Enlarge (credit: Getty Images)
As part of today’s blockbuster prisoner swap between the US and Russia, which freed the journalist Evan Gershkovich and several Russian opposition figures, Russia received in return a motley collection of serious criminals, including an assassin who had executed an enemy of the Russian state in the middle of Berlin.
But the Russians also got two hackers, Vladislav Klyushin and Roman Seleznev, each of whom had been convicted of major financial crimes in the US. The US government said that Klyushin “stands convicted of the most significant hacking and trading scheme in American history, and one of the largest insider trading schemes ever prosecuted.” As for Seleznev, federal prosecutors said that he has “harmed more victims and caused more financial loss than perhaps any other defendant that has appeared before the court.”
What sort of hacker do you have to be to attract the interest of the Russian state in prisoner swaps like these? Clearly, it helps to have hacked widely and caused major damage to Russia’s enemies. By bringing these two men home, Russian leadership is sending a clear message to domestic hackers: We’ve got your back.
Microsoft recently caught state-backed hackers using its generative AI tools to help with their attacks. In the security community, the immediate questions weren’t about how hackers were using the tools (that was utterly predictable), but about how Microsoft figured it out. The natural conclusion was that Microsoft was spying on its AI users, looking for harmful hackers at work.
Some pushed back at characterizing Microsoft’s actions as “spying.” Of course cloud service providers monitor what users are doing. And because we expect Microsoft to be doing something like this, it’s not fair to call it spying.
We see this argument as an example of our shifting collective expectations of privacy. To understand what’s happening, we can learn from an unlikely source: fish.
In the mid-20th century, scientists began noticing that the number of fish in the ocean—so vast as to underlie the phrase “There are plenty of fish in the sea”—had started declining rapidly due to overfishing. They had already seen a similar decline in whale populations, when the post-WWII whaling industry nearly drove many species extinct. In whaling and later in commercial fishing, new technology made it easier to find and catch marine creatures in ever greater numbers. Ecologists, specifically those working in fisheries management, began studying how and when certain fish populations had gone into serious decline.
One scientist, Daniel Pauly, realized that researchers studying fish populations were making a major error when trying to determine acceptable catch size. It wasn’t that scientists didn’t recognize the declining fish populations. It was just that they didn’t realize how significant the decline was. Pauly noted that each generation of scientists had a different baseline to which they compared the current statistics, and that each generation’s baseline was lower than that of the previous one.
What seems normal to us in the security community is whatever was commonplace at the beginning of our careers.
Pauly called this “shifting baseline syndrome” in a 1995 paper. The baseline most scientists used was the one that was normal when they began their research careers. By that measure, each subsequent decline wasn’t significant, but the cumulative decline was devastating. Each generation of researchers came of age in a new ecological and technological environment, inadvertently masking an exponential decline.
Pauly’s insights came too late to help those managing some fisheries. The ocean suffered catastrophes such as the complete collapse of the Northwest Atlantic cod population in the 1990s.
Internet surveillance, and the resultant loss of privacy, is following the same trajectory. Just as certain fish populations in the world’s oceans have fallen 80 percent, from previously having fallen 80 percent, from previously having fallen 80 percent (ad infinitum), our expectations of privacy have similarly fallen precipitously. The pervasive nature of modern technology makes surveillance easier than ever before, while each successive generation of the public is accustomed to the privacy status quo of their youth. What seems normal to us in the security community is whatever was commonplace at the beginning of our careers.
Historically, people controlled their computers, and software was standalone. The always-connected cloud-deployment model of software and services flipped the script. Most apps and services are designed to be always-online, feeding usage information back to the company. A consequence of this modern deployment model is that everyone—cynical tech folks and even ordinary users—expects that what you do with modern tech isn’t private. But that’s because the baseline has shifted.
AI chatbots are the latest incarnation of this phenomenon: They produce output in response to your input, but behind the scenes there’s a complex cloud-based system keeping track of that input—both to improve the service and to sell you ads.
Shifting baselines are at the heart of our collective loss of privacy. The U.S. Supreme Court has long held that our right to privacy depends on whether we have a reasonable expectation of privacy. But expectation is a slippery thing: It’s subject to shifting baselines.
The question remains: What now? Fisheries scientists, armed with knowledge of shifting-baseline syndrome, now look at the big picture. They no longer consider relative measures, such as comparing this decade with the last decade. Instead, they take a holistic, ecosystem-wide perspective to see what a healthy marine ecosystem and thus sustainable catch should look like. They then turn these scientifically derived sustainable-catch figures into limits to be codified by regulators.
