole thing more sadistic, like sparking the battery connections right in his face to terrify him. The game won’t let you go easy on him, but it will allow you to be even more cruel. For some reason.

Pointless Yet Mandatory

A scene protesting the lack of accountability in government-sanctioned extra-judicial killings has accountability built into it. For some reason.

After each bout of torture, Steve asks another question about the guy they’re trying to assassinate. As we go we learn he’s an Azerbaijani with a full beard who smokes a lot and is left-handed. While all of this is going on, Michael is up on a hill overlooking a house party, peering at the guests through the scope of a sniper rifle. Once you have all of those facts, you can switch over to Michael and shoot the guy in question[2].

This is supposed to be commentary on how torture yields unreliable information and that there’s not enough accountability in the system, yet the mission itself undercuts this entire idea because the monomaniacal game designer can’t let go of their precious DIAS gameplay for one stupid mission, no matter how badly it clashes with the heavy-handed sermon the writer is hitting us with. If you shoot the wrong person then somehow everyone clairvoyantly realizes they’ve made a mistake and you fail the mission.

Imagine how much more sense it would make if you just had to kill someone at the party, and nobody was much concerned with fact-checking. Maybe players would torture the guy, only to realize later that it didn’t matter. Other players would just shoot someone at random and get a free pass, underscoring how easy and tempting it is to abuse a system with no accountability. There’s your message right there!

The Writer Thinks You’re Stupid

This is how subtle the messaging is in this scene.

Once you’re done with the torture and Michael kills his target, Steve orders Trevor to kill the informant. Trevor finally begins acting in-character and disobeys this order, instead taking the guy to the airport to “escape”.

It doesn’t make a lick of sense, of course. Regardless of what you did in the torture room, this guy is in no shape to fly. The game sort of assumes you used each torture implement once. So the informant is shirtless, covered in blood, slurring his words due to the missing tooth, and limping badly. He has no money, no ID, and no way of obtaining these things. What is he supposed to do at the airport? I have no idea. He tumbles down the steps in what I’m assuming is supposed to be “slapstick comedy” and that’s the last we see of him.

Turning this gruesome ordeal into a pratfall isn’t the writer’s big sin here. No, the really obnoxious thing is that after this blunt-force message, the writer turns Trevor into a sock puppet and has him explain to the informant (and to the audience) the point the writer is trying to make! I don’t know which is more disappointing, their lack of trust in the audience, or their lack of confidence in their craft.

And just to make it as bad as possible, Trevor’s “explanation” is wrong and incoherent. He correctly points out that they got no useful information out of the victim. Ok, fair enough. But then he goes on to say that torture is for the benefit of the torturer, or their boss, or their boss, etc.

Of course they made the tooth-pulling completely interactive. You can't cut corners on stuff like this!

This makes no sense. The US government didn’t adopt a torture program for the benefit of a handful of agents who get off on it. That’s the opposite of how power dynamics work. To say more would get into politics and involve pointing fingers, but the machinery that brought us here is a lot bigger and a lot more powerful than the will of a few CIA agents. Furthermore, if this was true then the FIB would have wanted to torture this guy themselves and not outsource the job. The only thing worse than explaining the lesson is the fact that the explanation disagrees with what we’ve been shown.

So the FIB brought in Trevor, a guy that is personally dangerous to them and has no reason to cooperate and they have no means to control. They did this so they could outsource a job they should have been able to do themselves, in order to extract information they had no means to verify from a guy who was already willing to tell them everything. This is all done in service of making an overt political statement, which is undercut by both the actions of the characters and the ingame mechanics. In doing so they take a real topic involving real human suffering and turn it into an incoherent slapstick farce. Then at the end the writer decides to just explain the lesson to us and gets it wrong.

*Slow sarcastic applause.*

Way to go, Rockstar. You managed to offend me with my own opinion, and I didn’t even know that was possible.



Drew DeVault: I don't trust Signal:

I expect a tool which claims to be secure to actually be secure. I don't view "but that makes it harder for the average person" as an acceptable excuse. If Edward Snowden and Bruce Schneier are going to spout the virtues of the app, I expect it to actually be secure when it matters - when vulnerable people using it to encrypt sensitive communications are targeted by smart and powerful adversaries.

Making promises about security without explaining the tradeoffs you made in order to appeal to the average user is unethical. Tradeoffs are necessary - but self-serving tradeoffs are not, and it's your responsibility to clearly explain the drawbacks and advantages of the tradeoffs you make. If you make broad and inaccurate statements about your communications product being "secure", then when the political prisoners who believed you are being tortured and hanged, it's on you. The stakes are serious. Let me explain why I don't think Signal takes them seriously. [...]

Truly secure systems do not require you to trust the service provider. This is the point of end-to-end encryption. But we have to trust that Moxie is running the server software he says he is. We have to trust that he isn't writing down a list of people we've talked to, when, and how often. We have to trust not only that Moxie is trustworthy, but given that Open Whisper Systems is based in San Francisco we have to trust that he hasn't received a national security letter, too (by the way, Signal doesn't have a warrant canary). Moxie can tell us he doesn't store these things, but he could. Truly secure systems don't require trust. [...]

And here comes the truly despicable bit:

Moxie forbids you from distributing branded builds of the Signal app, and if you rebrand he forbids you from using the official Open Whisper servers. Because his servers don't federate, that means that users of Signal forks cannot talk to Signal users. This is a truly genius move. No fork of Signal to date has ever gained any traction, and never will, because you can't talk to any Signal users with them. In fact, there are no third-party applications which can interact with Signal users in any way. Moxie can write as many blog posts which appeal to wispy ideals and "moving ecosystems" as he wants, but those are all really convenient excuses for an argument which allows him to design systems which serve his own interests.

No doubt these are non-trivial problems to solve. But I have personally been involved in open source projects which have collectively solved similarly difficult problems a thousand times over with a combined budget on the order of tens of thousands of dollars.

What were you going to do with that 50 million dollars again?

It is clear from its design and behavior that Signal's priority is to be a social network first and an encryption tool second. Growth at any cost.

Last year I gave Signal a try and it immediately spammed all of my contacts with my non-public phone number. So I was already aware that Signal is sketchy as fuck.

But abusing trademark law to circumvent the checks and balances that open source development normally provides is just appalling. They get to pretend that it is open source, get the bullet item on the pitch sheet, get the good press associated with that, while still maintaining absolute control. It's no less a vertically-integrated, untrustworthy data silo than any product from Facebook or Google.


113 days ago
Seeking good cross-platform alternative.
113 days ago
If you can live without a desktop app: Threema.
110 days ago
Shit. Signal is spamming all of my contacts who install Signal, right?

Whatever happened with keybase.io?
110 days ago
I don't know about the "spam" part. Signal does notify you if people (phone numbers) in your contact list have joined and vice versa, but it's not what I'd call spam. I think this person is being a little hyperbolic about that aspect of Signal's behavior, at least. This is how (I believe) Signal handles contact discovery and what it is doing with your contact list access: https://signal.org/blog/contact-discovery/ and https://signal.org/blog/private-contact-discovery/ Or maybe not...I'm not sure as I have not looked at the code, etc. to see what they actually are doing.
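The two Signal posts linked in the comment above make a point that is easy to miss: a client cannot protect a contact list merely by hashing the phone numbers before uploading them, because the space of possible numbers is small enough to enumerate, so the server (or anyone who obtains the hashes) can reverse a plain hash by lookup. The following is an added illustration of that point in Python; it is not Signal's code and was not written by anyone in this thread. The number block, the two "uploaded" hashes and the extrapolation to a ten-digit number space are constructed for the demo.

```python
"""Why a plain hash of a phone number is not private: the preimage space is tiny.

Added illustration, not Signal's contact-discovery code. All numbers are constructed.
"""
import hashlib
import time


def hash_number(number: str) -> str:
    """The naive upload format: an unsalted SHA-256 of the E.164 number."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def build_lookup(prefix: str, suffix_digits: int) -> dict:
    """Precompute hash -> number for every number under `prefix`.

    This is the server's (or an eavesdropper's) side of the attack: it is
    a one-time cost, after which every uploaded hash is a dictionary lookup.
    """
    table = {}
    for suffix in range(10 ** suffix_digits):
        number = f"{prefix}{suffix:0{suffix_digits}d}"
        table[hash_number(number)] = number
    return table


def recover(uploaded_hashes, table: dict) -> dict:
    """Map each uploaded hash back to the number it was derived from."""
    return {h: table[h] for h in uploaded_hashes if h in table}


# Constructed demo: a fictional block of 10,000 numbers (+1 555 555 xxxx)
# and two hashes a client might have uploaded from its address book.
DEMO_PREFIX = "+1555555"
DEMO_SUFFIX_DIGITS = 4
UPLOADED = [hash_number("+15555551234"), hash_number("+15555550007")]


def demo():
    """Return the recovered numbers and a rough cost estimate for the full space."""
    start = time.perf_counter()
    table = build_lookup(DEMO_PREFIX, DEMO_SUFFIX_DIGITS)
    elapsed = time.perf_counter() - start
    hits = recover(UPLOADED, table)
    # A ten-digit national number space is about 10**10 candidates; scale the
    # measured cost of 10**4 hashes up to it (single-threaded, pure Python).
    full_space_seconds = elapsed * (10 ** 10 / 10 ** DEMO_SUFFIX_DIGITS)
    return hits, full_space_seconds


if __name__ == "__main__":
    recovered, estimate = demo()
    for digest, number in recovered.items():
        print(f"{digest[:16]}... -> {number}")
    print(f"Estimated time to table a full 10-digit space: {estimate / 3600:.1f} h")
```

The extrapolated figure is hours on one core, and it is a one-time precomputation that then answers every future upload instantly; a salt known to the server changes nothing, since the server is the party doing the lookup. That is why the second linked post describes a design that relies on hardware enclaves rather than on hashing.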
110 days ago
Spam is a little harsh, but you get little notifications in the Android app which are indistinguishable from interpersonal Signal messages. This forces you to open Signal to see if someone new has actually joined Signal or just sent you a message. That counts as social-network-spam in my book.
101 days ago
I had no idea they had a chat

Hanging Up on Mobile in the Name of Security


An entrepreneur and virtual currency investor is suing AT&T for $224 million, claiming the wireless provider was negligent when it failed to prevent thieves from hijacking his mobile account and stealing millions of dollars in cryptocurrencies. Increasingly frequent, high-profile attacks like these are prompting some experts to say the surest way to safeguard one’s online accounts may be to disconnect them from the mobile providers entirely.

The claims come in a lawsuit filed this week in Los Angeles on behalf of Michael Terpin, who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication.

Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.

According to Terpin, this was the second time in six months someone had hacked his AT&T number. On June 11, 2017, Terpin’s phone went dead. He soon learned his AT&T password had been changed remotely after 11 attempts in AT&T stores had failed. At the time, AT&T suggested Terpin take advantage of the company’s “extra security” feature — a customer-specified six-digit PIN which is required before any account changes can be made.

Terpin claims an investigation by AT&T into the 2018 breach found that an employee at an AT&T store in Norwich, Conn. somehow executed the SIM swap on his account without having to enter his “extra security” PIN, and that AT&T knew or should have known that employees could bypass its customer security measures.

Terpin is suing AT&T for his $24 million worth of cryptocurrencies, plus $200 million in punitive damages. A copy of his complaint is here (PDF).

AT&T declined to comment on specific claims in the lawsuit, saying only in a statement that, “We dispute these allegations and look forward to presenting our case in court.”


Mobile phone companies are a major weak point in authentication because so many companies have now built their entire procedure for authenticating customers on a process that involves sending a one-time code to the customer via SMS or automated phone call.

In some cases, thieves executing SIM swaps have already phished or otherwise stolen a target’s bank or email password. But many major social media platforms — such as Instagram — allow users to reset their passwords using nothing more than text-based (SMS) authentication, meaning thieves can hijack those accounts just by having control over the target’s mobile phone number.

Allison Nixon is director of security research at Flashpoint, a security company in New York City that has been closely tracking the murky underworld of communities that teach people how to hijack phone numbers assigned to customer accounts at all of the major mobile providers.

Nixon calls the current SIM-jacking craze “a major identity crisis” for cybersecurity on multiple levels.

“Phone numbers were never originally intended as an identity document, they were designed as a way to contact people,” Nixon said. “But because all these other companies are building in security measures, a phone number has become an identity document.”

In essence, mobile phone companies have become “critical infrastructure” for security precisely because so much is riding on who controls a given mobile number. At the same time, so little is needed to undo weak security controls put in place to prevent abuse.

“The infrastructure wasn’t designed to withstand the kind of attacks happening now,” Nixon said. “The protocols need to be changed, and there are probably laws affecting the telecom companies that need to be reviewed in light of how these companies have evolved.”

Unfortunately, with the major mobile providers so closely tied to your security, there is no way you can remove the most vulnerable chunks of this infrastructure — the mobile store employees who can be paid or otherwise bamboozled into helping these attacks succeed.

No way, that is, unless you completely disconnect your mobile phone number from any sort of SMS-based authentication you currently use, and replace it with Internet-based telephone services that do not offer “helpful” customer support — such as Google Voice.

Google Voice lets users choose a phone number that gets tied to their Google account, and any calls or messages to that number will be forwarded to your mobile number. But unlike phone numbers issued by the major mobile providers, Google Voice numbers can’t be stolen unless someone also hacks your Google password — in which case you likely have much bigger problems.

With Google Voice, there is no customer service person who can be conned over the phone into helping out. There is no retail-store employee who will sell access to your SIM information for a paltry $80 payday. In this view of security, customer service becomes a customer disservice.

Mind you, this isn’t my advice. The above statement summarizes the arguments allegedly made by one of the most accomplished SIM swap thieves in the game today. On July 12, 2018, police in California arrested Joel Ortiz, a 20-year-old college student from Boston who’s accused of using SIM swaps to steal more than $5 million in cryptocurrencies from 40 victims.

Ortiz allegedly had help from a number of unnamed accomplices who collectively targeted high-profile and wealthy people in the cryptocurrency space. In one of three brazen attacks at a bitcoin conference this year, Ortiz allegedly used his SIM swapping skills to steal more than $1.5 million from a cryptocurrency entrepreneur, including nearly $1 million the victim had crowdfunded.

A July 2018 posting from the “OG” Instagram account “0”, allegedly an account hijacked by Joel Ortiz (pictured holding an armload of Dom Perignon champagne).

Ortiz reportedly was a core member of OGUsers[dot]com, a forum that’s grown wildly popular among criminals engaging in SIM swaps to steal cryptocurrency and hijack high-value social media accounts. OG is short for “original gangster,” and it refers to a type of “street cred” for possession of social media account names that are relatively short (between one and six characters). On ogusers[dot]com, Ortiz allegedly picked the username “j”. Short usernames are considered more valuable because they confer on the account holder the appearance of an early adopter on most social networks.

Discussions on the Ogusers forum indicate Ortiz allegedly is the current occupant of perhaps the most OG username on Twitter — an account represented by the number zero “0”. The alias displayed on that twitter profile is “j0”. He also apparently controls the Instagram account by the same number, as well as the Instagram account “t”, which lists its alias as “Joel.”

Shown below is a cached snippet from an Ogusers forum posting by “j” (allegedly Ortiz), advising people to remove their mobile phone number from all important multi-factor authentication options, and to replace it with something like Google Voice.

Ogusers SIM swapper “j” advises forum members on how not to become victims of SIM swapping.


All four major wireless carriers — AT&T, Sprint, T-Mobile and Verizon — let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

Mobile store employees who can be bought or tricked into conducting SIM swaps are known as “plugs” in the Ogusers community, and without them SIM swapping schemes become much more difficult.

Last week, KrebsOnSecurity broke the news that police in Florida had arrested a 25-year-old man who’s accused of being part of a group of at least nine individuals who routinely conducted fraudulent SIM swaps on high-value targets. Investigators in that case say they have surveillance logs that show the group discussed working directly with mobile store employees to complete the phone number heists.

In May I wrote about a 27-year-old Boston man who had his three-letter Instagram account name stolen after thieves hijacked his number at T-Mobile. Much like Mr. Terpin, the victim in that case had already taken T-Mobile’s advice and placed a PIN on his account that was supposed to prevent the transfer of his mobile number. T-Mobile ultimately acknowledged that the heist had been carried out by a rogue T-Mobile store employee.

So consider establishing a Google Voice account if you don’t already have one. In setting up a new number, Google requires you to provide a number capable of receiving text messages. Once your Google Voice number is linked to your mobile, the device at the mobile number you gave to Google should notify you instantly if anyone calls or messages the Google number (this assumes your phone has a Wi-Fi or mobile connection to the Internet).

After you’ve done that, take stock of every major account you can think of, replacing your mobile phone number with your Google Voice number in every case it is listed in your profile.

Here’s where it gets tricky. If you’re all-in for taking the anti-SIM-hacking advice allegedly offered by Mr. Ortiz, once you’ve changed all of your multi-factor authentication options from your mobile number to your Google Voice number, you then have to remove that mobile number you supplied to Google from your Google Voice account. After that, you can still manage calls/messages to and from your Google Voice number using the Google Voice mobile app.

And notice what else Ortiz advises in the screen shot above to secure one’s Gmail and other Google accounts: Using a physical security key (where possible) to replace passwords. This post from a few weeks back explains what security keys are, how they can help harden your security posture, and how to use them. If Google’s own internal security processes count for anything, the company recently told this author that none of its 85,000 employees had been successfully phished for their work credentials since January 2017, when Google began requiring all employees to use physical security keys in place of one-time passwords sent to a mobile device.

Standard disclaimer: If the only two-factor authentication offered by a company you use is based on sending a one-time code via SMS or automated phone call, this is still better than relying on simply a password alone. But one-time codes generated by a mobile phone app such as Authy or Google Authenticator are more secure than SMS-based options because they are not directly vulnerable to SIM-swapping attacks.

The web site twofactorauth.org breaks down online service providers by the types of secondary authentication offered (SMS, call, app-based one-time codes, security keys). Take a moment soon to review this important resource and harden your security posture wherever possible.


DEA Asks for Help Laundering Money


As Justin Rohrlich reports this week for the Daily Beast, the Drug Enforcement Administration recently expressed a concern that currency it seizes in drug busts could be covered in deadly chemicals, and has asked potential vendors for information about helping it clean up the dangerous bills.

There is good reason to believe that this is ridiculous.

In a Request for Information posted on June 14, the DEA said it was “interested in learning more about available capability in cleaning and decontaminating currency tainted with drugs and other unknown substances.” Some of these substances, it explained, “may be extremely harmful to human health and potentially result in death,” which can also be extremely harmful to human health. “As such,” the DEA continued, “the currency must be decontaminated to ensure safety.” It invited interested vendors to respond by June 26.

There is a lot wrong with this, even beyond the glaring misuse of the phrase “as such” to mean “therefore” and to refer to “substances” in one sentence but “currency” in the other. I mean, that is certainly appalling and something we need to address, it’s just not the biggest problem here.

Here are two bigger ones.

First, according to multiple sources quoted in the article, while one could not describe currency in circulation as “clean,” and drug residue of some kind is not rare, there seems to be little if any evidence that the levels involved could be harmful in any way, much less deadly. I say this only partly because the “hazardous substances” listed by the DEA for potential “decontamination” include marijuana/THC. (I’m not a doctor, but I haven’t exactly seen any headlines about emergency rooms being choked with cases of marijuana poisoning, and I live in San Francisco.) But what did the actual experts quoted in the article say? Here’s a summary:

  • Former FBI special agent for 22 years: this is all news to me.
  • Forensic toxicologist: “absurd at best,” also “ludicrous.”
  • Med-school professor: “quite odd, given the lack of scientific support.”
  • Former detective: no … but maybe for fentanyl?
  • Forensic toxicologist again: no, not fentanyl either, unless maybe you eat the bills.

The question therefore seems to be: Are DEA agents or administrators eating any of the currency they seize?

And this brings us to the second problem: if they are eating it, how would we know? Because the most interesting thing in the RFI is the DEA’s statement that, because the seized drug money is so dangerous, they will not be able to count it before turning it over to the vendor for cleaning:

Contaminated Currency Packaging Requirements and Delivery. The vendor shall indicate to DEA how contaminated currency should be packaged. DEA will not count the contaminated currency (due to inherent safety issues) prior to packaging the contaminated currency, but will have a general indication of the amount that has been packaged for the vendor. The vendor shall also indicate whether they provide pick up services for DEA, if DEA should deliver the contaminated currency, or both. It is preferred that DEA have a service where the contaminated currency can be double-bagged and provided directly to the vendor….

Emphasis added.


“Hi, guys, Steve over at DEA again. Hey, so we got another truckload or so of contaminated currency here that we need to ship over for you to laun— to decontaminate.”

“Whoops! You almost said it, Steve!”

“No, I said ‘decontaminate.’ Like in the proposal. Anyway, we’ve got, like, a truckload of hundreds here. What do you think?”

“Will Friday work?”

“Yes. Oh, and don’t forget—we need to get a truckload back, too.”

“Oh, absolutely. You will get a truckload back.” <is making air quotes with fingers>

“Okay … You’re not making air quotes, are you?”


“Okay. Because we talked about that.”

“Absolutely. Oh, and Steve?”


“Don’t forget to double-bag the cash. You know, so some of the bags don’t break and spill the money out all over the road, never to be seen again.”

“Very funny. You guys are a real hoot.”

“Hey, it’s a good joke.” <is making air quotes again> “Okay, we’ll try to make some room in the hundreds bin.”

“Okay, thanks.”


The phrase you’re looking for, I think, is “what could go wrong?” We have a federal agency pursuing a “war on drugs” that is basically pointless to begin with; an agency that (like many others) has a record of seizing assets before any conviction has taken place and without any discernible connection to law enforcement (see “Report: Many DEA Cash Seizures Have ‘No Discernible Connection’ to Law Enforcement” (Apr. 6, 2017)); and here it is saying it’s going to ship money back and forth for “decontamination,” on a questionable basis, without even counting it.

What could go wrong?

See also “DEA Agent: If You Legalize Pot, Rabbits Will Get High” (May 4, 2015) (discussing another really stupid argument a DEA agent made once).

1 public comment
173 days ago
The better question is which administration buddy this contract will be steered to. The Trump Org is too obvious but has anyone checked Erik Prince’s business filings recently?
Washington, DC

When I asked about Rage 2’s worst character, I got an unexpected response


Collector’s Edition celebrates Rage’s most regrettable tendencies

If I had to name a favorite game of E3 2018 — I’m fickle and bad with favorites — I’d probably say Rage 2. I wrote yesterday that it plays like a mixtape of Bethesda’s portfolio, grafting some of the best bits from Doom, Quake, Wolfenstein and Elder Scrolls onto an open world first-person shooter. Unfortunately, Rage 2 retains the one thing I despised about its predecessor, something I worried would prevent me from really enjoying the sequel.

In 2018, the only thing I remember with any clarity about the original Rage is its tone-deaf depiction of heroes and villains. The good guys were blessed with impossibly perfect skin and preternatural good looks. The villainous foot soldiers were mutants, many with facial wounds that looked an awful lot like my own birth defect: a full cleft lip and palate.

Cleft lips and palates (among other birth defects) have a history of representing villainy, one I’ve had to navigate my entire life. But I hadn’t appreciated the anxiety it caused me until I spent a couple dozen hours shooting ghouls who looked as if they’d been traced off my baby photos — pictures of me before I had the dozen-plus surgeries that pieced my mouth and nose together into what’s culturally established to be a “normal” look.

I’d heard rumors about Rage 2 a couple months ago, that it was being made in collaboration with one of my favorite developers, Avalanche Studios. And I was disappointed, though not surprised, when the trailer revealed that the project, while being something largely new, would retain the same imagery with regard to its mutants and heroes. I was downright crushed when Bethesda revealed the Collector’s Edition statue: a bust of Ruckus the Crusher, a mutated goon with an absent upper lip and deformed nose.

As a journalist, you don’t want to make yourself part of the story. But with a little extra time left in my interview with id Software studio director Tim Willits, I asked why the cleft lip and palate imagery made the cut from Rage to Rage 2. To his credit, he didn’t spin his response. Here’s the transcript.

Chris Plante: I have one other thing. I enjoyed Rage 1, but one thing ended up turning me off to it. I was born with a cleft lip and cleft palate, and one of the frustrating things about that game is that many of the enemies have that imagery — and there’s still a little of that in Rage 2. And I’m curious —

Tim Willits: So you feel that it’s a little insensitive?

Plante: Yeah. It makes me a little uncomfortable when it’s always the bad guys that have the upper lip and nose removed, effectively.

Willits: You know, I never really thought of that. I mean, you know, we try to make — you know, Kenneth Scott was our art director on Rage 1, and yeah, I mean I kind of feel bad now. Sometimes it’s hard when you — you don’t live in that world, so you’re like, ‘Oh, these guys …’ So I apologize. And you know, yeah, I’ll talk to the guys.

Plante: Sure. Are mutations normal for the heroes, too, in this version of the game?

Willits: It’s mostly the bad guys. But we do have some — the heroes in Rage 2 are not as pretty as the heroes in Rage 1. Someone did, like, “the girls of Rage” posters and stuff, so we are trying to be a little more balanced. And the Avalanche guys have been very good about being a little more sensitive. So I do think we have a better balance.

Is it a disappointment to hear that some of Rage 2’s villains will be modeled to share my birth defect? Yes, absolutely. Is it a relief to hear someone simply say sorry? More than I could have imagined, to be frank.

I can’t remember a time somebody did this in an interview: just recognized the error and apologized. It made me emotional, tapping into some psychological payload I won’t detonate in this piece. But it also felt like I suddenly could be excited about this thing I liked, some of its baggage left on the side of the road.

I recognize I have the rare opportunity to actually speak to creators in person, that there isn’t a better means for other people outside my position to have this experience. And I recognize that people of other backgrounds have for decades had to play games that treat them as targets — and that they still do. But for a moment, I felt a surge of optimism. If developers can be open, if they can make efforts to find other voices rather than wait for those voices to come to them, then everyone could feel welcome to play the hero, rather than be forced to spot themselves as the villain.

After all, this is a game set in an apocalyptic wasteland. I don’t expect the villains to be pristine beauty models. I know they’ll be grotesque, deformed and mutated. I just hope that in the future the heroes can look like me, too. Maybe that can be a new feature in Rage 3.
