Sharp Words about US Government Security

May 22, 2025

dino orange_thumb_thumb_thumb_thumbNo AI. Just a dinobaby who gets revved up with buzzwords and baloney.

On Monday (April 29, 2025), I am headed to the US National Cyber Crime Conference. I am 80, and I don’t do too many “in person” lectures. Heck, I don’t do too many lectures anymore period. A candidate for the rest home or an individual ready for a warehouse for the soon-to-die is a unicorn amidst the 25 to 50 year old cyber fraud, law enforcement professionals, and government investigators.

In my lectures, I steer clear of political topics. This year, I have been assigned a couple of topics which the NCCC organizers know attract a couple of people out of the thousand or so attendees. One topic concerns changes in the Dark Web. Since I wrote “Dark Web Notebook” years ago, my team and I keep track of what’s new and interesting in the world of the Dark Web. This year, I will highlight three or four services which caught our attention. The other topic is my current research project: Telegram. I am not sure how I became interested in this messaging service, but my team and I will will make available to law enforcement, crime analysts, and cyber fraud investigators a monograph modeled on the format we used for the “Dark Web Notebook.”

I am in a security mindset before the conference. I am on the lookout for useful information which I can use as a point of reference or as background information. Despite my age, I want to appear semi competent. Thus, I read “Signalgate Lessons Learned: If Creating a Culture of Security Is the Goal, America Is Screwed.” I think the source publication is British. The author may be an American journalist.

Several points in the write up caught my attention.

First, the write up makes a statement I found interesting:

And even if they are using Signal, which is considered the gold-standard for end-to-end chat encryption, there’s no guarantee their personal devices haven’t been compromised with some sort of super-spyware like Pegasus, which would allow attackers to read the messages once they land on their phones.

I did not know that Signal was “considered the gold standard for end-to-end chat encryption.” I wonder if there are some data to back this up.

Second, is NSO Group’s Pegasus “super spyware.” My information suggests that there are more modern methods. Some link to Israel but others connect to other countries; for example, Spain, the former Czech Republic, and others. I am not sure what “super” means, and the write up does not offer much other than a nebulous adjectival “super spyware.”

Third, these two references are fascinating:

“The Salt Typhoon and Volt Typhoon campaigns out of China demonstrate this ongoing threat to our telecom systems. Circumventing the Pentagon’s security protocol puts sensitive intelligence in jeopardy.”

The authority making the statement is a former US government official who went on to found a cyber security company. There were publicized breaches, and I am not sure comparable to Pegasus type of data exfiltration method. “Insider threats” are different from lousy software from established companies with vulnerabilities as varied as Joseph’s multi-colored coat. An insider, of course, is an individual presumed to be “trusted”; however, that entity provides information for money to an individual who wants to compromise a system, a person who makes an error (honest or otherwise), and victims who fall victim to quite sophisticated malware specifically designed to allow targeted emails designed to obtain information to compromise that person or a system. In fact, the most sophisticated of these “phishing” attack systems are available for about $250 per month for the basic version with higher fees associated with more robust crime as a service vectors of compromise.

The opinion piece seems to focus on a single issue focused on one of the US  government’s units. I am okay with that; however, I think a slightly different angle would put the problem and challenge of “security” in a context less focused on ad hominin rhetorical methods.

Stephen E Arnold, May 22, 2025

Microsoft: What Is a Brand Name?

May 20, 2025

Dino 5 18 25Just the dinobaby operating without Copilot or its ilk.

I know that Palantir Technologies, a firm founded in 2003, used the moniker “Foundry” to describe its platform for government use. My understanding is that Palantir Foundry was a complement to Palantir Gotham. How different were these “platforms”? My recollection is that Palantir used home-brew software and open source to provide the raw materials from which the company shaped its different marketing packages. I view Palantir as a consulting services company with software, including artificial intelligence. The idea is that Palantir can now perform like Harris’ Analyst Notebook as well as deliver semi-custom, industrial-strength solutions to provide unified solutions to thorny information challenges. I like to think of Palantir’s present product and service line up as a Distributed Common Ground Information Service that generally works. About a year ago, Microsoft and Palantir teamed up to market Microsoft – Palantir solutions to governments via “bootcamps.” These are training combined with “here’s what you too can deploy” programs designed to teach and sell the dream of on-time, on-target information for a range of government applications.

