How Russia is exploiting Telegram for war funding and news coverage

While lots of focus is on TikTok, I would argue that many of us are missing the influence and role played by the messaging network of Telegram. In this post, I explain why that could be a bigger threat to the online world.

Last fall, I wrote a post for SiliconAngle about how social media accounts are being used by pro-Russia misinformation groups. This was based on a report by Reset sponsored by the EU. One of the results from this report is that Telegram is very permissive in allowing hateful content and propaganda. A new report from  the Atlantic Council’s Digital Forensic Research Lab last week takes a deeper dive into how Telegram has been a communications kingpin for Russia’s war, and how effective and pervasive it is. The social network is not only being used for misinformation purposes, but also to recruit mercenaries, fund their purchases of tactical equipment and medical supplies, and serve as primary sources for Russian TV war coverage. The council calls it a digital front and another battlefield in the Ukraine conflict.

What surprised me was the huge audience that Russian Telegram has: with an estimated 30M monthly active users, billions of views and its cozy relationship with various Russian state-sponsored traditional TV channels. There are even channels run by the NY Times and Washington Post that were created to get around website and other internet content blocks.

By now, most of us are familiar with the term “catch and kill” as it applies to media buying stories that are never intended to run. Pro-Russia Telegram channels are paid not to mention specific persons or companies.

My analysis for Avast’s blog about data privacy of various messaging networks from early 2021 shows that Telegram isn’t as anonymous as many people first thought. The council’s report confirms this, finding government crackdowns on supposedly anonymous Telegram channels that have real-world consequences of arrest and prison terms for those channels that take these anti-government positions. Even so, there are many Telegram channels that continue to be critical of government policies and operations, such as those supporting last summer’s failed Wagner mutiny.  “While Telegram positions itself as a censorship-free platform, the available evidence demonstrates how the service is not a completely safe place for critics of the war,” they wrote. Wagner’s head Yevgeny Prigozhin discovered this first hand and died after declaring his mutinous intentions initially on Telegram.

Some of Russia’s military bloggers offer occasional criticism of the war, which adds to their credibility and popularity. “Users see their efforts as trustworthy and balanced, especially when compared to state media resources,” the council’s report wrote. That is not only insidious but dangerous, especially as many posts are widely shared and get millions of views.

As I mentioned earlier, many of the Telegram accounts openly ask for donations, providing bank account numbers and crypto wallet addresses, mostly in Bitcoin and Tether (ironically, one that is tied to the US dollar). The funds collected have been significant, in the equivalent of millions of dollars. They are also used for recruiting fighters and coordinating hacktivism efforts such as DDoS’ing Ukrainian targets such as civilian infrastructure, government data centers and banks. Ironically, Telegram is also used to help Russians avoid the draft with all sorts of tips and strategies on how to emigrate out of the country.

The final irony is that Telegram was created by two Russian brothers to get around government censorship, and was blocked by the government for several years. The brothers now live in Dubai and the Russian government has decided to leverage the network to amplify its propaganda and complement its communications.

The arrival of the digital guillotine

Our online cancel culture took another step deeper into the morass and miasma that shows how sophisticated, toxic, and partisan it has become. The 2024 version now comes with a new label called digitine, for digital guillotine, meaning cutting off discussion of the other side, boycotting the companies that have taken opposing positions, and moving to a worldwide audience.
Remember the Facebook ad boycott of the summer of 2020? That seems so naive now. Here are a few ways things have gotten worse:
  1. Much of the digitine can be traced to the division over two controversial wars and ratcheted up the hyper-politica volume. Either you are for Hammas (as incredible as that sounds) or for Israel. Pro-Russia or Ukraine. There is no middle ground. 
  2. It is religious. Jew vs Arab. Or more accurately, pro-Jew vs. anti-Jew. Bring out those dusty anti-semite tropes and re-quote the protocols of Zion. They aren’t so dusty after all. This has created all sorts of secondary corporate spillover effects. Say your company announces support for one or the other side. That triggers all sorts of boycotts and protests (as an example, what is happening in Malaysia — a Muslim-majority country — with complaints about Starbucks’ support of Israel). It takes apart our global village.
  3. It is directed at celebs/influencers, not the digital platforms themselves as the 2020 Facebook ad boycott. Makes it easier to digest, to put on placards, to gather media coverage. The viral nature of these clips, gassed up with social networks, feed into the outrage machinery which  brings these campaigns quickly to millions.
  4. Speaking of which — the dis/misinformation tooling has gotten better. Thanks AI. Who needs Russian human-based troll factories when you can generate the memes faster with GPU-laden computers? This is aided and abetted by easy manufacture of deep fake celebs that are “captured” espousing one thing or another. (Scarlett will appear before the House cybersecurity committee later this year, oh boy!)

