The Daily Parker

As much fun as Cassie and I have had over the last few days, the news around the world didn't stop:

• After 448 days, Illinois will finally reopen fully on Friday.
• Security expert Tarah Wheeler, writing on Schneier.com, warns that our weapons systems have frightening security vulnerabilities.
• Fastly's content-delivery network (CDN) collapsed this morning, taking down The New York Times, The Guardian, Bloomberg News, and other major properties; no word yet on the cause, but we can guess.
• About 12,000 volunteer software developers around the world contributed to the Mars Helicopter project through GitHub.
• Josh Marshall looks at the burn-it-all-down ethos of defeated Israeli Prime Minister Benjamin Netanyahu and our own XPOTUS.
• Alexandra Petri wonders why anyone would buy a Swiss Army knife when an AR-15 does the job better?
• ProPublica divided income tax by (unrealized) wealth growth and found that the wealthiest 25 Americans paid almost no income tax from 2014 to 2018; however, they did not apply that methodology to the millions of middle-class families whose 401(k) funds appreciated, which would show that most people paid smaller percentages than they thought.
• Earth's CO₂ levels have reached 419 ppm, a level not seen since around the time humans and chimpanzees split from their last common ancestor.

Finally, journalist Jack Lieb filmed D-Day using a 16mm home movie camera, which you can see on the National Archives blog. It's really cool.

I've just received my third nearly-identical fake DMCA takedown notice, which I may decide to turn over to the FBI if I can muster the shits to give. I find it funny how each one of them has a few differences that make them look like something other than lazy script-kiddie stuff. This one again misstated the statutory damage limits for willful copyright infringement, and the randomly-generated name of the "claimant" was no less bizarre than the other two. And yet I wonder why they bothered altering the bits they altered. Maybe there are multiple entities involved, with each email coming from a different person or group? Maybe they have some low-paid flunky typing in the note each time, so I'm watching its slow drift from a semi-competent DMCA notice into the digital equivalent of "hodor?"

This one bounced through an IP address in New York State, which means my previous guess that this was a domestic script-kiddie operation might be wrong. For one thing, the threatening language has a few tells that its author doesn't speak English natively. I had originally thought the author merely wanted to sound more convincing by using stock phrases and "magic" legal words, but now that I've seen three examples of the same basic text, it looks more like Russian-inflected English. In any event, I wave my private parts at their aunties.

Both the New Yorker and New York Times published reports over the weekend about crap like this. In the first, Rachel Monroe talked with ransomware negotiator Kurt Minder about negotiating with criminals:

For the past year, Minder, who is forty-four years old, has been managing the fraught discussions between companies and hackers as a ransomware negotiator, a role that didn’t exist only a few years ago. The half-dozen ransomware-negotiation specialists, and the insurance companies they regularly partner with, help people navigate the world of cyber extortion. But they’ve also been accused of abetting crime by facilitating payments to hackers. Still, with ransomware on the rise, they have no lack of clients. Minder, who is mild and unpretentious, and whose conversation is punctuated by self-deprecating laughter, has become an accidental expert.

Hackers use various techniques to gain access to a company’s computers, from embedding malware in an e-mail attachment to using stolen passwords to log in to the remote desktops that workers use to connect to company networks. Many of the syndicates are based in Russia or former Soviet republics; sometimes their malware includes code that stops an attack on a computer if its language is set to Russian, Belarusian, or Ukrainian.

When Minder founded GroupSense, in Arlington, Virginia, in 2014, the cybersecurity threat on everyone’s mind was data breaches—the theft of consumer data, like bank-account information or Social Security numbers. Minder hired analysts who spoke Russian and Ukrainian and Urdu. Posing as cybercriminals, they lurked on dark-Web marketplaces, seeing who was selling information stolen from corporate networks. But, as upgrades to security systems made data breaches more challenging, cybercriminals increasingly turned to ransomware.

Early last year, GroupSense found evidence that a hacker had broken into a large company. Minder reached out to warn it, but a server had already been compromised. The hacker sent a ransom note to the company, threatening to release its files. The company asked Minder if he would handle the ransom negotiations. Initially, he demurred—“It never occurred to me as a skill set I had,” he said—but eventually he was persuaded.

The profile on Minder dovetailed with the Times' collaboration with a criminal named Woris who gave the paper access to the tools gangs use to launch ransomware attacks:

The Times gained access to the internal “dashboard” that DarkSide customers used to organize and carry out ransom attacks. The login information was provided to The Times by a cybercriminal through an intermediary. The Times is withholding the name of the company involved in the attack to avoid additional reprisals from the hackers.

