Rattled: China’s Hardware Hack

[NB: Note the byline. Portions of my analysis may be speculative. / ~Rayne]

As I noted in my last Three Things post, information security folks are rattled by the October 4 Bloomberg Businessweek report that extremely tiny microchips may have been covertly embedded in motherboards used by U.S. businesses.

Their cognitive dissonance runs in two general directions — the feasibility of implanting a chip at scale, and the ability of such a chip to provide a viable backdoor to a device.

Hardware security researchers and professionals have been debating manufacturing feasibility and chip ability across Twitter. Joe Fitz’ recent tweet threads suggest implantation of a rogue chip is entirely doable on a mechanical basis though what happens once a chip has been embedded must be assessed from a software perspective. Fitz is not alone in his assessment; other professionals and academics believe it’s possible to insert a ‘malicious’ chip. Computer security academic Nicholas Weaver pointed to small devices which could do exactly what the Bloomberg report suggested if these tiny objects were embedded into motherboards during manufacturing.

The feasibility also requires the right opportunity — a confluence of personnel, manufacturing capability and capacity, timing and traceability. Let’s say a rogue or compromised employee manages to slip chips into a batch of motherboards; which ones? To whom will they ship? How could a rogue/compromised employee ensure the motherboards left the facility undetected?

The Bloomberg report paints the U.S.-based Supermicro plant as a perfect environment in which such hardware infiltration could happen easily. With employees divided by two very different languages — English-speakers far less likely to understand Mandarin-speakers — discussions between multiple rogue/compromised employees could be very easy as would be sharing of written instructions. Supermicro’s ISO certifications for standards 9001, 13485, 14001, and 27001 may shed some light on how the company expected to manage two different languages in the same workplace.

One could argue a bilingual workplace shouldn’t pose a challenge given how many companies already use English/Spanish, English/French, or English/German. Compare, however, these words:

English: hardware

German: either hardware or computerhardware

French: either hardware or le matériel

Spanish: either hardware or los equipos

Mandarin: 硬件 (yìng jiàn)

With enough exposure the average English-as-primary-language worker could readily understand the most common western language words for equipment they were manufacturing. It would take considerably more investment in education to recognize and understand a pictographic language making casual quality control difficult.

The environment is even more challenging for mixed language staff in manufacturing plants located in China.

~ | ~ | ~

Let’s look at a timeline of events leading up to the Bloomberg report this week. Note how often the word ‘firmware’ is used in this timeline and in the responses from Apple and Amazon to the Bloomberg story:

1993 — Charles Liang launched Supermicro.

2005 — Defense Science Board warned that “trojan horse” chips bought overseas could negatively affect military systems.

2007 — Social search analytics company Topsy founded.

2008 — BusinessWeek reported that fake Chinese-made microchips had entered the military’s supply chain causing system crashes.

2010 — Defense Department bought 59,000 chips, unaware they were counterfeit.

2Q2011 — China denied entry visas to senators Levin’s and McCain’s staff for a congressional probe in Guangdong province.

October 2011 — Apple releases Siri.

December 2013 — Apple acquired Topsy.

December 2013 — Supermicro publicly disclosed vulnerability/ies in a web application related to management of motherboards (Amazon response, email Oct 2018)

December 2013 — CBS’ 60 Minutes program aired a story about the NSA in which a plot involving a rogue BIOS had been identified.

First half 2014 (date TBD) — Intelligence officials tell White House that PRC’s military would infiltrate Supermicro’s motherboard production with microchips intended for the U.S. market.

January 2014 — Elemental communicated to existing customers that a new version of the web app was available for download; equipment shipped after this date had updated versions of the web app. (Amazon response, email Oct 2018)

Early 2015 — Amazon launched a pre-acquisition evaluation of startup Elemental Technologies, which used Supermicro motherboards in the servers it made.

Late spring 2015 — Elemental sent several servers to Ontario CAN for testing by third-party security firm. It found non-spec chips on server motherboards. (Bloomberg report)

May 2015 — Apple detected unusual network activity and experienced firmware problems.

Summer 2015 — Apple found non-spec chips on Supermicro motherboards Apple bought from Supermicro. (Bloomberg report)

September 2015 — Amazon announced its acquisition of Elemental.

December 2015 — Apple shut down Topsy.

Mid-2016 — Apple broke off its relationship with Supermicro.

June 2018 — Researchers publicized vulnerabilities found in Supermicro firmware. AWS notified customers and recommended a firmware upgrade. (Amazon response, email Oct 2018)

October 2018 — Amazon, Apple, Supermicro, and PRC submitted responses denying Bloomberg’s report. (Published by Bloomberg)

~ | ~ | ~

Follow-up reporting by other news outlets increases the layers of denial that cloud companies Amazon and Apple were affected by a possible breach of the hardware supply chain.

Some have asked if Bloomberg’s report is merely an attempt to undermine Amazon and Apple, which are the two most valuable companies in the U.S. and in Apple’s case, the world.

It is their value and their place in the stock market along with the customers they serve which may drive some of the denial.

Remember that Amazon’s AWS has provided hosting to U.S. government agencies. Government employees also use Apple iPhones and by extension, Apple’s cloud services. Is it at all possible that in providing services to government agencies these corporations and/or their subsidiaries have been read into programs obligating a degree of secrecy which includes denial of vulnerabilities and breaches which do not affect directly the average non-governmental user of Amazon and Apple products and services?

~ | ~ | ~

There are additional events which appear to have happened independently of the alleged hardware supply chain infiltration. They may be extremely important and highly relevant if looked at from an industry and intelligence perspective.

March 2014 — Freescale Semiconductor lost 20 employees in the apparent crash of Malaysia Air flight MH370 en route to Beijing. The employees were supposed to begin work on a new chip manufacturing facility in China. While Freescale’s chips were not those one might ordinarily associate with server motherboards, it’s worth asking if Freescale at that time had any chips which might have served as server chips, or if they could work as illicit hardware hacks when embedded in a motherboard. Freescale has since been acquired by NXP.

