AWS gave Parler a chance, won't say if it talked to NSO before axing spyware biz's backend systems Amnesty International's allegations this week that NSO Group's spyware products have been widely abused have rightly sparked a debate about the ethics of digital surveillance. Amazon Web Services' contribution to that debate, to date, is the following brief statement: "When we learned of this activity, we acted quickly to shut …
Errr except AWS now. Did you even read the article? Azure or GCP werent mentioned either.
And how do you expect them to assess their clients morals proactively?
Do you really want AWS pro-actively blocking usage ala Apples App Store if it doesn't comply to their self selected prudery?
So apart from everything you say being wrong I agree with you.
Additionally, I'm not quite sure what a conversation could have produced for this. With Parler it was a chance to get them to change what they're doing so that they were no longer breaking the TOS. Something they could have done but didn't want to.
With NSO, there's not much left if they remove the malware!
It seems like AWS was saying that their content moderation team was not up to the task to handle violent content review and removal. Parler was using the legal definition of incitement for enforcement. What's really interesting about this was that Facebook and Twitter were actually much more largely used to coordinate the riot on Jan 6.
What the move from AWS actually did was make it close to impossible for new platforms to compete, as content moderation is a beast that still has not been tamed by Facebook and Twitter after billions of dollars as well as years of market dominance.
What's also interesting is that AWS is holding their customers to a higher standard than they themselves are held to under Section 230. AWS would not be the juggernaut it is if they were held responsible for the amount of copyrighted material being illegally hosted on their platform.
Gab is doing just fine.
The reason its doing fine is that it doesn't rely on Big Tech. Parler tried go up against the cartel, while using the cartel's services.
AWS provided an excuse for its actions, not a reason. I'm not even sure Section 230 would apply to databases and content moderation as practised by the big tech cartel has practically nothing to do with illegal content.
Also, Parler could have enacted safeguards to ensure that they stayed within the bounds of the T&Cs, so they were given a chance to clean up their act, before being dumped.
NSO's raison d'être is to push malware out to unsuspecting Internet users. That is illegal is most jurisdictions (misuse of computer acts around the world), at least without a warrant, and I very much suspect the French justice system didn't give the Moroccans, for example, a warrant to tap Macron's phone.
So, yes, criminal liability.
Parler's content didn't even break AWS' ToS. The allegation was that they may not be able to comply in the future.
Parler failed to learn the lessons of Gab and died because of it.
Those lessons are generally applicable:
- Don't rely on the services of those who hate you.
- If you don't own the infrastructure of your business, it can be taken from you.
- "Cloud" is not a commodity, it is proprietary, and it isn't yours.
Amnesty do do good work, but it is sadly quite rare for many/most campaigning organisations to have a good understanding of tech and privacy issues (look how many of them fail to consider the impact on their own members' privacy, especially where sensitive issues are involved, merrily using the likes of MailChimp, Google and numerous other third parties). So it is quite refreshing to see Amnesty (or techies employed by them) doing some pretty in-depth research on this issue.
Maybe it time for an international law to say if you discover a software vulnerability you a legally obliged to report it to the software developers, and this includes those discovered by government agencies such as NSA, GCHQ who are just as guilty as NSO of using them for their own devices and not reporting them.
Pretty sure that it is a violation of international law to poison one of your citizens in another country, causing collateral damage and a big panic as a side effect. Also illegal to enter another country for a drive by shooting of one of their nuclear scientists. Also illegal to engage in "drone strikes" in another country.
Who is enforcing those laws against Russia, Israel and the US? If you can't enforce laws against acts like that, what hope do you have to enforce laws against discovering an exploit and keeping it to yourself?
I've never thought that relying on AWS was good enough for things that are truly mission critical.
What's interesting is why a company peddling stuff like this actually chose to use AWS, rather than hosting their own servers. Surely they'd prioritise their own security over ease of use?
What's interesting is why a company peddling stuff like this actually chose to use AWS, rather than hosting their own servers. Surely they'd prioritise their own security over ease of use?
Possibly scale. Ease of deployment. No incriminating (assuming illegal in their jurisdiction) hardware/data on premises. Hiding in plain sight among all other stuff that lives in AWS.