I read “Microsoft Is Now Hosting xAI’s Grok 3 Models” and noted this subtitle:

Grok 3 and Grok 3 mini are both coming to Microsoft’s Azure AI Foundry service.

Microsoft’s Foundry service. Is that Palantir’s Foundry, a mash up of Microsoft and Palantir, or something else entirely. The name confuses me, and I wonder if government procurement professionals will be knocked off center as well. The “dream” of smart software is a way to close deals in some countries’ government agencies. However, keeping the branding straight is also important.

image

What does one call a Foundry with a Grok? Shakespeare suggested that it would smell as sweet no matter what the system was named. Thanks, OpenAI? Good enough.

The write up says:

At Microsoft’s Build developer conference today, the company confirmed it’s expanding its Azure AI Foundry models list to include Grok 3 and Grok 3 mini from xAI.

It is not clear if Microsoft will offer Grok as another large language model or whether [a] Palantir will be able to integrate Grok into its Foundry product, [b] Microsoft Foundry is Microsoft’s own spin on Palantir’s service which is deprecated to some degree, or [c] a way to give Palantir direct, immediate access to the Grok smart software. There are other possibilities as well; for example, Foundry is a snappy name in some government circles. Use what helps close deals with end-of-year money or rev up for new funds seeking smart software.

The write up points out that Sam AI-Man may be annoyed with the addition of Grok to the Microsoft toolkit. Both OpenAI and Grok have some history. Maybe Microsoft is positioning itself as the role of the great mediator, a digital Henry Clay of sorts?

A handful of companies are significant influencers of smart software in some countries’ Microsoft-centric approach to platform technology. Microsoft’s software and systems are so prevalent that Israel did some verbal gymnastics to make clear that Microsoft technology was not used in the Gaza conflict. This is an assertion that I find somewhat difficult to accept.

What is going on with large language models at Microsoft? My take is:

  1. Microsoft wants to offer a store shelf stocked with LLMs so that consulting service revenue provides evergreen subscription revenue
  2. Customers who want something different, hot, or new can make a mark on the procurement shopping list and Microsoft will do its version of home delivery, not quite same day but convenient
  3. Users are not likely to know what smart software is fixing up their Miltonic prose or centering a graphic on a PowerPoint slide.

What about the brand or product name “Foundry”? Answer: Use what helps close deals perhaps? Does Palantir get a payoff? Yep.

Stephen E Arnold, May 20, 2025

NSO Group: When Marketing and Confidence Mix with Specialized Software

May 13, 2025

dino-orange_thumb_thumb_thumb_thumb_thumbNo AI, just the dinobaby expressing his opinions to Zellenials.

Some specialized software must remain known only to a small number of professionals specifically involved in work related to national security. This is a dinobaby view, and I am not going to be swayed with “information wants to be free” arguments or assertions about the need to generate revenue to make the investors “whole.” Abandoning secrecy and common sense for glittering generalities and MBA mumbo jumbo is ill advised.

I read “Meta Wins $168 Million in Damages from Israeli Cyberintel Firm in Whatsapp Spyware Scandal.” The write up reports:

Meta won nearly $168 million in damages Tuesday from Israeli cyberintelligence company NSO Group, capping more than five years of litigation over a May 2019 attack that downloaded spyware on more than 1,400 WhatsApp users’ phones.

The decision is likely to be appealed, so the “won” is not accurate. What is interesting is this paragraph:

[Yaron] Shohat [NSO’s CEO] declined an interview outside the Ron V. Dellums Federal Courthouse, where the court proceedings were held.

From my point of view, fewer trade shows, less marketing, and a lower profile should be action items for Mr. Shohat, the NSO Group’s founders, and the firm’s lobbyists.

