
Best Infosec-Related Long Reads for the Week of 3/30/24

Online vigilante P4x unmasked, Deconstructing the TikTok whistleblower's claims, Facial recognition deanonymizes protestors, The public accepts targeted facial recognition, The long-gone days of floppy disks

Metacurity is pleased to offer our free and premium weekly digest of the best long-form (and longish) infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at [email protected].

Image created on Replicate.com.

A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask

Wired’s Andy Greenberg reveals for the first time the identity of the online vigilante P4x: Alejandro Caceres, a Colombian-American and the founder of the cybersecurity startup Hyperion Gray. Caceres grew so frustrated with US inaction in stopping North Korea’s hacking regime that he took out the adversary’s internet himself, then briefly but frustratingly tried to coax the US government into following his more muscular approach to undercutting cyber foes.

The US government may have had nothing to do with North Korea’s man-made internet outage, but it quietly took an interest in it. In the weeks after WIRED published its story about P4x’s solo hacking feat, Caceres began to receive messages from hacker friends with connections to the Pentagon and intelligence agencies—sent not to P4x but to Caceres’ own true-name accounts. Several agencies, he was told, were intrigued by his work and interested in talking to him.

For those in the know, identifying Caceres had been worryingly easy: He had given away hints in posts to his Twitter account about his North Korean targeting prior to his decision to hide it behind the P4x pseudonym. After P4x’s public statements on the cyberattack, one fellow hacker had even posted screenshots of Caceres’ now-deleted tweets, though without spelling out what exactly they revealed.

One friend had discussed Caceres’ work with a high-ranking military official and told Caceres there was someone the official now wanted Caceres to talk to: a longtime military intelligence contractor who had done contract work for the Joint Special Operations Command, which oversees groups like the Army’s Delta Force and the Navy’s Seal Team Six. WIRED agreed to call him Angus, though that isn’t his real name.

A few weeks after his North Korea attack, Caceres met Angus in the offices of Angus’ Pentagon-funded hacker startup. Angus began by warning Caceres that he was potentially in danger of reprisal from the North Korean state and that he should be wary of the possibility of a physical attack that might be made to look like a mugging, or of someone tampering with his prescription medications. “Before that, I was nervous,” Caceres says. “After that, I was shit-scared.” Angus suggested the hacker ought to arm himself. (Caceres, not one for half measures, later bought three guns and multiple bulletproof vests.)

Angus quizzed Caceres about his past hacking activities, his allegiance to other governments—he said he didn’t have any—and his politics. He specifically asked Caceres if he was a Marxist. Caceres confirmed he was not. With that brief vetting out of the way, they went out for drinks and talked late into that night about what a P4x-style US special forces hacker team might look like and what sort of work they might do together to demonstrate that model to the Department of Defense.

Soon after, Angus convened a meeting of military and intelligence staff at his startup’s office, where they listened to a presentation from Caceres. Standing before an audience of officials from Cyber Command, Special Operations Command, the NSA, and the Marines' Cyberspace Command known as Marforcyber, he detailed his North Korean hacking project as a case study and laid out principles for how it could be replicated: Aim for “easy and impactful.” Minimize the number of “cooks in the kitchen.” Iterate rapidly. He laid out a timeline for operations that suggested assembling teams of two to four hackers, with support from researchers and analysts, and taking just a few days to plan an operation.

“For the US government, any execution on target is typically a six-month process. P4x did it in two weeks,” says Angus. “The whole point was that he can show them how to do it, and if they wanted to they could fund it and see it happen.”

The response to the presentation was positive, if somewhat cynical, according to Angus. “Most of them put their faces in their palms when they realized what he’d done and how he did it, and the only thing that stopped them from doing it was bureaucracy,” he says. Caceres remembers that one audience member responded with a joke: that Caceres forgot the step where he presents a 100-slide PowerPoint deck to someone who doesn’t understand what he’s talking about and then denies him authorization.

A TikTok Whistleblower Got DC’s Attention. Do His Claims Add Up?

In Wired, Louise Matsakis analyzes whistleblower and former TikTok risk manager Zen Goziker’s disputed claims in a wrongful termination lawsuit that ByteDance-owned TikTok’s software could send US data to Toutiao, a ByteDance app in China, contrary to the touted purpose of the company’s Project Texas, a now seemingly stalled effort to assuage US government security concerns by storing American data on servers managed by Oracle.

Despite not holding a senior position, Goziker claims that his main job at TikTok was “overseeing” Project Texas to ensure the social media app’s plan to secure US user data would be effective. The goal was to implement a set of safeguards that would satisfy the Committee on Foreign Investment in the United States, an interagency body charged with evaluating national security risks associated with foreign firms acquiring or taking major stakes in US companies. CFIUS has the power to force companies to unwind deals it considers risky, and since 2019 has been investigating ByteDance’s 2017 purchase of a lip-syncing app called Musical.ly, which was later merged into TikTok.

Goziker claims that he interviewed more than three dozen people at TikTok and ByteDance about Project Texas, according to court filings. He says that he identified flaws in the initiative that led him to refuse to “sign off” on it, despite alleged pressure from his manager and other executives at the company. Goziker tried to flag his concerns to TikTok’s top leadership, including the CEO and board of directors, according to court records.

Goziker alleges in court filings that he found evidence TikTok’s software could send data to China in January of 2022—weeks before he was fired. He claims in the filings that through “collaborative and willful joint effort with ByteDance engineers from mainland China,” he obtained “a verified artifact” in TikTok’s software that connected the platform to Toutiao, a popular Chinese news aggregation app also owned by ByteDance. Goziker said that his findings demonstrated US data from TikTok could still flow to the People’s Republic, despite TikTok’s assertions to the contrary. The filings do not contain detailed documentary evidence of his allegations.