Add "being difficult to blacklist on an IP basis" to that list. If NSO hosted their own content, it's be a simple matter of looking up their public IP allocation(s) and blacklisting it at a border firewall. Doing that with AWS will break lots and lots and LOTS of stuff, some of it even useful.
I see the same thing with spammers frequently- they'll hijack or compromise someone using O328 and send out phishing or spam mail, and I can't block the entirety of Azure and the hosted MS ip blocks because that would block legitimate traffic as well.
Define mission critical in this case. If you mean grey/black hat stuff needs to spread between clouds I agree with you. OR if you mean borderline illegal content I agree with you.
If you mean run of the mill corporate business I don't in this context - which is Vendor takedowns. If you mean for true-cost-no-object resiliencey I agree but that's besides the point of this article.
Possibly because of the anonymity. If they are pushing from their own, Israeli based IP address, it might look a bit fishy and is easy to trace.
Just another anonymous AWS/Google Cloud/Azure IP address going through your firewall? Easy to overlook and harder to block.
I think if I was ever paranoid enough to think that I am bugged, I will do the following :
1) Primary phone will have mobile data disabled.
2) All data transfers from primary phone will go thru a mobile wifi hotspot
3) Hotspot will record all connections made by phone
4) Either hotspot will flag suspicious links / data transfers or someone(me?) has to check often to see where my phone is connecting to.
5) Check phone bills to make sure no mobile data is transfered at any time.
This assumes the telco is not involved in spying on me.
This also assumes my hotspot device is not hacked.
At the very least it makes it easy to change different hotspot devices transparently, so will make it harder for someone to hack the mobile hotspot and I will have full logs of all connections made by my phone. Even if my phone is hacked, it will not be possible to manipulate / erase logs since it will be in another device.
/Posted it wrongly in the neutron star article, my bad. :(
1. My bugging software will silently re-enable mobile data
2. It will especially log all transfers to wifi hotspots
3. Hotspot hardware is already hacked not to report it's connection to my control data centre
4. See 3. What suspicious link?
5. You get itemised data usage bills? And if you did, fairly easy to loose a few MB in the JPEG of a funny GIF you forwarded....
I would avoid phones which have apps. As such avoiding popular phone platforms.
If I need social media on the move I would use their websites in my phones browser.
Icon, mine is the on with a phone in the pocket with Linux installed on it (The phone not the jacket).
... avoid phones which have apps.
... avoiding popular phone platforms.
Quite so.
Been doing that for ages.
But been branded from backwards to idiot, etc. by many.
Because, you know, all those social media apps and assorted things are so convenient.
And yes, they're also free.
O.
Honestly, if I could find a featurephone with a physical QWERTY keyboard...
I miss my Symbian slider. I mean, I still have it, but the battery dies in a matter of hours and it has some dead pixels on the screen, so I'm concerned that even if I replaced the battery it wouldn't live much longer. And of course no updates for S60 and exploits only get better over time.
But I did use it for a couple of months a couple years back when Yet Another Fucking Smartphone died, and, man, just that keyboard alone made it so much nicer than all these button-less smartphones.
The telco doesn't need to actively participate in spying on you. It was known 20 years ago that Mossad tracked and traced Palestinians of interest and had them assassinated on foreign soil. They infiltrated telcos via legitimate Israeli software to do it. I do not doubt other secret services are doing the same, their advantage is that unlike Israel it's often less obvious who is behind something as their goals are less polarised.
You may also find that someone installed an independently operating modem periodically sending snapshots (replacing battery with a smaller model is a convenient way to make space inside a modern phone), so your steps may not be sufficient.
Use your primary phone for ordinary non-secure messaging, browsing, non-secure phone calls.
Get another phone, install nothing on it except that one messaging app. Never browse or use anything on it but that one app. Use wifi only, or if absolutely necessary a data only SIM (~$10 a month)
Get yet another phone, install nothing on it except that one internet phone app. Never browse or use anything on it but that one app. Use wifi only, or if absolutely necessary possibly a data only SIM (~$10 a month)
Shut all the phones down when you don't want your location data tracked.
The above is possible and affordable for a non-techie. It's far from perfect - e.g., the messaging app itself might be hacked.
I think people forgot the part where I said IF I was paranoid.
I am currently a nobody and probably of no unusual interest for any government organisations.