Access to the DarkSide dashboard offered an extraordinary glimpse into the internal workings of a Russian-speaking gang that has become the face of global cybercrime. Cast in stark black and white, the dashboard gave users access to DarkSide’s list of targets as well as a running ticker of profits and a connection to the group’s customer support staff, with whom affiliates could craft strategies for squeezing their victims.

In the chat log viewed by The Times, a DarkSide customer support employee boasted to Woris that he had been involved in more than 300 ransom attacks and tried to put him at ease.

“We’re just as interested in the proceeds as you are,” the employee said.

Together, they hatched the plan to put the squeeze on the publishing company, a nearly century-old, family-owned business with only a few hundred employees.

In addition to shutting down the company’s computer systems and issuing the pedophile threat, Woris and DarkSide’s technical support drafted a blackmail letter to be sent to school officials and parents who were the company’s clients.

The Russian government allows this to happen because (a) Russian President Vladimir Putin loves annoying the West, and (b) it seems obvious after two seconds of thought that Russian government officials are probably on the take.

All of this gets so exhausting, doesn't it? Simple economics demonstrates the inevitability of theft. It imposes a tax on everyone else, both financially (it costs money to set up good security) and mentally (I will never get back the hour I spent investigating the bogus DMCA notices). At some point, though, it just becomes easier to tolerate a certain level of theft than to build a squirrel-proof bird feeder.

I had planned to note Bruce Schneier's latest essay, "The Misaligned Incentives for Cloud Security," along with a report that Microsoft has noticed an uptick in SolarWinds attacks against its own services. But twice in two weeks I've received bogus DMCA takedown notices that tried to trick me into downloading files from a Google site, and I'm impressed by the effort that went into these phishing attacks.

In both cases, the attacks came through the blog's Contact page, meaning someone had to copy and paste the text into the form. They both lay out most, but not all, of the elements of a DMCA takedown notice, with lots of threatening (but inaccurate) text about what could happen if I don't comply. But here's the kicker: instead of specifying which of the Daily Parker's nearly 8,000 posts contain infringing material, as required by the DMCA, they contain a link to a file on a Google site that I should download to see the material they claim to own.

It turns out, I know a thing or two about copyright law, and about computer security, so I didn't fall for the phish. I worry, though, that this attack could fool a lot of people. Reminder, folks: never download a file you didn't specifically ask for. (In my case, I did attempt to download one of the files, in a sandbox, with virus protection jacked all the way up. The virus protection took one look at the file and didn't even allow the download.)

Let me enumerate the really sophisticated features of this attack:

• It contained mostly true information. People send out DMCA takedown notices all the time; experienced website administrators take them seriously when received. The author of this phish included the correct and relevant US Code sections, and a mostly-correct description of how the DMCA operates. They got the statutory damage amount totally wrong, but only because the number they used would scare people more.
• It didn't contain any English language errors. Whoever wrote the copy for this attack speaks perfect English. This wasn't a laughable 409 scam.
• It came through the Contact feature, not an email. The attacker took the time to go to the Daily Parker contact page, copy and paste the phishing text, and click "send." A human had to do that.
• It stated a plausible claim. This is Daily Parker post #7,922 since the blog started on 13 May 1998. It is conceivable that at some point in the last 23 years I posted a photo for which I didn't obtain a proper license. This would be true of any large blog or website.
• It used a real Google Sites link. The download link pointed to an asset actually stored on a google.com computer somewhere. That might convince someone of its legitimacy, unless you remember that anyone can put anything up on a Google Site or other cloud storage service. Again: never download a file you didn't specifically ask for.
• It came from a network in the US. Reverse-IP lookups showed the origin IP addresses to be owned by a major ISP in Colorado, not a scary Eastern European location. Of course, it means that the attacker has access to a computer physically located in the US, which means I'll send my own legal notice to the ISP if I receive another one of these.

