The tech stack of the disinformation triad: blogs, ads, and podcasts

A year ago we saw the fruits of disinformation writ large with the Capitol attack. Since then, I have thought a lot about how this came about, and today I wanted to discuss what I will call the tech stack of the disinformation triad, and how blogs, ad exchanges and podcasts act as a self-reinforcing ecosystem. (And I include misinformation here as well.)

Most of the vitriol about disinformation campaigns has focused on the social media platforms removing or silencing various users. While these Tweets and Facebook posts are reprehensible, I don’t think we are focusing on the right place, and they don’t belong in the tech stack per se.

Each of the three elements plays an important role in the stack:

  • Blogs originate the disinformation content that draws in visitors. For best results, make your content more outrageous and more trolling. Steer clear of any actual facts too.
  • Ad exchanges place ads on these blogs (and other websites) that generate the cash to support the disinformation apparatus. These exchanges aren’t well known, aren’t well regulated, and make it easier for content creators to attract A-list brands to lend their websites an air of legitimacy. More on that in a moment.
  • Podcasts create the audio (and in some cases video) clips that are shared across social media and also drive visitors to the blog for further explanation. In some cases, podcasters originate disinformation through some off-the-cuff remark that gets taken out of context (or not). A recent NYTimes article cites research on how pervasive these podcasts have been at spreading disinformation.

Let’s look at who supplies these enabling technologies in the stack:

  • Blogs: WordPress, certainly. Medium and Substack should also be here. You can put up a basic blog in minutes at less than $10 a month now.
  • Ad exchanges. Here is a short test. Have any of you ever heard of the following brands: MGID, FreeWheel, Xandr, 33Across, and TremorHub? If you go to their various websites (I won’t link to them, sorry), you will find all sorts of euphemisms, such as “publisher monetization company,” or “an integrated solution to unlock addressability and monetization” vendor. What they really are is networks of advertisers that take a commission to place ads on websites.
  • Podcasts. There are many underlying technologies to produce a good podcast: video and audio editors, streaming sites, search engines. But I would point towards Apple, Spotify, Stitcher, Google Podcasts and YouTube. What, you didn’t know Google indexes podcasts? Yep. And if you read the NYT article linked above, you will see that disinformation-laced podcasts that were banned on YouTube are still being promoted on Google Podcasts. No one said that Alphabet/Google has to be consistent.

We should, as the Watergate reporters did, follow the money. Cut off the cash supply (as happened in 2019 to one podcaster), and the other parts of the triad will have to regroup. One advocacy organization is trying to do exactly that. The problem is that the exchanges make various claims, such as that they preserve privacy (by not using cookies) or police their advertisers, but don’t really deliver. And because the exchange is an intermediary between the brand and the web property that runs the ads, it is easier for everyone to say that disinformation-related ads were placed on the network in error or slipped through any trivial vetting process. Cue the Zuck apology tour highlight reel puh-leeze.

As you can see, the disinfo tech stack isn’t just the fault of social media platforms. Certainly, they have aided and abetted the spread of disinformation. But let’s get the cause and effect tech chain straight.

Avast blog: New ways to phish found by academic researchers

A years-long research effort between computer scientists at Stony Brook University and private industry researchers has found more than 1,000 new and more sophisticated phishing automation toolkits across the globe. What’s interesting about this effort is that these tools can help subvert the multi-factor authentication (MFA) of just about any website using two key techniques, man-in-the-middle (MITM) and reverse web proxies. In my blog post for Avast, I talk about how the attack works, how these tools were found in the wild, and what you can do about them to keep using MFA to protect your own logins.

Avast blog: Countering disinformation requires a more coordinated approach

The US Cyberspace Solarium Commission’s latest report, entitled Countering Disinformation in the US, is the latest analysis to come from this two-year-old bipartisan Congressional think tank. The report, which was released earlier this month, takes a closer look at the way disinformation is spread across digital networks and proposes a series of policy actions to slow its spread using a layered defense.