Sure you can silence the folks on your feed that are caught up in these campaigns. Or leave the worst offending platforms (such as one that uses a single letter). But these are like using a band aid to stop an arterial bleeding.

The latest threat to ecommerce: crackdowns by the US Customs and Border Protection

If you want to ship illegal goods into the US, you might think sending them via air freight as probably the worst way to get them into the country. You would be wrong. Tens of thousands of tons of shipments enter our air freight ports every day, and the vast majority of them receive no inspection whatsoever.

In the past, the US Customs and Border Protection (CBP) agency has made it easier particularly for smaller volume shippers to send their stuff here without having to pay any duties or tariffs, under what is called an Entry Type 86 exception. This means if the value of the item is less than $800 per buyer and per day that the shipment arrives, nothing is owed. Last year a billion such packages came into the US, with many coming from two Chinese shippers, Temu and Shein.

But criminals are clever, at least initially. Many of them have taken advantage of Type 86 exemptions to ship drug precursor chemicals and raw textiles and other things, knowing that their cargo won’t be touched as it moved through the ports. Well, that situation has changed and now CBP is checking things more carefully. As you might imagine, given the tonnage that goes through our ports, this is slowing things down considerably. The stricter scrutiny has had results: CBP has suspended customs brokers from the Type 86 program and seized many illegal shipments.

There are several downstream problems that could happen. First, expect delays on your favorite Amazon package that isn’t in their own warehouse and has to come from overseas. Cargo flights will be delayed or cancelled when the warehouse ports fill up with yet-to-be-inspected merchandise. Second, criminals will undoubtedly migrate to maritime shipments, which don’t get much in the way of inspection either. Third, major shippers will probably shift to consolidating orders and shipping to their own warehouses. All this means longer shipping times and these delays could result in higher prices to the ultimate consumer. All of this turmoil could spell trouble for legit ecommerce businesses that rely on predictable shipments of their goods, which is ironic when you think about it.

The miserable mess that is Microsoft Recall

Last week Microsoft announced a new feature that is a major security sinkhole called Recall. It is a miserable mess, and makes Windows more vulnerable to attack. Sadly, it will be operating by default unless you get out your secret decoder ring and lock it up behind some group policies.

Why is Recall so bad? It combines the features of a keylogger and an infostealer and puts them inside the Windows OS. It automatically takes frequent screenshots of what you are doing, and stores them on your hard drive. This data is stored in a searchable database, so you can rewind what you are doing to a specific point in time. This includes all your passwords, if they are displayed on screen. Kevin Beaumont wrote that Recall fundamentally undermines your security and introduces immense new risks.

It didn’t take long after the announcement at Build, Microsoft’s annual developer conference, for the UK ICO, its privacy agency, to open an inquiry. Yes, hackers would need to gain access to your device and figure out the encryption of the data, but these aren’t big hills to climb. “Something could go wrong very quickly,” said one security researcher. 

Eva Galperin, director of cybersecurity with the Electronic Frontier Foundation, said Recall will “be a gift for domestic abusers,” given that a partner would have physical PC access and perhaps login details too. She said the database of screenshots would be a tempting target for hackers.

Bh187 Total Recall GIF - Bh187 Total Recall Arnie GIFsMicrosoft will start selling its own line of AI-enabled laptops later this summer that will include Recall. Sometimes total recall goes awry, as fans of the original Arnold movie (or Philip Dick short story) might remember. It’s too bad that this is one journey from sci fi to reality that we could do without.  Here is how to disable it.