Now, here's where they missed the mark:

• They asked me to download a file. No. No, no, no. GFY a thousand times with a chainsaw.
• The phish did not contain all the required elements of a DMCA takedown notice. They didn't list specific assets, with URLs, that they allege infringed their copyrights; they didn't assert a claim of ownership in a legally-sufficient manner; they didn't provide full contact information; and they didn't sign it. But of course they didn't, because the closer they got to legal sufficiency, the more information I'd have that they have no real claim.
• They sent two nearly-identical (but not identical enough) phishes 8 days apart. You think I didn't remember the first one? You think I didn't compare them? The second attempt simply confirmed that the first attempt wasn't merely an amateur-hour legal notice but, as I suspected, a phish.
• One of the phishes came through a non-publicized FQDN. Because I host the Daily Parker on Microsoft Azure, it has an Azure-provided fully-qualified domain name (FQDN) in addition to www.thedailyparker.com. I have never publicized the Azure FQDN, and as far as I know the Azure FQDN has no inbound links. I suppose it could have gotten picked up by a search engine, but again, without inbound links, I can't see how. It's not secret; it's just really odd that someone would use it.
• The claimant's names were...weird. I said earlier that the text of the phish used correct English throughout, but the names of the supposed claimants seem to have come from a name-generation tool. Seriously, the names were Ford Prefect-weird.
• It turns out, I'm well-versed in both copyright law and cybersecurity. This type of mistake even has an entire TV Tropes entry. I guess a criminal wouldn't necessarily know that, however. They might find out, should they send a third phishing attempt my way. Will I haul them into Illinois court to answer a tortious trespassing case? Probably not. But I might tell their ISP. And the FBI. Because at some point, they will get someone to open whatever malicious file they linked to, which I expect will lead to actual crimes.

In recognition the effort that went into this phishing attack, I wanted to publicize it in case it happens to anyone else. If you get an alleged DMCA takedown notice, and it doesn't meet the legal requirements as outlined by the USPTO, ignore it. And once more, with feeling: never download a file you didn't specifically ask for.

And if you're the script kiddie who sent the phish, GFY with a tree. Sideways.

Now that I'm more than two weeks past my second Pfizer jab, I'm heading to O'Hare tomorrow for the first time since January 2020. I remember back in September 2018 when I finally broke my longest-ever drought from flying of 221 days. Tomorrow will mark 481 days grounded.

But that's tomorrow. Today, I'm interested in the following:

• Mother Jones obtained leaked video showing the right-wing group Heritage Action for America bragging that it had essentially drafted all the voter-suppression bills going through state legislatures right now.
• Former presidential speechwriter James Fallows describes "how FDR changed political communication."
• Via Andrew Sullivan, former UK Prime Minister Tony Blair warns that the Labour Party must reform if they want to win elections.
• Researchers discovered the nearly 2,000-year-old skeleton of a Roman soldier, who they believe was dispatched to Pompeii on a rescue mission in the aftermath of the 79 CE eruption of Mt Vesuvius.
• Bruce Schneier says that "ransomware is getting ugly," and pointed me to Brian Krebs' report on the Colonial Pipeline attack last week.

And finally, Chicago's endangered piping plovers Monty and Rose have laid three eggs. We should see baby piping plovers in about four weeks.

A supporter of the XPOTUS has organized, with the help of the Arizona State Senate, a private hand-recount of Maricopa County's ballots. Apparently they're looking for bamboo fibers? Yeah, it's just as crazy as it sounds:

On the floor of Veterans Memorial Coliseum, where Sir Charles Barkley once dunked basketballs and Hulk Hogan wrestled King Kong Bundy, 46 tables are arrayed in neat rows, each with a Lazy Susan in the middle.

Seated at the tables are several dozen people, mostly Republicans, who spend hours watching ballots spin by, photographing them or inspecting them closely. They are counting them and checking to see if there is any sign they were flown in surreptitiously from South Korea. A few weeks ago they were holding them up to ultraviolet lights, looking for a watermark rumored to be a sign of fraud.

The 2.1 million ballots were already counted by Maricopa County election officials in November, validated in a partial hand recount and certified by Gov. Doug Ducey. Two extra audits confirmed no issues. No evidence of fraud sufficient to invalidate Joe Biden’s narrow victory in Arizona and Maricopa County has been found.

Still, counters are being paid $15 an hour to scrutinize each ballot, examining folds and taking close-up photos looking for machine-marked ballots and bamboo fibers in the paper. The reason appears to be to test a conspiracy theory that a plane from South Korea delivered counterfeit ballots to the Phoenix airport shortly after the election.

When the recount started, the ballots were viewed under ultraviolet light to check for watermarks. A theory popular with QAnon followers has it that Trump secretly watermarked mail ballots to catch cheating.

Meanwhile, our named adversary, Russia, continues to disrupt our economy with impunity because people don't know how to do security.

