Down to Chinatown with the IT Privacy and Security Weekly Update for the week ending April 18th., 2023



Daml’ers,


This update starts with the fortune cookie found in the back seat of what might just be the world’s top-selling car. Both have a surprise in store.

Fortune Cookie Lucky Day
–click on a fortune cookie to hear this as a podcast–

From there, we have a touching story of how the NYPD is re-adopting a dog called “Spot”.

We get an update on an ingenious bit of tomfoolery for Windows users with a new Chrome update and another reason why, if you need your transactions to be private, they shouldn’t be on a public blockchain.

There is some disturbing news from a “reliable source” related to social media and a new free tool from AWS that might kneecap a pay-to-play product from Microsoft.

Let’s get down, down to Chinatown to start this week’s adventure!


US: A.I. In Your Fortune Cookies

One of the many joys of eating Chinese food in the United States is breaking open a perfectly crispy, slightly sweet cookie and reading the clever message printed on the tiny slip of paper inside.

Fortune cookies did not originate in China—the tradition likely evolved from wafers eaten in ancient Japan, but, despite this mismatch, they’ve become a beloved accompaniment to meals from Chinese restaurants in America.

For decades, the companies that produce fortune cookies have leaned on human writers to come up with the witty sayings, insightful phrases, and mysterious messages that appear inside each cookie.

But for even the most creative humans, coming up with fortunes is not an easy feat—writers may spend hours trying to craft the perfect text.

Since manufacturers around the world churn out roughly three billion fortune cookies each year, the demand is high for unique, inventive fortunes.

Now, some fortune cookie makers are turning to technology to make this process a little easier. New York-based OpenFortune, which produces and distributes branded fortune cookies to more than 47,000 restaurants, recently began using ChatGPT to come up with its phrases.

“Based on our many months of testing and fine-tuning Chat GPT prompts, we see a future of an effectively unlimited variation of fortunes."

So what’s the upshot for you? Kevin Chan, a co-owner of San Francisco’s Golden Gate Fortune Cookie Factory, tells the Wall Street Journal:

“Fortune cookies are a form of meditation… and people today need to meditate.
We are humans. Computers are just computers.”

Stay tuned for our quote of the week…


US: FBI warns of cybercriminals posing as PRC to target Chinese communities

https://www.ic3.gov/Media/Y2023/PSA230410

Cybercriminals posing as members of China’s government are targeting Chinese nationals based in the United States, according to a new advisory from the FBI.

The law enforcement agency said the scammers are posing as law enforcement officers or prosecutors from the People’s Republic of China (PRC) in an effort to defraud people.

“Criminals tell victims they are suspects in financial crimes and threaten them with arrest or violence if they do not pay the criminals.

Criminals exploit widely publicized efforts by the People’s Republic of China government to harass and facilitate the repatriation of individuals living in the United States to build plausibility for their fraud,” the FBI said in a public service announcement.

“Criminals typically call victims, sometimes using spoofed numbers to appear as if the call is from the Chinese Ministry of Public Security, one of its localized Public Security Bureaus, or a US-based Chinese Consulate,” the alert said.

“Criminals may also communicate through online applications.”

In some cases, the FBI has found that criminals may show victims fake documents like warrants to prove their accusations or may use previously acquired information to legitimize their scams.

The FBI urged people to be wary of anyone accusing them of a crime in another country and noted that phone numbers can be spoofed to look like they’re coming from official offices.

Fortune Cookie Excuses
–click on the fortune cookie to hear this as a podcast–

So what’s the upshot for you? This is getting hard to keep track of. The PRC creates a fake police station in Chinatown New York to harass people with family in China and then more people pile in to compound the misery.


US: The NYPD Is Bringing Back Its Robot Dog

https://www.theverge.com/2023/4/11/23679297/nypd-robot-dog-spot-surveillance-boston-dynamics

The New York Police Department is reenlisting Digidog, the four-legged robot that the city faced backlash for deploying a few years back, as reported earlier by The New York Times.

NYC Mayor Eric Adams announced the news during a press event on Tuesday, stating that the use of Digidog in the city can “save lives.”

Digidog – also known as Spot – is a remote-controlled robot made by the Hyundai-owned Boston Dynamics.

It’s designed to work in situations that may pose a threat to humans, helping to do things like perform inspections in dangerous areas and monitor construction sites.

However, Boston Dynamics also touts its use as a public safety tool, which the NYPD has tried in the past.

City officials say that the NYPD will acquire two robot dogs for a total of $750,000, according to the NYT, and that they will only be used during life-threatening situations, such as bomb threats.

“I believe that technology is here; we cannot be afraid of it,” Mayor Adams said during Tuesday’s press conference. "A few loud people were opposed to it, and we took a step back — that is not how I operate.