Late 2010 — Beginning in late 2010, China identified and executed a network of U.S. agents within its borders over a two-year period, resulting in the deaths of at least 30 persons and the prosecution of former CIA agent Jerry Chun Shing Lee, who worked as an informant for the PRC. The exposure of these spies was blamed in part on a compromised communications system which had previously been used in the Middle East. Due to compartmentalization of the project, it’s reported Lee could not have identified the agents, placing more emphasis on the communications system.

Mid-2011 — China refused visas to staff for senators Carl Levin and John McCain for the purposes of investigating electronic components manufacturing in the city of Shenzhen in Guangdong province. The congressional probe sought the source of counterfeit parts which had entered the U.S. military’s supply chain; the U.S. Commerce Department reported in January 2010 that 400 companies surveyed “overwhelmingly cited China” as the point of origin for counterfeit parts.

These events spawn more questions when looking at technology supply chain hacking and communications systems which rely on this supply chain.

Did Freescale’s plans to expand production in China pose a risk to the hardware supply chain hack? Or was it simply a fluke that a substantive portion of the company’s manufacturing engineers disappeared on that flight? Though Freescale originated in Austin, Texas, it had a presence in China since 1992 with at least eight design labs and manufacturing facilities in China as of 2014.

Was the communications system used by doomed U.S. assets in China affected not by tradecraft or betrayal, or even by counterfeit parts, but by the hardware supply chain hack — and at an even earlier date than the timeline of events shown above related to Supermicro’s compromised motherboard production?

Did China refuse admittance to Guangdong province in 2011 related not to counterfeit parts but to the possibility that supply chain hacks beyond counterfeiting alone might be revealed?

Is the supply chain hack reported by Bloomberg part of a much larger security threat which has been slowly revealed but not widely acknowledged because the threat has been viewed through narrow military, or intelligence, or tech industry lenses?

The tech industry may be rattled by allegations that the computer hardware supply chain has been hacked. But the possibility this hack has gone on much longer and with massive potential collateral damage may truly shake them up.

~ | ~ | ~

There is a third train of cognitive dissonance, not limited to information security professionals. Persons outside the tech industry have indulged in denialism, taking comfort in the aggressive pushback by Apple and Amazon which each claim in their own way that the Bloomberg report is inaccurate. (I have an analysis of the early responses by Apple and Amazon; I will also examine later expanded responses as well as Supermicro’s and PRC’s responses as soon as time permits.)

But there have been reports for years about counterfeit electronic components, obstruction of investigations into these components, system failures which could be attributed to hardware or software which do not meet specifications. Cognitive dissonance also resists Bloomberg’s report that as many as 30 U.S. companies were affected, not just Apple and Amazon which have offered up high-profile rebuttals.

And there have been reports in industries outside of cloud services and the military where off specification or counterfeit electronic components have made it into production. One such anecdote appears in a thread at Hacker News YCombinator, discussing credit card payment systems and development of screening systems requiring application of tests using angular momentum to determine if a board has been altered without breaking the board’s tamper-proof seal.

In addition to his early tweets assessing feasibility of malicious or covert off-spec chips added to motherboards, Nicholas Weaver wrote a post for Lawfare about the Bloomberg report.

The Bloomberg story also explains a previous mystery: in 2016, Apple quietly removed all SuperMicro servers from their products due to an unspecified “Security Incident.”  At the time the rumor was that SuperMicro provided a sabotaged BIOS—that is, the bootstrap program used to start the computer, another “god mode” target for compromise. Apple denied then that there was any security incident—just as they are denying one now.

This incident once again illustrates the “Coventry problem,” referring to Winston Churchill’s apocryphal decision not to prevent the bombing of Coventry in order to keep secret that British intelligence had decrypted the Enigma machine. Robertson and Riley describe a U.S. intelligence apparatus that knew of these ongoing attacks, but could not effectively notify the affected companies nor provide useful recommendations. If the intelligence community had warned these companies, it would probably have revealed to the Chinese that the U.S. was aware of these activities, as well as potentially compromise an ongoing FBI investigation described in the article.

Weaver called the suspect Supermicro firmware a ‘BIOS’ — the first use of this term across multiple reports covering the Bloomberg report and its aftermath. This change in nomenclature is critical, particularly so given the point he makes about the “Coventry problem.” The term ‘BIOS’ does not appear in the early responses from Apple, Amazon, or Supermicro.

In December 2013, CBS’ 60 Minutes aired a report about the NSA; it appeared at the time to puff up the agency after the publication of Edward Snowden’s leaked documents about the government’s domestic spying using PRISM. Within the story was a claim about a thwarted cyberattack:

Debora Plunkett: One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability— to destroy computers.

John Miller: To destroy computers.

Debora Plunkett: To destroy computers. So the BIOS is a basic input, output system. It’s, like, the foundational component firmware of a computer. You start your computer up. The BIOS kicks in. It activates hardware. It activates the operating system. It turns on the computer.

This is the BIOS system which starts most computers. The attack would have been disguised as a request for a software update. If the user agreed, the virus would’ve infected the computer.

John Miller: So, this basically would have gone into the system that starts up the computer, runs the systems, tells it what to do.

Debora Plunkett: That’s right.

John Miller: —and basically turned it into a cinderblock.

Debora Plunkett: A brick.

John Miller: And after that, there wouldn’t be much you could do with that computer.

The description sounds remarkably like the rogue firmware update in concert with a malicious/covert chip.

The manner in which this report was handled by the NSA, however, made it appear like disinformation. The assessment that such firmware would be used solely to brick a device heightened the FUD around this report, deterring questions about applications other than bricking a device — like taking control of the computer, or collecting all its transactions and data. Was the FUD-enhanced release via 60 Minutes the intelligence community’s approach to the “Coventry problem”?

~ | ~ | ~

The problem Bloomberg’s Jordan Robertson and Michael Riley reported is probably much bigger than they described. It is bigger than Supermicro motherboards and firmware, and it’s not a problem of the near-term future but ongoing over the last decade.