I watched as NSO Group became the poster child for specialized software. I was not happy as the firm’s systems and methods found their way into publicly accessible Web sites. I reacted negatively as other specialized software firms (these I will not identify) began describing their technology as similar to NSO Group’s.

The desperation of cyber intelligence, specialized software firms, and — yes — trade show operators is behind the crazed idea of making certain information widely available. I worked in the nuclear industry in the early 1970s. From Day One on the job, the message was, “Don’t talk.” I then shifted to a blue chip consulting firm working on a wide range of projects. From Day One on that job, the message was, “Don’t talk.” When I set up my own specialized research firm, the message I conveyed to my team members was, “Don’t talk.”

Then it seemed that everyone wanted to “talk”. Marketing, speeches, brochures, even YouTube videos distributed information that was never intended to be made widely available. Without operating context and quite specific knowledge, jazzy pitches that used terms like “zero day vulnerability” and other crazy sales oriented marketing lingo made specialized software something many people without operating context and quite specific knowledge “experts.”

I see this leakage of specialized software information in the OSINT blurbs on LinkedIn. I see it in social media posts by people with weird online handles like those used in Top Gun films. I see it when I go to a general purpose knowledge management meeting.

Now the specialized software industry is visible. In my opinion, that is not a good thing. I hope Mr. Shohat and others in the specialized software field continue the “decline to comment” approach. Knock off the PR. Focus on the entities authorized to use specialized software. The field is not for computer whiz kids, eGame players, and  wanna be intelligence officers.

Do your job. Don’t talk. Do I think these marketing oriented 21st century specialized software companies will change their behavior? Answer: Oh, sure.

PS. I hope the backstory for Facebook / Meta’s interest in specialized software becomes part of a public court record. I am curious is what I have learned matches up to the court statements. My hunch is that some social media executives have selective memories. That’s a useful skill I have heard.

Stephen E Arnold, May 13, 2025

Geocoding Price Data

April 28, 2025

dino orange_thumb_thumbNo AI, just a dinobaby watching the world respond to the tech bros.

Some data must be processed to add geocodes to the items. Typically the geocode is a latitude and longitude coordinate. Some specialized services add addition codes to facilitate height and depth measurements. However, a geocode is not just what are generally called “lat and long coordinates.” Here’s a selected list of some of the items which may be included in a for-fee service:

  • An address
  • A place identifier
  • Boundaries like a neighborhood, county, etc.
  • Time zone
  • Points-of-interest data.

For organizations interested in adding geocodes to their information or data, pricing of commercial services becomes an important factor.

I want to suggest that you navigate to “Geocoding APIs Compared: Pricing, Free Tiers & Terms of Use.” This article was assembled in 2023. The fees presented are out of date. However, as you work through the article, you will gather useful information about vendors such as Google, MSFT Azure, and TomTom, among others.

One of the question-answering large language models can be tapped to provide pricing information that is more recent.

Stephen E Arnold, April 28, 2025

Paragon: Specialized Software Revealed

April 14, 2025

It can be difficult to get information about spyware and the firms that produce it. That is why we welcome the report, “Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations” from University of Toronto’s Citizen Lab. The detailed report gives a brief background on the company and a thorough map of its spyware infrastructure. Eye-opening. We learn about the effort by Meta and WhatsApp to thwart a Paragon zero-click exploit. The lab also shares details from its investigations into links between Paragon and the Italian and Canadian governments. See the article for all the details.

The report’s conclusion? “You Can’t Abuse-Proof Mercenary Spyware.” The authors emphasize:

“Paragon specifically courts media attention with claims that by only selling to a select group of governments, they can avoid the abuse scandals plaguing their peers. The implicit message: if you do not sell to autocrats, your product will not be used recklessly and in anti-democratic ways. History, however, shows us that this is not always the case. Many democratic states have histories of using secret surveillance powers and technologies against journalists and members of civil society. Mercenary spyware is no exception, with multiple democracies deploying spyware against journalists, human rights defenders, and other members of civil society. Indeed, organizations working against the proliferation and abuse of spyware, including the Citizen Lab, have warned that the temptation to use this technology in a rights-abusing way is so great that, even in democracies, it will be abused. Overall, the cases described in this report suggest that Paragon’s claims of having found an abuse-proof business model may not hold up to scrutiny. We acknowledge that this report does not seek to cover the totality of Paragon cases, but rather a set of cases where targets have chosen to come forward at this time and in our report. However, the pattern in these cases challenges Paragon’s marketing approach which has claimed that the company would only sell to clients that ‘abide by international norms and respect fundamental rights and freedoms.’”

