Best Infosec-Related Long Reads: Holiday Wrap-Up Edition

The man behind the hacked voting machine conspiracy theory, How private Roomba screenshots got on Facebook, Israel's new dystopian cyber firm, Roblox’s criminal underworld, Oz's scary data breaches

Metacurity is pleased to offer our free and paid subscribers this weekly digest of long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. Tell us what you think, and feel free to share your favorite long-reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

The man behind Trump World’s myth of rigged voting machines

Reuters’ Aram Roston and Peter Eisler offer a profile of Dennis Montgomery, a computer programmer and self-described former contractor for the U.S. Central Intelligence Agency (CIA), who provided the basis for the toxic theory that shadowy and malicious forces hacked into voting machines to rob Donald Trump of his presidential victory in 2020. Montgomery claims that he had built a supercomputer called the Hammer years ago as a U.S. government surveillance tool, along with software called Scorecard that could be used to manipulate election results.

Montgomery, 69, last year sold a trove of the purported evidence to Lindell, one of America’s most prominent Trump allies and election conspiracy theorists. Lindell, the founder and CEO of MyPillow, has spent millions of dollars on a campaign to abolish voting machines. He publicly announced his purchase of Montgomery’s data in August at a gathering in Missouri of hundreds of his followers.

“I own it,” Lindell said of Montgomery’s data, touting it as irrefutable proof Trump was cheated. “The machines are going to be gone!” he yelled, to uproarious applause. “We’re going to get our country back!”

He called Montgomery the “smartest man I’ve ever met.”

Lindell confirmed to Reuters that he bought the data from Montgomery in 2021 but declined to say exactly when or what he paid. He said it includes internet records of intrusions into U.S. voting systems to manipulate election results.

Lindell has promised to publicly release the full data set for more than a year but hasn’t delivered, citing legal and security concerns for repeated delays. He did release some data, however, in August of 2021, when he invited teams of information-technology experts to scrutinize it at a “cyber symposium.”

A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?

Eileen Guo in MIT Technology Review explains how sometimes intimate images taken by development versions of iRobot’s Roomba J7 series robot vacuum sent to Scale A.I., a startup that contracts workers around the world to label audio, photo, and video data used to train artificial intelligence, ended up on Facebook.

While the images shared with us did not come from iRobot customers, consumers regularly consent to having our data monitored to varying degrees on devices ranging from iPhones to washing machines. It’s a practice that has only grown more common over the past decade, as data-hungry artificial intelligence has been increasingly integrated into a whole new array of products and services. Much of this technology is based on machine learning, a technique that uses large troves of data—including our voices, faces, homes, and other personal information—to train algorithms to recognize patterns. The most useful data sets are the most realistic, making data sourced from real environments, like homes, especially valuable. Often, we opt in simply by using the product, as noted in privacy policies with vague language that gives companies broad discretion in how they disseminate and analyze consumer information.

The data collected by robot vacuums can be particularly invasive. They have “powerful hardware, powerful sensors,” says Dennis Giese, a PhD candidate at Northeastern University who studies the security vulnerabilities of Internet of Things devices, including robot vacuums. “And they can drive around in your home—and you have no way to control that.” This is especially true, he adds, of devices with advanced cameras and artificial intelligence—like iRobot’s Roomba J7 series.

This ‘Dystopian’ Cyber Firm Could Have Saved Mossad Assassins From Exposure

Omer Benjakob in Haaretz pulls back the curtain on Toka, the Israeli cybersecurity firm co-founded by former Israeli premier Ehud Barak and former Israel Defense Forces cyber chief Brig. Gen. (ret.) Yaron Rosen that sells technologies that allow clients to locate security cameras or even webcams within a given perimeter, hack into them, watch their live feed and even alter it and past recordings.

While Israeli cyberoffense firms like the NSO Group or Candiru offer bespoke tech that can hack into popular devices such as smartphones and computers, Toka is much more niche, a cyber industry source explained. The firm links the worlds of cyberoffense, active intelligence and smart surveillance.

As well as co-founders Barak and Rosen, the company is run by two CEOs from the world of cyberdefense: Alon Kantor and Kfir Waldman. Among the firm’s backers are venture capitalists Andreessen Horowitz, an early investor in Facebook (its co-owner Marc Andreessen still has a seat on the Meta board; Meta is currently suing Israeli spyware maker NSO Group).

According to a company pitch deck obtained by Haaretz, Toka offers what it terms “previously out-of-reach capabilities” that “transform untapped IoT sensors into intelligence sources,” and can be used “for intelligence and operational needs.” (IoT stands for Internet of Things and refers here to web-connected cameras and even car media systems.)

Inside Roblox’s Criminal Underworld, Where Kids Are Scamming Kids

Luke Winkie in IGN reveals a criminal underworld of teenage hackers on gaming platform Roblox’s Discord network who steal from fellow adolescent gamers.

I'd love to say that the hacker I spoke to at the beginning of this story was an outlier. That the other underworld dwellers better fit the image you and I have of the typical cybercriminal — someone who understands the ramifications of their actions, or at the very least, is of legal age. But minutes after the conclusion of our interview, I spoke to another swindler active on the beaming servers who claimed to be 13. Over text, he provided a holistic overview of his operation. It's a basic phishing scheme, explains the hacker. He enters popular Roblox games and targets those who seem to be wearing expensive limited items; or he trawls through Discord channels in order to "trick mainly younger people, who don't understand much."

"We can convince them to do whatever. Like click the link and enter their info," says the hacker. "You just have to be good with your words."

Five Lessons from Down Under's Data Disasters: Parts One and Two

On his Substack blog, the former CEO of the U.K.’s National Cyber Security Centre Ciaran Martin presents Part One and Part Two of his thoughts on the string of cybersecurity incidents rattling Australia.

So for a period of nearly three months, and particularly in November, serious and scary data breaches have been at the top of the political agenda in Australia in a way not seen in other major Western economies for some years. The new Labor administration in Canberra have taken the incidents extraordinarily seriously. The Government seemingly plans a wide ranging reviews of Australia’s cyber security laws and strategic posture.

Clearly, and for obvious reasons, these incidents matter to the millions of Australians affected. But their implications go well beyond Australian shores (there is absolutely no reason to believe that Australia, a wealthy Five Eyes country with excellent security services, is somehow uniquely bad cyber security).

As well as reminding us that data breaches haven’t gone away, the incidents throw up some of the most important and unsolved challenges of doing cyber security in advanced digital economies. These incidents therefore have global resonance and importance.

Image by Karolina Grabowska from Pixabay