At what point will U.S. industries organize a collective response to both counterfeit and off-specification manufacturing of electronic components overseas? They can’t count on a calm and rational response from the Trump administration given the unnecessary trade war it launched against China.
_____

Disclosure: I have positions in AAPL and AMZN in my investment portfolio.

Photo: Pavan Trikutam via Unsplash

Three URGENT Things: POTUS’ Alert Text, Facebonked, Kavanuh-uh

Let’s get right to it, no time for preamble (and don’t forget to check the byline above).

~ 3 ~

There will be an unblockable nationwide test of the Presidential Alert system on all cell phones today at 2:18 p.m. ET.

This infuriates me to no end, especially after Trump’s insulting bullshit at his fan club rally last night in which he denigrated assault survivor Dr. Blasey Ford. It’s as if he’s going to grab us all by the privates at the same time today without our consent.

Think about it: so much of your private personal life goes through your phone and now Trump’s FEMA has decided it will inject itself into your phone?

Lifehacker has a decent article suggesting some methods for mitigating or avoiding the text if not blocking it — you can read about it at this link.

Make sure you tell friends and family ASAP about this alert so they don’t freak out and aren’t in the middle of something important when this alert shows up.

Pity the poor residents of Hawaii, having to face this crap first thing this morning.

Time zone conversion for the alert:

Eastern: 2:18 p.m. ET
Central: 1:18 p.m. CT
Mountain: 12:18 p.m. MT
Pacific: 11:18 a.m. PT
Alaska: 10:18 a.m.
Hawaii: 08:18 a.m.

Check time conversion at this link. I’m going to shut my phone off at 2:00 p.m. ET and take an hour-long break.

~ 2 ~

The half-assed FBI investigation will likely be finished today; don’t expect to see the Swiss cheese-y results riddled with holes where testimony wasn’t collected. It’s unlikely the public will see this report.

This means McConnell will likely pursue a vote on cloture today to end debate in order for the full Senate to vote on Kavanaugh before the end of the week.

Which in turn means CALL YOUR SENATORS. Yes, even the steadfast Democrats who are unlikely to sway because their offices are being flooded with right-wing calls demanding their poor rich white frat boy judge be seated for a lifetime on the Supreme Court.

Screw that. Just MAKE THE CALLS.

Congressional switchboard: (202) 224-3121

Need a script for your call? @Celeste_pewter has them broken into four categories:

– The Democrats who have already said yes, and won’t flip no matter what.
– The red state Democrats.
– The potential GOP flips.
– The GOP senators who will vote yes, no matter what.

And a universal, all-senators script.

Pick the appropriate script and have at it. (Thanks, Celeste!)

HOOSIERS: Make a special effort to thank Joe Donnelly who came out last night as a NO on Kavanaugh. He is surely being pummeled today by Indiana’s finest red staters.

NORTH DAKOTANS: Heitkamp is down but within margin of error of her Republican opponent. Make sure you call so that she doesn’t feel pressure to backslide.

Trouble getting through switchboard or full mailbox? Try contacting your senators’ local offices. Look them up at:

Contacting Congress: https://www.contactingcongress.org
Ballotpedia: https://ballotpedia.org/Who_represents_me%3F

~ 1 ~

Facebook’s massive breach exposes what a bad, BAD idea it was to allow a Facebook login to become a universal login for other applications. Let’s not forget Facebook has also appropriated users’ phone numbers for advertising without users’ consent. It’s a security cataclysm and Facebook is once again flat-footed.

NEVER LOG INTO SITES WITH FACEBOOK USERID.

Never use the same password for more than one site.

Use a password manager.

Read up here about the problem.

What did I do? I gave up Facebook years ago when it was clear to me they were a security cesspool.

~ 0 ~

Now get going. Run!

Treat this as an open thread.

The Crimes with which NSD Envisions Charging Those Attacking Elections

The Senate Judiciary Committee had a hearing on how to protect our elections today. Among others, Deputy Assistant Attorney General Adam Hickey from DOJ’s National Security Division testified. He gave a list of some of the crimes he thought might be used to charge people who tampered with elections.

Foreign influence operations, though not always illegal, can implicate several U.S. Federal criminal statutes, including (but not limited to) 18 U.S.C. § 371 (conspiracy to defraud the United States); 18 U.S.C. § 951 (acting in the United States as an agent of a foreign government without prior notification to the Attorney General); 18 U.S.C. § 1001 (false statements); 18 U.S.C. § 1028A (aggravated identity theft); 18 U.S.C. § 1030 (computer fraud and abuse); 18 U.S.C. §§ 1343, 1344 (wire fraud and bank fraud); 18 U.S.C. § 1519 (destruction of evidence); 18 U.S.C. § 1546 (visa fraud); 22 U.S.C. § 618 (Foreign Agents Registration Act); and 52 U.S.C. §§ 30109, 30121 (soliciting or making foreign contributions to influence Federal elections, or donations to influence State or local elections).

In their testimony, Ken Wainstein (someone with extensive experience of national security prosecutions, but less apparent focus on the available evidence in this investigation) and Ryan Goodman (who doesn’t have the prosecutorial experience of Wainstein, but who is familiar with the public facts about the investigation) also list what crimes they think will get charged.

I find a comparison of what each raised, along with what has already been charged, to be instructive. I believe that comparison looks like this:

I’m interested, in part, because Hickey, who likely has at least a sense of the Mueller investigation (if not personal involvement), sees the case somewhat differently than two differently expert lawyers. Two charges — agent of a foreign power (basically, being a foreign spy in the US not working under official cover) and CFAA (hacking) — seem obvious to both National Security Division prosecutors, but have not yet been publicly charged. Illegal foreign contributions seems obvious to those paying close attention, but also has not been charged. We might expect to see all three charges before we’re done.

Neither Wainstein nor Goodman mentioned false statements, but of course that’s what we’ve seen charged most often so far.