A new week and new threats to worry about

This week I saw two stories that sent a chill up my spine. They indicate that cybersecurity is an ever-evolving universe where exploits continue to find new ground, and defenders have to look carefully and remain ever-vigilant. Let’s take a look.

The first one sounds almost comical: two UC Santa Cruz students figured out how to get their clothes cleaned at their dorms’ laundry room for free. But behind the stick-it-to-the-man college prank lies a more sobering tale. The students were able to analyze the data security posture of the laundry vendor and find a combination of weak programs to run endless wash-and-dry cycles almost surgically. The vendor wasn’t some small-time operator either: they run a network of a million machines at hotels and campuses installed around the world. But despite this footprint, they have miserable application security. To wit, there is no way for anyone to report any vulnerabilities, either online or via phone.  The company’s mobile app, used to pay to activate a specific machine, has no authentication mechanisms and so the students were able to top off their accounts without spending any actual money. The APIs used by their apps don’t verify the users, so the students could issue commands to the washers and dryers, commands that were easily discovered with the company’s own documentation.

The students were responsible, although they did “top off” their accounts to the tune of a million dollars, just to make a point. The only thing the laundry vendor did do was zero these accounts out but didn’t fix any of the other flaws. Nor did the company reach out to them or work with them (or any actual security researcher, at least according to what I read), again showing a complete cluelessness.

I will let you spin up the various morals from this story. I was impressed with the level of professionalism that the students demonstrated, and would imagine that they will have no problem getting infosec jobs and will do well once they have to leave the halls of academia and have to start paying for their own laundry operations.

Let’s move on to the second story, about how your Wifi router can be used as another means of surveillance. Brian Krebs broke this one, based on research from two University of Maryland computer scientists. They discovered a way to de-anonymize the locations of Wifi routers based on the network communications of Apple and Google products that connect to them. The problem lies in the design of Wifi positioning systems that are seeking more precise geo-locations: think Apple AirTags and other GPS applications that are tracking your movements. Attackers could leverage these processes to figure out specific movements of people, even people that haven’t given any permission to be tracked and are just moving about the world. Someone with a portable travel router, for example, is ripe for this exploit. The research paper posits three situations that demonstrate what you can learn from this analysis, such as tracking the movements of Gazans after 10/7, the victims of the Maui wildfires last summer, or people involved on both sides of the war in Ukraine.

As they wrote in their paper, “This work identifies the potential for harm to befall owners of Wifi routers. The threat applies even to users that do not own devices for which the Wifi positioning systems are designed — individuals who own no Apple products, for instance, can have their router listed merely by having their Apple devices come within Wifi transmission range.”

For privacy-concerned folks, one solution is to append “_nomap” to the SSID name of your Wifi router, which will prevent Apple and Google from using its location data.

I remember Myst

I have long been a fan of quirky museums and collections, and heard last week about the Museum of Play, based in Rochester NY. They recently awarded their latest round of “hall of fame” computer video games, and on this year’s list is Myst. This 30+ year old game was a significant moment in its day and a big hit back as I wrote on a blog from 2012. It sold more than six million copies and raised the bar from crude graphics and beeping computer generated noises that were found in many of the early games from that era. After hearing about the news, I wanted to dust off my software and try to take it for another spin (which is what I did back in 2012), but alas, I didn’t have the right vintage of OS and drivers to make it work.

Myst gets a fully modern update in this realtime 3D Masterpiece Edition - PolygonAs I wrote back then in my blog, I observed that Myst’s graphics were not anything like more modern games. Its genius was giving equal weight to both graphics and audio, and while I was clicking about its landscape, I left the sounds of the ocean lapping up against the rocky island playing while I was working, and it was very soothing. The museum says it was slow paced and contemplative but inspired wonder. I concur.

Myst was not a first-person-shooter, but a game that involved solving puzzles, puzzles that had very inscrutable clues that were easy to miss at first glance. It easily got frustrating, and I often found myself going back over ground that I thought I had covered, only to find another hidden puzzle that unlocked a new landscape. Eventually, I bough a cheater book to get to the end of the game, thereby sealing my fate as a forever-novice gamer.