I operate on looking at what’s best for the city."

So what’s the upshot for you? The Surveillance Technology Oversight Project (STOP), a group that advocates against the use of local and state-level surveillance, has denounced Mayor Adams’ move.

“The NYPD is turning bad science fiction into terrible policing,” Albert Cahn, STOP’s executive director, says in a statement. "New York deserves real safety, not a knockoff robocop.

Wasting public dollars to invade New Yorkers’ privacy is a dangerous police stunt."


FR: France Eyeing Antitrust Action Against Apple

The French Competition Authority is likely to move forward soon with an antitrust investigation into Apple over complaints tied to 2021 changes to its app tracking policies, Axios reported, citing sources.

A formal investigation would mark the first major government move taken globally against Apple related to privacy rule changes that upended the digital advertising world.

French regulators are favoring issuing a formal “Statement of Objections” to parties involved in the matter in the coming weeks.

That step would signal to groups that issued initial complaints about Apple’s actions and Apple that the authority found evidence of illegal anticompetitive behavior in its initial review of the complaints it received.

The 2020 complaint argues that Apple’s app tracking changes did not adequately adhere to European Union privacy rules and that Apple failed to hold itself to the same ad targeting standards that it forced on its competitors because it targeted iOS users with ads from app tracking data.

Four French advertising trade groups filed the complaint jointly: IAB France, Mobile Marketing Association (MMA), SRI, and UDECAM.

So what’s the upshot for you? Do unto others Apple, as you would have the EU do unto you.


IL: NSO Hacked iPhones Without User Clicks in 3 New Ways, Researchers Say

Israeli spyware maker NSO Group deployed at least three new “zero-click” hacks against iPhones last year, finding ways to penetrate some of Apple’s latest software, researchers at Citizen Lab have discovered.

The attacks struck phones with iOS 15 and early versions of iOS 16 operating software, Citizen Lab said in a report Tuesday.

The lab, based at the University of Toronto, shared its results with Apple, which has now fixed the flaws that NSO had been exploiting.

It’s the latest sign of NSO’s ongoing efforts to create spyware that penetrates iPhones without users taking any actions that allow it in.

Citizen Lab has detected multiple NSO hacking methods in past years while examining the phones of likely targets, including human rights workers and journalists.

While it is unsettling to civil rights groups that NSO was able to come up with multiple new means of attack, it did not surprise them.

“It is their core business,” said Bill Marczak, a senior researcher at Citizen Lab.

“Despite Apple notifying targets, and the Commerce Department putting NSO on a blacklist, and the Israeli ministry cracking down on export licenses – which are all good steps and raising costs – NSO for the moment is absorbing those costs,” Marczak said.

Given the financial and legal fights NSO is involved in, Marczak said it was an open question of how long NSO could keep finding or buying new exploits that are effective.

So what’s the upshot for you? It’s odd to show concern about a hacking group’s business model.

Frankly, we hope they float out of business, sooner, rather than later.


UK: WhatsApp, Signal, and Encrypted Messaging Apps Unite Against UK’s Online Safety Bill

They are concerned that the bill could undermine end-to-end encryption - which means the message can only be read on the sender and the recipient’s app and nowhere else.

Ministers want the regulator to be able to ask the platforms to monitor users, to root out child abuse images.

The government says it is possible to have both privacy and child safety. “We support strong encryption,” a government official said, "but this cannot come at the cost of public safety.

"Tech companies have a moral duty to ensure they are not blinding themselves and law enforcement to the unprecedented levels of child sexual abuse on their platforms.

“The Online Safety Bill in no way represents a ban on end-to-end encryption, nor will it require services to weaken encryption.”

End-to-end encryption (E2EE) provides the most robust level of security because nobody other than the sender and intended recipient can read the message information.

Even the operator of the app cannot unscramble messages as they pass across systems - they can be decrypted only by the people in the chat.

“Weakening encryption, undermining privacy, and introducing the mass surveillance of people’s private communications is not the way forward,” an open letter warns.

So what’s the upshot for you? Why is this important to you? Any means to create a backdoor to access encrypted messages means that someone will use it, and if one uses it many will, and then what is the point of encrypted communication?


Global: Compromised Sites Use Fake Chrome Update Warnings to Spread Malware

Bleeping Computer warned this week about compromised websites “that display fake Google Chrome automatic update errors that distribute malware to unaware visitors.”

The campaign has been underway since November 2022, and according to NTT’s security analyst Rintaro Koike, it shifted up a gear after February 2023, expanding its targeting scope to cover users who speak Japanese, Korean, and Spanish.

BleepingComputer has found numerous sites hacked in this malware distribution campaign, including adult sites, blogs, news sites, and online stores…

If a targeted visitor browses the site, the scripts will display a fake Google Chrome error screen stating that an automatic update that is required to continue browsing the site failed to install.