Then there are the two crimes Hickey mentions that the others don’t, but that have not yet been charged (both have been alleged as overt acts in the Internet Research Agency indictment): visa fraud (alleged against the trolls who came to the US to reconnoiter in 2014) and destruction of evidence (again, alleged against IRA employees destroying evidence after Facebook’s role was discovered). Mueller also described George Papadopoulos destroying evidence when he deleted his Facebook account, but like the Russian trolls, he didn’t get charged for it. Visa fraud, in particular, is something that multiple figures might be accused of — Alexander Torshin and others reaching out via the NRA, Natalia Veselnitskaya, and even Brits who worked illegally during the election for Cambridge Analytica.

I confess I’m most interested in Hickey’s mention of destruction of evidence, though. That’s true, in part, because SDNY seems to think Michael Cohen might destroy evidence.

Hope Hicks, too, reportedly thought about hiding evidence from authorities. Then there’s the report that Mueller is checking encrypted messaging apps as people turn in phones when they arrive for interviews.

Hickey seems to think some of the people being investigated — beyond Papadopoulos and IRA troll Viktorovna Kaverzina — may have been destroying evidence.

I wonder if he has reason to suspect that.

[Photo: Emily Morter via Unsplash]

Open Thread: Oddments Olio

A dog’s breakfast, hodgepodge, pastiche, olio — this is a catch-all post with an open thread. I have a bunch of tidbits and loose ends with no place to go, not enough on which to center posts. Make of them what you will and bring your own potpourri in comments.

Loews — No, not Lowe’s as in the big box hardware store chain. Loews Regency, as in pricey hotel in NYC where Trump’s personal attorney and likely cut-out has been staying, ostensibly because of construction at his home. Yeah, the same home which was searched this past week along with this hotel room and office.

One detail folks may have forgotten: Loews Regency is the same hotel where Felix Sater arranged a 27-JAN-2017 meeting between Michael Cohen and Ukrainian lawmaker Andrey Artemenko to discuss a plan to lift the sanctions on Russia. Totally legal one week after the inauguration, right? But why meet with the president’s personal lawyer instead of State Department employees, or wait until Rex Tillerson was confirmed on February 1?

And when was the meeting set up — did Sater take a phone call from Artemenko before the inauguration?

It wasn’t clear back in early 2017 when exactly this back-channel was first established and it’s still not clear now.

Searching Cohen’s room at the Loews seems more reasonable considering the Artemenko meeting. Has Cohen had a room or rooms in Loews Regency since inauguration day or earlier?

~ | ~

Hacka cracka lacka — Hey, remember how former CIA director John Brennan was hacked in 2015 and 2016 by a couple of “Cracka” hackers? Two dudes from North Carolina were arrested and prosecuted, sent to prison for two years for hacking senior U.S. officials.

One detail sticking in my craw has been the third party characterized as a group leader; only a teenager at the time, they were located in the U.K.

Why have so many issues related to politics and information security had links to the U.K. — like Cambridge Analytica/SCL and Brexit? Did somebody manipulate an autistic U.K. teenager into work assisting larger aims?

~ | ~

Facebook’s Chancellor — Prof. David Carroll asked a very good question: why didn’t any member of Congress on either the Senate Judiciary Committee or the House Energy & Commerce Committee ask about Facebook employee Joseph Chancellor, a psychologist who had been hired away from Cambridge Analytica. Well?

Speaking of Facebook, there are several folks who’ve been all over this scandal, some of whom have been responsible for the public’s awareness that Facebook data had been acquired without users’ consent. Give them a follow:

Carole Cadwalladr — reporter-writer for Guardian-UK and Observer who has doggedly covered Cambridge Analytica/SCL links to Facebook user data and their impact on the Brexit referendum in June 2016. Her Guardian content here (consider throwing them a few bucks for her great work.)

Chris Wylie — Cambridge Analytica’s former director of research now whistleblower who revealed much of the workings between CA/SCL and Facebook’s ill-gotten data.

David Carroll — Associate professor of media design at the School of Art, Media, and Technology at The New School’s Parsons School of Design; he’s been chasing his personal data located in the U.K. and is now suing Cambridge Analytica’s parent, SCL, for U.S. data it obtained without consent. (Read about the case and chip into the legal fund at this link.)

Also note that Verge senior writer Sarah Jeong generously tweeted all the members of Congress who’d received donations from Facebook as they questioned CEO Mark Zuckerberg. Check it out.

~ | ~

Content bias — During this week’s committee hearings with Facebook CEO, GOP members of Congress tried repeatedly to make a case that Facebook was biased against conservative content. Too bad Facebook helped get a GOP POTUS elected, shooting that narrative in the ass.

But one related thing has stuck in my craw for quite some time, and I can’t help wonder if it was yet another way in which Facebook was manipulated by a disinformation operation.

Remember the stories back in 2016 reporting that Facebook’s contract content editors complained Facebook was biased against conservatives? The story first appeared in Gizmodo on May 9, then got picked up by other outlets. A political story during the campaign season usually happens the other way around — covered first in a big national outlet, then picked up in lesser outlets. Why did this story happen via Gizmodo first? This would be the perfect manner in which to launder information; the point of origin is obscured by the second and third outlets to pick it up, as they typically go to the biggest source to confirm their story. In this case, an outlet like NYT or WaPo would go to Facebook and put them on the spot. They wouldn’t bug Gizmodo or the leakers who went to Gizmodo.

Another important factor: Gizmodo was part of beleaguered Gawker Media, which was about to implode and bought out months later by Univision. Anybody remaining at the time this story hit was uncertain about the security of their job. Journalists would have been ripe for manipulation because they needed an attention-getting story to improve their odds for a next gig.

In fact, Gawker Media filed for Chapter 11 bankruptcy one month after the Facebook bias story was published — on June 10, 2016. Think of this 30-day time frame as two very stressful paydays for beleaguered Gawker employees who were trying hard to keep on keeping on but probably frantically wallpapering prospective media employers with resumes.

One more important factor: the reporter who covered this story was a technology editor whose beat wasn’t politics or free speech issues. This changed the way the story was covered and rolled out; if a reporter with more savvy and experience covering politics had been approached with this particular tip, they might have known there was something more to this than poor-conservatives-being-suppressed-by-liberal-bias. A political contributor might have questioned the insistence that outlets like Breitbart and Newsmax weren’t being included alongside NYT and WaPo.

