Start Up: Russia’s US election hacks, negotiating bots, hacking Windows 10S, GoFundMe fraud, and more

“What’s that? You want me to fund solar startups in the US?” Photo by Ann Althouse on Flickr.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 13 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.

Obama’s secret struggle to retaliate against Putin’s election interference • Washington Post

Greg Miller, Ellen Nakashima and Adam Entous:


Over that five-month interval [from August 2016], the Obama administration secretly debated dozens of options for deterring or punishing Russia, including cyberattacks on Russian infrastructure, the release of CIA-gathered material that might embarrass Putin and sanctions that officials said could “crater” the Russian economy.

But in the end, in late December, Obama approved a modest package combining measures that had been drawn up to punish Russia for other issues — expulsions of 35 diplomats and the closure of two Russian compounds — with economic sanctions so narrowly targeted that even those who helped design them describe their impact as largely symbolic.

Obama also approved a previously undisclosed covert measure that authorized planting cyber weapons in Russia’s infrastructure, the digital equivalent of bombs that could be detonated if the United States found itself in an escalating exchange with Moscow. The project, which Obama approved in a covert-action finding, was still in its planning stages when Obama left office. It would be up to President Trump to decide whether to use the capability.

In political terms, Russia’s interference was the crime of the century, an unprecedented and largely successful destabilizing attack on American democracy. It was a case that took almost no time to solve, traced to the Kremlin through cyber-forensics and intelligence on Putin’s involvement. And yet, because of the divergent ways Obama and Trump have handled the matter, Moscow appears unlikely to face proportionate consequences.


This is one of those stories where they couldn’t get it right whatever. The damage had been done by the time the incursion was discovered. So is the “covert measure” misdirection, or real?
link to this extract

Russian hacking on election more widespread than reported •

Massimo Calabresi:


The hacking of state and local election databases in 2016 was more extensive than previously reported, including at least one successful attempt to alter voter information, and the theft of thousands of voter records that contain private information like partial Social Security numbers, current and former officials tell TIME.

In one case, investigators found there had been a manipulation of voter data in a county database but the alterations were discovered and rectified, two sources familiar with the matter tell TIME. Investigators have not identified whether the hackers in that case were Russian agents.

The fact that private data was stolen from states is separately providing investigators a previously unreported line of inquiry in the probes into Russian attempts to influence the election. In Illinois, more than 90% of the nearly 90,000 records stolen by Russian state actors contained driver’s license numbers, and a quarter contained the last four digits of voters’ Social Security numbers, according to Ken Menzel, the General Counsel of the State Board of Elections.

Congressional investigators are probing whether any of this stolen private information made its way to the Trump campaign, two sources familiar with the investigations tell TIME.


link to this extract

Microsoft says ‘no known ransomware’ runs on Windows 10 S — so we tried to hack it • ZDNet

Zack Whittaker:


Windows 10 S presents a few hurdles. Not only is it limited to store-only apps, but it doesn’t allow the user to run anything that isn’t necessary. That means there’s no command prompt, no access to scripting tools, and no access to PowerShell, a powerful tool often used (and abused) by hackers. If a user tries to open a forbidden app, Windows promptly tells the user that it’s off-limits. Bottom line: If it’s not in the app store, it won’t run.

Cracking Windows 10 S was a tougher task than we expected.

But one common attack point exists. Hickey was able to exploit how Microsoft Word, available to download from the Windows app store, handles and processes macros. These typically small, script-based programs are designed to automate tasks, but they’re also commonly used by malware writers.


Smart idea for an article; clever use of a flaw that has existed since 1995 or so.
link to this extract

Prince was a secret patron of solar power • Bloomberg

Brian Eckhouse and Chris Martin:


Before his abrupt death a year ago, the pop musician Prince made an investment in green energy that’s now helping solar start-ups weather an assault from President Donald Trump. 

It started with a conversation in 2011 between Prince and his friend Van Jones, a CNN commentator and California human rights agitator and onetime green-jobs adviser to President Barack Obama.

“He asked, ‘If I have a quarter-million dollars, what can I do with it?’” Jones recalled in an interview. “My wife said he should put solar panels all over Oakland.”

That led to the creation of Powerhouse, a rare for-profit incubator dedicated to putting clean-tech entrepreneurs together with investors. The company has helped 43 start-ups get on their feet in an era when venture capital funding for renewables has plunged and Trump is working to slash funds for early-stage entities from the U.S. Department of Energy.