Quite a surprise. The researchers are not stopping here. On the contrary, they describe this report as a first step. We look forward to hearing what they find next.

Cynthia Murrell, April 14, 2025

FOGINT: Targets Draw Attention. Signal Is a Target

April 1, 2025

dino orange_thumb_thumb_thumbDinobaby says, “No smart software involved. That’s for “real” journalists and pundits.

We have been plugging away on the “Telegram Overview: Notes for Analysts and Investigators.” We have not exactly ignored Signal or the dozens of other super secret, encrypted beyond belief messaging applications. We did compile a table of those we came across, and Signal was on that list.

I read “NSA Warned of Vulnerabilities in Signal App a Month Before Houthi Strike Chat.” I am not interested in the political facets of this incident. The important point for me is this statement:

The National Security Agency sent out an operational security special bulletin to its employees in February 2025 warning them of vulnerabilities in using the encrypted messaging application Signal

One of the big time cyber security companies spoke with me, and I mentioned that Signal might not be the cat’s pajamas. To the credit of that company and the former police chief with whom I spoke, the firm shifted to an end to end encrypted messaging app we had identified as slightly less wonky. Good for that company, and a pat on the back for the police chief who listened to me.

In my experience, operational bulletins are worth reading. When the bulletin is “special,” re-reading the message is generally helpful.

Signal, of course, defends itself vigorously. The coach who loses a basketball game says, “Our players put out a great effort. It just wasn’t enough.”

In the world of presenting oneself as a super secret messaging app immediately makes that messaging app a target. I know first hand that some whiz kid entrepreneurs believe that their EE2E solution is the best one ever. In fact, a year ago, such an entrepreneur told me, “We have developed a method that only a government agency can compromise.”

Yeah, that’s the point of the NSA bulletin.

Let me ask you a question: “How many computer science students in countries outside the United States are looking at EE2E messaging apps and trying to figure out how to compromise the data?” Years ago, I gave some lectures in Tallinn, Estonia. I visited a university computer science class. I asked the students who were working on projects each selected. Several of them told me that they were trying to compromise messaging systems. A favorite target was Telegram but Signal came up.

I know the wizards who cook up EE2E messaging apps and use the latest and greatest methods for delivering security with bells on are fooling themselves. Here are the reasons:

  1. Systems relying on open source methods are well documented. Exploits exist and we have noticed some CaaS offers to compromise these messages. Now the methods may be illegal in many countries, but they exist. (I won’t provide a checklist in a free blog post. Sorry.)
  2. Techniques to prevent compromise of secure messaging systems involve some patented systems and methods. Yes, the patents are publicly available, but the methods are simply not possible unless one has considerable resources for software, hardware, and deployment.
  3. A number of organizations turn EE2E messaging systems into happy eunuchs taking care of the sultan’s harem. I have poked fun at the blunders of the NSO Group and its Pegasus approach, and I have pointed out that the goodies of the Hacking Team escaped into the wild a long time ago. The point is that once the procedures for performing certain types of compromise are no longer secret, other humans can and will create a facsimile and use those emulations to suck down private messages, the metadata, and probably the pictures on the device too. Toss in some AI jazziness, and the speed of the process goes faster than my old 1962 Studebaker Lark.

Let me wrap up by reiterating that I am not addressing the incident involving Signal. I want to point out that I am not into the “information wants to be free.” Certain information is best managed when it is secret. Outfits like Signal and the dozens of other EE2E messaging apps are targets. Targets get hit. Why put neon lights on oneself and try to hide the fact that those young computer science students or their future employers will find a way to compromise the information.