Watching GOP congresspersons repeatedly bash Zuckerberg about media bias, I could see the same deer-in-the-headlights reaction Facebook had back in 2016 when these contract editors complained about bias. There was no bias; the hearings this week and the story in 2016 were naked attempts to screw with Facebook’s algorithms so that POS outlets like Mercer-funded, Bannon-operated Breitbart and Alex Jones’ InfoWars could get the same attention as legitimate outlets like NYT and WaPo.

We’re still going to have to press Facebook and other social media outlets to address this problem. It’s just not a problem of bias but identifying legitimate reported journalism. And we all have a problem with being easily played for our lack of sufficient skepticism.

~ | ~

Go for it. What detritus have you been carrying around that doesn’t fit anywhere else? Share in comments.

Facebook, Hot Seat, Day Two — House Energy & Commerce Committee Hearing

This is a dedicated post to capture your comments about Facebook CEO Mark Zuckerberg’s testimony before the House Energy & Commerce Committee today.

After these two hearings my head is swimming with Facebook content, so much so that I had a nightmare about it overnight. Today’s hearing combined with the plethora of reporting across the internet is only making things more difficult for me to pull together a coherent narrative.

Instead, I’m going to dump some things here as food for further consideration and maybe a possible future post. I’ll update periodically throughout the day. Do share your own feedback in comments.

Artificial Intelligence (AI) — every time Mark Zuckerberg brings up AI, he does so about a task he does not want to employ humans to do. Zuckerberg doesn’t want to hire humans even if it means doing the right thing. There are so many indirect references to creating automated tools that are all substitutions for labor that it’s obvious Facebook is in part what it is today because Facebook would rather make profits than hire humans until it is forced to do otherwise.

Users’ control of their data — this is bullshit whenever he says it. If any other entity can collect or copy or see users’ data without explicit and granular authorization, users do not have control of their data. Why simple controls like granular read/not-read settings on users’ data, operated by users, have yet to be developed and implemented is beyond me; it’s not as if Facebook doesn’t have the money and clout to make this happen.

Zuckerberg is also evasive about following Facebook users and nonusers across the internet — does browsing non-Facebook website content with an embedded Facebook link allow tracking of persons who visit that website? It’s not clear from Zuckerberg’s statements.

Audio tracking — It’s a good thing that Congress has brought up the issue of “coincident” content appearing after users discuss topics within audible range of a mobile device. Rep. Larry Bucshon (R-Indiana) in particular offered pointed examples; we should remain skeptical of any explanation received so far because there are too many anecdotes of audio tracking in spite of Zuckerberg’s denials.

Opioid and other illegal ads — Zuckerberg insists that if users flag them, ads will be reviewed and then taken down. Congress is annoyed the ads still exist. But at the heart of this exchange is Facebook’s reliance on users performing labor Facebook refuses to hire to achieve the expected removal of ads. Meanwhile, Congress refuses to do its own job to increase regulations on opioids, choosing instead to flog Facebook because it’s easier than going after donors like Big Pharma.

Verification of ad buyers — Ad buyers’ legitimacy based on verification of identity and physical location will be implemented for this midterm election cycle, Zuckerberg told Congress. Good luck with that when Facebook has yet to hire enough people to take down opioid ads or remove false accounts of public officials or celebrities.

First Amendment protections for content — Congressional GOP is beating on Facebook for what it perceives as consistent suppression of conservative content. This is a disinfo/misinfo operation happening right under our noses and Facebook will cave just like it did in 2016 while news media look the other way since the material in question isn’t theirs. Facebook, however, has suppressed neutral to liberal content frequently — like content about and images featuring women breastfeeding their infants — and Congress isn’t uttering a peep about this. Congress also isn’t asking any questions about Facebook’s assessments of content

Connecting the world — Zuckerberg’s personal desire to connect humans is supreme over the nature and intent of the connections. The ability to connect militant racists, for example, takes supremacy (literally) over protecting minority group members from persecution. And Congress doesn’t appear willing to see this as problematic unless it violates existing laws like the Fair Housing Act.

More to come as I think of it. Comment away.

UPDATE — 2:45 PM EDT — I’m gritting my teeth so hard as I listen to this hearing that I’ve given myself a headache.

Terrorist content — Rep. Susan Brooks (R-Indiana) asked about Facebook’s handling of ISIS content, to which Zuckerberg said a team of 200 employees focus on counterintelligence to remove ISIS and other terrorist content, capturing 99% of materials before they can be seen by the public. Brooks further asked what Facebook is doing about stopping recruitment.

What. The. Fuck? We’re expecting a publicly-held corporation to do counterintelligence work INCLUDING halting recruitment?

Hate speech — Zuckerberg used the word “nuanced” to describe the definition while under pressure by left and right. Oh, right, uh-huh, there’s never been a court case in which hate speech has been defined…*head desk*

Whataboutism — Again, from Michigan Republican Tim Walberg, pointing to the 2012 Obama campaign…every time the 2012 campaign comes up, you know you are listening to 1) a member of Congress who doesn’t understand how Facebook is used and 2) one who is working on furthering the disinfo/misinfo campaign to ensure the public thinks Facebook is biased against the GOP.

It doesn’t help that Facebook’s AI has failed on screening GOP content; why candidates aren’t contacting a human-staffed department directly is beyond me. Or why AI doesn’t interact directly with campaign/candidate users at the point of data entry to let them know what content is problematic so it can be tweaked immediately.

Again, implication of discrimination against conservatives and Christians on Facebook — Thanks, Rep. Jeff Duncan, waving your copy of the Constitution insisting the First Amendment is applied equally and fairly. EXCEPT you’ve missed the part where it says CONGRESS SHALL MAKE NO LAW respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press…

The lack of complaints by Democratic and Independent representatives about suppression of content should NOT be taken to mean it hasn’t happened. That Facebook allowed identified GOP-voting employees to work with Brad Parscale means that suppression happens in subtle ways. There’s also a different understanding between right and left wings about Congress’ limitation under the First Amendment AND Democrats/Independents aren’t trying to use these hearings as agitprop.