Myst came along at a time when PCs were just getting CD-ROMs installed: I remember buying this add-on package from Soundblaster because those early computers didn’t have any audio support either. And figuring out that puzzle of drivers, OS updates, and rooting around inside my computer to connect everything up was my first foray into building the kind of computer that we now take for granted where sound and optical media (and writable multi-speed ones at that) are part of the package.

Well, at least we can take the sound features for granted —  we seem to be moving away from having DVD drives as standard equipment in the name of streaming and having ultra-thin laptops and tablets. It also came at a time when color monitors were very new to the Mac world and graphics cards came with very little additional memory. This meant that the ability to do full-motion high-resolution video was still far off. Now we have graphic processors that have more horsepower than the CPUs in the same machine, and companies like Nvidia and AMD are finding new markets in providing the GPUs for doing machine learning and AI processing.

And software such as Photoshop and QuickTime were very much v1.0, barely able to keep up with the demands by the game’s two brothers who created it. Creating the three-dimensional images wasn’t easy: rendering took hours per image, because of software and hardware limitations.

And it especially wasn’t easy because the internet hadn’t yet taken off: the Myst dev team had to resort to “tire net” — meaning driving around the latest builds on removable media that were probably all of a 100MB in capacity and delivering them to various team members.

The Miller brothers would also star as actors in the video segments that a player would uncover in the game itself.

Myst was also ahead of its time when it came to non-linear storytelling: we have since had various feature films that are so constructed, such as Sin City in 2005 and Pulp Fiction, just to name a few of them. Rand Miller in a long interview with Ars done a few years ago speaks about how real life is all about embedding stories, and Myst was the first time that a game used this technique to make it more realistic and compelling. It was as if the made-up world was talking back to you, the gamer, directly. Again, now we take this situation very much for granted in modern games.

So I am glad after all these years that Myst is receiving some recognition, even if it is in a quirky Rochester museum, and even if all of my aging PCs can’t run it because they are n’t old enough. But if this essay has piqued your interest and you want to run Myst for yourself, act now and offer to pay the Fedex delivery and it could be yours. I will pick one reader to get the 3-CD package of Myst and its successor games — if you have a vintage machine that is old enough to run it.

The battlefield smartphone: a progress report

Thaddeus Grugq’s latest newsletter opines on the role of the smartphone in how warfare is reported on by the media, calling it a revolution in military media relations. Things have certainly changed since battlefield reporters began reporting on wars: events are posted in near-real-time, with streaming color video transmitted via social media networks, shrinking the distance from the war zone to the reporter and viewed around the world. “The information environment is truly beyond the control of the military,” he writes.

This is perhaps the ultimate in media disintermediation. There are no gatekeepers, everyone with a smartphone and a You Tube channel is now a “citizen journalist” with a ready-made audience.

It isn’t just for the reporters: there are benefits for smartphone-toting warfighters as well. There have been plenty of articles that have documented how soldiers have exploited smartphones over the past several years, including this one that documents what is going on in Israel. It enables the troops to better communicate with their families, something that I am personally familiar with my Israeli son-in-law, who has been deployed several times since the war began. When he was deployed in Gaza, his regular phone didn’t work, so it was always stressful. But when he was deployed in Israel, he was in touch with us, which seemed surreal. Even foxholes now have Wifi.

And of course smartphones and citizen journalists aren’t restricted to the war zone either, such as coverage of the riots during the Ferguson summer of 2014 and this spring’s college encampments. Some of that reporting was better than the mainstream media, to be sure. That link explores the concept of citizen journalists that I wrote during that summer.

But we have crossed a Rubicon of sorts with the Israeli government literally shuttering Al Jazeera’s Jerusalem studios this week. My daughter, who has been living there for many years, and I disagree on this action (she is in favor of the shutdown, I think the network should be allowed to continue to broadcast). Imagine if Biden were to shutter Newsmax. Or if police raided a newspaper in Kansas. (Wait, that did happen last year.)  For many years, I watched the early morning news coverage from Al Jazeera English’s programming. It was mostly fair. I haven’t seen much since the war began last October, and I am not sure how I would react to hearing misinformation being broadcast now.