“An error occurred in Chrome’s automatic update. Please install the update package manually later, or wait for the next automatic update,”

reads the fake Chrome error message.

The scripts will then automatically download a ZIP file called ‘release.zip’ that is disguised as a Chrome update the user should install.

However, this ZIP file contains a Monero miner that will utilize the device’s CPU resources to mine cryptocurrency for the threat actors.

Upon launch on Windows, the malware copies itself to C:\Program Files\Google\Chrome as “updater.exe” and then launches a legitimate executable to perform process injection and run straight from memory.

According to VirusTotal, the malware uses the “BYOVD” (bring your own vulnerable driver) technique to exploit a vulnerability in the legitimate WinRing0x64.sys to gain SYSTEM privileges on the device.

The miner persists by adding scheduled tasks and performing Registry modifications while excluding itself from Windows Defender.

Additionally, it stops Windows Update and disrupts the communication of security products with their servers by modifying the IP addresses of the latter in the HOSTS file.

This hinders updates and threat detection and may even disable an AV altogether.

So what’s the upshot for you? Set Chrome to auto-update and don’t take the bait.


US: The US Cracked a $3.4 Billion Crypto Heist - and Bitcoin’s Anonymity

U.S. authorities are making arrests and seizing funds with the help of new tools to identify criminals through cryptocurrency transactions.

James Zhong appeared to have pulled off the perfect crime.

In December 2012, he stumbled upon a software bug while withdrawing money from his account on Silk Road, an online marketplace used to hide criminal dealings behind the seemingly bulletproof anonymity of blockchain transactions and the dark web.

Mr. Zhong, a 22-year-old University of Georgia computer-science student at the time, used the site to buy drugs.

“I accidentally double-clicked the withdraw button and was shocked to discover that it resulted in allowing me to withdraw double the amount of Bitcoin I had deposited,” he later said in federal court.

After the first fraudulent withdrawal, Mr. Zhong created new accounts and with a few hours of work stole 50,000 bitcoins worth around $600,000, court papers from federal prosecutors show.

Federal officials closed Silk Road a year later on criminal grounds and seized computers that held its transaction records.

The records didn’t reveal Mr. Zhong’s caper at first.

Authorities hadn’t yet mastered tracking people and groups hidden behind blockchain wallet addresses, the series of letters and numbers used to anonymously send and receive cryptocurrency.

One elemental feature of the system was the privacy it gave users.

Mr. Zhong moved the stolen bitcoins from one account to another for eight years to cover his tracks.

By late 2021, the red-hot crypto market had raised the value of his trove to $3.4 billion.

In November 2021, federal agents surprised Mr. Zhong with a search warrant and found the digital keys to his crypto fortune hidden in a basement floor safe and a popcorn tin in the bathroom.

Mr. Zhong, who pleaded guilty to wire fraud, is scheduled to be sentenced Friday in New York federal court, where prosecutors are seeking a prison sentence of less than two years.

Mr. Zhong’s case is one of the highest-profile examples of how federal authorities have pierced the veil of blockchain transactions.

Private and government investigators can now identify wallet addresses associated with terrorists, drug traffickers, money launderers, and cybercriminals, all of which were supposed to be anonymous.

Law-enforcement agencies, working with cryptocurrency exchanges and blockchain analytics companies, have compiled data gleaned from earlier investigations, including the Silk Road case, to map the flow of cryptocurrency transactions across criminal networks worldwide.

So what’s the upshot for you? In the past two years, the U.S. has seized more than $10 billion worth of digital currency through successful prosecutions, according to the Internal Revenue Service – in essence, by following the money.

Instead of subpoenas to banks or other financial institutions, investigators can look to the blockchain for an instant snapshot of the money trail.

And Mr. Zhong can use his upcoming quiet time to explore the benefits of private blockchain by learning Daml.
https://docs.daml.com/daml-finance/index.html


Global: Undercutting Microsoft, Amazon Offers Free Access to Its AI Coding Assistant ‘CodeWhisperer’

Amazon is making its AI-powered coding assistant CodeWhisperer free for individual developers, “undercutting the $10 per month pricing of its Microsoft-made rival.”

Amazon launched CodeWhisperer as a preview last year, which developers can use within various integrated development environments (IDEs), like Visual Studio Code, to generate lines of code based on a text-based prompt…

CodeWhisperer automatically filters out any code suggestions that are potentially biased or unfair and flags any code that’s similar to open-source training data.

It also comes with security scanning features that can identify vulnerabilities within a developer’s code, while providing suggestions to help close any security gaps it uncovers.

CodeWhisperer now supports several languages, including Python, Java, JavaScript, TypeScript, and C#, including Go, Rust, PHP, Ruby, Kotlin, C, C++, Shell scripting, SQL, and Scala.