Alphabet Str.. Purple Ra.. umm.. Sign O’ The Times?
link to this extract

Facebook tried teaching bots art of negotiation – so the AI learned to lie • The Register

Katyanna Quach:


The bots can only spar with words they were taught. The training data was compiled from 5,808 human dialogues, containing about 1,000 words in total, all generated by real people grafting away for the Amazon Mechanical Turk service. The bots learn to imitate the ways people compromise so that they can try to predict what the other person will say in certain situations.

The team used a mixture of supervised learning for the prediction phase and reinforcement learning to help the bots pick which response they should reply with. If the software agents walk away from the negotiation or do not reach an agreement within 10 rounds of dialogue, both receive zero points, so it is to their benefit to broker a deal.

The most interesting tactic to emerge was the ability to lie. Sometimes bots feigned interest in objects they didn’t really want, and then pretended to give them up during the bargaining process.

“They learned to lie because they discovered a strategy that works, given the game reward. Maybe it occurred a few times in the training dataset. Humans don’t tend to be deceptive in Amazon Mechanical Turk, so it’s a rare strategy,” Bhatra said.

The hope is that the negotiation process learned here can be extended to other settings, such as using bots to book a meeting with someone or buying and selling products – all useful features for personal assistants.


link to this extract

The woman who spends her free time hunting down GoFundMe fraud • The Outline

Rollin Bishop:


In early 2015, a cat in Florida was hit by a car. His owner, thinking he had died, buried him in the backyard. Five days later, the cat — his name was Bart — rose from the dead and crawled back to the house. The story about the zombie cat spread far and wide, and someone quickly set up a page on the crowdfunding site GoFundMe to pay Bart’s mounting medical bills.

Except there were no bills to pay.

“The minute I heard this story, I was like, ‘Bull. Crap. There’s no way this actually happened,’” said Adrienne Gonzalez, a freelance finance reporter and the publisher behind GoFraudMe, a blog about GoFundMe scams that she started as a Facebook page after the Bart incident. According to Gonzalez’s reporting, Bart’s medical bills were being paid for by the Humane Society, and the cash from GoFundMe was being collected by a neighbor. Despite Gonzalez’s best efforts, GoFundMe did not take down the campaign. It ended up raising more than $6,000.

Since then, Gonzalez has written more than 400 posts about alleged GoFundMe misuse and fraud on her blog. There was the Alabama woman who allegedly faked terminal cancer, raising more than $25,000 through a campaign for medical bills started by a friend as well as raising a separate $10,000 for a campaign called “Mom has Terminal Cancer Disney Trip” in which she asked for money to take her son to Disney World before she died. That woman did not even make Gonzalez’s list of top ten cancer fakers.


Given the current direction of US healthcare reform and standard rates of evolution, in 200 years the average American will be able to write a convincing note 100 words long that cons you out of all your money and makes you feel good about it.
link to this extract

Virgin urges Super Hub 2 password change • Which? News

Andrew Laughlin:


A Which? investigation has found that Virgin Media’s Super Hub 2 router can be hacked in a matter of days if it’s left with the default password that’s printed on the router. In response to our research, Virgin is advising all Super Hub 2 users to change their password to improve their network security.

In our hacking investigation, we targeted a real home that used the Virgin Media Super Hub 2 router for its cable broadband. The user had remained on the relatively weak default password – only eight characters long, using just lowercase letters from an A-Z alphabet, with two letters removed.

Using publicly available hacking tools that can be found on the web, we were able to crack the router password in just a few days.


“Publicly available hacking tools” would be a brute-force algorithm to crack a hash, of course. There are about 864,000 of these still in use; the next version uses 12-character passwords. This story caused Virgin to put out a warning to people to change their router passwords.
link to this extract

‘Why is the Internet so slow?!’ • APNIC Blog

Ilker Nadi Bozkurt:


Latency is a critical determinant of the quality of experience for many Internet applications. Google and Bing report that a few hundred milliseconds of additional latency in delivering search results causes significant reduction in search volume, and hence, revenue. In online gaming, tens of milliseconds make a huge difference, thus driving gaming companies to build specialized networks targeted at reducing latency.

Present efforts at reducing latency, nevertheless, fall far short of the lower bound dictated by the speed of light in vacuum[1]. What if the Internet worked at the speed of light? Ignoring the technical challenges and cost of designing for that goal for the moment, let us briefly think about its implications.


Hmm, is it “sites would expand their page size dramatically on the basis that it would get to you really fast anyway”? The Google link is from 2009, though pretty notable nonetheless.
link to this extract

Google will stop reading your emails for Gmail ads • Bloomberg

Mark Bergen:


Google is stopping one of the most controversial advertising formats: ads inside Gmail that scan users’ email contents. The decision didn’t come from Google’s ad team, but from its cloud unit, which is angling to sign up more corporate customers.