The record of independent journalism in the Israel-Hamas war is a difficult one, because no one can really do research. But imagine if nearly 100 journalists were killed by the US in one of our recently wars — that is the current tally of who has been killed in Gaza and the West Bank, according to the CPJ. None of these people were engaged in any military capacity, at least according to their documentation. And Israel has also blocked any journalists from entering Gaza, making matters more difficult.

Let’s look at the coverage of the college protests. We saw the furniture barricades at Hamilton Hall on Columbia’s campus: is that a peaceful protest? Did the police act responsibly? With all the live streams, including some from the police bodycams, it is hard to say. Now imagine having very limited access to what is going on (which some colleges are trying to do). For all the real-time streaming, the fog of war becomes very thick indeed.

I wrote after the Ferguson riots, that if we are going to be a shining example of a working democracy, we need a strong and independent press that can document police abuses. Otherwise, we are no better than the countries we criticize for trumped up charges and wrongly arresting people. The same is true for wartime journalism.

Managing your identity theft protection

World Password Day is Thursday, I know all of my readers are gearing up major parties to celebrate. What, you don’t know about this day in flackery?  Read on.

I know my inbox runneth over with WPD PR pitches. Perhaps you have already planned your day, such as noting yet another account of yours that has been breached? Another chance to reuse that password from 1992? Time to get another password manager other than Lastpass? Or perhaps just have a cupcake decorated with ones and zeros? (Image credit: Google’s Gemini)

Here is how I am celebrating. I am actually reviewing the two free identity protection services that I have been granted, thanks to two recent and massive data breaches. One is from the credit bureau Experian, the other from a company called IdentityDefense.com. Normally, these outfits charge anywhere from $10 to $30 a month, and in the past I have not been motivated to use these, or any other service. Here is the problem: being a privacy paranoid person, I don’t want to give out any of my numbers. Yet to sign up for these services, you have to lay it all out there: SSN, birth date, previous addresses, drivers license, phone numbers and so forth.

Some things you might want to know: my wife and I have had spurious credit card charges over the years — one just recently where someone kept trying to charge a rideshare in San Francisco repeatedly. And I think her credit is still frozen (although I don’t recall when we got it or if we actually unfroze it).

The dashboard for IdentityDefense looks like this:

You’ll notice that it shows you a bunch of dark web alerts (where a bunch of passwords have been collected after a breach by some baddie), my credit score (nice), and a bunch of other stuff. The alerts all date from when I initiated the service last month and haven’t been updated. Some of these alerts are less than meaningful, such as the breach of Xss.js that was found in May of 2018 or the one called Combolist_bundles_solenya from December of 2017. I have no idea what these were, and if actually wanted to change my password, where to go about doing so. On some of the other dark web listings, the breach id’ed an actual website where I didn’t ever have an account. So right away, you can see that this information isn’t very helpful.

One thing that IdentityDefense does have is a way to file online credit freezes for the three credit agencies. You could probably find the web pages for these on your own, but still, it is nice to have this all here in one place.

Let’s look at the Experian ID works dashboard. It is less than useful:

This is because almost everything that you want to know about will require a lot of clicking around, For example, you see the “CreditLock” panel — that is slightly more than a freeze, because you can lock and unlock it in real time, and of course this is just for Experian. When you find your way to the dark web alert report, you will also see a lot of useless data, such as an email address for me that I have never used, although attached to my actual phone number. One alert had both the right phone and email for a breach from Apollo.io in July 2018, never heard of them, and when I tried to reset my password on their site, it claimed no one with that email has an account.

There is another service that businesses use to manage their dark web and other threats that I have used from time to time from CyberSixGill.com, where I wrote a white paper for them a few years ago. That paper spoke to this situation of not having very complete information about what was breached, or how metadata on the breach wasn’t of sufficiently high-enough quality or complete enough to be actionable. I wrote that you should be able to visualize the context of the threat and figure out where you were compromised, and what you should do in the future to prevent something similar from happening. That is still very much the case.

