Franklin Faraday Insights Roundup for April 3, 2021
Technology + Common Sense + AI Pranks, Hackers, Volcanoes, and Mafia YouTube
Welcome to Our Weekly Roundup of Actionable and Interesting Things!
It’s cherry blossom season in Washington, D.C.
Kids are getting a spring break (from… um… not actually going to school); politicians are busy with intrigue; and government agencies are trying to hit their mid-year spending targets (with no shortage of companies trying to capture those dollars!).
But no break for us, as we work putting the finishing touches on some very interesting original content. Subscribe so you don’t miss it!
In this issue:
— AI pranks
— Amazon snark
— North Korea wants to be your LinkedIn friend (if you are a cyber expert)
— Volcanoes and airplanes don’t mix
— Dire straits (not Mark Knopfler)
— “It’s hard to draw lessons from your own failures”
— A mafioso in the kitchen
— Insider chaos
— Wifi is watching you
— Robot magicians!
You’re missing a lot more great stuff if you aren’t following us on Twitter @FranklinFaraday!

Help us out! Share the Franklin Faraday Insights Newsletter with a friend!
AI

Janelle Shane (@JanelleCShane) asked some AI systems to come up with April Fool’s Day pranks… and did they ever!
Some were pretty good:
Create a secret language that only you and your cat can understand.
Repaint your nails in an unusual color like ORANGE, and just leave them like that.
Sawing your mattress in half in order to see if it's still good.
Some were shockingly clever:
Install a fake microwave on the wall that you never use.
Some seem like they didn’t quite translate from a foreign language:
Take out your credit cards and plunk them down randomly in different parts of your house. If a funny looking cat appears on the bill, you will be laughing out loud before you've even opened a door!
Then there was April Fool’s Day, every day:
Make Your Own Coffee
Of course, the robot revolution starts with AI inflicting physical and mental damage on humans:
Pour a cup of coffee on your lap. It's an oldie, but it's still a favorite.
Talk to yourself. OK, this one might not seem like a prank, but I assure you, it is. Just wait until the third day of April when your friends hear that you are still talking to yourself!
Finally, she also asked the AIs to come up with pranks for when robots have taken over, such as this:
Intentionally mislabeling the trash receptacles in a superintelligent machine-run city. The trash containers were labeled with signs that looked exactly like the signs used to indicate the presence of humans.
If you like this, check out all the rest on her hilarious AI Weirdness Substack and new book called “You Look Like a Thing and I Love You.”
Bad Strategy

Amazon shocked a lot of people this week with its snarky and hostile tone towards several politicians using the official Amazon News (@amazonnews) account on Twitter.


In fact, an Amazon security engineer even reported the tweets as suspicious activity, thinking the Twitter account had been hacked.
“Over the past two days, there have been two threads by @amazonnews in response to comments made by US Government officials that have received considerable attention,” the ticket reads. “The tweets in question do not match the usual content posted by this account.”
The security engineer noted that the tweets were posted using Twitter’s web app rather than Sprinklr, the social media management software typically used by the Amazon News account to post tweets.
The tweets, according to the security engineer, “are unnecessarily antagonistic (risking Amazon’s brand) and may be a result of unauthorized access.”
Apparently Jeff Bezos told executives that they needed to push back harder against critics… so they did. Gotta be careful what you say when you are in charge…
We liked Jason Aten’s (@jasonaten) comments on the fiasco that were published in Inc.
It's actually a powerful lesson for every leader--don't pick fights where, even if you don't lose, the other person wins anyway. Especially since you're likely to help their case in the process. If it is a battle worth fighting, instead of condescension and snark, try a little humility and humor.
Cybersecurity

Google’s Threat Analysis Group announced that a North Korean government-backed entity set up a fake security company called “SecuriElite” — complete with fake social media profiles posing as security researchers on Twitter and LinkedIn.
SecuriElite claimed to be a Turkish company offering penetration testing, security assessments, and software exploits.
In January, Google reported on this same group targeting security researchers with a research blog and multiple Twitter profiles. The North Koreans would ask to collaborate with security researchers, then deliver malware that would infect the researchers’ computers.
Interestingly, the SecuriElite website had a link to the company’s PGP public key. Google noted that the same threat actors previously used a PGP key as a trap to lure visitors to a site with a browser exploit.
Dangerous Machines

Guatemala City La Aurora International Airport had to suspend operations in late March after the wind changed directions and covered it in volcanic ash. The airport is about 30 miles north of two recently active volcanoes. You can see a very, very sad picture of a Gulfstream G-II here.
The combination of volcanic ash and airplanes is even worse than it sounds. There have been two incidents—BA 9 in 1982 and KLM 867 in 1989—of Boeing 747s inadvertently flying through ash clouds and losing all four engines.
In both cases the engines restarted after the planes descended 24,000 and 14,000 feet, respectively.
Here’s part of the cockpit audio transcript from KLM 867’s encounter:
Pilot KLM B-747: “KLM 867 heavy is reaching (flight) level 250 heading 140”
Anchorage Center: “Okay, do you have good sight on the ash plume at this time?”
Pilot KLM B-747: “Yea, it's just cloudy it could be ashes. It's just a little browner than the normal cloud.”
Pilot KLM B-747: “We have to go left now . . . it's smoky in the cockpit at the moment sir.”
Anchorage Center: “KLM 867 heavy, roger, left at your discretion.”
Pilot KLM B-747: “Climbing to (flight) level 390, we're in a black cloud, heading 130.”
Pilot KLM B-747: “KLM 867 we have flame out all engines and we are descending now!”
Anchorage Center: “KLM 867 heavy anchorage?”
Pilot KLM B-747: “KLM 867 heavy we are descending now . . . we are in a fall!”
Pilot KLM B-747: “KLM 867 we need all the assistance you have sir. Give us radar vectors please!”
Captain Terry McVenes, Executive Air Safety Chairman, Air Line Pilots Association, International, spoke about the incident before a Congressional Committee in 2006:
To classify this encounter as one presenting grave danger for those 240 passengers and that crew is an understatement! All four engines of this aircraft failed within 59 seconds! A false cargo compartment fire warning indication required special attention by the crew. All normal airspeed indications failed! The avionics compartments containing all of the radio, radar, electronic systems monitoring, and communications systems, all overheated and individual systems failed. The sophisticated electronic cockpit displays became an electronic nightmare. While ash was contaminating the engines and causing them to flame out, it was also contaminating electrical compartments and shorting electronic circuit boards. This four engine jumbo jet was essentially a glider for several minutes until the crew was able to individually restart engines. Three of the engines eventually restarted but delivered reduced performance. The fourth engine eventually came on line when the aircraft was on final approach to Anchorage. Although the crew landed safely, the encounter caused $80 million dollars [worth of] damage to the airplane. Under only slightly different circumstances, 240 plus fatalities and a total hull loss could have been the result.
Dire Straits