Internet service — CONGRESS NEEDS TO STOP ASKING FACEBOOK TO HELP FILL IN THE GAPS BETWEEN NETWORKS AND INTERNET SERVICE PROVIDERS THEY HAVE FAILED TO REGULATE TO ENSURE BROADBAND EVERYWHERE. Jesus Christ this bugs the shit out of me. Just stop asking a corporation to do your goddamned jobs; telcos have near monopoly ensured by Congress and aren’t acting in the best interest of the public but their shareholders. Facebook will do the same thing — serve shareholders but not the public interest. REGULATE THE GAP, SLACKERS.

3:00 PM thank heavens this beating is over.

Three more thoughts:

1) Facial recognition technology — non-users should NEVER become subjected to this technology, EVER. Facebook users should have extremely simple and clear opt-in/opt-out on facial technology.

2) Medical technology — absolutely not ever in social media. No. If a company is not in the business of providing health care, they have no business collecting health care data. Period.

3) Application approval — Ask Apple how to do it. They do it, app by app. Facebook is what happens when apps aren’t approved first.

UPDATE — 9:00 PM EDT — Based on a question below from commenter Mary McCurnin about HIPAA, I am copying my reply here to flesh out my concerns about Facebook and medical data collection and sharing:

HIPAA regulates health data sharing between “covered entities,” meaning health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers. Facebook had secretly assigned a doctor to work on promoting a proposal to some specific covered entities to work on a test or beta; the program has now been suspended. The fact this project was secret and intended to operate under a signed agreement rather than attempting to set up a walled-off Facebook subsidiary to work within the existing law tells me that Facebook didn’t have any intention of operating within HIPAA. The hashing concept proposed for early work but still relying on actual user data is absurdly arrogant in its blow off of HIPAA.

Just as disturbing: virtually nothing in the way of questions from Congress about this once-secret program. The premise which is little more than a normalized form of surveillance using users’ health as a criteria is absolutely unacceptable.

I don’t believe ANY social media platform should be in the health care data business. The breach of the U.S. Office of Personnel Management should have given Congress enough to ponder about the intelligence risks from employment records exposed to foreign entities; imagine the risks if health care data had been included with OPM employment information. Now imagine that at scale across the U.S.: how many people would be vulnerable in so many ways if their health care information became exposed along with their social records.

Don’t even start with how great it would be to dispatch health care to people in need; we can’t muster the political will to pay for health care for everybody. Why provide monitoring at scale through social media when covered entities can do it for their subscriber base separately, and apparently with fewer data breaches?

You want a place to start regulating social media platforms? Start there: no health care data to mingle with social media data. Absolutely not, hell to the no.

Facebook on the Hot Seat Before Senate Judiciary Committee

This is a dedicated post to capture your comments about Facebook CEO Mark Zuckerberg’s testimony before the Senate Judiciary Committee this afternoon. At the time of this post Zuckerberg has already been on the hot seat for more than two hours and another two hours is anticipated.

Before this hearing today I had already begun to think Facebook’s oligopolistic position and its decade-plus inability to effectively police its operation requires a different approach than merely increasing regulation. While Facebook isn’t the only corporation monetizing users’ data as its core business model, its platform has become so ubiquitous that it is difficult to make use of a broad swath of online services without a Facebook login (or one of a very small number of competing platforms like Google or Twitter).

If Facebook’s core mission is connecting people with a positive experience, it should be regulated like a telecommunications provider — they, too, are connectors — or it should be taken public like the U.S. Postal Service. USPS, after all, is about connecting individual and corporate users by mediating exchange of analog data.

The EU’s General Data Protection Regulation (GDPR) offers a potential starting point as a model for the U.S. to regulate Facebook and other social media platforms. GDPR will shape both users’ expectations and Facebook’s service whether the U.S. is on board or not; we ought to look at GDPR as a baseline for this reason, while compliant with the First Amendment and existing data regulations like the Computer Fraud and Abuse Act (CFAA).

What aggravates me as I watch this hearing is Zuckerberg’s obvious inability to grasp nuance, whether divisions in political ideology or the fuzzy line between businesses’ interests and users’ rights. I don’t know if regulation will be enough if Facebook (manifest in Zuckerberg’s attitude) can’t fully and willingly comply with the Federal Trade Commission’s 2011 consent decree protecting users’ privacy. It’s possible fines for violations of this consent decree arising from the Cambridge Analytica/SCL abuse of users’ data might substantively damage Facebook; will we end up “owning” Facebook before we can even regulate it?

Have at it in comments.

UPDATE — 6:00 PM EDT — One of my senators, Gary Peters, just asked Zuck about audio capture, whether Facebook uses audio technology to listen to users in order to place ads relevant to users’ conversational topics. Zuck says no, which is really odd given the number of anecdotes floating around about ads popping up related to topics of conversation.

It strikes me this is one of the key problems with regulating social media: we are dealing with a technology which has outstripped its users AND its developers, evident in the inability to discuss Facebook’s operations with real fluency on either the part of government or its progenitor.

This is the real danger of artificial intelligence (AI) used to “fix” Facebook’s shortcomings; not only does Facebook not understand how its app is being abused, it can’t assure the public it can prevent AI from being flawed or itself being abused because Facebook is not in absolute control of its platform.

Zuckerberg called the Russian influence operation an ongoing “arms race.” Yeah — imagine arms made and sold by a weapons purveyor who has serious limitations understanding their own weapons. Gods help us.

EDIT — 7:32 PM EDT — Committee is trying to wrap up, Grassley is droning on in old-man-ese about defending free speech but implying at the same time Facebook needs to help salvage Congress’ public image. What a dumpster fire.

Future shock. Our entire society is suffering from future shock, unable to grasp the technology it relies on every day. Even the guy who launched Facebook can’t say with absolute certainty how his platform operates. He can point to the users’ Terms of Service but he can’t say how any user or the government can be absolutely certain users’ data is fully deleted if it goes overseas.