In privacy and security, we need to do the same. Instead of comparing to a shifting baseline, we need to step back and look at what a healthy technological ecosystem would look like: one that respects people’s privacy rights while also allowing companies to recoup costs for services they provide. Ultimately, as with fisheries, we need to take a big-picture perspective and be aware of shifting baselines. A scientifically informed and democratic regulatory process is required to preserve a heritage—whether it be the ocean or the Internet—for the next generation.
May Day was coming up and the feds were worried. In April 2015, the FBI and Department of Homeland Security sent out a bulletin warning that "anarchist extremists will probably engage in criminal or violent activity in one or more US cities on 1 May 2015 and may attempt to co-opt legal protest activity to carry out attacks."
It was the anniversary of the deadly 1886 labor unrest in Chicago's Haymarket. Several anarchists were executed for the violence back then, and in the 2015 bulletin's words, May 1 became "an international day honoring workers' rights that frequently results in anarchist extremist violence both domestically and internationally." To emphasize that anarchism was still a live threat, the Feds listed several recent anarchist attacks in their bulletin.
One of them, the firebombing of a congressional office in Kansas City, Missouri, was serious stuff. Police car tires were also slashed in Bloomington, Indiana; anonymous anarchists claimed online that the vandalism was in "Solidarity with the revolt in Ferguson." But another incident was more Parks and Recreation than V for Vendetta.
"In October 2014, 'some Bull City anarchists' chained the front door and glued the locks to a parking lot at a government facility in Durham, North Carolina, according to media reporting," the memo read. "The graffiti on the front of the building stated 'Solidarity with Missouri Rebels' and '[Expletive] the Police.'"
Reason was unable to locate any media reports from October 2014 mentioning the phrase "Bull City anarchists" or a parking lot incident in Durham like the one the bulletin describes.
Journalist Emma Best obtained a copy of the bulletin through a Freedom of Information Act (FOIA) request and published it to the public records platform MuckRock late last month. The FBI heavily redacted the version it sent Best. Reason also found an original copy of the bulletin in the BlueLeaks document dump, a trove of homeland security "fusion center" files released by hackers in June 2020.
The parts of the bulletin that the FBI had chosen to redact are a story unto themselves. The original version states that there is "no specific credible reporting to indicate anarchist extremists are planning violent criminal activity." But the FBI censored that line in the version it sent to MuckRock and Best under FOIA.
Curiously, the FOIA version also censored the assessment that "anti-police and law enforcement sentiment will likely continue to serve as a prominent motivator for anarchist extremists in 2015, barring any significant changes in anarchist extremist rhetoric or major public events that could galvanize anarchist extremists against other traditional targets."
Editorializing aside, that prediction turned out to be true. Anarchists played a significant role in the Black Lives Matter protests of 2020 and were often blamed for violence during the unrest.
In the FOIA version of the bulletin, the FBI redacted its specific recommendations for local police, citing the "law enforcement techniques" exemption to the Freedom of Information Act. Not that any of the advice was hard to guess. Basically, if police see anarchists training or gathering weapons and barricade materials, they should be extra vigilant and try to confiscate the weapons.
But, the Feds warned, local police shouldn't get too paranoid.
"Some of these behavioral indicators may be constitutionally protected activities and should be supported by additional facts to justify increased suspicions," the bulletin noted. "Independently, each indicator may represent legitimate recreational or commercial activities; however, multiple indicators could suggest a heightened threat."
The post Feds Worried About Anarchists Gluing the Locks to a Government Facility appeared first on Reason.com.
Last week's alleged Epic Games hack was a scam, so-called "ransomware" group Mogilevich have confessed, or at least, are reported to have confessed in a self-congratulary new statement. The group have not, it now seems, stolen a bunch of login data, WIP software and payment information from the creators of Fortnite; they were only pretending to have done so with a view to duping other hackers into buying their tools.
Or at least, that's what they're said to be saying now. I haven't tracked down the original source for Mogilevich's latest statement, and in any case, anything you read from a self-described "professional fraudster" should probably be treated with caution. Still, it lines up with Epic's own comments last week that there was no real sign that a hack had taken place.
Epic Games are investigating a claim that the Fortnite publishers have suffered a massive ransomware attack, with almost 200GB of data reportedly stolen including emails, passwords, full names, payment information, source code and more besides.
As much as I love Persona and have gladly sunk hundreds of hours into the many entries in Atlus’ series of RPGs, a lot of other people actually respect their time. That means they likely haven’t played or finished a Persona game. Thankfully, Atlus made 2022’s Soul Hackers 2 for people who want to experience the joys…
Přihlásit se