And if you are in the market for one of these services, you can read Paul Bischoff’s hands-on review of these and other services here on Comparitech. He puts them through more rigorous testing, and recommends services depending on how much of your life you want to divulge and then protect, and how complex a financial situation you might have.

So you should know by now that when something is free, it may or may not have any value to you. That latter situation is certainly the case with these protect-after-breach situations. Far better to have stronger (long and complex) passwords that are unique and managed by a service other than LastPass (I use Zoho Vault, which is free and does have value).

And if you are still in the mood to celebrate WPD, this comment from a security nerd from 2018 is instructive: “Happy WorldPasswordDay. Or in 90 days, WorldPassword1 Day.” Last year, I wrote: “Maybe on WPD in 2024 we can finally break out the bubbly and celebrate their actual demise.” Nope, not yet, put that bottle back in the fridge.

Beware of the pink slime website

Jack Brewster built his own hyperlocal news website in a couple of days and with a grand total investment of $105. What is significant is the circumstances by which he accomplished this. He used these funds to hire a programmer that he never met. Although Brewster had no other specialized expertise, he was able to launch a fully automated, AI-generated “pink slime” site capable of publishing thousands of articles a day. What is scary is that he could tune the AI to create whatever partisan bent and nearly all of the articles were rewritten without credit from legitimate news sources. Brewster is a reporter for the Wall Street Journal and describes his process here. “The appearance of legitimacy is everything online, and pink-slime websites are a serious menace,” he concluded.

This is the first time I have heard the term. It is certainly evocative, and dates back a few years. I last wrote about this condition in the pre-AI era, when actual people were being paid close to nothing to create this so-called content. That link has a bunch of resources to help you spot these fakes, but as AI gets better at sounding like some overblown windbag commentator, it will certainly get harder to discriminate what is real and what isn’t.

Apparently, slime pays. His programmer has built hundreds of these types of slimery, and is one of many, many people who advertise their services on Fiverr and other employment-as-a-service websites. What they are doing isn’t (yet) illegal, but makes me (and Brewster for that matter) uncomfortable. He set up his site behind a paywall, but the WSJ piece has a screencap where you can see what it looks like.

Speaking of Fiverr, long ago and in a galaxy far, far away I set up my own site to sell my freelancing services. Needless to say, I had no takers. My rate was a lot higher than the programmer Brewster hired for his website.

Brewster does misinformation tracking for a living, so it is somewhat ironic that he paid to produce his own slime site. His operation, Newsguardtech.com, has tracked more than a thousand slimy sites, and offers browser extensions and various other tools to rate news sites, both slimy and (supposedly) legit ones.

Of course, that isn’t the only development of genAI content. This movie trailer looks so airbrushed that it is hard to watch. One reviewer wrote:

It is not clear whether the trailer is bouncing between different characters, or if TCL has been unable to figure out how to keep them consistent between scenes. The lip-synching is wildly off, the scenes are not detailed, walking animations do not work properly, and people and environments warp constantly.

All I can say, this is one bad movie trailer, and I am sure an even worse movie.

I guess it is a testament to the progress of genAI that we have come so far, so fast. And perhaps this is yet another reduction of the circumference of the noose around my own neck, or an indication of how my astronomical pay rates (at least, seen in this AI/Fiverr context) really are.

Dark Reading: Electric vehicle charging stations still have major cybersecurity flaws

The increasing popularity of electric vehicles isn’t just a favorite for gas-conscious consumers, but also for cyber criminals that focus on using their charging stations to launch far-reaching attacks. This is because every charging point, whether they are inside a private garage or on a public parking lot, is online and running a variety of software that interacts with payment systems and the electric grid, along with storing driver identities. In other words, they are an Internet of Things (IoT) software sinkhole.

In this post for Dark Reading, I review some of the issues surrounding deployment of charging stations, what countries are doing to regulate them, and why they deserve more attention than other connected IoT devices such as smart TVs and smart speakers.