Alphabet Inc.’s Google Cloud sells a package of office software, called G Suite, that competes with market leader Microsoft Corp. Paying Gmail users never received the email-scanning ads like the free version of the program, but some business customers were confused by the distinction and its privacy implications, said Diane Greene, Google’s senior vice president of cloud. “What we’re going to do is make it unambiguous,” she said.

Ads will continue to appear inside the free version of Gmail, as promoted messages. But instead of scanning a user’s email, the ads will now be targeted with other personal information Google already pulls from sources such as search and YouTube. Ads based on scanned email messages drew lawsuits and some of the most strident criticism the company faced in its early years, but offered marketers a much more targeted way to reach consumers. 

Greene’s ability to limit ads, Google’s lifeblood, shows her growing clout at the company.


This story was going so well until that sentence there. Greene hasn’t – as the previous paragraph shows – “limited” ads. Google has plenty of other personalised detail, like every website you’ve visited while its cookies were set on your browser, and (if you’re using Android) where you live and work. Hardly “clout”. More like an open goal. There’s no change to privacy here.
link to this extract

Is ISIS conceding defeat? • The New Yorker

Robin Wright:


The U.N. special envoy to Iraq, Ján Kubiš, said that the Islamic State’s decision to blow up the mosque [ in eastern Mosul which once marked the claimed capital of Islamic State’s caliphate] was “a clear sign” of the group’s imminent collapse. “This latest barbaric act of blowing up a historic Islamic site adds to the annals of Daesh’s crimes against Islamic, Iraqi and human civilization,” he said, in a statement, and added that it “shows their desperation and signals their end.”

The destruction of a historic mosque may mark the beginning of the end of the Islamic State. But then what? The looming issue is what the loss of its territory means for isis as a stateless movement. Its loyalists still number in the many thousands. And thousands who fought in Iraq and Syria have already returned home; its influence is now global. It is still capable of craven violence, from inspiring terrorist attacks in Britain to waging an insurgency in the Philippines. The scariest scenario is the prospect of someday feeling nostalgia for a period when most of isis was contained in one place.


The next few weeks and months will see mopping-up operations of escaping IS fighters leaving Mosul and Raqqa for the Iraq desert. If the progress of the military operations interests you, then follow Moon of Alabama, which has remarkably good intel about it all. (Thanks Jim C for the recommendation.)
link to this extract

Everything I hate about Justin Caldbeck’s statement • Medium

Brenden Mulligan is an entrepreneur and designer; he wrote this after the venture capitalist Justin Caldbeck confessed to “playing a role in perpetrating a gender-hostile environment”:


I’m very proud to work in the tech industry. I feel like at most times, we’re collectively moving in the right direction. We’re making people’s lives better. We’re supporting progressive issues.

Could we do more? Of course. But I don’t let that ruin my feelings that we’re doing some really amazing things and setting a good example for other industries to follow.

So when it comes out that rich, powerful, men in my industry are using their position to get away with sexually harassing women, it infuriates me.

An all-too-common scenario played out over the past few days. A group of women exposed a man in power for sexually harassing them. The man said he’s sorry and he’ll get help.

I was mad when I learned what had happened. I got much angrier when I read his statement.

It’s now 2am and I can’t sleep because I’m so angry, so I thought I’d dissect the statement. I apologize in advance for my language.


Mulligan tears Caldbeck’s weasel words apart far more effectively than anything else I’ve seen.
link to this extract

Moscow artist ‘arrested for wearing a virtual reality headset’ • Euronews


A woman has claimed she was arrested in Moscow for refusing to remove a virtual-reality (VR) headset.

Artist-activist Katrin Nenasheva was detained outside the walls of the Kremlin and taken to a psychiatric clinic.

Nenasheva wrote on Facebook that officers told her: “It’s strictly forbidden to be in virtual reality in a public place. Here it’s the real world.”

Nenasheva was performing part of an art project in which she walks through Moscow wearing a VR headset viewing photographs of Russian psychiatry clinics.

Journalist Mikhail Levin, who reported the arrest on Facebook, said the arrest was the first of its kind in Russia.

She was released after psychiatric doctors concluded she did not need to be hospitalised.


Soon to be a common occurrence?
link to this extract



President of the United States is a big job, so it’s a credit to Donald Trump that he still finds the time to reach out to ordinary Americans and block them on Twitter. But how many people has the president blocked, and who are they?


Devised by Kevin Poulsen, though it doesn’t actually tell you how many people have been blocked (at least, not yet). Perhaps in time. The problem is that it’s difficult to find out if someone has blocked someone else; Twitter’s API doesn’t generally include that information.
link to this extract

Errata, corrigenda and ai no corrida: none notified

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.