Best Infosec-Related Long Reads for the Week, 11/11/23

Tokelau became the web's dark underworld, Oregon cops' surveillance apparatus lives on, Tool for small platforms to fight terrorism content, GOP fights to keep US in the dark, Inside fake Apple gear

Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

How a tiny Pacific Island became the global capital of cybercrime

In MIT Tech Review, Jacob Judah tells the story of how the tiny Pacific island of Tokelau, the last place on Earth to be connected to the telephone in 1997, and its domain .tk became the unwitting “host to the dark underworld by providing a never-ending supply of domain names that could be weaponized against internet users” after Aukusitino Vitale, the then-general manager of Teletok, the impoverished country’s sole telecom operator, struck a deal with con artist Joost Zuurbier.

It took until the late 2000s for Vitale to realize that something had gone badly wrong. After problems first arose, Zuurbier invited ministers and advisors from Tokelau to the Netherlands, paid for their flights, and explained the business’s nuts and bolts in an effort to reassure them. They went to watch Samoa play at the Rugby World Cup in France.

“He [Zuurbier] appeared to be a really nice person,” Vitale remembers. “There was all this nice stuff that felt homely, warm fuzzies.” .Tk had hit the milestone of 1 million domain users.

But soon after this trip, he says, Zuurbier started falling behind on scheduled payments to Tokelau worth hundreds of thousands of dollars. (MIT Technology Review requested an interview with Zuurbier. He initially accepted but subsequently did not answer the phone or respond to messages.)

Meanwhile, Vitale had begun receiving complaints from concerned members of the “internet community.” He and his peers started to become aware that criminals and other questionable figures had cottoned onto the benefits that registering free domains could bring—providing an almost unlimited supply of websites that could be registered with virtual anonymity.

“It was obvious from the start that this was not going to turn out well,” says Levine, coauthor of The Internet for Dummies. “The only people who want those domains are crooks.”

Levine says that .tk had started attracting unsavory characters almost immediately. “The cost of the domain name is tiny compared to everything else that you need to do [to set up a website], so unless you’re doing something weird that actually needs lots of domains—which usually means criminals—then the actual value in free domains is insignificant,” he says.

What started as techies complaining to Vitale about spamming, malware, and phishing on .tk domains soon turned into more worrisome complaints from the New Zealand administrator tasked with overseeing Tokelau, asking him whether he was aware of who .tk’s users were. Allegations surfaced that .tk websites were being used for pornography. Researchers had found jihadists and the Ku Klux Klan registering .tk websites to promote extremism. Chinese state-backed hackers had been found using .tk websites for espionage campaigns.

Oregon Police Obsessively Spied on Activists for Years, Even After Pipeline Fight Ended

The Intercept’s Natasha Lennard delves into how a new trove of internal police emails shows that a policing surveillance apparatus established in Oregon to track the climate justice group Siskiyou Rising Tide tracks even the most peaceful social justice activities as threats long after the group achieved its goal of stopping a natural gas pipeline project.

The emails show that, from 2016 to 2023, the Medford Police Department coordinated heavy-handed police responses to peaceful rallies and protests, tracked activist groups’ social media pages, and consistently treated typical, First Amendment-protected activity as a potential crime worthy of law enforcement scrutiny.

Sam Becker, a member of Information for Public Use, wrote in a Signal message that the Medford Police Department’s overreach included surveilling a Black teenager’s vigil, pushing back against the Oregon Health Authority’s choice to fund a harm reduction nonprofit, and monitoring a reproductive justice organization after receiving a tip from a member of an evangelical anti-abortion group.

Information for Public Use and Siskiyou Rising Tide believe that the surveillance activities revealed in the email trove constitute a violation of both First Amendment protections and an Oregon-specific law, ORS 181A.250, which prohibits law enforcement agencies from collecting and maintaining “information about the political, religious or social views, associations or activities” of individuals, groups, or business, unless the police have “reasonable grounds to suspect the subject of the information is or may be involved in criminal conduct.”

“Monitoring social media accounts available to the general public does not violate any part of the constitution or any Oregon statute,” wrote Medford City Attorney, Eric B. Mitton, in a statement to The Intercept. “Law enforcement agencies, including the Medford Police Department, actively look at the public social media profiles of organizations and individuals when there is reported or self-evident concern of a public safety interest.”

This New Tool Aims to Keep Terrorism Content Off the Internet

Wired’s David Gilbert reports on Altitude, a free tool built by Jigsaw, a unit within Google that tracks violent extremism, misinformation, and repressive censorship, together with Tech Against Terrorism, a group that seeks to disrupt terrorists’ online activity. Altitude aims to give smaller platforms the ability to quickly and efficiently detect terrorist content on their networks and remove it.

The project is also working with the Global Internet Forum to Counter Terrorism, which is an industry-led group founded in 2017 by Facebook, Microsoft, Twitter, and YouTube that hosts a shared database of image hashes—a kind of digital fingerprint—of terrorist content.

