Best Infosec-Related Long Reads of the Week, 1/14/23

'Scambaiters' target scam call centers, Violated trust of Roomba's test version victims, Tracking down the Idaho killer, Restoring civil-military cyber normalcy, OECD rules for reading emails


Metacurity is pleased to offer our free and paid subscribers this weekly digest of long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. Tell us what you think, and feel free to share your favorite long-reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

Vigilantes for views: The YouTube pranksters harassing suspected scam callers in India

Andrew Deck and Raksha Kumar offer a gripping and sometimes disturbing exposé of Trilogy Media, part of the “scambaiting” community, a new and growing internet subculture whose members hack, prank, and take revenge on people they believe are conducting scam phone calls.

Many of the YouTube creators who make scambaiting videos are from North America and Europe, and their most frequent targets are in India. Oftentimes, scambaiters simply annoy scammers: They might pretend they are falling for a scam call, for instance, only to waste the caller’s time with inane questions or inside jokes. In these videos, the scammers usually remain nameless and faceless, just a voice on the other end of the line.

But Trilogy has taken things up a notch. In April 2022, their team traveled from Los Angeles to Kolkata in order to prank workers at Ansh Info Solutions and two other call centers, which they claim conduct scam call operations that allegedly defraud victims in the U.S. and elsewhere. Naturally, they filmed the whole thing, hoping to pull it together into their newest viral video.

Kulik and Bingham say their goal is to educate viewers about scams — a public service disguised as comedic entertainment. They talk about how they’re motivated by a sense of justice for victims of scams, and suggest that they’re stepping in where law enforcement has failed.

Roomba testers feel misled after intimate images ended up on Facebook

Eileen Guo in MIT Tech Review follows up her scoop about how intimate Roomba images ended up on Facebook with a look at how nearly a dozen people whose images from a test version of iRobot’s Roomba J series were exposed felt about their exposure and the sense of violation of trust they experienced.

For many testers, the greatest shock from our story was how the data would be handled after collection—including just how much humans would be involved. “I assumed it [the video recording] was only for internal validation if there was an issue as is common practice (I thought),” another tester who asked to be anonymous wrote in an email. And as B put it, “It definitely crossed my mind that these photos would probably be viewed for tagging within a company, but the idea that they were leaked online is disconcerting.”

“Human review didn't surprise me,” Greg adds, but “the level of human review did … the idea, generally, is that AI should be able to improve the system 80% of the way … and the remainder of it, I think, is just on the exception … that [humans] have to look at it.”

Even the participants who were comfortable with having their images viewed and annotated, like Igor, said they were uncomfortable with how iRobot processed the data after the fact. The consent agreement, Igor wrote, “doesn’t excuse the poor data handling” and “the overall storage and control that allowed a contractor to export the data.”

How Police Actually Cracked the Idaho Killings Case

Slate’s Heather Tal Murphy offers this fascinating explanation of how investigators used a relatively new and contentious method known as forensic genealogy, a technique reliant on genealogy databases and other digital strategies, to track down Bryan Kohberger, a 28-year-old criminology student at Washington State University who stands accused of stabbing to death four University of Idaho students.

The precise way forensic genealogy helped investigators zero in on Kohberger hasn’t been previously reported. This is one of the most high-profile cases in which this relatively new, ethically contentious method has been used so soon after a crime has been committed, and it will likely influence how law enforcement approaches it going forward. Though multiple news outlets, including CNN and ABC News, reported that forensic genealogy helped with the case, none has explained how it was used or why it did not appear in the affidavit.

That how and why matters. For one thing, it shows that a method known mostly for solving cold cases can apply to ones that are still hot. That may increase demand for an emerging field that was already experiencing a boom.

The use of forensic genealogy also underlines that the current storyline about how police identified their suspect, which some are suggesting is a model, is missing pivotal details. According to numerous genetic genealogists, the case embodies an emerging trend of leaving out any mention of forensic genealogy from court documents and press conferences. The Idaho affidavit’s “thoughtful omission” of any reference to genealogy, as forensic DNA analyst Tiffany Roy put it, has reignited a heated debate among investigative genealogists, lawyers, detectives, and other forensic experts about the wisdom of this strategy.

A New Cyber Strategy To Restore Civil-Military Normalcy

Marc Losito, Director of Strategic Plans and Policy for the U.S. Army, argues in Real Clear Defense that President Biden’s upcoming national cybersecurity strategy should try to solve what he claims is an over-militarization and a forever war in the cyber domain.

At a minimum, President Biden’s National Cybersecurity Strategy needs to address three problems to restore civil-military normalcy. First, the strategy should address the Pentagon’s sprawling ecosystem of cyber-related entities and advisors by establishing civilian control. The Cyberspace Solarium Commission entertained the idea, but now is the time to establish a “service like” secretary—Assistant Secretary of Defense for Cyber—as a principal staff assistant with full access to the same fora that the service secretaries have. Second, the strategy should frame internal coherence by addressing the competing roles and responsibilities of federal agencies in cyberspace. Our adjustments of cyber policy over time have created a patchwork of byzantine line-and-block charts creating uncertainty of how these roles would interact in the face of an incident response. Last, the strategy should advance the non-military cyber instruments of power to reflect the President’s National Security Strategy shift of restoring faith in diplomacy. Ideally, the State Department’s newly created Bureau of Cyberspace and Digital Policy would take the lead in addressing national security challenges abroad.

Gentlemen’s Rules for Reading Each Other’s Mail: The New OECD Principles on Government Access to Personal Data Held by Private Sector Entities

Kenneth Propp, senior fellow at the Europe Center of the Atlantic Council, senior fellow at the Cross-Border Data Forum, and adjunct professor of European Law at Georgetown Law, explains in Lawfare how the Organization for Economic Cooperation and Development’s (OECD) recently finalized Declaration on Government Access to Personal Data Held by Private Sector Entities is the first intergovernmental agreement that enables governments to protect the private data of non-citizens.

One goal of the OECD was to “increase trust among rule-of-law democratic systems that, while not identical, share significant commonalities[,]” while the other was to “provide a standard for how democratic, rule-of-law based systems limit and constrain government power in contrast with approaches that are unconstrained, unreasonable, arbitrary or disproportionate, in violation of human rights and in breach of international obligations” (emphasis added).

In other words, the principles aim to be both descriptive and exemplary, coming at a time of proliferating technological means for information access in authoritarian countries.

In line with these purposes, the OECD document takes the form of a nonbinding declaration, not a convention binding under international law like, for instance, the OECD Anti-Bribery Convention. Declarations are a well-established feature of the international law landscape, and they can have normative significance over time. The United Nations’ Universal Declaration of Human Rights, for example, is a similar “soft law” instrument that influenced a generation of human rights treaties; its content today is largely considered to be part of binding customary international law.