Technical stealth, network fiddling, human bumbling — Compromises will continue to occur. There were good reasons to enforce security. That’s why stringent procedures and hardened systems have been developed. Today it’s marketing, and the possibility that non open source, non American methods may no longer be what the 23 year old art history who has a job in marketing says the systems actually deliver.

Stephen E Arnold, April 1, 2025

An Intel Blind Spot in Australia: Could an October-Type Event Occur?

March 17, 2025

dino orange_thumb_thumb_thumb_thumbYep, another dinobaby original.

I read a “real” news article (I think) in the UK Telegraph. The story “How Chinese Warships Encircled Australia without Canberra Noticing” surprised me. The write up reports:

In a highly unusual move, three Chinese naval vessels dubbed Task Group 107 – including a Jiangkai-class frigate, a Renhai-class cruiser and a Fuchi-class replenishment vessel – were conducting exercises in Australia’s exclusive economic zone.

The date was February 21, 2025. The ships were 300 miles from Australia. What’s the big deal?

According to the write up:

Anthony Albanese, Australia’s prime minister, downplayed the situation, while both the Australian Defence Force and the New Zealand Navy initially missed that the exercise was even happening.

Let me offer several observations based on what may a mostly accurate “real” news report:

  1. Australia like Israel is well equipped with home grown and third-party intelware. If the write up’s content is accurate, none of these intelware systems provided signals about the operation before, during, and after the report of the live fire drill
  2. As a member of Five Eyes, a group about which I know essentially nothing, Australia has access to assorted intelligence systems, including satellites. Obviously the data were incomplete, ignored, or not available to analysts or Preligens-type of systems. Note: Preligens is now owned by Safran
  3. What remediating actions are underway in Australia? To be fair, the “real” news outfit probably did not ask this question, but it seems a reasonable one to address. Someone was responsible, so what’s the fix?

Net net: Countries with sophisticated intelligence systems are getting some indications that these systems may not live up to the marketing hyperbole nor the procurement officials’ expectations of these systems. Israel suffered in many ways because of its 9/11 in October. One hopes that Australia can take this allegedly true incident involving China to heart and make changes.

Stephen E Arnold, March 17, 2025

NSO Group the PR of Intelware Captures Headlines …. Yet Again

March 13, 2025

Our reading and research have lead us to this basic rule: Unless measures are taken to keep something secret, diffusion is inevitable. Knowledge about systems, methods, and tools to access data is widespread. Case in point—Today’s General Counsel tells us, "Pegasus Spyware Is Showing Up on Corporate Execs’ Cell Phones." The brief write-up cites reporting by The Record’s Suzanne Smalley, who got her information from security firm iVerify. It shows a steep climb in Pegasus-infected devices over the second half of last year. We learn:

"The number of reported infected phones among iVerify corporate clients was eleven out of 18,000 devices tested in December last year. In May 2024, when iVerify first began offering the spyware testing service, a study found seven spyware infections out of 3,000 phones tested. ‘The world remains totally unprepared to deal with this from a security perspective,’ says iVerify co-founder and former National Security Agency analyst Rocky Cole, who was interviewed for the article. ‘This stuff is way more prevalent than people think.’ The article notes that business executives are now proving to be vulnerable, including individuals with access to proprietary plans and financial data, as well as those who frequently communicate with other influential leaders in the private sector. These leaders engage in sensitive work out of the public eye, including deals that have the potential to impact financial markets."

But how could this happen? Pegasus-maker NSO Group vows it only sells spyware to whitelisted governments for counterterrorism and fighting crime. It does do that. And also other things, reportedly. So we are unsurprised to find business executives among those allegedly targeted. We think it best to assume anything digital can be accessed by anyone at any moment. Is it time to bring back communications via pen and paper? At least someone must get out from behind a desk to intercept snail mail or dead drops.

