NSO Group: Now US Lawmakers Want Pegasus Information
March 7, 2022
Imagine a hearing in which elected government officials ask questions about NSO Group’s Pegasus. Once that technical information is internalized, the members will want to know if a US government agency and a company wearing a T-shirt with the words “Privacy, Security, and China” printed on it use the specialized software.
“US Lawmakers Demand Answers from Apple and the FBI about the Agency’s Alleged Use of Pegasus Spyware” states:
…a pair of lawmakers in the US House are asking for some answers about the situation. The letters were signed by Rep. Jim Jordan, who is a ranking member of the House Judiciary Committee, and Rep. Mike Johnson, a ranking member of the subcommittee on civil rights. The letters were seeking information on “the FBI’s acquisition, testing, and use of NSO’s spyware,” which indicated that the FBI has acquired NSO-developed spyware tools like Pegasus and Phantom.
Will this inquiry end up in a public hearing with breathless real news people infected with Potomac Fever reporting on what once was secret?
I don’t know. But it would be a cause to celebrate if the NSO Group matter would drift into the background. Alas. Now that elected officials “demand” answers, I think I will be subjected to another flow of Pegasus/Phantom talk.
Apple is not dragging its feet in the orchard. The company has sued NSO Group for stuff only lawyers understand in addition to billing.
Will senior officials from Tim Apple’s company and the FBI participate in what will be memorialized on cable TV, YouTube, and possibly the China affiliated TikTok?
I don’t know. What I do know is that the knock-on effects of the NSO Group’s cowboy approach to the digital Wild West are bigger news than Buffalo Bill’s traveling circus.
Stephen E Arnold, March 7, 2022
Is It Party Time for STM Professional Publishers?
March 4, 2022
I spotted a TorrentFreak write up called “FBI Gains Access to Sci-Hub Founder’s Google Account Data.” The article explains that investigators are gathering information about Alexandra Elbakyan, the founder of what the article references as the “Pirate Bay of Science.”
The idea behind the service is to make paywall protected content available without the paywalls. The article explains what agencies have been involved and some of the legal procedures followed. These are routine but may be surprising to those who think about new recreational vehicles and the new pizza place.
What makes the investigation interesting is that references are made to Ms. Elbakyan’s alleged links to other governmental entities.
Several observations:
- Alleged links to a foreign power engaged in hostile actions move the story from scientific, technical and medical content made available without the professional publishers’ permission to a higher level of security concern.
- Professional publishers have not been happy campers since Sci-Hub became available. (Is this because the service has chewed into some revenues for these commercial enterprises? My guess is, “Yep.”)
- Allegedly, Ms. Elbakyan lives in Russia and, if the Wikipedia is spot on, she is studying philosophy at the Russian Academy of Sciences. (Will extradition be possible? My view is that the process will be interesting.)
When I read the story, I thought about one professional publishing big wig who said off the record, “That crazy Kazakh has to be shut down?”
Is it party time in the world of STM professional publishing? Not yet, but some may want to buy foil party hats and cheap kazoos.
Stephen E Arnold, March 4, 2022
A Meta Burger Surprise? Nope, Seems Like a Standard Operating Procedure
March 3, 2022
I love the thinking of high school science club managers. I think I have spotted an example clearly spelled out in “Facebook Misled Investors on Scope of Misinformation Problems, Whistleblower Says.” The key point seems to be that Meta (maybe meat) says one thing and does another — often with world class ineptitude.
The write up states:
Haugen’s new complaints say that while Facebook/Meta executives trumpeted their efforts to tamp down misinformation about climate change and COVID in earnings calls and elsewhere, internally, the company knew it was falling short.
The saying one thing and doing another approach is okay until a certain someone steps forward and says, “Not so fast.” That someone is Frances Haugen, the former Facebooker turned whistle blower. The secret is that Meta (maybe meat) could not chop liver.
I loved this approach to grilling the Meta outfit:
Using whistleblower complaints to address the misinformation problem is “creative,” Nathaniel Persily, a professor at Stanford Law School and director of the Stanford Cyber Policy Center, told The Washington Post. “You cannot pass a law in the US banning disinformation,” he said. “So what can you do? You can hold the platforms accountable to promises they make. Those promises could be made to users, to the government, to shareholders.” The strategy could work, given many investors’ appetites for focusing on environmental, social, and governance investment strategies (so-called ESG investors). For years, the SEC has told publicly traded companies that they need to make clear and accurate disclosures, Jane Norberg, a partner at Arnold & Porter who recently ran the SEC’s whistleblower program, told the Post. “If the company says one thing to investors but internal documents show that what they were saying is untrue, that could be something the SEC would look at,” she said.
Would the head Meta person pull a sophomoric stunt like obfuscate, fiddle with words, and prevaricate?
Yep, just like 14-year-olds explaining that the chemistry experiment was not intended to blow up the lab table.
Stephen E Arnold, March 3, 2022
UK Bill Would Require Age Verification
February 25, 2022
It might seem like a no-brainer—require age verification to protect children from adult content wherever it may appear online. But The Register insists it is not so simple in, “UK.gov Threatens to Make Adults Give Credit Card Details for Access to Facebook or TikTok.” The UK’s upcoming Online Safety Bill will compel certain websites to ensure users are 18 or older, a process often done using credit card or other sensitive data. Though at first the government vowed this requirement would only apply to dedicated porn sites, a more recent statement from the Department for Digital, Culture, Media, and Sport indicates social media companies will be included. The statement notes research suggests such sites are common places for minors to access adult material.
Writer Gareth Corfield insists the bill will not even work because teenagers are perfectly capable of using a VPN to get around age verification measures. Meanwhile, adults following the rules will have to share sensitive data with third-party gatekeepers just to keep up with friends and family on social media. Then there is the threat to encryption, which would have to be discontinued to enable the bill’s provision for scanning social media posts. Civil liberties groups have expressed concern, just as they did the last time around. Corfield observes:
“Prior efforts for mandatory age verification controls were originally supposed to be inserted into Digital Economy Act but were abandoned in 2019 after more than one delay. At that time, the government had designated the British Board of Film Classification, rather than Ofcom, as the age verification regulator. In 2018, it estimated that legal challenges to implementing the age check rules could cost it up to £10m in the first year alone. As we pointed out at the time, despite what lawmakers would like to believe – it’s not a simple case of taking offline laws and applying them online. There are no end of technical and societal issues thrown up by asking people to submit personal details to third parties on the internet. … The newer effort, via the Online Safety Bill, will possibly fuel Britons’ use of VPNs and workarounds, which is arguably equally as risky: free VPNs come with a lot of risks and even paid products may not always work as advertised.”
So if this measure is not viable, what could be the solution to keeping kids away from harmful content? If only each child could be assigned one or more adults responsible for what their youngsters access online. We could call them “caregivers,” “guardians,” or “parents,” perhaps.
Cynthia Murrell, February 25, 2022
Anduril Victorious with SOCOM Contract
February 25, 2022
Tech startups, and the venture capitalists that back them, have been trying valiantly to break the chains of traditional government procurements. Pointing to a recent nearly billion-dollar deal, Breaking Defense ponders, “Anduril Nets Biggest DoD Contract to Date: Signifier or Outlier for Defense Start-Ups?” Anduril is based in Irvine, California, and was founded in 2017. The surveillance and military tech company beat out 11 others competing for the lucrative contract with Special Operations Command (SOCOM). Reporter Andrew Eversden writes:
“Anduril will serve as a systems integrator partner on SOCOM’s counter-unmanned systems efforts. The contract is worth a maximum of $967,599,957 over the next the decade. Under the contract, SOCOM will be able to purchase Anduril’s systems through traditional means, in addition to buying Anduril’s products as a service, meaning the command can configure the system ‘based on mission profiles and ensuring SOCOM can rapidly adapt to new and evolving threat profiles.’ According to the company press release, the company will ‘deliver, advance, and sustain CUxS capabilities for special operations forces wherever they operate.’ It will provide counter-drone capability through its Lattice AI platform, which is designed to autonomously identify and classify threats. The system will be deployed both domestically and overseas, the Jan. 20 announcement stated. Anduril has made major strides in the last year positioning itself to win major defense contracts and augment its technology portfolio. Last year, it acquired Area-I, a tube-launched unmanned aerial system maker. Last summer, the company won a five-year, $99 million production other transaction agreement with the Pentagon’s Defense Innovation Unit for its counter-drone tech. In September, it bought Copious Imaging, whose technology added another layer of threat detection to Anduril’s air defense portfolio.”
We also note the firm had the honor of collaborating with Palantir on the Army’s Tactical Intelligence Targeting Access Node (TITAN) prototype last year. Tech executives and investors have expressed frustration at the challenges of doing business with our military, but this latest contract may be a signal that startups and other non-giant companies can make their way in the federal marketplace after all. On the other hand, we are told, SOCOM has long been the DoD division most likely to embrace innovative, non-traditional partners. If this contract goes well, perhaps SOCOM’s forward-thinking perspective will spread to other agencies. No pressure, Anduril.
Cynthia Murrell, February 25, 2022
Facebook: Irish Troubles
February 24, 2022
When I think of Ireland, here’s what comes to mind:
- A really weird street with jazzy murals and a penchant for violence
- Uplifting novels by Ken Bruen
- Potatoes
- The craic
After reading “Facebook Receives Bad News That Could Disrupt Its Business,” I am now thinking big money changing hands. The write up explains:
“We issued our decision [regarding trans border data] to Meta yesterday. And we have given them 28 days to come back to us with any comments they have. And at that stage we will prepare our draft decision and send our draft decision to our colleague data protection authorities in the EU and I expect that to happen in April,” Doyle [Irish Data Protection spokesperson] said. The stakes are high: if the Meta is prohibited from transferring information, its activities in Europe will be very strongly affected.
Implications? Meat — sorry, I meant Meta, formerly the Zuckbook — has one more issue to ponder. Oscar Wilde noted:
“Experience is merely the name men gave to their mistakes.”
Perhaps a VR headset will improve the Emerald Isle real world experience?
Stephen E Arnold, February 24, 2022
Yep, Those Microsoft Exchange Servers Are Appealing to Some Bad Actors
February 22, 2022
I know that few agree with my assessment of Windows 11; that is, rushed out without informing the Twit.tv experts. Why? To get attention focused on something other than Microsoft security issues. SolarWinds? Exchange Server? I don’t know.
Then I irritated a few folks with my opinion that the big deal for the electronic game company and the attendant meta chant is essentially another distraction. Why? Maybe the wonderful Windows Defender system, before an issue was fixed recently? Maybe another problem with Azure? I don’t know.
I do know that I read some information which, if true, makes clear that the US has a problem with security. And I know that some of the “problem” is a result of Microsoft’s software and systems. My source is the “real” news article “FBI Says BlackByte Ransomware Group Has Breached Critical US Infrastructure.” Let’s assume that the information in the write up is mostly on the money.
First, we note that the FBI issued a statement available here which says that malware has compromised multiple businesses. What’s interesting is that infrastructure sectors appear to have been compromised. What does that mean? My take is that this is a gentle way of saying that bad actors can muck up certain organizations, financial functions, and food (maybe jiggle the chemicals for fertilizer or send box cars to Texas?).
Second, the write up points out that an NFL football team’s systems may have been fiddled. Interesting indeed. Why? No idea.
Third, this paragraph is the one which I think is the most important:
In their warning, the authorities said some victims reported that the bad actors used a known Microsoft Exchange Server vulnerability to gain access to their networks. The authorities have also released filenames, indicators of compromise and hashes that IT personnel can use to check their networks for presence of the ransomware.
Yep, Microsoft. Exchange Servers.
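The check the quoted paragraph describes, as an added example that is not part of the original post or of the FBI advisory it refers to: a small scanner that walks a directory tree and flags any file whose name or SHA-256 matches a supplied indicator list. The planted files and the indicator values below are constructed placeholders, not real BlackByte artifacts; a real run would load the filenames and hashes published in the advisory.

```python
"""Match files under a directory against filename and SHA-256 indicators.

Added example; the indicators and planted files are constructed, not
taken from any advisory.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, ioc_filenames, ioc_sha256):
    """Walk `root` and return sorted (path, reason) pairs for every file
    whose name or SHA-256 matches the supplied indicators.

    Names are compared case-insensitively: an advisory lists a name once,
    but the file system the sample landed on may not preserve case.
    Hashes are compared as lowercase hex.
    """
    ioc_filenames = {name.lower() for name in ioc_filenames}
    ioc_sha256 = {h.lower() for h in ioc_sha256}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in ioc_filenames:
                reasons.append("filename")
            try:
                if sha256_of(path) in ioc_sha256:
                    reasons.append("sha256")
            except OSError:
                # A locked or unreadable file is reported, not silently
                # skipped, so it does not drop off the review list.
                reasons.append("unreadable")
            if reasons:
                hits.append((path, "+".join(reasons)))
    return sorted(hits)


def demo():
    """Plant three constructed files in a temp tree, scan them against
    constructed indicators, and return hits with paths relative to root."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    os.makedirs(os.path.join(root, "sub"))
    planted = {
        "report.txt": b"ordinary document\n",          # clean, no match
        "sub/dropper.exe": b"constructed sample A\n",   # matches by name only
        "sub/renamed.bin": b"constructed sample B\n",   # matches by hash only
    }
    for rel, content in planted.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    # Constructed indicators: a filename in a different case than the file
    # on disk, and the hash of the renamed sample.
    ioc_filenames = {"DROPPER.EXE"}
    ioc_sha256 = {sha256_of(os.path.join(root, "sub", "renamed.bin"))}
    return [(os.path.relpath(p, root), why)
            for p, why in scan_tree(root, ioc_filenames, ioc_sha256)]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{why:10} {path}")
```

Hash matching catches a sample that was renamed to evade a filename check, and the filename match still fires when the content was repacked, which is why both lists are worth running together.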
Windows 11 distracted for a while. The game deal is headed for legal choppy water. What will Microsofties roll out next? A phone, a new foldable perhaps, another reorganization?
Fascinating that security issues keep emerging and with each revelation the stakes creep higher. Bad actors may find this information encouraging. I find it downright awful.
Stephen E Arnold, February 22, 2022
Department of Defense: Troubling News about Security
February 21, 2022
It looks like a lack of resources and opaque commercial cloud providers are two factors hampering the DOD’s efforts to keep the nation cyber-safe. Breaking Defense discusses recent research from the Pentagon’s Director of Operational Test and Evaluation (DOT&E) in, “Pentagon’s Cybersecurity Tests Aren’t Realistic, Tough Enough: Report.” We encourage anyone interested in this important topic to check out the article and/or the report itself. Reporter Jaspreet Gill summarizes:
“[The report] states DoD should refocus its cybersecurity efforts on its cyber defender personnel instead of focusing primarily on the technology associated with cyber tools, networks and systems, and train them to face off against more real threats earlier in the process. For now, cybersecurity ‘Red Teams’ are stretched too thin and the ones that do test military systems are doing it with one hand tied behind their back compared to what actual adversaries would do, the report said.”
Enabling these teams to do their best work would mean giving them more time on the network to test vulnerabilities, more extensive toolsets, realistic rules of engagement, and better end-to-end planning, the report explains. In addition, it states, cyber security training must be expanded to include mission defense teams, system users, response-action teams, commanders, and network operators. We also learn that current funding practices effectively prohibit setting up offices dedicated to cyber technology effectiveness and training. Seriously? See the write-up for more recommendations that should be obvious.
The following bit is particularly troubling in this age of increasing privatization and corporate power. Gill informs us:
“The assessment also found DoD’s cyber concerns increasingly mirror those in the commercial sector due to increasing reliance on commercial products and infrastructure, especially with cloud services. The report recommends the Pentagon renegotiate contracts with commercial cloud providers and establish requirements for future contracts. ‘The DOD increasingly uses commercial cloud services to store highly sensitive, classified data, but current contracts with cloud vendors do not allow the DOD to independently assess the security of cloud infrastructure owned by the commercial vendor, preventing the DOD from fully assessing the security of commercial clouds. Current and future contracts must provide for threat-realistic, independent security assessments by the DOD of commercial clouds, to ensure critical data is protected.’”
Well yes—again that seems obvious. Public-private partnerships should be enacted with a dash of common sense. Unfortunately, that can be difficult to come by amidst bureaucracy.
Cynthia Murrell, February 21, 2022
Google Joke: A Googler Walks into a Coffee Shop with a Regulator and…
February 17, 2022
I read an amusing write up called “Google Keeps Android Ad Tool Into At Least 2024, Exploring Other Options.” I think the writer of the article is serious, not crafting a joke for Joe Rogan’s much admired “Man Show” comments. Here is the passage I found semi amusing:
Google said it would give “substantial notice” before axing what is known as AdId. But it will immediately begin seeking feedback on its proposed alternatives, which Google said aim to better protect users’ privacy and curb covert surveillance.
But better than what? What happens if there are technical issues in 2024? A Googler walks into a coffee shop with a regulator and says, “We need more time to better protect users’ privacy and curb covert surveillance.”
The regulator laughs out loud because he was thinking of Apple marginalizing Facebook. Perhaps the Google is delivering some Meta-Aid. Whoops. I meant to type Meta AdID.
Stephen E Arnold, February 17, 2022
Interesting Assertion from Bezos Affiliated Newspaper
February 15, 2022
My recollection is that Amazon, when under Jeff Bezos’ control, provided technology to the US Central Intelligence Agency. I was surprised when I read “Senators: CIA Has Secret Program That Collects American Data.” I have no idea if the story is on the money or not. I found it interesting that Amazon was not mentioned in the write up. Even though that interesting detail was omitted, I noted this passage in the article:
“These reports raise serious questions about the kinds of information the CIA is vacuuming up in bulk and how the agency exploits that information to spy on Americans,” Patrick Toomey, a lawyer for the American Civil Liberties Union, said in a statement. “The CIA conducts these sweeping surveillance activities without any court approval, and with few, if any, safeguards imposed by Congress.”
And Amazon? Not in the picture. Amazon’s client? In the picture.
Stephen E Arnold, February 15, 2022