After years of missteps and failing to deal with the problem of removing terrorist content from their networks, big tech platforms like Facebook, Google, and X (formerly Twitter) have—with the help of dedicated NGOs and law enforcement—largely removed this content from their networks, with the notable exception of Telegram. As a result, terrorists have moved to less regulated and under-resourced platforms where their presence either goes unnoticed or cannot be dealt with because the companies involved simply don’t have the resources to cope with a flood of takedown requests.

“Islamic State and other terrorist groups didn't give up on the internet just because they no longer had the megaphone of their social media platforms. They went elsewhere,” Yasmin Green, the CEO of Jigsaw, tells WIRED. “They found this opportunity to host content on file-hosting sites or other websites, small and medium platforms. Those platforms were not welcoming terrorist content, but they still were hosting it—and actually, quite a lot of it.”

While there are some tools on the market that work in a similar way to Altitude, they are prohibitively expensive for a lot of smaller companies. Experts like Green believe that tools like this need to be open source and free of charge.

How the GOP muzzled the quiet coalition that fought foreign propaganda

NBC News’ Kevin Collier and Ken Dilanian walk through how relentless GOP attacks have fragmented a once-robust alliance of federal agencies, tech companies, election officials, and researchers that worked together to thwart foreign propaganda and disinformation, raising alarms among current and former government and tech employees that the US will be left in the dark regarding foreign influence campaigns.

More than a dozen current and former government and tech employees who have been involved in fighting online manipulation campaigns and election falsehoods since 2020 echoed those concerns. Most agreed to speak only on the condition that they not be named, all citing the current climate of harassment against people who work in election and information integrity.

A common theme among those interviewed: The chilling effect that Republican attacks had on the sharing of information about possible interference, which could make it easier for foreign adversaries to manipulate U.S. public opinion and harder for 2024 voters to sort out what’s real from what’s fake.

Beyond the FBI briefings, other coordination efforts have folded after facing pressure from conservatives. The Cybersecurity and Infrastructure Security Agency (CISA), which oversees federal election cybersecurity and has become a favorite target of Republicans, has halted its outreach to Silicon Valley, and the Department of Homeland Security has shuttered a board designed to coordinate its anti-disinformation programs.

“Some of these efforts really are designed to isolate people and make them feel like they can’t communicate with CISA, like they can’t communicate with their peers in other states,” a person who works in state election administration said.

“People feel that things are really, really fraught, and common sense does not rule today,” the person added.

Simple circuitry, surprising engineering: Inside counterfeit Apple gadgets

Ars Technica’s Scharon Harding illustrates how Lumafield, an industrial CT scanner and software maker, uses its Neptune scanner to show what consumers get when they purchase counterfeit electronics such as fake MacBook chargers or knockoff AirPods Pro.

Lumafield's CT scanned a pretend Apple charger purchased from a "sketchy" eBay seller (eBay's policies ban counterfeit products), Lumafield head of marketing Jon Bruner told Adam Savage's Tested YouTube channel in a Lumafield-sponsored video posted Tuesday. Bruner told Ars Technica via email that the charger was around $30. It showed noticeable differences from the true Apple 85 W MagSafe 2 Power Adapter, which is currently $79 on Apple's website.

[You] can see an image showing how similar the two chargers look on the outside. But as detailed in [a] YouTube video, the one bought off eBay has only two inductors and a large electrolytic capacitor, with a lot less circuitry overall.

A CT scan of Apple's charger showed "sophisticated power management with various components for power conditioning and conversion," a Lumafield blog post on Tuesday said. The dupe's internals, however, are "far less complex," lacking the "filtering features that ensure safety and longevity in Apple's charger."

"This simplified internal structure not only raises concerns about the counterfeit’s performance but also its ability to safely manage the power supplied to your devices," Lumafield's blog said.

Heat management between the two chargers, while not tested, likely differs, too. Apple's thin heatsink is more advanced than the one in the copycat and enwraps most of the charger's transformer.

CT scans emphasize the broad coverage of the heatsink in the Apple charger, which can help prevent hot spots from forming. The heatsink uses more metal than the fake's, likely for better heat dissipation. Also, the Apple charger's use of converters, which the imitator forgoes, probably improves efficiency and lets the charger generate less heat.

While there's an impressive amount of engineering in the spurious charger for a scam product, there's a chance the charger won't put out the desired voltages. But assuming it did or that the connected computer could adjust voltages, the fraudulent charger's likelihood of getting hotter might not pose an immediate threat. But in the long term, or if covered up, this could be dangerous.

"Over time, if you get frayed wires and it builds up a little more extra resistance, that'll increase the heat and all of these things … can build up and produce a dangerous situation," Zach Radding, an electronics engineer at Build Cool Stuff, said on Adam Savage's Tested video.

Finally, the knock-off charger has a fake grounded pin that's not actually connected to anything inside the charger and wouldn't be compliant in the UK.