Spring has gone on spring break this week, so while I find the weather pleasant and enjoyable, it still feels like mid-March. That makes it more palatable to remain indoors for lunch and catch up on these stories:

• Josh Marshall reminds us why, given today's anemic jobs report, listening to Larry Summers never ends well.
• David Brooks asks, "Could today’s version of America have been able to win World War II?" Tl;dr: Nope.
• George Conway III outlines Rudy Giuliani's legal troubles.
• Ted Koppel takes a look at "cancel culture" in the context of the past 40 years. Tl;dr: old practice, new name.
• Thanks to inside dealing, bad drafting, and the usual bullshit neighbors give each other, a 6-unit condo building in Wicker Park with 5 parking spaces has triggered a 3-year lawsuit over who can park in one of the spaces.

And finally, via Bruce Schneier, Australia has proposed starting cyber-security training in Kindergartens.

We have gloomy, misty weather today, keeping us mostly inside. Cassie has let me know how bored she is, so in the next few minutes we'll brave the spitting fog and see if anyone else has made it to the dog park.

Meanwhile:

• As today is May the Fourth (be with you), NPR reminded us of the time they produced a radio drama based on "A New Hope."
• It turns out, the FBI never actually got around to warning Rudy Giuliani that he was the target of a Russian disinformation campaign.
• The US Trustee, the Department of Justice official charged with enforcing bankruptcy laws, has told the court overseeing the National Rifle Administration's bankruptcy that the US Government opposes the organization's petition, instead arguing that NRA Executive Vice President Wayne LaPierre's mismanagement brought the NRA to its current state of affairs.
• Via Bruce Schneier, German security researchers successfully took over the infotainment system in a parked Tesla using a drone.
• David Frum says that "China is a paper dragon."

All right, off to the damp dog park.

Happy 51st Earth Day! In honor of that, today's first story has nothing to do with Earth:

• The MOXIE experiment on NASA's Perseverance rover produced 5.4 grams of oxygen in an hour on Mars, not enough to sustain human life but a major milestone in our efforts to visit the planet.
• Back on earth, the Nature Conservancy has released a report predicting significant climate changes for Illinois, including a potential 5°C temperature rise by 2100.
• Microsoft has teamed up with the UK Meteorological Office (AKA "the Met") to provide HPE Cray EX supercomputers capable of 60 petaflops and storing 4 exabytes of data.
• The Chicago Transit Authority has begun running brand-new, Chicago-built rail cars on the Blue Line, which runs from O'Hare Airport through the Loop and out to Oak Park.
• Guthries Tavern, a Chicago institution since the 1930s that closed because of the pandemic, will reopen under new ownership.
• Are you feeling blah in the late-stage pandemic? You could be languishing.
• Via Bruce Schneier, the New Yorker explains how North Korea has created an army of cyber thieves.

Finally, it looks like I'll have some really cool news to share about my own software in just a couple of weeks. Stay tuned!

The United States Postal Service has a surveillance program that tracks social media posts for law enforcement, and no one can say why:

The details of the surveillance effort, known as iCOP, or Internet Covert Operations Program, have not previously been made public. The work involves having analysts trawl through social media sites to look for what the document describes as “inflammatory” postings and then sharing that information across government agencies.

“Analysts with the United States Postal Inspection Service (USPIS) Internet Covert Operations Program (iCOP) monitored significant activity regarding planned protests occurring internationally and domestically on March 20, 2021,” says the March 16 government bulletin, marked as “law enforcement sensitive” and distributed through the Department of Homeland Security’s fusion centers. “Locations and times have been identified for these protests, which are being distributed online across multiple social media platforms, to include right-wing leaning Parler and Telegram accounts.”

When contacted by Yahoo News, civil liberties experts expressed alarm at the post office’s surveillance program. “It’s a mystery,” said University of Chicago law professor Geoffrey Stone, whom President Barack Obama appointed to review the National Security Agency’s bulk data collection in the wake of the Edward Snowden leaks. “I don’t understand why the government would go to the Postal Service for examining the internet for security issues.”

I mean, scraping social media takes only a modicum of technical skills. In the last year I've written software that can scan Twitter and run detailed sentiment analysis on keyword-based searches. But I'm not a government agency with arrest powers. Or, you know, a constitutional mandate to deliver the mail.

Weird.

Today's end-of-workweek stories:

• National Geographic details who needs to wear a mask outside, and who doesn't.
• New Yorker reviews a documentary on WeWork and the "decade of delusion" around it.
• Someone broke into the PHP master Git server and tried to put a backdoor in the most ubiquitous Web platform out there.

Finally, today is the 157th anniversary of the surrender of the traitors and the end of the white rebellion in America. (Sounds different these days, doesn't it?)