Best Infosec-Related Long Reads for the Week of 4/20/24

In late February 2023, Kivimäki was extradited to Finland and placed in Vantaa Prison, a half-hour north of Helsinki. The great challenge in prosecuting cybercrimes, aside from their technical opacity, lies in proving who was at the keyboard when a specific command was executed. The Vastaamo investigation was no exception, according to Marko Leponen, the NBI detective chief superintendent who led it. “The path from the crime to the suspect was not a straight line,” he says. But there were many connections. “It is a spider web, and in the middle of this web is Mr. Kivimäki.”

The first thread had emerged out of communications logs on the confiscated servers. Right after the accidental data dump, whoever controlled those servers had copied the contents somewhere else, then wiped as much of the memory as they could. But while previously that person had been careful to disguise their IP address by using a virtual private network, that time, perhaps out of haste or panic, they logged in without the VPN. The unmasked IP address that one of the servers had recorded was registered to one of Kivimäki’s two London apartments. Kivimäki had used that same IP address to make online payments, including one for a hotel stay and another to an OnlyFans creator.

Another IP address in the communication logs was traced to an apartment in Barcelona rented to a Daniel Fulgescu. That seems to have been another of Kivimäki’s Romanian aliases. According to prosecutors, it was the name on the registration of a BMW 7 Series that Kivimäki drove. A picture of the car, complete with license plate, had been posted by “Aleksanteri K” in a glowing five-star review for a high-end Barcelona auto detailing shop. (Kivimäki denies that the car was his.)

The server logs had also led the NBI to a different set of servers rented by a consulting company. Scanifi, as it was called, offered cybersecurity services to the owners of badly protected databases that it found online. The company co-founder was Kivimäki, who’d paid to rent the servers in question. One of the Scanifi servers had been configured into multiple smaller virtual servers, including one whose contents were encrypted. When investigators managed to break the encryption, they discovered a copy of ransom_man’s home folder. “It is an exact replica,” says Vainio, “of the server that was used to commit these crimes.”

In perhaps the biggest coup, investigators determined the ultimate destination of the 0.1 Bitcoin payment that negotiators made to the wallet address in the original ransom demand. Whoever controlled that wallet had first converted the Bitcoin into Monero, a cryptocurrency thought to be untraceable because of special obfuscating measures built into its blockchain. According to the NBI, the Monero was then transferred to an account at the crypto exchange Binance and converted back into Bitcoin. And a portion of that money ended up in a bank account belonging to Kivimäki.

While the investigative report redacts key details, the NBI’s Leponen says both the Monero tracking and the decryption of the Scanifi server relied heavily on other evidence available in the case. The accidental upload had been a rare gift to investigators. On ransom_man’s home folder, alongside the records of the tens of thousands of patients whose reputations he had taken hostage, his own information was stored. Some of his login credentials were there, as well as hints about others.

But any discussion of efficacy must also grapple with major questions posed by more frequent takedowns, for instance, intelligence gain/loss considerations: What kinds of insights are put at risk by either disrupting some infrastructure or alerting cyber criminals to their exposure to authorities? Moreover, do government agencies risk creating a moral hazard for their publics, disincentivizing more proactive cyber hygiene and systems-patching? Do they drive cyber criminals even deeper underground, prompting them to use even more anonymizing techniques? Do they divert cyber criminals’ focus toward lesser-developed countries with weaker defenses and limited capacity to strike back? By developing or purchasing malware for use in takedowns, do LEAs further fuel the underground market for software vulnerabilities? Such difficult questions are a reminder that technical takedowns cannot be untethered from broader cyber strategies and dialogs.

Meanwhile, states seem to broadly agree that extraterritorial cyber intrusions can be a violation of their sovereignty—but they also agree that often there are valid justifications for doing so. As extraterritorial cyber operations become more routine, they can gradually evolve into “customary international law.” In other words, silence is acceptance, and acceptance eventually can become codified as the norm. Such international norms are widely interpreted and disputed, particularly when they involve non- or quasi-state actors like cyber criminals. This ambiguity clouds discussions about whether technical takedowns of cyber crime infrastructure abroad are advisable, under what authority they might be conducted, or who is accountable for any unintended consequences.

To date, the U.S. government has not presented any evidence to suggest that TikTok has been used by the Chinese government as a covert tool against the American public.

On the contrary, in 2020, the Central Intelligence Agency (CIA) reportedly provided an assessment to the Trump administration that, though it was possible, there was no evidence that Chinese intelligence agencies had used TikTok to gather data or information on its American users.

Following a classified briefing by national security officials last week, some members of Congress said that current classified intelligence assessments still fail to demonstrate that TikTok is a legitimate threat.

“Not a single thing we heard in today’s classified briefing was specific to TikTok,“ Rep. Sara Jacobs (D-CA) told the Associated Press. “These are things that are happening on all social media platforms.”