And conservatives aren’t going to like this one bit, but they are worst off as a whole. They are older on average, including in Congress, and they struggle with usage, let alone the implications and fundamentals of social media technology itself. They haven’t moved fast enough from now-deceased Alaska Senator Ted Stevens’ understanding of the internet as a “series of tubes.”

Parkland and the Twittered Revolt

Marvel at the teen survivors of the mass shooting at Marjory Stoneman Douglas High School in Parkland, Florida. Their composed rage is terrifying to a generation or two which have not seen the like since the 1960s and early 1970s. They are leading a revolution — but note the platform they’re using to best effect.

I can’t tell you how much use they are making of Facebook as I haven’t used it in several years. What I find telling is the dearth of links to students’ and followers’ Facebook posts tweeted into my timeline. I also note at least one MSD student exited Facebook after receiving death threats.

Twitter’s platform allows the authenticity and immediacy of the students’ communications, as easy to use as texting. There’s no filter. For whatever reason, parents haven’t taken to Twitter as they did Facebook, leaving the micro-blogging platform a space without as much adult oversight.

These attributes terrify the right-wing. There’s nothing limiting the reach of students’ messages — no algorithms slow their tweets. The ability to communicate bluntly, efficiently, and yet with grace has further thrown the right. The right-wing’s inability to accept these students as legitimately speaking for themselves and for their fellow students across the country is an expression of the right’s cognitive dissonance.

The students’ use of Twitter redeems the platform, asserting its true value. It’s 180 degrees from the problems Twitter posed as a toxic cesspool filled with trolls and bots. Parkland’s tragedy exposes what Twitter should be, what Twitter must do to ensure it doesn’t backslide.

Minors shouldn’t have to put up with bullying — especially bullying by adults. Donnie Trump Jr. is one of the worst examples of this bullying and should be booted out of the platform. Other adult bullies have also emerged but Twitter’s user base is ruthless in its swiftness, dealing a coup de grâce to Laura Ingraham’s sponsorships.

If only Twitter itself was as swift in ejecting bullies and trolls. Troll bots continue to flourish even after a large number were removed recently. Victims of tragedies should expect an ethical social media platform to eliminate trolls and bots promptly along with bullies.

Ethical social media platforms also need to ask themselves whether they want to make profit off products intended to maim and kill. Should it allow certain businesses to use promoted tweets to promote deadly products, or allow accounts for lobbying organizations representing weapons manufacturers as well as owners? Should Twitter remove the NRA just as it doesn’t permit accounts representing tobacco products?

Not to mention avoiding Facebook’s ethical crisis — should Twitter be more proactive in protecting its users now that Parkland’s Marjory Stoneman Douglas High School students have revitalized its brand?

The Very Globalized Forces Manipulating the Anti-Globalist President

I want to consider three stories related to the conspiracies that got Trump elected and have influenced his policy decisions.

Cambridge Analytica and Facebook privatizes intelligence sources and methods behind “democratic” elections

First, there’s the Cambridge Analytica scandal. Here are some of the most scandalous tidbits:

Likelihood Facebook failed to abide by a 2011 FTC consent decree and certainty that Cambridge Analytica and Facebook failed to abide by British and EU privacy law, respectively. While Facebook and other big tech companies have sometimes publicly bowed to the onerous restrictions of more repressive regimes and have secretly bowed to the invasive demands of American spies, the public efforts to rein in big tech have had limited success in Europe and virtually none in the US.

In the US in particular, weak government agencies have done little more than ask consumers to trust big tech.

As privacy advocates have long argued, big tech can’t be trusted. Nor can big tech regulate itself.

Cambridge Analytica used legally suspect means — the same kind of illegal means intelligence agencies employ — to help its customers. Channel 4 reported that Cambridge Analytica at least promised they could set honey traps and use other means to compromise politicians. The Guardian reported that Cambridge Analytica acted as a cut-out to share hacked emails in Nigerian and Nevis/St. Kitts elections. Thus far, the most problematic claims made about Cambridge Analytica’s activities in the US are the aforementioned illegal use of data shared for research purposes, visa fraud to allow foreign (British) citizens to work on US elections, and possibly illegal coordination between Rebekah Mercer’s PAC and the campaign.

Internet Research Agency used the same kind of methods advertising and marketing firms use, but to create fake grassroots support. The IRA indictment laid out how a private company in Russia used Facebook’s (and other tech giants’) networking and advertising services to create fake grassroots enthusiasm here in the US.

All of these means undermine the democratic process. They’re all means nation-state intelligence services use. By privatizing them, such services became available to foreign agents and oligarchical interests more easily, with easy ways (many, but not all, broadly acceptable corporate accounting methods) to hide the financial trail.

Russia buys the network behind Joseph Mifsud

Then there’s the Beeb piece advancing the story of Joseph Mifsud (ignore the repetitive annoying music and John Schindler presence). It provides details on the role played by German-born Swiss financier and lawyer Stephan Roh. Roh has three ties to Mifsud. In 2014, Roh started lecturing at the London Academy of Diplomacy where Mifsud worked. In the same year, he bought the Roman institution Mifsud helped manage. And then, in 2016, when George Papadopoulos was being targeted, Roh was on a panel with Papadopoulos’ two handlers.

That same month, Mifsud was in Moscow on a panel run by the Kremlin-backed Valdai Club with Timofeev and the third man, Dr Stephan Roh, a German multi-millionaire.

Mifsud and Roh interlock: in 2014, Roh became a visiting lecturer at the London Academy of Diplomacy. Roh bought Link Campus University, a private institution in Rome where Mifsud was part of the management and Mifsud became a consultant at Roh’s legal firm.

The Beeb piece goes on to describe how Roh bought a British nuclear consultancy too. When the British scientist behind it balked at cozying up to Russia, he was fired, but it appears to still be used as a cut-out.

Again, none of this is new: Russia just spent a lot of money to set up some fronts. The amount of money floating around and the ability to buy into a title by buying an old castle do make it easier, however.