Whether or not the US Congress will take up these recommendations is hard to say. Certainly, the current hyper-partisan split won’t make it easier. You can see the move away from bipartisan bill sponsorship as documented by the report in the graph above. You can read more in my post for Avast here.

Infoworld: What app developers need to do now to fight Log4j exploits

Earlier this month, security researchers uncovered a series of major vulnerabilities in the Log4j Java software that is used in tens of thousands of web applications. The code is widely used across consumer and enterprise systems, in everything from Minecraft, Steam, and iCloud to Fortinet and Red Hat systems. One analyst estimates millions of endpoints could be at risk.

There are at least four major vulnerabilities from Log4j exploits. What is clear is that as an application developer, you have a lot of work to do to find, fix, and prevent Log4j issues in the near term, and a few things to worry about in the longer term.

You can read my analysis and suggested strategies in Infoworld here.

Tech and Main podcast: Let’s talk about passwordless

I am back on Shaun St. Hill’s Tech and Main podcast, this time talking about the benefits and frustrations of using passwordless technologies. There are some signs of hope, particularly with new tools that don’t require you to type in one-time codes but can recognize your smartphone’s intrinsic hardware to help authenticate you. Of course, this means you need a smartphone for every employee.

Biznology: An update on women in tech

Eight years ago, I attended a conference (remember doing that in person?) and had a chance to hear from some pretty amazing speakers, many of them women. The conference, Strangeloop, was notable for their number, in a tech field that so often diminishes the contributions of women and POC. I happened upon the piece that I wrote and asked the women I interviewed if they had more recent experiences that they would like to share with my readers. Sadly, while there has been some progress, it isn’t much.

You can read the story in Biznology here.

Retaining my back catalog

Taylor Swift and I have something in common: we both are having trouble retaining our back catalogs. In her case, she is busily re-recording her first six albums since the originals are now under the control of a venture-backed investment group. In essence, she is trying to devalue her earlier work and release new versions that improve upon the recordings. In my case, I am just trying to keep my original blog posts and other content available to my readers, despite the continued effort by my blog editors to remove this content. Granted, many of these posts are from several years ago, back when we lived in simpler times. And certainly a lot of what I wrote about then has been eclipsed by recent events or newer software versions, but still: a lot hasn’t. Maybe I need to add more cowbell, or sharpen up the snare drums. If only.

I realize that many of my clients want to clean up their web properties and put some shiny new content in place. But why not keep the older stuff around, at least in some dusty archive that can still receive some SEO goodness and bring some eyeballs into the site? Certainly, it can’t be the cost of storage that is getting in the way. Maybe some of you have even done content audits, to determine which pieces of content are actually delivering those eyeballs. Good for you.

That link recommends removing non-relevant content, though, which I don’t agree with. I think you should preserve the historical record, so that future generations can come back and get a feel for what the pioneers who were making their mark on the internet once said and felt and had to deal with.

Some newspaper sites take this to the extreme. In July 2015, the venerable Boston Globe newspaper sent out a tweet with a typo, shown here. Typos happen, but this one was pretty odd. How one goes from “investigate” to “investifart” is perhaps a mystery we will never solve, but the Globe was a good sport about it, later tweeting, “As policy we do not delete typographical errors on Twitter, but do correct #investifarted…” Of course, #investifarted was trending before long. The lesson learned here: As long as you haven’t offended anyone, it’s ok to have a sense of humor about mistakes.

Both Tay and I are concerned about our content’s legacy, and having control over who is going to consume it. Granted, my audience skews a bit older than Tay’s – although I do follow “her” on Twitter and take her infosec advice. At least, I follow someone with her name.

I have lost count of the number of websites that have come and gone during the decades that I have been writing about technology. It certainly is in the dozens. I am not bragging. I wish these sites were still available on something other than archive.org (which is a fine effort, but not very useful at tracking down a specific post).

I applaud Tay’s efforts at re-recording her earlier work. And I will take some time to post my unedited versions of my favorite pieces when I have the time, typos and investifarts and all.

In any event, I hope you all stay healthy and safe this holiday season.