Cynthia Murrell, March 13, 2025

A Super Track from You Know Who

February 20, 2025

Those CAPTCHA hoops we jump through are there to protect sites from bots, right? As Boing Boing reports, not so much. In fact, bots can now easily beat reCAPTCHA tests. Then why are we forced to navigate them to do anything online? So the software can track us, collect our data, and make parent company Google even richer. And data brokers. Writer Mark Frauenfelder cites a recent paper in, “reCAPTCHA: 819 Million Hours of Wasted Human Time and Billions of Dollars in Google Profits.” We learn:

“‘They essentially get access to any user interaction on that web page,’ says Dr. Andrew Searles, a former computer security researcher at UC Irvine. Searle’s paper, titled ‘Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2,’ found that Google’s widely-used CAPTCHA system is primarily a mechanism for tracking user behavior and collecting data while providing little actual security against bots. The study revealed that reCAPTCHA extensively monitors users’ cookies, browsing history, and browser environment (including canvas rendering, screen resolution, mouse movements, and user-agent data) — all of which can be used for advertising and tracking purposes. Through analyzing over 3,600 users, the researchers found that solving image-based challenges takes 557% longer than checkbox challenges and concluded that reCAPTCHA has cost society an estimated 819 million hours of human time valued at $6.1 billion in wages while generating massive profits for Google through its tracking capabilities and data collection, with the value of tracking cookies alone estimated at $888 billion.”

That is quite a chunk of change. No wonder Google does not want to give up its CAPTCHA system—even if it no longer performs its original function. Why bother with matters of user inconvenience or even privacy when there are massive profits to be made?

Cynthia Murrell, February 20, 2025

"Real" Entities or Sock Puppets? A New Solution Can Help Analysts and Investigators

January 28, 2025

Bitext’s NAMER (shorthand for "named entity recognition") can deliver precise entity tagging across dozens of languages.

Graphs — knowledge graphs and social graphs — have moved into the mainstream since Leonhard Euler formed the foundation for graph theory in the mid 18th century in Berlin.

With graphs, analysts can take advantage of smart software’s ability to make sense of Named Entity Recognition (NER), event extraction, and relationship mapping.

The problem is that humans change their names (handles, monikers, or aliases) for many reasons: Public embarrassment, a criminal record, a change in marital status, etc.

Bitext’s NER solution, NAMER, is specifically designed to meet the evolving needs of knowledge graph companies, offering exceptional features that tackle industry challenges.

Consider a person disgraced with involvement in a scheme to defraud investors in an artificial intelligence start up. The US Department of Justice published the name of a key actor in this scheme. (Source: https://www.justice.gov/usao-ndca/pr/founder-and-former-ceo-san-francisco-technology-company-and-attorney-indicted-years). The individual was identified by the court as Valerie Lau Beckman. The official court documents used the name "Lau" to reference her involvement in a multi-million dollar scam.

However, in order to correctly identify her in social media, subsequent news stories, and in possible public summaries of her training on a LinkedIn-type of smart software is not enough.

That’s the role of a specialized software solution. Here’s what NAMER delivers.

The system identifies and classifies entities (e.g., people, organizations, locations) in unstructured data. The system accurately links data across different sources of content. The NAMER technology can tag and link significant events (transactions, announcements) to maintain temporal relevance; for example, when Ms. Lau Beckman is discharged from the criminal process. NAMER can connect entities like Ms. Lau or Ms. Beckman to other individuals with whom she works or interacts and her "names" appearance in content streams.

The licensee specifies the languages NAMER is to process, either in a knowledge base or prior to content processing via a large language model.

Access to the proprietary NAMER technology is via a local SDK which is essential for certain types of entity analysis. NAMER can also be integrated into another system or provided as a "white label service" to enhance an intelligence system with NAMER’s unique functions. The developer provides for certain use cases direct access to the source code of the system.

For an organization or investigative team interested in keeping data about Lau Beckman at the highest level of precision, Bitext’s NAMER is an essential service.

Stephen E Arnold, January 28, 2025

Next Page »

  • Archives

  • Recent Posts

  • Meta