The changing face of protest

In Rest of World, writer Darren Loucaides delves into how facial recognition technology, whose use by law enforcement has risen steeply worldwide, has been used to punish protestors in mass demonstrations, which historically have provided them with some degree of anonymity.

In countries where demonstrating can come with physical or political risk, large-scale protests have historically offered a degree of anonymity, and, with it, a level of protection. Mass protests are a way for citizens to express dissent as a collective — often under the assumption that “they can’t arrest us all.”

But in the last decade, the spread of facial recognition technology has changed that equation: A lone face in a crowd is no longer anonymous; facial recognition allows authorities to capture people’s identities en masse.

It’s no coincidence that the widespread adoption of the technology has evolved in parallel with increasingly draconian laws against protest. As part of its “Protect the Protest” project, Amnesty International tracks repressive legislation that imposes illegitimate restrictions on protests, with examples across five regions. Facial recognition tech helps enable this repression by offering a way to enforce such regulation on a sweeping scale.

In the U.S., law enforcement used facial recognition at Black Lives Matter protests in 2020, resulting in at least one activist being targeted at their home. In the U.K., the London Metropolitan Police admitted to using facial recognition technology on tens of thousands of people attending King Charles III’s coronation in May 2023.

Often, facial recognition is used to disproportionately target people belonging to a racial, ethnic, or religious minority. “Again and again we see that it’s people who are already targeted by police or subject to severe movement restrictions, or have already been subject within their communities to police brutality, that are most targeted by these tools,” Matt Mahmoudi, a researcher at Amnesty International who specializes in facial recognition, told Rest of World.

Mass demonstrations have become opportunities for authorities to net thousands of faces via CCTV, van-mounted cameras, and police mobile devices, which can then be added to facial recognition databases. In the past month, Indian authorities used the technology to identify people who participated in farmers’ protests, threatening to cancel their passports. A Russian civil society group believes Moscow police used the technology to track down people who attended opposition leader Alexei Navalny’s funeral.


Law enforcement walk past crowds gathered for the funeral service of Alexei Navalny in Moscow, Russia, on March 1, 2024. Alexander Nemenov/AFP/Getty Images

The result is a fundamental shift in the power balance between authorities and the general public that is changing the nature of protest. The most obvious outcome is a chilling effect: Facial recognition technology puts demonstrators at greater risk of persecution, often stymieing efforts to protest before they even occur.

What Does the Public Think About Government Use of Facial Recognition?

In Lawfare, Matthew Kugler, a professor at Northwestern University’s Pritzker School of Law, documents how his research shows that the public generally accepts authorities using targeted facial recognition even as they express concerns about this technology becoming a casual practice.

In past research I have surveyed census representative samples of Americans to determine their privacy expectations against government surveillance and their views on biometric privacy. In a recent article, I combined these to look at public attitudes toward facial recognition. What I found is that neither privacy advocates nor privacy skeptics fully represent the public.

Across three surveys I found that the public holds highly nuanced views of facial recognition. The basic method in each survey was to, first, describe a potential government use of facial recognition in a few short sentences so that people could plainly picture the use in question and then, second, ask participants to rate their comfort with the practice on a scale ranging from 1 to 4. This allowed participants to be categorized as more comfortable than not or less comfortable than not with each use.

[P]eople report being generally comfortable with the government using facial recognition to investigate serious crimes, enhance the security of controlled spaces like airports and schools, and increase the efficiency of identity verification in some contexts. Combined, these are the lion’s share of current uses. People also draw little distinction between using facial recognition to identify a stored image of a criminal suspect and scanning live feeds to try to locate the suspect.

There were few differences in the views of different demographic groups—race, ethnicity, and gender had no significant relationship with facial recognition comfort. More educated respondents and, in one model, younger respondents reported slightly greater comfort.

This pattern of comfort with targeted uses persisted even when, in a second study, participants were primed with negative information about the accuracy of facial recognition. Though telling people that facial recognition worked poorly, as opposed to presenting equally biased information claiming it worked well, caused them to be less comfortable with its use, the difference was relatively small.

The third study examined the similarly small difference between identification of a face from a video image and scanning a citywide network of cameras to search the city for that same face. Participants were told about an investigation into an auto theft or a homicide and asked how comfortable they were with law enforcement using facial recognition (a) to identify the suspect; (b) to find the suspect’s current location by scanning all the publicly owned cameras in the city, including those on mass transit; and (c) to track everywhere the suspect had been over the prior week using all publicly owned cameras in the city. As can be seen in Table 2, the differences between these three uses are not especially stark.

The Rise and Fall of 3M’s Floppy Disk

IEEE Spectrum reposted this 2023 piece from Ernie Smith that delves into the history of the floppy disk, the durable and ubiquitous magnetic storage device in the early days of electronic computing, focusing on the market-leading manufacturer of the disk, 3M.

While floppies were still a significant medium in the mid-1990s, it was obvious that they would not be enough capacity for the next generation of data hoarders. It would only be a couple of years before Apple would put the first dagger in the heart of the floppy disk with the iMac, breaking with tradition by releasing a personal computer in 1998 with no built-in floppy disk drive.

That was a harbinger of what was to come. Within a decade of the decision, floppy drives, compact cassettes, and videotapes—the three key elements of 3M’s move into consumer-driven magnetic media—had fallen by the wayside. Imation, still active today, is owned by O-Jin Corp., a Korean technology company that basically bought it for its trademarked name.

Much like its one-time competitor Memorex, Imation is a technology ghost kitchen. Its former corporate parent 3M, meanwhile, has a market cap of $51.33 billion at the time of this writing.