Here’s how Amazon’s senior developer advocate pitched the usefulness of their “real-time AI coding companion”:

Helping to keep developers in their flow is increasingly important as, facing increasing time pressure to get their work done, developers are often forced to break that flow to turn to an internet search, sites such as StackOverflow, or their colleagues for help in completing tasks.

CodeWhisperer meets developers where they are most productive, providing recommendations in real time as they write code or comments in their IDE.

During the preview, we ran a productivity challenge, and participants who used CodeWhisperer were 27% more likely to complete tasks successfully and did so an average of 57% faster than those who didn’t use CodeWhisperer…

It provides additional data for suggestions — for example, the repository URL and license — when code similar to training data is generated, helping lower the risk of using the code and enabling developers to reuse it with confidence.

So what’s the upshot for you? That’s what we need in this space: A price war! Microsoft, surely you cannot let AWS undercut you! Your turn!


Global: DuckDuckGo’s Building AI-Generated Answers Into Its Search Engine

https://www.theverge.com/2023/3/8/23629095/duckduckgo-ai-answers-browser-app-extension-search

DuckAssist’s beta is live on the search engine right now – but only through DuckDuckGo’s mobile apps and browser extensions.

Gabriel Weinberg, the founder and CEO of DuckDuckGo, says the company will add it to the web-based search engine if the trial “goes well.”

When you enter a question that DuckAssist can help with, you’ll see a box that says “I can check to see if Wikipedia has relevant info on this topic, just ask” at the very top of your search results.

Hit the blue “Ask” button, and you’ll get an AI-generated answer using summarized information from Wikipedia.

If DuckAssist has already answered a question once before, that response will automatically appear, which means you won’t have to “ask” it the same thing multiple times.

While the tool’s built upon language models from OpenAI, the company that makes ChatGPT, and the Google-backed Anthropic, Weinberg says it’ll retain the same focus on privacy as DuckDuckGo.

According to the announcement, DuckAssist won’t share any personally identifiable information with OpenAI and Anthropic, and neither company will use your anonymous questions to train their models.

DuckDuckGo says the feature uses the “most recent full Wikipedia download available,” which is around a few weeks old, so it might not be able to help if you’re searching for something later than that.

However, the company plans to update this in the future, as well as add more sources for DuckAssist to draw from.

So what’s the upshot for you? Even the duck is getting AI’d.


US: Elon Musk claims the US government had ‘full access’ to private Twitter DMs

Twitter CEO Elon Musk claimed in an interview that the U.S. government has “full access” to users’ private direct messages, saying knowing that information blew his mind.

In an excerpt of his Fox News interview with host Tucker Carlson, Musk told Carlson that he was shocked to find out about the government’s ability to read users’ direct messages on his platform.

“The degree to which government agencies effectively had full access to everything that was going on on Twitter blew my mind,” Musk, who recently founded an artificial intelligence company called X.AI, told Carlson in the interview set to air on Tuesday. “I was not aware of that.”

“Would that include people’s DMs?” Carlson asked Musk.

“Yes,” Musk replied to Carlson.

So what’s the upshot for you? We think it’s safest to assume the same access to all social media platforms.


Global: Car Story

With Tesla’s earnings coming tomorrow, we expect the automaker to give an update on that goal.

Early numbers for Q1 2023 indicate that the Tesla Model Y is on track to be the best-selling car this year.

Data coming from China indicates that the Model Y took the top spot in China in the first quarter – beating the BYD Song Plus, a PHEV, and VW and Nissan’s best-selling ICE cars.

Considering China is the biggest auto market in the world, it bodes well for Tesla.

Furthermore, in the US, the world’s second-biggest auto market, early registration data shows that Model Y is leading for passenger cars, ahead of the Toyota RAV4 and Nissan Rogue – though the final data is not in yet.

Data coming from Europe also shows Tesla’s electric SUV leading in several markets, thanks to the ramp-up to 5,000 units per week at Gigafactory Berlin.

Across the four factories that produce the Tesla Model Y, the automaker is expected to achieve approximately 1.5 million units in annual production capacity.

Between that production capacity, the price cuts to the Model Y earlier this year, and the performance in Q1, it looks like Tesla is on track to have the best-selling passenger car in the world.

So what’s the upshot for you? Who would have guessed at this point in history that the best-selling car in the world in 2023 would be one of Elon’s Teslas?


Fortune Cookie Bla Bla
–click on the fortune cookie to hear this as a podcast–

This week’s quote comes to us via a fortune cookie: “A harmonious melody will soon drift into your world, guiding you to dance with destiny.”


That’s it for this week. Stay safe, stay secure, follow your fortunes, and see you in se7en.