Best Infosec-Related Long and Long(ish) Reads of the Week, 1/28/23

A hacktivist group targets Latin American leaders and institutions, Smart ovens check in with Russia and China, Why legislation targeting TikTok is a good thing, How "spam" came to mean junk mail

Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form and long-ish infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. Tell us what you think, and feel free to share your favorite long-reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

The politics and power of Latin American hacktivists Guacamaya

Cyberscoops AJ Vicens offers this in-depth look at the hacktivist group Guacamaya (the Mayan name for a Macaw) and how it bedevils Latin American politicians, governments, and corporations by threatening to dump the data and expose the secrets of the players it deems corrupt.

Guacamaya has released between 20 and 25 terabytes of stolen data since March 2022, including files it provided the nonprofit news site Forbidden Stories a year prior for an exposé about corruption involving Guatemalan officials and a Swiss mining conglomerate. Their hacking operations have targeted what the group says is the exploitation of indigenous lands throughout Mexico and Central and South America. So far, the leaks have led to the resignation of one of Chile’s top military officials.

“Guacamaya is definitely one of the most responsible and impactful hacktivist groups we’ve seen in recent years,” said Emma Best, a journalist and transparency advocate who co-founded Distributed Denial of Secrets, or DDoSecrets, a nonprofit “transparency collective” that hosts hacked and leaked material and distributes it in the public interest to journalists and researchers. Fuerzas Represivas — the campaign published Sept. 19 that included more than 13 terabytes of data — ”was the largest leak in history, and instead of dumping the files on the open internet they came to us and Enlace Hacktivista and asked us to make sure journalists and researchers were able to work with the data.”

I disconnected our smart oven, and maybe you should as well

Software architect Stephan van Rooij explains why he disconnected two smart appliances from appliance maker AEG as soon as he discovered what they do.

AEG choose the easy route, and checks three public websites every 5 minutes when connected to your wifi. The AEG smart appliances also have this hidden cloud api which is used for controlling the devices, so there should not be a reason to connect to these websites:

I really don’t like the fact that my oven connects to China and Russia just to check if it has an internet connection. If that is the only thing it’s doing.

Congress, TikTok, and Securing Democracy in the Digital Age

Pablo Chavez, Adjunct Senior Fellow with the Center for a New American Security’s Technology and National Security Program, delves into why recently introduced Congressional legislation to prohibit TikTok in the U.S. on security grounds is a welcome and necessary step in the ongoing debate on how to deal with Chinese technology and its suspected ability to engage in surveillance.

One factor that complicates the picture is that millions of people in the U.S. use the TikTok app as a platform for expression protected by the First Amendment. This is a critical reason why Congress should wrestle with TikTok’s fate instead of leaving the matter solely to CFIUS, which is designed to focus only on identifying security concerns, assessing risks, and putting forth solutions for mitigating or eliminating those risks.

By contrast, Congress has the authority and responsibility to weigh the First Amendment implications—both substantive and symbolic—of shutting down a platform like TikTok. In fact, in cases of national emergency, when a president has the broadest and strongest powers, Congress reserves the right to limit free expression and withholds that authority from the president. Specifically, the International Emergency Economic Powers Act (IEEPA) gives the president broad emergency powers to address foreign threats but denies the executive the authority to ban personal communications and the import or export of any kind of information or informational materials, regardless of the medium, during the emergency.

Flash From the Past - Origin of the term "spam" to mean net abuse

Courtesy of Cory Doctorow’s blog, twenty years ago this week, legendary online activist and Canadian software developer Brad Templeton wrote a detailed history of how the word “spam,” the infamous but yet beloved luncheon meat, came to mean junk email.

In April of 1994, the term was not born, but it did jump a great deal in popularity when two lawyers from Phoenix named Canter and Siegel posted a message advertising their fairly useless services in an upcoming U.S. "green card" lottery. This wasn't the first such abusive posting, nor the first mass posting to be called a spam, but it was the first deliberate mass posting to commonly get that name. They had posted their message a few times before, but on April 12, they hired an mercenary programmer to write a simple script to post their ad to every single newsgroup (message board) on USENET, the world's largest online conferencing system. There were several thousand such newsgroups, and each one got the ad.

Quickly people identified it as "spam" and the word caught on. Future multiple postings soon got the appelation. Some people also applied it to individual unwanted ads that weren't posted again and again, though generally it was associated with the massive flood of the same message. It turns out, however, that the term had been in use for some time before the famous green card flood.

Later, some particularly nasty folks figured they could take mass e-mailing software (which had been around for decades to handle mailing lists) and use it to send junk e-mail to large audiences who hadn't asked for it. The term quickly came to be used to describe these unwanted junk e-mails, and indeed that is the most common use of the term today.