Figure it's unlikely I am being targetted for specific spyware.
*/adjusts the tin foil hat to seat more snaggly*/
It's kind of funny, because usually the accusation of 'whataboutism' comes from those plebs who surprisingly exactly share the elite establishment view.
But, really, I don't quite understand the allegations here. Spyware in general is pretty uncool. Free speech in general is pretty cool. Sure, the details may count, and one can either think that Parler support 'the wrong people' or 'free speech', and that spyware can fight against terrorism and criminality.
But in the end, it's apples and pears.
Just last month I contact AWS abuse department about a malicious script being hosted on CloudFront that fingerprints user's devices and if an Android device is detected the script shows a fake media player or fake CAPTCHA to trick users into accepting push notifications.
The push notifications popup fake virus warnings to trick users into installing questionable apps on Google's Play store.
The script also uses the fake player and fake CAPTCHA to trick users into downloading a malicious Android app disquised as an ad block app that installs apps from third party app stores on the victims device.
MD5 sum of AdBlock.apk 6f1fd359a382348b3307ed9d64eeebaa
Here is a link to URL scan of one of the malicious scripts still hosted on CloudFront:
https://urlscan.io/responses/4977ca31d4113ba7bf0249fa9868f3739345f50811cc6fd9816ef2c2bebd2088/
If you search further into URL scan you can see screenshots of the script hosting the fake AdBlock.apk:
https://urlscan.io/screenshots/d6816f60-70ba-43b1-b7f6-ecd4ce66d1cb.png
Here was AWS abuse team final email on the malicious script(s) hosted on CloudFront:
"Hello,
We understand your concern regarding the continued availability of the content you have reported. As noted previously, AWS customers are responsible for their activity on AWS.
As a courtesy we notified our customer of your request to have the content removed or access disabled, however, at this time we are not able to take additional action. We strongly encourage you to continue to work with our customer directly to address the concerns that you may have."
AWS reps told me to "continue to work with our customer directly" even after I told them several times that their "customer" doesn't respond to my repeated attempts to contact them.
(I guess it takes huge media attention before AWS takes any action and I understand now why NSO chose AWS to host their malware.)
Disgusted.
So, there's an easy reason for different treatment here.
NSO was running spyware and running the spyware backend in AWS. There's no question that's against TOS, it's not a grey area, and there's nothing to discuss. It doesn't matter if they're running it as a business or service, they can do that with their own systems if they want.
Parler is (or was) a disgusting hive of villainy and infamy. BUT, the US has the 1st ammendment, freedom of speech does apply (at least AWS would get bad PR for immeidately terminating accounts due to speech even though they are allowed to). So AWS gave them a chance to straighten up, then closed their services when they didn't.
They need to be treated the same way as a foreign Raytheon or any other such company. From what anecdotal evidence I have, I'm betting that AWS doesn't have processes in place for handling such things. Oh well.
Of course, technology is moving a lot faster than the law, and it's pretty clear that they are turning a rather blind eye to just what their customers are doing with the arms they are receiving. Given who they are and what they are doing, I would be disappointed if this "Shocked, shocked!" moment by Amazon had a noticeable effect on their operations for fifteen minutes. It's entirely possible that it had none at all.
Honestly, it's a bit disappointing that Amazon was even able to identify which accounts they are using. Oh well. Lessons learned, and all that. I expect that there will be a Swiss LLC (or equivalent) created before the end of this week that just happens to handle traffic that has rather... similar characteristics to what was previously attributed to the NSO.
1. Buy a mobile which is not a smart phone (say a 3G feature phone).
2. Go to a convenience store and buy a pay-as-you-go SIM for cash (say Lebara)
3. Go to a different convenience store and buy lots of minutes for cash.
4. Register the SIM and the minutes in a public place, a place not usually associated with the rest of your life.
5. Have the phone switched off most of the time.
6. Only switch the phone on in a public place, and only for long enough to make calls or respond to text or voicemail.
7. Persuade people close to you to follow steps #1 through #7.
*
This process (pretty much) guarantees that ANYONE snooping on your phone traffic has NO IDEA about your identity.
*
Of course, if your social network includes individuals who are not very careful, then your mileage will vary. But of course, you can always start again at item #1.....!!!!!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
