impersonation – Techdirt

Stories filed under: "impersonation"

Fake Images, Spread On Twitter, Fooled Media, Spooked Stock Market Briefly

from the the-deepfakes-are-evolving dept

Over the last few years, there’s been a lot of fretting among the media, politicians, and others about how “deep fakes” would have a major impact on events, with faked imagery, audio, and video creating havoc on news events and political campaigns. Back in 2019, we had published a story suggesting that people calm down a little. As we noted, similar fears had come about before, including in the early 1990s with the introduction of Photoshop. Similar predictions were made about how disastrous this would be for “truth.”

But… that never really came to be.

So it is interesting to see the story this week about a fake (most likely created using a generative AI program) photo showing what appears to be an explosion near the Pentagon. The image was fake, but it was shared by a bunch of accounts on Twitter who had paid Elon his $8 fee, enabling a blue checkmark to appear next to their name (while some people call them “verified” accounts, they’re not verified so they shouldn’t be called that). But, still, it was shared, and people believed it because it was made to look like it came from Bloomberg News.

The image, which bears all the hallmarks of being generated by artificial intelligence, was shared by numerous verified accounts with blue check marks, including one that falsely claimed it was associated with Bloomberg News.

“Large explosion near the Pentagon complex in Washington DC. – initial report,” the account posted, along with an image purporting to show black smoke rising near a large building.

And, from there, some in the media reported it as real:

The false reports of the explosion also made their way to air on a major Indian television network. Republic TV reported that an explosion had taken place, showing the fake image on its air and citing reports from the Russian news outlet RT. It later retracted the report when it became clear the incident had not taken place.

And… from there, it impacted the stock market:

In the moments after the image began circulating on Twitter, the US stock market took a noticeable dip. The Dow Jones Industrial Average fell about 80 points between 10:06 a.m. and 10:10 a.m., fully recovering by 10:13 a.m. Similarly, the broader S&P 500 went from up 0.02% at 10:06 a.m. to down 0.15% at 10:09 a.m. By 10:11 a.m., the index was positive again.

The fact that it was debunked and the stock market recovered quickly again suggests that the “threat” of faked content is still at least somewhat limited. But, in those five minutes, it’s likely that some people might have lost a lot of money (and others may have made lots of money). So it did have an impact.

However, it does seem notable that this is the first story I can recall of such a faked image actually having such an impact, unlike the predictions from years ago that this would be a regular occurrence. Now, it may come to pass that this happens more often, but, if anything, this seems to reinforce our story from a few years ago that it’s pretty difficult to pull off a full scale faking that has any real impact.

It is still notable that the main vector that made it possible for this image to have even the slight (and temporary) effect that it had was Musk’s ridiculous decision to turn “verification” into a profit center/asshole signaling system, rather than an actual verification plan. That is still allowing malicious actors to abuse this system to try to pretend to be more legitimate. And that was a key piece to the puzzle here. Without that faux “verification” it seems unlikely that any of this would have worked.

Indeed, Bloomberg’s own report of the story, notes that the image was actually first posted to Facebook, but didn’t get much traction until “verified” Twitter accounts tweeted it, including conspiracy theory nonsense peddler ZeroHedge and a fake “Bloomberg News” feed:

The fake photo, which first appeared on Facebook, showed a large plume of smoke that a Facebook user claimed was near the US military headquarters in Virginia.

It soon spread on Twitter accounts that reach millions of followers, including the Russian state-controlled news network RT and the financial news site ZeroHedge, a participant in the social-media company’s new Twitter Blue verification system.

Filed Under: deep fakes, elon musk, impact, impersonation, truth, twitter blue, verification
Companies: twitter

Twitter Blue’s New Verification / Not Verification Scheme Widely Abused On Day One

from the will-the-real-elon-musk-please-bluecheck dept

Look, when it was revealed that Elon Musk’s first big plan was to make blue checks available for purchase for $8 a month, some of us quickly pointed out that the blue checks weren’t supposed to be about status, but about verification that someone is who they say they are. And, that’s kind of important. It came about because celebrities felt uncomfortable using the site while there were tons of impersonators, and advertisers were less interested in advertising next to questionable content.

But… Musk is gonna Musk, and the plan rolled out on Wednesday, along with the rapidly changing gray check system that sorta, but not really replaces some of the blue check system while the blue checks become available for everyone (don’t worry, you don’t need to follow).

Anyway, tons of people, both experts and those with just basic common sense, pointed out that opening up the blue checks to anyone with $8 to burn was going to lead to abuse, impersonation, and scams. Musk and his reliable group of yes men, however, insisted that it would somehow… get rid of all that? He keeps trying to argue that since such accounts will get shut down, it won’t be worth it to people. But $8 is not much to pay for someone looking to do something nefarious (or funny). And it sure looks like Twitter isn’t set up to make sure that these aren’t being abused.

Yesterday, we highlighted one account that was pretending to be Twitter and pushing some sort of crypto scam:

And, on Wednesday, tons of people started impersonating famous people and famous brands. Just for the hell of it. The funniest one I saw was a fake Rudy Giuliani (the account was actually over a year old, but only just got the blue check).

Others impersonated Elon himself:

A fake Lebron James requested a trade from the Lakers and got a bunch of attention before it was deleted:

Note that all of those show the “verified” blue badge that used to denote that they were real.

Meanwhile, a ton of companies (i.e., potential advertisers) were also spoofed, and not always in a flattering light:

Now, at this point, most of these are kind of amusing. And all of the examples above have been shut down. Musk and his fans are joking about how they got $8 from all these guys and they lost their accounts, but the people who created them don’t much care about that. They were making a point.

And the point remains: advertisers are going to feel pretty uncomfortable about coming back to a platform that can’t protect their brands and is open to such things.

Even worse is that while people are quickly spotting these jokes, you’d have to be crazy to assume that others aren’t using the blue checks for something more nefarious and a lot less public. It’s quite likely that scammers are quickly setting up blue check accounts, and it wouldn’t surprise me if mischief makers associated with nation states are doing the same.

This is the kind of thing that a good manager at least has folks exploring how to prevent, rather than launching it and just hoping you’ll fix it later. People are going to get scammed. That’s not good for Twitter, and it’s certainly not good for any company that wanted to do business with Twitter.

Filed Under: blue checks, elon musk, impersonation, security, verification
Companies: twitter

from the careening-along-the-curve-of-hypocrisy dept

Last week, we posted a cheat sheet on how to speedrun the content moderation learning curve. It went a bit viral, but I don’t think Elon got to check it out. In the meantime, he seems to be doing his actual speedrunning in public.

Anyhoo… let’s just say that the next few paragraphs are known as foreshadowing

Back in May at a conference, Elon Musk said that he was against the idea of “perma” bans.

“I do think it was not correct to ban Donald Trump, I think that was a mistake,” Musk said. “I would reverse the perma-ban. … But my opinion, and Jack Dorsey, I want to be clear, shares this opinion, is that we should not have perma-bans.”

A few weeks before that, he said that he hoped that “even my worst critics remain on Twitter, because that is what free speech means.”

He also said that when he talked about bringing free speech back to Twitter, he meant “that which matches the law” saying that he was “against censorship that goes far beyond the law.”

And, just as a side note (by which I mean, more foreshadowing) parody has been found to be protected by the 1st Amendment, making it very much “matching the law.” And, in one important case, the wonderful judge, Pierre Leval, pointed out that parody is still protected by the 1st Amendment even if some are fooled by it. In that case, one of the claims was that a parody done by New York Magazine was not labeled as parody. But Judge Leval points out that this does not matter:

Although New York’s position would probably be stronger if its joke had been clearer, the obscurity of its joke does not deprive it of First Amendment support. First Amendment protections do not apply only to those who speak clearly, whose jokes are funny, and whose parodies succeed.

Oh, and one more: after he took over Twitter, Musk declared “Comedy is now legal on Twitter.”

Alrighty. Enough of the foreshadowing. On Sunday evening, Musk decreed that impersonation will immediately result in a permaban.

That says:

Going forward, any Twitter handles engaging in impersonation without clearly specifying “parody” will be permanently suspended

Of course, as basically everyone noticed, the “impersonation” accounts that were getting suspended seemed to mostly be people making fun of Elon Musk. Most notably, comedian Kathy Griffin changed her name to Elon Musk and had mocked him. Some others had done something similar.

Thus, only a week into ownership, Musk has gone back on “all legal free speech,” no permabans, and hoping that his critics would remain on Twitter all in one shot. It’s almost impressive.

And, yes, you can (and I’m sure some very eager people will in our comments) make the argument that impersonating users is potentially problematic. Musk tried to clarify that he was talking about accounts with checkmarks (what used to be verified accounts, but under Musk’s leadership now mean “willing to pay $8/month”). And, yes, back when the checkmarks were about verified identity, I could see how problematic it would be for someone to impersonate someone else. That’s less so under the “pay for checkmark with no verification” setup though.

But, the key point is that this is exactly what many of us have been trying to tell Musk since way back in March. That moderation issues are not about “free speech.” It’s something else entirely.

I don’t begrudge Musk trying to deal with real potential issues that might come with impersonation. But… if he had even an ounce of self-reflection he might realize that all of these hypocritical moves he is making suggest that maybe, just maybe, Twitter and all the employees he fired actually did have a decent (or, let’s say, very, very firm) grasp on what free speech actually means and how to manage a platform like Twitter.

And while I really had hoped that maybe he secretly did understand all this and was just hamming it up for his fans, it really appears that Musk is rushing headlong through the content moderation learning curve and making all the same moves as everyone else before him. It’s easy to declare “free speech for all” until suddenly all hell breaks loose and people are mocking you left and right.

Anyway, comedy remains legal, and in some ways, this is all very, very funny.

Filed Under: content moderation, elon musk, free speech, impersonation, jokes, parody, permablocks
Companies: twitter

Facebook (Again) Tells Law Enforcement That Setting Up Fake Accounts Violates Its Terms Of Use

from the LAPD-teaching-respect-for-the-law-by-playing-by-its-own-rules-wtaf dept

Law enforcement agencies routinely engage in surveillance of social media accounts. Some of this is accomplished with third-party tools that use keywords and geofences to give cops info that may be relevant to investigations. These tools also give cops a lot of garbage data that law enforcement is free to sift through for officers’ own entertainment or to bypass constitutional protections surrounding speech and warrantless searches.

Does it actually help combat crime? The jury (if a court would ever allow one to consider these issues…) is still out on that. But social media surveillance continues under the theory that anything someone published publicly should be accessible by cops since it’s accessible by everyone else.

But the constitutional metric changes (or at least should) when cops set up fake accounts to engage in surveillance of suspected criminals. In these cases, cops may be welcomed into more private circles where information can’t be accessed unless a person has been given access.

This isn’t a new problem. It dates back to 2009, when Facebook was gaining critical mass and Twitter was just starting to generate enough interest to become (very eventually) sustainable. Twitter’s account verification process allows users to engage without turning over much personal info. The same can’t be said for Facebook, which would prefer to have its user base verified with as much personal info as possible — something that was supposed to limit abusive behavior but just ended up giving the platform plenty of actionable (and sellable) demographic info. Facebook insisted on real people and real names and altered its policy to inform users that setting up bogus accounts was something that could result in account termination.

Cops didn’t care. They had online lurking to do in hopes of finding something prosecutable without ever leaving the office. Facebook warned law enforcement that setting up fake accounts wasn’t permissible in 2018 after news surfaced showing cops were bypassing these rules to do a little online fishing for potential criminals.

Facebook is now Meta. It is also still Facebook, albeit under a new umbrella corporation. The rules about “real names” still apply to Facebook account creation. And law enforcement officers are still continuing to ignore this rule. Three years after its last letter to cops about terms of service violations, Meta is sending out another one [PDF]. It reiterates what officers already know but apparently believe Facebook/Meta won’t actually do much to enforce.

The letter references Los Angeles Police Department activities exposed by the Brennan Center. The LAPD apparently encourages officers to set up fake accounts to locate and surveil criminal suspects. The practice is common enough that the LAPD actually has policies governing the use of social media surveillance via dummy accounts. But the policies ignore Facebook’s rules, which take precedence over the LAPD’s rules. After all, it’s Facebook’s platform, not the LAPD’s playground.

According to the Brennan Center for Justice and media reports the Los Angeles Police Department (“LAPD”) has been instructing its officers to create fake (or “dummy”) Facebook accounts and impersonate legitimate users. Not only do LAPD instructional documents use Facebook as an explicit example in advising officers to set up fake social media accounts, but documents also indicate that LAPD policies simply allow officers to create fake accounts for “online investigative activity.” To the extent these practices are ongoing they violate our terms of service. While the legitimacy of such policies may be up to the LAPD, officers must abide by Facebook’s policies when creating accounts on our services. The Police Department should cease all activities on Facebook that involve the use of fake accounts, impersonation of others, and collection of data for surveillance purposes.

This alone won’t prevent the LAPD from violating Facebook’s terms of service to engage in online surveillance. Facebook will have to determine which accounts are fake and terminate them. But this letter gives the LAPD notice that when its bogus accounts are terminated, it will have zero recourse.

The letter also says the LAPD is violating other Facebook rules, albeit indirectly.

It has also come to our attention that the LAPD has used a third-party vendor to collect data on our platforms regarding our users. Under our policies, developers are prohibited from using data obtained on our platforms for surveillance, including the processing of platform data about people, groups, or events for law enforcement or national security purposes (https://developers.facebook.com/terms/#control).

Again, this won’t stop the LAPD from utilizing services it’s paid for. But it does make it clear that if Facebook ever decides to terminate access to this firehose being abused by third parties, neither the third parties nor their LAPD beneficiaries will be able to do anything but bitch ineffectively about the loss of access to a surveillance tool.

Subterfuge is often essential to law enforcement investigations. But that doesn’t mean private companies are obliged to provide cover for undercover surveillance. Law enforcement has been told (at least twice) that the rules that govern regular people also govern government employees — people who often seem to believe they’re above rules, laws, and even the rule of law.

Filed Under: fake accounts, impersonation, lapd, law enforcement, police
Companies: facebook, meta

Former NSO Employee Says The Company Impersonated Facebook To Deploy Malware

from the so-much-for-the-innocent-middleman-theory dept

As Facebook’s lawsuit against Israeli malware purveyor, NSO Group, continues, more facts are coming to light that undercut the spyware vendor’s claims that it’s just a simple software developer that can’t be blamed for the malicious acts of its customers.

NSO Group argued in court that the sovereign immunity that insulates the governments it sells to (including such abusive regimes as the United Arab Emirates and Saudi Arabia) similarly shields it from Facebook’s desire to prevent it from using WhatsApp to deploy malware. Facebook has since pointed out NSO uses US servers that it owns or rents to deploy the malware it claims it has no involvement in deploying.

More information has come to light, thanks to a whistleblower of sorts who spoke to Joseph Cox of Motherboard. The statements made by a former NSO employee further implicate the company in the dirty doings of its customers (who have targeted journalists, activists, and lawyers).

Infamous Israeli surveillance firm NSO Group created a web domain that looked as if it belonged to Facebook’s security team to entice targets to click on links that would install the company’s powerful cell phone hacking technology, according to data analyzed by Motherboard.

“Pegasus” is the name of the malware deployed via WhatsApp — the preferred tool of governments the company sells to. (It’s branded as “Phantom” when NSO pitches to US law enforcement agencies.) Once successfully deployed, the malware grants government agencies almost complete access to phone data, communications, and functions. Messages can be intercepted, making encryption irrelevant, and the phone’s mic and camera can be surreptitiously accessed to record conversations and take pictures.

It’s easier to get targets to activate the malware if it looks like it came from a legitimate source. That’s where the impersonation comes in.

The IP address provided to Motherboard related to a 1-click installation of Pegasus, the former employee said. Motherboard reviewed multiple databases of so-called passive DNS records from cybersecurity services DomainTools and RiskIQ, which show what web domain an IP address related to at different points in time. Throughout 2015 and 2016, the IP address resolved to 10 domains. Some of these seem to have been designed to appear innocuous, such as a link a person could click on to unsubscribe themselves from emails or text messages. Others impersonated Facebook’s security team and package tracking links from FedEx.

The IP address impersonating Facebook is no longer under NSO’s control. Infamous IP protection firm MarkMonitor apparently took control of the domain in late 2016, handing control of it to Facebook to prevent further misuse.

Facebook is also suing domain registrars for allowing customers to purchase domains that appear to be associated with the social media service. This isn’t an unusual move, but it does appear to indicate most purchasers of Facebook-adjacent domains are using them for malicious purposes. Until now, no one’s linked any of these domains to a malware vendor. This is only going to further harm NSO’s assertions that its involvement in malware deployment begins and ends at the point of sale.

Filed Under: impersonation, malware, spyware, surveillance
Companies: facebook, nso group, whatsapp

It's Apparently Easy To Pretend To Be A Cop, Grab Location Data From Cellular Carriers

from the ill-communication dept

Mon, Mar 11th 2019 10:44am - Karl Bode

While Facebook tends to get the lion’s share of (deserved) criticism, the telecom sector continues to make its case for being the absolute worst when it comes to protecting your private data. Scandal after scandal has highlighted how wireless carriers routinely collect and store your daily location data, then sell that data to a universe of shady middlemen with little to no oversight as to how the data is used. Users sign one overlong privacy policy with their wireless carrier, and that policy is being read to mean consumers sign off on the practice, which they certainly haven’t.

This week journalist Joseph Cox again highlighted the problems on the location data front, reporting how many stalkers and debt collectors are able to get access to this data without paying for it. How? By pretending to be law enforcement officers:

“…bounty hunters and people with histories of domestic violence have managed to trick telecommunications companies into providing real-time location data by simply impersonating US officials over the phone and email, according to court records and multiple sources familiar with the technique. In some cases, these people abuse telecom company policies created to give law enforcement real-time location data without a court order in “exigent circumstances,” such as when there is the imminent threat of physical harm to a victim.

In addition to cellular tower location data, carriers were also recently busted selling A-GPS data, which is supposed to be protected by FCC data rules. Despite significant reporting on this subject and carrier promises to stop collecting and selling this data, this practice is still ongoing. Like Facebook, these are companies that are staring down the barrel of looming regulation — and still somehow can’t seem to find the motivation to behave. Regulators at the Ajit Pai FCC have also sat on their hands and have yet to issue so much as a warning to cellular carriers.

At least one skiptracer told Motherboard that wireless carriers remain several steps behind in trying to crack down on the practice:

“So many people are doing that and the telcos have been very stupid about it. They have not done due diligence and called the police [departments] directly to verify the case or vet the identity of the person calling,” Valerie McGilvrey, a skiptracer who said she has bought phone location data from those who obtained access to it, told Motherboard. A skiptracer is someone tasked with finding out where people, typically fugitives on the run or those who owe a debt, are located.”

In many instances the third parties are exploiting telecom company procedures for “exigent circumstances,” allowing them to request and receive real-time location data by fabricating law enforcement data request documents telecom operators aren’t properly verifying. Of course as the New York Times noted more than a year ago, law enforcement officers have also been busted abusing this system to spy on judges and other law enforcement officers.

Like so many sectors, wireless carriers were so excited by the billions to be made selling your daily habits, they forgot to actually protect that data. As reporters like Cox continue to dig deeper, you have to think that many cellular carriers are scrambling hard to clean up their mess as inevitable class action lawsuits and regulatory investigations wait in the wings. This scandal is getting so ugly, even the carrier-cozy Trump FCC may, at some point, be forced to actually do something about it.

Filed Under: bounty hunters, data sharing, debt collectors, exigent circumstances, impersonation, law enforcement, location info, privacy, stalkers, telcos

Someone Impersonated New Jersey's Attorney General To Demand Cloudflare Takedown 3d Printed Gun Instructions

from the faking-takedowns dept

Buckle in, folks. Here’s a crazy one involving 3D printed guns, angry lawsuits and an apparently forged letter from the New Jersey Attorney General.

Over the past few years, we’ve been highlighting a whole bunch of stories concerning the lengths that some people will go to in an effort to block certain content online. One version that we’ve seen quite a bit in the past few years is forging takedown demands, including forged court orders. However, now we’ve seen it expand to a different arena — touching on another issue we’ve written about before. Last year (not for the first time) we wrote about the moral panic and hysteria around 3D printed guns that had resulted in a few states claiming the right to order 3D files offline.

Not much had seemed to happen on that front, until a week or so ago when various 2nd Amendment groups, including the somewhat infamous Defense Distributed (makers of 3D printer files for firearm components) filed a lawsuit, seeking an injunction against New Jersey’s Attorney General, Gurbir Grewal, arguing that he had sent an unconstitutional takedown letter to Cloudflare, which was the CDN service that Defense Distributed was using for its website CodeIsFreeSpeech.com.

In theory, this was setting up an important potential 1st Amendment case. But, on Tuesday, something unexpected happened. The State of New Jersey showed up in court to say no one there actually sent the takedown — and that they believed it was forged, and sent via a proxy service in the Slovak Republic. Really.

The Attorney General’s Division of Criminal Justice (DCJ) has concluded that a key document supporting Plaintiff’s TRO application, a “takedown notice” purportedly sent by DCJ to CloudFlare, Inc., which hosts one of the plaintiff’s websites, CodeIsFreeSpeech.com, was not in fact issued by DCJ, and appears to have been issued by some entity impersonating the Attorney General’s Office.

The filing recognizes that New Jersey’s legislature did pass a law late last year restricting the distribution of such 3D printed instructions, but that the state’s law enforcement arm has yet to do anything to enforce it, and most certainly did not send the letter in question.

As noted, we have no reason to believe the Attorney General’s Office filed this takedown notice with Cloudflare, and our investigation thus far demonstrates the office did not do so. We have conferred with all relevant parties within the Attorney General’s Office, including DCJ and the New Jersey State Police, and there is no evidence that anyone within the Office authorized its filing. In an effort to determine who, in fact, issued the notice, DCJ assigned two investigators to review the matter, who obtained the IP address of the device used to submit the notice to Cloudflare, and learned that the IP address is associated with a server located in the Slovak Republic. This IP address is not connected to DCJ, nor would DCJ use this type of proxy server for routine communications with third parties.

Intrigue.

Cloudflare has similarly posted a blog post giving its side of the story, noting that there were some oddities with the notice, but, since it doesn’t actually host the content in question, it followed its standard operating procedure of forwarding the notice to the actual host. Only afterwards did it start to notice the oddities:

A few days after we forwarded the complaint, we saw news reports indicating that the website operator and a number of other entities had sued the State of New Jersey over the complaint we had forwarded. That lawsuit prompted us to take a closer look at the complaint. We immediately noticed a few anomalies with the complaint.

First, when law enforcement agencies contact us, they typically reach out directly, through a dedicated email line. Indeed, we specifically encourage law enforcement to contact us directly on our abuse page, because it facilitates a personalized review and response. The NJ-related request did not come in through this channel, but was instead submitted through our general abuse form. This was one data point that raised our skepticism as to the legitimacy of this report.

Second, the IP address linked to the complaint was geo-located to the Slovak Republic, which seemed like an unlikely location for the New Jersey Attorney General to be submitting an abuse report from. This particular data point was a strong indicator that this might be a fraudulent report.

Third, while the contact information provided in the complaint appeared to be a legitimate, publicly available email address operated by the State of NJ, it was one intended for public reporting of tips of criminal misconduct, as advertised here. It seems unlikely that a state attorney general would use such an email to threaten criminal prosecution. On occasion, we see this technique used when an individual would like to have Cloudflare’s response to an abuse report sent to some type of presumably interested party. The person filing this misattributed abuse report likely hopes that the party who controls that email address will then initiate some type of investigation or action based on that abuse report.

Cloudflare further notes that, having learned that this notice was forged, it has now found “other abuse reports submitted from this IP address” and established “a clear pattern of fake abuse reports,” such that abuse reports from that IP will no longer be allowed.

There are, of course, some larger issues here. As we’ve noted for years and years and years — mainly with regard to the DMCA notice-and-takedown process — when you have a process that allows for notice and takedown it will get abused. Widely and continuously. Expanding notice and takedown to other arenas only means it will get abused more and more, and the abuse will become increasingly sophisticated.

We should be especially concerned about things like the EU’s Terrorist Content Regulation, which will not only deputize random law enforcement officials to send such takedowns to various platforms, but also mandate that platforms take down any such content within one hour of the notice being sent. If you believe that process won’t be abused in a manner similar to what we see above, you have not been paying attention. Giving people tools for censorship will lead to censorship, and often it will be done in very surreptitious ways.

We should be extra careful about enabling more such activity under the false belief that only the “good guys” will use such powers, and that they will only use them for good.

Filed Under: 1st amendment, 2nd amendment, 3d printed guns, 3d printing, forgery, gurbir grewal, impersonation, new jersey, takedowns
Companies: cloudflare, defense distributed

FBI Faked Up A FedEx Website To Track Down A Scam Artist

from the phishing-for-fraudsters dept

Trust no one. The DEA impersonates medical board investigators. Police pretend to be people’s friends. FBI agents pretend to be journalists. And, in this case, federal investigators pretended they could help an alleged scammer trace a FedExed payment. Joseph Cox of Motherboard has more details, taken from recently unsealed FBI warrant applications.

The two 2017 search warrant applications discovered by Motherboard both deal with a scam where cybercriminals trick a victim company into sending a large amount of funds to the scammers, who are pretending to be someone the company can trust. The search warrants show that, in an attempt to catch these cybercriminals, the FBI set up a fake FedEx website in one case and also created rigged Word documents, both of which were designed to reveal the IP address of the fraudsters. The cases were unsealed in October.

The warrant application [PDF] in one case seeks permission to use an NIT (Network Investigative Technique) to expose identifying information about a targeted device/computer. This warrant request — relying on recent changes to jurisdictional limitations — says the NIT deployment was necessary because the FedEx impersonation failed to obtain usable IP address info thanks to the target’s use of a VPN to access the impersonated site.

On July 25, 2017, FBI Buffalo, Rochester Resident Agency purchased the domain www.fedextrackingportal.com and developed the website www.fedextrackingportal.com/apps/us-en/tracking.php?action=track&trackingnumber=731246AF7684. The website was created with the message “Access Denied, This website does not allow proxy connections” error message when accessed. The website was created to capture the basic server communication information, as IP Address date and time stamp, and user string when the website was accessed. No malware or computer exploit was deployed in the development of the website; the only information captured in the webserver logs was unencrypted basic network traffic data identified above.

The IP addresses trapped with this ruse traced back to ExpressVPN, necessitating the technique described in this warrant application: a malicious email attachment.

The deployment of the NIT will occur through email communications with the TARGET USER, with consent from the victim company, Gorbel, and the Accounts Payable manager Belt. The FBI will provide an email attachment to the victim which will be used to pose as a screen shot of the FedEx tracking portal for the sent payment. The FBI anticipates the target user, and only the target user, will receive the email and attachment after logging in and checking emails. The subject will download the attachment which will deploy a technique designed to identify basic information of the TARGET location. […] For the email attachment approach, the FBI will use a document with an embedded image requiring the computer to navigate outside the proxy service in order to access the embedded item.

A second warrant application dug up by Motherboard details pretty much the same process: an NIT deployed via email attachment to force the target to relinquish identifying info like IP addresses and device information. The twist in the second application is that the malicious embed (an image contained in a Word document) would require the recipient to turn off “Protected Mode” to open the attachment. Simply harvesting info from an end user is one thing. Having them perform an action on their end to give the government access to their computer is another. “In an abundance of caution,” the FBI requested a warrant, even though the application makes it clear the FBI believes it shouldn’t need a warrant to force targeted devices to give up potentially-identifying info.
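Both warrant applications rely on the same mechanism: a document carrying a reference to an image that lives on a remote host, which the viewing machine fetches when the file is rendered. In Office Open XML that reference is a relationship entry with TargetMode="External", so a mail gateway or sandbox can find it by reading the package's .rels parts before anyone opens the file. The scanner below is an added example written for this article, not code from Motherboard or from the warrant applications. It distinguishes relationships Office resolves automatically (image, oleObject) from hyperlinks, which only resolve on a click. The sample document it builds is a constructed fixture with a placeholder host under the reserved .invalid domain; it contains no drawing and is not a functional document.

```python
"""
Scanner for Office Open XML packages (.docx) that reports relationships whose
target lies outside the package.  Added example for this article; not code
from the article, Motherboard, or the FBI.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship kinds Office resolves while rendering, without user action.
# Every other external relationship (hyperlinks) is treated as click-only.
AUTO_RESOLVED = {"image", "oleObject"}


def external_targets(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_kind, target) for every relationship
    in any .rels part whose TargetMode is External."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, kind, rel.get("Target", "")))
    return found


def auto_fetched(docx_bytes: bytes) -> List[str]:
    """External targets that the viewer's machine would contact on open."""
    return [t for _, kind, t in external_targets(docx_bytes) if kind in AUTO_RESOLVED]


def build_sample_docx(external_image_url: Optional[str]) -> bytes:
    """Constructed fixture: a minimal package with one internal relationship,
    one ordinary hyperlink and, optionally, one externally linked image.  It
    only exercises the scanner and is not a usable Word document."""
    rels = [
        f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}styles" Target="styles.xml"/>',
        f'<Relationship Id="rId2" Type="{REL_TYPE_BASE}hyperlink" '
        f'Target="https://example.com/" TargetMode="External"/>',
    ]
    if external_image_url:
        rels.append(f'<Relationship Id="rId3" Type="{REL_TYPE_BASE}image" '
                    f'Target="{external_image_url}" TargetMode="External"/>')
    rels_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://tracker.invalid/pixel.png")  # placeholder host
    for part, kind, target in external_targets(sample):
        risk = "auto-resolved" if kind in AUTO_RESOLVED else "on-click"
        print(f"{part}: {kind} -> {target} [{risk}]")
```

Protected View blocks these fetches, which is why the second application notes the recipient would have to leave it; a gateway that quarantines any attachment with an auto-resolved external target removes the decision from the user entirely.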

The impersonation of FedEx may be novel, but the FBI’s use of NITs began well before its extrajurisdictional searches were codified by Rule 41 changes. NITs have been in the FBI’s toolkit for most of this decade. Here’s a 2012 application and returned warrant showing the FBI using an NIT to obtain IP addresses and device info to locate a wanted felon using an email address the agency believed belonged to the target.

The FBI’s impersonation of people, places, and things is likely just as widespread, even if the rules (very loosely) governing this investigative technique suggest it shouldn’t be. FedEx may have questions about the FBI’s use of its name to obtain IP addresses from criminal suspects, but so far, it hasn’t commented on the news. What’s seen in these applications suggests some care is being taken to avoid sweeping up innocent internet users, but there’s only so much that can be implied from this very small sampling of federal investigative activity.

Filed Under: doj, fake website, fbi, impersonation, nit, phishing, warrant
Companies: fedex

FBI Releases Guidelines On Impersonating Journalists, Seems Unworried About Its Impact On Actual Journalists

from the whatever.-at-least-it's-not-harming-investigations.-yet. dept

The FBI’s impersonation of journalists raised questions about its investigative activities, none of which the FBI felt like addressing. An Inspector General’s investigation of FBI investigations using this tactic found that it was generally a bad idea, but not an illegal or unconstitutional one. Prior to the investigation, the FBI apparently had no clear policies governing this form of impersonation, which it used to snare a school-bombing suspect.

Following the report, a policy was put in place that added some additional layers of oversight but didn’t indicate the obvious downside of impersonating journalists: that the people the FBI wants to investigate are going to do a lot less talking to anyone they don’t know, which includes journalists attempting to document newsworthy events that might contain criminal activity.

The FBI blew it with one of its other impersonation efforts. As Camille Fassett reports for the Freedom of the Press Foundation, a more recent effort may have put a serious damper on its fake news(person) efforts.

In an even more disturbing incident in 2015, FBI posed as a documentary filmmaker crew in order to gain the trust of a group of ranchers engaged in an armed standoff with the government. The fake crew recorded hundreds of hours of video and audio and spent months with the ranchers pretending to make a documentary.

The FBI tacitly acknowledged these efforts are great for the short-term, but ultimately harmful to the FBI in the long-term. Notably, it’s not because they have a chilling effect on press freedoms, but rather because they undermine trust in the entities the FBI wants to impersonate.

The FBI’s own arguments in the case acknowledge the chilling effect on journalism presented by this tactic. In a motion of summary judgment obtained by Freedom of the Press Foundation, the agency argued that it should not be required to disclose details about other instances of media impersonation, on the grounds that “it would allow criminals to judge whether they should completely avoid any contacts with documentary film crews, rendering the investigative technique ineffective.”

The Reporters Committee for Freedom of the Press has obtained the FBI’s guidelines [PDF] for undercover efforts that involve impersonating journalists. They indicate there are several levels of approval needed, but don’t contain details about what’s considered by those making these determinations.

The relevant FBI field office must submit an application to the Undercover Review Committee at FBI headquarters and it must be approved by the FBI Deputy Director after consultation with the Deputy Attorney General. The guidelines do not provide any criteria the FBI Deputy Director and/or the Deputy Attorney General must consider when approving these undercover activities.

All well and good, but one wonders how high the potential impact on civil liberties rates on the scale of 0-Impersonation, or whether it’s more important the agency doesn’t undermine future investigations by setting fire to the reputation of the impersonated entities by opening the Adventurous Reporter dress-up kit once too often.

I don’t believe the FBI doesn’t care at all about the collateral damage. I’m just reasonably certain it’s far more concerned about how often — and how successfully — it will be sued. Adding more layers of oversight won’t necessarily steer agents away from questionable tactics, but it will make it more difficult for plaintiffs to show the FBI carelessly caused damage to their livelihoods by pretending to be the press.

Filed Under: fbi, impersonating journalists, impersonation, journalism, journalists

Leaked ICE Manual Shows Gov't Allowing Informants To Engage In Illegal Behavior, Impersonate Lawyers, Journalists, And Doctors

from the black-hats-v.-black-hats dept

The 9/11 attacks gave us the DHS. And from that atrocity came ICE. We used to get by with Customs and a Border Patrol, but no, we needed something additional that tied the homeland’s “security” to a new, deeply brutal form of “customs enforcement.” Normally, the word “customs” would suggest the rounding up of illegal imported goods or the collection of duty payments from incoming arrivals.

Instead, we were handed an agency that concerns itself mainly with ejecting people from the country in the most aggressive way possible, cheered on by White House officials and a large group of Americans who view our closest southern nation with deep suspicion and a touch of xenophobia. ICE’s current activities aren’t the fault of the Trump Administration, but this administration has done more than most to take everything that’s bad about ICE (which is a lot) and crank it up to 11.

Warrantless raids, misrepresentation of advocacy efforts, deporting critical journalists… these are all part of ICE’s playbook. But there’s far more to it than this. The official “playbook” for ICE undercover operations basically allows the agency to operate as a criminal operation and engage in illegal activity for the greater good of booting immigrants out of the US.

The guidebook for ICE’s undercover operations has been published by Unicorn Riot, which makes no statements about how it obtained this document. Its Twitter account refers to it as a “leak,” which suggests this wasn’t the result of a FOIA request. Regardless of its origins, it’s a harrowing read. Many of the highlights of the 227-page manual [PDF] can be viewed in UR’s tweet thread. Other details have been posted at its website, which takes a bullet-pointed trip through the entirety of the document.

What is crystal clear is that ICE undercover operations involve informants who are allowed to engage in criminal activity, including fun stuff like trafficking immigrants, purchasing stolen property, drug dealing, paying bribes, entrapment, and anything else that might be deemed “necessary” to ensure the viability of an investigation.

Informants are strongly encouraged not to engage in violent acts or entrapment, but given enough leeway to perform these acts if deemed necessary. The only thing that changes is the number of government officials receiving reports about these departures from policy guidelines.

If these sanctioned illegal acts happen to turn a profit, everyone wins. ICE itself can partake of funds obtained through illegal activity. Some of this is routed back to informants to purchase whatever’s needed to continue the investigation. In many cases, this means funneling funds into purchasing supplies needed for further criminal activity. The funds may also be used to fund ICE itself. It’s perfectly acceptable for ICE to use funds derived from the criminal activity of its informants to cover ICE agent overtime.

ICE is also authorized to create shell companies as cover for investigations. In ICE terminology, this is “backstopping” — providing a credible back story for ICE operations should they happen to be investigated by their investigation targets. This ordained creation of shell companies allows ICE operatives to obtain fake SSNs, brokers’ licenses, medical degrees, pilots’ certifications, and immigration documents.

The shell companies themselves are made possible/plausible with the assistance of several federal agencies:

Federally-issued undercover identification/backstopping for undercover proprietary businesses and shell companies can be obtained through the Undercover Operations Unit.

Types of available corporate identification/backstopping include, but are not limited to, the following:

A. Employer Identification Numbers (EINs) (Note: All EINs must be obtained through the Undercover Operations Unit in order to avoid tax issues with the Internal Revenue Service);
B. Dun and Bradstreet reports;
C. Department of Transportation/Motor Carrier numbers;
D. Department of Defense Trade Compliance Registration numbers;
E. Office of Foreign Asset Control License;
F. FAA airplane registration number/certificates;
G. U.S. Coast Guard marine identification; and
H. business credit cards.

Then there’s the list of personas undercover informants can adopt, which include priests/clergy, lawyers, doctors, therapists, and “news media.” Naturally, some of these roles involve the harvesting of privileged communications — even though the privilege is assumed by the person the informant is conversing with and certainly not extended by those working for ICE. But, as the handbook points out, this puts informants in the position of overhearing actually privileged communications due to the nature of the charade, which may find them conversing with real lawyers, members of the clergy, doctors, and therapists.

This is referred to as “Sensitive Circumstances” by the DHS, an official designation that means nothing more than a case-by-case review rather than the blanket approval it extends to other undercover activities.

The guidebook, issued in 2008, may have seen some updates in recent months, but it’s unlikely anything was added to rein in ICE’s condoned criminal activity. Unicorn Riot notes it has confirmation this manual was still in use as of 2016, so it’s not a relic of one particular administration. It apparently predates Obama’s election and quite possibly extends into Trump’s.

This shows how far our government is willing to go to enforce its laws. It will condone the breaking of laws in the name of enforcing them. The handbook may as well be named “End Justifies The Means” — a 272-page compendium of acceptable means that would be unacceptable if anyone other than the government were engaged in them.

Filed Under: backstopping, dhs, ice, impersonation, informants, training manual, undercover