George Nader purchases US foreign policy for the Saudis and Emirates

Then there’s NYT’s confirmation of something that was obvious from the first reports that the FBI whisked George Nader away from Dulles Airport before he could meet Donald Trump at Mar a Lago earlier this year. Nader got an immunity deal and has been cooperating with Mueller’s team to describe how he brokered US foreign policy decisions (most notably, an anti-Qatari stance). He did so by cultivating GOP fundraiser Elliott Broidy, turning him into both an asset and a front for foreign influence. Those activities included:

  • Securing hundreds of millions of dollars of contracts for Broidy’s private security firm, Circinus, with the Saudis and Emirates, and offering several times more.
  • Working with Broidy to scuttle the nomination of Anne Patterson to DOD and to orchestrate the firing, last week, of Rex Tillerson, in both cases because they were deemed too supportive of diplomacy towards Iran.
  • Offering financial support for a $12.7 million Washington lobbying and public relations campaign, drafted by a third party, targeting both Qatar and the Muslim Brotherhood.
  • Paying Broidy $2.7 million to fund conferences at both Hudson Institute and the Foundation for Defense of Democracies attacking Qatar and the Muslim Brotherhood; Broidy provided a necessary American cut-out for the two think tanks because their fundraising rules prohibit donations from undemocratic regimes or foreign countries, respectively. The payment was laundered through an “Emirati-based company [Nader] controlled, GS Investments, to an obscure firm based in Vancouver, British Columbia, controlled by Mr. Broidy, Xieman International.”
  • Unsuccessfully pitching a private meeting, away from the White House, between Trump and Emirates Crown Prince Mohammed bin Zayed.
  • Obtaining a picture of Nader with Trump, effectively showing the president in the company of a foreign agent and convicted pedophile.

Effectively, Nader provides Mueller what Mueller has been getting from Rick Gates: details of how a foreign country purchased American policy support via cutouts in our easily manipulated campaign finance system.

Nader brings two more elements of what I pointed to last May: what is ultimately a Jared Kushner backed “peace” “plan” that is instead the money laundered wish of a bunch of foreign interests. While we’ve seen the Russian, Saudi, and Emirate money behind this plan, we’re still missing full details on how Mueller is obtaining the Israeli side, though I’m sure he’s getting that too.

Note, Broidy has claimed the details behind his work with Nader were hacked by Qatari hackers. That may be the case; there have also been a slew of presumably hacked documents from Emirates Ambassador to the US, Yousef al Otaiba, floating around. So while this is important reporting, it relies on the same kind of illicitly obtained intelligence that was used against Hillary in 2016.

Importantly, the Nader story generalizes this. Nader has worked with both the Clinton and the Dick Cheney Administrations, and the laundering of foreign funds to US think tanks has long been tolerated (in some cases, such as Brookings, the think tank doesn’t even bother with the money laundering and accepts the foreign money directly). Democrats are not immune from this kind of influence peddling, in the least. It’s just that Trump’s greater narcissism, his ignorance of real foreign policy doctrine, and his debt and multinational business make him far more vulnerable to such cultivation. Given Cheney’s ties to Halliburton and the Clinton Foundation, it’s a matter of degree and competence, not principle.

Globalism is just another word for fighting over which oligarchs will benefit from globalization

Which brings us to Trump’s claim (orchestrated by Steven Bannon, paid for by the Mercers) to oppose “globalists,” a racialized term to demonize the downsides of globalization without actually addressing the forces of globalization in an effective way. Little of what Trump is doing (up to and including the trade war with China he’s rolling out today) will help the white people who made him president (the demonization of immigrants will have benefits and drawbacks).

What it will do is foster greater authoritarianism in this country, making it easier both to make Trump’s white voters less secure even while channeling the resultant anger by making racism even more of an official policy.

And it will also shift somewhat which oligarchs — both traditionally well-loved ones, like the Sauds, and adversaries, like the Russians — will benefit as a result.

Importantly, it is being accomplished using the tools of globalization, from poorly overseen global tech companies, easily manipulated global finance system, and a global network of influence peddling that can also easily be bought and paid for.

Cambridge Analytica Uncovered and More to Come

A little recap of events overnight while we wait for Channel 4’s next video. Channel 4 had already posted a video on March 17 which you can see here:

Very much worth watching — listen carefully to whistleblower Chris Wylie explain what data was used and how it was used. I can’t emphasize enough the problem of non-consensual use; if you didn’t explicitly consent but a friend did, they still swept up your data.

David Carroll of Parsons School of Design (@profcarroll) offered a short and sweet synopsis last evening of the fallout after UK’s Channel 4 aired the first video of Cambridge Analytica Uncovered.

Facebook CTO Alex Stamos had a disagreement with management about the company’s handling of crisis; first reports said he had resigned. Stamos tweeted later, explaining:

“Despite the rumors, I’m still fully engaged with my work at Facebook. It’s true that my role did change. I’m currently spending more time exploring emerging security risks and working on election security.”

Other reports say Stamos is leaving in August. Both could be true: his job has changed and he’s eventually leaving.

I’m betting we will hear from him before Congress soon, whatever the truth.

Speaking of Congress, Sen. Ron Wyden has asked Mark Zuckerberg to provide a lot of information pronto to staffer Chris Soghoian. This ought to be a lot of fun.

A Facebook whistleblower has now come forward; Sandy Parakilas said covert harvesting of users’ data happened frequently, and Facebook could have done something about it.

Perhaps we ought to talk about nationalization of a citizens’ database?

Another Shoe Dropped: Cambridge Analytica Used Its Own Kompromat

I confess, I did NOT see this coming, a perfect example of blindness based in preconceived notions about technology companies.

UK’s Channel 4 just aired a report in which Cambridge Analytica executives were secretly filmed discussing the creation and use of compromising material in campaigns. Some of the acts described violate the UK Bribery Act and the US Foreign Corrupt Practices Act.

Watch:

Last evening there had been teasers revealing Cambridge Analytica had used actual Facebook users’ account information while demonstrating their psychographic profiling product, without masking the users’ personal information. This is ugly on its own, violating users’ privacy without permission.

But the creation and use of kompromat…wow.

This is an open thread. Have at it.