Rather than harping on the PRC’s use of TikTok to surreptitiously gather data on American citizens, current top U.S. intelligence officials have largely focused on concerns over how the platform can be used for social engineering to influence public opinion.

During her March testimony before the House Intelligence Committee, Director of National Intelligence Avril Haines acknowledged that China could use TikTok to influence the upcoming 2024 presidential elections. However, America’s top intelligence official stopped short of saying there was any evidence the platform was being used by the People’s Republic of China for malicious purposes.

In previous congressional testimonies and interviews, both FBI Director Christopher Wray and CIA Director Bill Burns have expressed similar concerns regarding TikTok, noting the potential for China to use the platform for strategic purposes. However, neither official has claimed that TikTok is currently being used or has been used for information warfare.

In the 2024 National Threat Assessment of the U.S. Intelligence Community, officials said that China was demonstrating a higher degree of sophistication in its influence activity, including experimenting with generative artificial intelligence. The report noted, “TikTok accounts run by a PRC propaganda arm reportedly targeted candidates from both political parties during the U.S. midterm election cycle in 2022.“

The report, which compiles assessments on the major threats to national interests by the 18 agencies that make up the U.S. Intelligence Community, did not explain why TikTok was the only platform specifically mentioned or whether the PRC was equally using other social media apps for influence operations.

In a March 2023 report, researchers at the Georgia Tech School of Public Policy Internet Governance Project concluded that, after a “comprehensive national security threat analysis,“ the fears over the Chinese government weaponizing TikTok were unfounded and vastly overblown.

“TikTok is a commercially-motivated enterprise, not a tool of the Chinese state,“ researchers concluded in their report. “Chinese government efforts to assert control over ByteDance’s Chinese subsidiaries are targeting its domestic (Chinese) services, not its overseas operations.“

Georgia Tech researchers also found no evidence that TikTok’s content recommendation algorithm is being manipulated to support Chinese propaganda or the CCP’s strategic interest.

ShotSpotter, which rebranded as SoundThinking in 2023, has a customer base of roughly 170 cities, according to its most recent filing with the US Securities and Exchanges Commission. Chicago is not the first to deem the ShotSpotter technology not worth the cost. (By the time the city’s contract extension ends in November, ShotSpotter will have cost Chicago more than $57 million since then-mayor Rahm Emanuel inked a comprehensive deal with the company in 2018.)

San Antonio, San Diego, and Dayton, Ohio, have all joined a growing list of cities that have publicly cut ties with ShotSpotter. Confidential company emails reviewed by the Weekly and WIRED, however, indicate that the company never completely pulled its technology out of some cities.

An October 2023 email sent to John Fountain, a director of field and network operations at SoundThinking who left the company in December, described how the company continued to secretly offer its help to police in cities where contracts had lapsed. The email, which addressed a shortage of sensors in a city with an active contract, apparently referred to Clark Dunson, SoundThinking’s director of systems engineering.

“I would like to imagine we can pull some [sensors] from an old coverage area … Maybe San Diego and Indianapolis,” wrote the sender, whose name was redacted. “Last time we looked to remove sensors from an old coverage area I know Clark flipped out since we still work with police using those sensors (which I did not know).”

If we continue in this direction, the web—that extraordinary ecosystem of knowledge production—will cease to exist in any useful form. Just as there is an entire industry of scammy SEO-optimized websites trying to entice search engines to recommend them so you click on them, there will be a similar industry of AI-written, LLMO-optimized sites. And as audiences dwindle, those sites will drive good writing out of the market. This will ultimately degrade future LLMs too: They will not have the human-written training material they need to learn how to repair the headlights of the future.

It is too late to stop the emergence of AI. Instead, we need to think about what we want next, how to design and nurture spaces of knowledge creation and communication for a human-centric world. Search engines need to act as publishers instead of usurpers, and recognize the importance of connecting creators and audiences. Google is testing AI-generated content summaries that appear directly in its search results, encouraging users to stay on its page rather than to visit the source. Long term, this will be destructive.

Internet platforms need to recognize that creative human communities are highly valuable resources to cultivate, not merely sources of exploitable raw material for LLMs. Ways to nurture them include supporting (and paying) human moderators and enforcing copyrights that protect, for a reasonable time, creative content from being devoured by AIs.

Finally, AI developers need to recognize that maintaining the web is in their self-interest. LLMs make generating tremendous quantities of text trivially easy. We’ve already noticed a huge increase in online pollution: garbage content featuring AI-generated pages of regurgitated word salad, with just enough semblance of coherence to mislead and waste readers’ time. There has also been a disturbing rise in AI-generated misinformation. Not only is this annoying for human readers; it is self-destructive as LLM training data. Protecting the web, and nourishing human creativity and knowledge production, is essential for both human and artificial minds.