An update on deepfake video threats

What has happened in the world of deepfake videos? Since I wrote about the creation and weaponization of them back in October 2020 for Avast’s blog, there have been a number of virtual conferences and new algorithms that have been developed to create these odd pieces of media. There is surprisingly a very bimodal consensus: either the sky is falling and we are all about to be subjects of revenge porn and various misinformation campaigns; or that things haven’t (yet) gotten out of hand and the tech is still in early stages. I will let you be the judge, but will give you a few places that you can start your own research.

One blog post that I read on the ethics of “synthetic media” (that is what the people who write the deepfake algorithms call their work product to make it sound more legitimate) compared the deepfake world with the introduction of the Kodak camera 130 years ago. Back then, folks were worried about image manipulation by newbie photographers, and whether we could use photos to show anything other than the literal, “real” state of the world. The chicken little scenarios didn’t materialize, and now we all walk around with digital cameras that carry multiple lenses and built-in effect filters that previously were only found on the higher-end pro gear.

Still, there is no doubt that the tech will get better: check out this timeline from one of the deepfake scanning vendors that claims “the technology was developed so fast that now bad actors can create realistic synthetic videos easily.” That perspective was reinforced with this report earlier this summer from Threatpost, which warned that a “drastic uptick in deepfake tech is happening.” There are plenty of deepfake algorithms out there, as Shelly Palmer recently cataloged.

Hold on. Yes, the tech has been developing quickly, thanks to some amazing AI that can deploy huge computing power. But the fakes aren’t really at the point to start wars or create bank panics. Instead, we have seen numerous cyberattacks that make use of synthetic voice recordings (think your boss leaving you a voicemail saying to make a particular payment to a hacker), according to presenters at a June conference.

And many predicted deepfake disasters haven’t really materialized. A celebrated case of a deepfake cyberbullying mom who sent videos to the cheer squad and coach of her daughter’s team turned out to be based on more mundane image manipulation. This could be a wake-up call for better cyberbullying laws, and for better ways to prove these cases too.

I stand with the skeptics (are you really surprised?) and suggest you proceed with caution. No doubt as the tech improves the threats will quickly follow, and perhaps we’ll see that happening in 2022. Don’t yet hit the panic button, but instead prepare yourself for potential attacks that could compromise facial and voice ID security measures.

The Verge: How to recover when your Facebook account is hacked

Hopefully the day will never come when you find your Facebook account has been hacked or taken over. It is an awful feeling, and I feel for you for the world of hurt that you will experience in time and perhaps money to return your account to your rightful control. Let me take you through the recovery process and provide some proactive security pointers that you should follow to prevent this awful moment from happening, or at least reduce the chances that it will.

In this post for The Verge, I explain the three different scenarios (a friend borrows your account, someone uses your photo on a new account, or you truly have been hacked) and how you can try to get your social life back. It isn’t easy, it could cost you a lot of time and a bit of money, and there are steps you should take to protect yourself now that will reduce the chances that your account will become compromised — such as removing any payment methods that you may have forgotten about, as shown above.

And if you would rather listen to my descriptions, my podcasting partner Paul Gillin interviewed me on this subject in a recent 16-minute episode.

CNN Underscored: Review of the best USB-C charging blocks

With USB-C finally more-or-less standard across phones, tablets and laptops, and fewer and fewer manufacturers including chargers in the box with their products, a myriad of charging blocks have become available that promise to get your batteries topped up as quickly as possible.

To find the best USB-C charger for your devices, we tested 15 devices from respected manufacturers, whether you need to charge a phone, a laptop, or a bagful of accessories. My top pick was the PowerPort Atom III Slim — it has a single USB-C port, and is rated at 45W (there are older versions still on the market that are rated at 30W, so make sure you are getting the higher capacity unit). We liked the smaller footprint slim design, which combines a slimmer unit (5/8” thick) with a folding power prong. These make fitting it behind furniture (or carrying in your travel bag) easier.

You can read my review of these chargers here for CNN’s Underscored site.