Start Up No.1567: the FBI’s huge app sting, Facebook’s flawed “Discover” app, machine learning’s medical problem, and more

The arrival of Uber drove down the value of a “medallion” to drive a New York cab by about 75% – but now Uber is raising its ride prices towards those of cabs. CC-licensed photo by joiseyshowaa on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 9 links for you. Unencrypted. I’m @charlesarthur on Twitter. Observations and links welcome.

Trojan shield: how the FBI secretly ran a phone network for criminals • Vice

Joseph Cox:


In 2018, the FBI arrested Vincent Ramos, the CEO of Phantom Secure, which provided custom, privacy-focused devices to organized criminals. In the wake of that arrest, a confidential human source (CHS) who previously sold phones on behalf of Phantom and another firm called Sky Global, was developing their own encrypted communications product. This CHS then “offered this next generation device, named ‘Anom,’ to the FBI to use in ongoing and new investigations,” the court document reads. While criminals left Phantom, they flocked to other offerings. One of those was Anom; the FBI started what it called Operation Trojan Shield, in which it effectively operated a communications network targeted to criminals and intercepted messages running across it.

The FBI, AFP, and CHS built the Anom system in such a way that a master key silently attached itself to every message sent through the app, enabling “law enforcement to decrypt and store the message as it is transmitted,” the document reads.

“A user of Anom is unaware of this capability,” it adds.

But first the FBI and their source needed to establish Anom as an option in the criminal underworld. As Motherboard showed in a years-long investigation, using sources around Phantom as well as FBI files, Phantom was particularly popular in Australia. The CHS introduced Anom to his already trusted distributors of mobile devices, who were in turn trusted by criminal organizations, the document reads. Three people in Australia who had previously distributed Phantom, “seeing a huge payday,” agreed to then sell these Anom devices, the document adds. With this, “the FBI aimed to grow the use of Anom organically through these networks,” it reads.

Earlier on Monday before obtaining the court record, Motherboard reviewed Anom’s social media presence. The company’s Reddit account first announced the existence of the company two years ago, according to a since deleted but cached Reddit post that Motherboard found.

“Introducing Anom—a Ultra-Secure Mobile-Cell-Phone Messaging App for Android,” the announcement read. “Your Confidentiality, Assured. Software hardened against targeted surveillance and intrusion—Anom Secure. Keep Secrets Safe!”


They were certainly safe, but not with the people that perhaps the criminals would have wanted them to be.
unique link to this extract

Massive internet outage hits websites including Amazon, and Guardian • The Guardian

Alex Hern:


As well as bringing down some websites entirely, the failure also broke specific sections of other services, such as the servers for Twitter that host the social network’s emojis.

The failure was not geographically universal. Users in some locations, such as Berlin, reported no problems, while others experienced massive failures across the internet. Outages were reported in locations as varied as London, Texas and New Zealand.

Within minutes of the outage starting, Fastly, a cloud computing services provider, acknowledged that its content distribution network was the cause of the problem. The company runs an “edge cloud”, which is designed to speed up loading times for websites, protect them from denial-of-service attacks, and help them deal with bursts of traffic.

The technology requires Fastly to sit between most of its clients and their users. That means that if the service suffers a catastrophic failure, it can prevent those companies from operating on the net at all.

In an error message posted at 10.58 UK time, Fastly said: “We’re currently investigating potential impact to performance with our CDN services.” It was not until 11.57 UK time, almost an hour later, that Fastly declared the incident over. “The issue has been identified and a fix has been applied. Customers may experience increased origin load as global services return,” the company said in a status update.


Before yesterday, hardly anyone had heard of Fastly. After yesterday, the company fervently hopes that will once more be the case, and that Tuesday was just a blip.
unique link to this extract

How Facebook Discover replicated many of Free Basics’ mistakes • Rest of World

Meaghan Tobin:


[Facebook’s connectivity app] Discover lets users scroll through a text-only version of any website for free, up to a certain daily data cap set by their mobile provider. But unlike Free Basics, Discover supposedly allows people to view the entire internet, instead of only a handful of preselected resources. Users don’t need a Facebook account to get started, and the company said it doesn’t collect user data for advertising.

The research was conducted in July and August last year by scholars at the University of California, Irvine and the University of the Philippines, and focused specifically on how Discover functions in the Philippines — a country with high levels of internet usage and where Facebook is already enormously popular. Facebook told Rest of World that Discover has now replaced Free Basics there entirely. 

To save data, Discover routes all traffic through a proxy server, which strips features like video and audio streaming, as well as some images. It essentially gives users free access to a pared-down version of any website. But the researchers found that when they accessed Facebook through Discover, it wasn’t redacted at all — and just 4% of images were removed from Instagram, compared with more than 65% of images on other popular sites like YouTube and e-commerce platform Shopee. In other words, the study found that Discover rendered Facebook’s own services far more functional than those of its own competitors. 


This was set out in a research paper that was just published. Discover is just the same as Free Basics: it makes it harder for people to find out the truth by checking reliable sites, but intensifies the experience of using Facebook.

Free Basics was a big cause of problems in the Philippines and Brazil. (It’s in my book!) India’s decision to ban it there was probably one of the wisest moves it could have made.
unique link to this extract

Farewell, millennial lifestyle subsidy • The New York Times

Kevin Roose:


“Today my Uber ride from Midtown to JFK cost me as much as my flight from JFK to SFO,” Sunny Madra, a vice president at Ford’s venture incubator, recently tweeted, along with a screenshot of a receipt that showed he had spent nearly $250 on a ride to the airport.

“Airbnb got too much dip on they chip,” another Twitter user complained. “No one is gonna continue to pay $500 to stay in an apartment for two days when they can pay $300 for a hotel stay that has a pool, room service, free breakfast & cleaning everyday. Like get real lol.”

Some of these companies have been tightening their belts for years. But the pandemic seems to have emptied what was left of the bargain bin. The average Uber and Lyft ride costs 40% more than it did a year ago, according to Rakuten Intelligence, and food delivery apps like DoorDash and Grubhub have been steadily increasing their fees over the past year. The average daily rate of an Airbnb rental increased 35% in the first quarter of 2021, compared with the same quarter the year before, according to the company’s financial filings.

Part of what’s happening is that as demand for these services soars, companies that once had to compete for customers are now dealing with an overabundance of them. Uber and Lyft have been struggling with a driver shortage, and Airbnb rates reflect surging demand for summer getaways and a shortage of available listings.


The days of huge subsidies through venture capitalists are over, my friends. Nice while it lasted, right? Apart from the New York taxi drivers who saw their medallions (the badges that allowed them to drive) reduced in value from a million dollars to a quarter of that.
unique link to this extract

Machine learning is booming in medicine. It’s also facing a credibility crisis • Stat News

Casey Ross:


Machine learning, a subset of AI driving billions of dollars of investment in the field of medicine, is facing a credibility crisis. An ever-growing list of papers rely on limited or low-quality data, fail to specify their training approach and statistical methods, and don’t test whether they will work for people of different races, genders, ages, and geographies.

These shortcomings arise from an array of systematic challenges in machine learning research. Intense competition results in tighter publishing deadlines, and heavily cited preprint articles may not always undergo rigorous peer review. In some cases, as was the situation with Covid-19 models, the demand for speedy solutions may also limit the rigor of the experiments.

By far the biggest problem — and the trickiest to solve — points to machine learning’s Catch-22: There are few large, diverse data sets to train and validate a new tool on, and many of those that do exist are kept confidential for legal or business reasons. But that means that outside researchers have no data to turn to in order to test a paper’s claims or compare it to similar work, a key step in vetting any scientific research.

The failure to test AI models on data from different sources — a process known as external validation — is common in studies published on preprint servers and in leading medical journals. It often results in an algorithm that looks highly accurate in a study, but fails to perform at the same level when exposed to the variables of the real world, such as different types of patients or imaging scans obtained with different devices.

“If the performance results are not reproduced in clinical care to the standard that was used during [a study], then we risk approving algorithms that we can’t trust,” said Matthew McDermott, a researcher at the Massachusetts Institute of Technology who co-authored a recent paper on these problems. “They may actually end up worsening patient care.”


unique link to this extract

Exclusive: Apple’s Craig Federighi on WWDC’s new privacy features • Fast Company

Michael Grothaus:


I asked Federighi if he feels that Apple must pick up the ball because governments haven’t enacted laws that would guarantee privacy. “I’d certainly like to believe that we’re doing good and play a constructive role here, for sure,” he says. “[But] I do think Apple has a set of different tools, naturally, than governments have. We have certain technology skills and a certain access to an end-to-end technology platform where we can innovate.”

Federighi explains that governments are often reactive when it comes to technology–and there’s no way for them to get around that. At least on the consumer front, companies do most of the innovating. They’re also the ones who find new ways to exploit data. So governments can put rules around technologies or processes only after they’ve become a problem. Those rules often lag far behind the speed of such innovations. That’s why even if governments were more proactive, it would still fall on companies such as Apple to develop new privacy-enhancing technologies.

That being said, Federighi believes that “there’s absolutely a role where government can look at what companies like Apple are doing and say, ‘You know, that thing is such a universal good–such an important recognition of customer rights–and Apple has proven it’s possible. So maybe it should be something that becomes a more of a requirement.’ But that may tend to lag [Apple’s privacy] innovation and creation of some new thing that they can evaluate and decide to make essentially the law.”


The new iCloud Private Relay is essentially Tor, but without the dark web, offering a dual-hop structure so that none of the nodes on the network can see where traffic is coming from or going to – the “Tor exit node problem”. It’s going to be part of “Apple+”, yet another paid-for add-on to the Services group.
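The dual-hop split described above can be shown in a few dozen lines. The following is an added illustration, not Apple’s code: the real service uses QUIC, per-hop TLS and blinded access tokens, whereas here each relay has a pre-shared key (an assumption) and “encryption” is a toy hash-based stream cipher with an HMAC tag. What it demonstrates is what each hop can observe: the ingress relay sees the client address and the next hop but cannot open the inner layer, and the egress relay sees the destination but only the ingress relay as its peer.

```python
"""Toy two-hop relay with layered encryption (added example; not Apple's code).

Assumptions: the client shares one symmetric key with each relay, and the
relays are operated independently. The cipher below is a demonstration
construction, not something to deploy.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (toy cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    body = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails closed."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, body)


def can_open(key: bytes, blob: bytes) -> bool:
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


def client_wrap(ingress_key: bytes, egress_key: bytes, destination: str, payload: bytes) -> bytes:
    """Inner layer (for egress) carries the destination; outer layer (for ingress) names the next hop."""
    inner = seal(egress_key, destination.encode() + b"\n" + payload)
    return seal(ingress_key, b"egress-relay\n" + inner)


def ingress_relay(ingress_key: bytes, client_ip: str, outer: bytes):
    """First hop: learns who is talking and where to forward, nothing about the destination."""
    next_hop, inner = unseal(ingress_key, outer).split(b"\n", 1)
    view = {
        "source": client_ip,
        "next_hop": next_hop.decode(),
        "destination": None,                       # not present in anything it can read
        "inner_readable": can_open(ingress_key, inner),  # False: wrong key for the inner layer
    }
    return view, inner


def egress_relay(egress_key: bytes, previous_hop: str, inner: bytes):
    """Second hop: learns the destination, but its only peer is the ingress relay."""
    destination, payload = unseal(egress_key, inner).split(b"\n", 1)
    view = {"source": previous_hop, "destination": destination.decode()}
    return view, payload


def run_relay(client_ip: str, destination: str, payload: bytes) -> dict:
    """Drive one request through both hops and return each hop's view plus the delivered bytes."""
    ingress_key, egress_key = os.urandom(32), os.urandom(32)
    outer = client_wrap(ingress_key, egress_key, destination, payload)
    ingress_view, inner = ingress_relay(ingress_key, client_ip, outer)
    egress_view, delivered = egress_relay(egress_key, "ingress-relay", inner)
    return {"ingress": ingress_view, "egress": egress_view, "delivered": delivered}


if __name__ == "__main__":
    # Constructed sample: a documentation-range client address and a placeholder destination.
    result = run_relay("203.0.113.7", "example.org", b"GET / HTTP/1.1")
    for hop in ("ingress", "egress"):
        print(hop, result[hop])
```

The property the example shows is only as strong as the separation between the two operators: a single party holding both keys (or both relays’ logs) could join the two views back together, which is why the design depends on the hops being run independently rather than on the cipher alone.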
unique link to this extract

How the superforecasters do it • The Commoncog Blog

Cedric Chin:


The general question that we’re trying to answer here, the one that’s sort of hanging out in the background over everything is: ‘is this nature or nurture?’ And [superforecasting progenitor Philip] Tetlock believes that it’s both. Superforecasters have higher-than-average fluid intelligence. They score higher on tests of open-mindedness. They possess an above-average level of tested general knowledge. But all three of the GJP’s [Good Judgement Project, a competition to find superforecasters] interventions have resulted in sustained performance improvements: over time, the correlation between intelligence and forecasting results dropped (which Tetlock took to mean that continued practice was having an effect, even on average forecasters).

…Superforecasters perform so well because they think in a very particular way. This method of thinking is learnable. I’ll admit that exposure to this style of thinking has had an unforeseen side-effect in the years since I read Superforecasting: I find myself comparing the rigour of any analytical argument against the ideal examples presented by Tetlock and Gardner. As you’ll soon see, the superforecasters of the GJP set a high bar for analysis indeed.

Superforecasters break stated forecasting problems into smaller subproblems for investigation. The term that Tetlock uses is to ‘Fermi-ize’ a problem — aka ‘do a Fermi estimation’ — which is a fancy name for the method physicist Enrico Fermi used to make educated guesses.

The canonical example for ‘Fermi estimation’ is the question: “how many piano tuners are there in Chicago?” — a brainteaser Fermi reportedly enjoyed giving to his students.


unique link to this extract

US authorities seize the affiliate’s share of the DarkSide ransom paid by Colonial Pipeline • Elliptic

Dr. Tom Robinson:


DarkSide is an example of “Ransomware as a Service” (RaaS). In this operating model, the malware is created by the ransomware developer, while the ransomware affiliate is responsible for infecting the target computer system and negotiating the ransom payment with the victim organisation. This new business model has revolutionised ransomware, opening it up to those who do not have the technical capability to create malware, but are willing and able to infiltrate a target organisation.

Any ransom payment made by a victim is then split between the affiliate and the developer. In the case of the Colonial Pipeline ransom payment, 85% (63.75 BTC) went to the affiliate and 15% went to the DarkSide developer.

It appears to be the majority of the affiliate’s share of this ransom – 63.7 BTC – that has been seized by US authorities today. Using blockchain analysis we can trace the affiliate’s share of the Colonial ransom transaction (previously identified by Elliptic) to the Bitcoin address bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq – the same address mentioned in the seizure affidavit.

This address was emptied at around 1.40pm (Eastern Time) today – presumably by US authorities. (There was also the movement of an additional 5.9 BTC not mentioned in the affidavit).


The more that emerges about this, the more questions there are. Why hit the affiliate and not Darkside? (If you had Darkside’s private key, wouldn’t that give you more leverage over Darkside?) Should we suspect that Darkside somehow handed over the affiliate’s private key to the wallet because it created such a level of threat? Most of all, how did the FBI get hold of the private key? That question is going to mildly obsess me until we get a good answer.
unique link to this extract

How to negotiate with ransomware hackers • The New Yorker

Rachel Monroe:


Last November, Fowler was the designated negotiator for the construction-engineering firm. When he logged on to the dark-Web site, he noticed that the timer showed that three days had already elapsed in the negotiations. In the chat box, a conversation was in progress. “It was shocking for me,” Fowler said. “This is a whole negotiation—poorly done, but a whole negotiation—that I’m looking at.”

Whoever had been chatting on behalf of the engineering firm was confrontational and aggressive. When the hackers demanded two hundred thousand dollars to unlock the company’s files, the negotiator initially counteroffered ten thousand dollars, and then quickly went up to fourteen thousand, then twenty-five thousand. “What that communicates to the threat actor is: there’s more money here,” Fowler said. The hackers grew frustrated. “You have reported an annual income of $4 million,” they wrote. “We are not expect small money from you.” The final message in the chat had arrived from the hackers two days earlier: “Are you ready to close with a cost of 65k?”

Fowler and Minder tried to piece together what had happened. The clients insisted that they had never gone to the dark-Web site, much less interacted with the hacker. Then Fowler reminded Minder about a recent post on REvil’s blog, warning about fraudulent middlemen who said that they could decrypt files; instead, the middlemen would secretly negotiate with the hackers before offering the decrypted files at a markup. At the time, it had amused Minder that a cybercrime syndicate was issuing a warning about scammers. But now the clients acknowledged that they had reached out to MonsterCloud, a Florida company that advertises itself as “the world’s leading experts in Cyber Terrorism & Ransomware Recovery.” MonsterCloud’s Web site encouraged victims to use its ransomware-removal services instead of paying a ransom. That pitch likely appealed to the heads of the engineering firm, who were “very, very patriotic,” Minder told me. “It didn’t surprise me at all that they’d rather pay a software company in Florida” than send a ransom to a foreign criminal syndicate.

Minder soon learned that, shortly after the REvil hacker demanded sixty-five thousand dollars, a MonsterCloud representative told the engineering firm that it could recover the files for a hundred and forty-five thousand dollars. (MonsterCloud declined to comment.)


So ransomware has created not just affiliates for the ransomware companies, but companies that negotiate with the ransomware people, and companies that try to skim off companies hit by ransomware companies.
unique link to this extract

Preorder Social Warming, my forthcoming book.

Errata, corrigenda and ai no corrida: none notified