Our favorite article on the Suez situation was written by David Fickling (@davidfickling) and Anjani Trivedi (@anjani_trivedi) at Bloomberg Opinion. They nicely highlighted the historical and geopolitical context of controlling key waterways:
The flow of goods by sea accounts for 70% of total international trade, and the chokepoints in that network have inspired both international conflict and commerce for millennia. The Greco-Persian wars of the 5th century BC were fought, at least in part, over control of the trade routes for Black Sea grain that kept Greece’s city-states alive. The coasts of India’s Kerala and Tamil Nadu states have been hubs of the world economy since antiquity, because of their role as transit points for the monsoon trade routes that brought Chinese silk to ancient Rome and African timber to the Persian Gulf.
Fickling and Trivedi point out that China imports 3/4 of its oil and 4/5 of its iron ore…
That makes [China] peculiarly vulnerable to maritime blockades. The geography of east Asia means that the straits of Malacca and Singapore, plus the quasi-straits that run through the navigable stretches of the South China Sea and those separating Taiwan from the Philippines, Japan’s Okinawa islands and the Chinese mainland, are all highly vulnerable to interdictions in the event of conflict.
Much of China’s foreign policy over the past decade [such as the Belt and Road initiative] makes more sense as a way of overcoming those vulnerabilities...
Even the nationalistic pressure over Taiwan has an economic element in the background: as much as half of China’s shipping is coastal transport between domestic ports up and down the coast, much of it in the waters separating Taiwan from its Kinmen island, which is about 6 kilometers (about 4 miles) off the mainland city of Xiamen.
By the way, you obviously knew that the Ever Given was a tight fit in the Suez, but it’s also so big it barely fits through the Strait of Malacca, where the draft of a ship cannot exceed 82 feet (25 meters). Thus there are ships referred to as Malaccamax, Panamax, and—of course—Suezmax, terms that refer to the largest ships capable of navigating these waterways.
Entrepreneurship
David Heinemeier Hansson (@dhh) (of Basecamp) posted an outstanding essay titled “It’s hard to draw lessons from your own failures.”
The genesis for the essay was awkward: an entrepreneur/investor named Andrew Wilkinson (@awilkinson) posted a Twitter thread about how he had lost $10 million “doing something stupid” in starting the “To do list” company Flow. Wilkinson claimed Flow was inspired by Basecamp’s model…
Except it wasn't. Wilkinson was inspired by our funding model – bootstrapped from consulting – but didn't follow any of the principles that go with that model…
The key takeaway, however, is this:
It's so easy to fall in love with one of those infinite alternate universes where you just did that one thing differently and everything worked out. Like "if only we had raised venture capital, we would have made it". No, sorry, you probably wouldn't have.
#FAIL

An alleged member of the Italian 'Ndrangheta mafia was arrested this week because prosecutors recognized him giving Italian cooking lessons on YouTube.
(Marc Feren Claude Biart did hide his face, but he forgot about his tattoos.)
There’s really not much more to say: this happened because of course it did.
The ‘Ndrangheta inspires great fear, but Calabrian cooking is pure joy. So, the real question is: were the recipes any good?
Insider Threat

Examples of insider threats continue to pile up. In late March a U.S. Federal Court sentenced an Indian citizen, Deepanshu Kher, to two years in prison for deleting 1,200 of 1,500 Microsoft accounts at a California company. From the DOJ press release:
The attack affected the bulk of the company’s employees and completely shut down the company for two days… Employees’ accounts were deleted – they could not access their email, their contacts lists, their meeting calendars, their documents, corporate directories, video and audio conferences, and Virtual Teams environment necessary for them to perform their jobs. Outside the company, customers, vendors and consumers were unable to reach company employees (and the employees were unable to reach them). No one could inform these buyers what was going on or when the company would be operational again…
The Carlsbad Company repeatedly handled multitudes of IT problems for three months. The Vice President of IT closed by saying, “[i]n my 30-plus years as an IT professional, I have never been a part of a more difficult and trying work situation.”
What’s interesting about this one—at least from the information that’s been made public—is that the company knew there was a problem with Kher almost immediately, and they still could not prevent the incident. Kher was employed by a consulting firm to help with a Microsoft Office migration. The victim company quickly notified the consulting company that they were not happy with Kher, and the consulting company pulled him from the contract and fired him a few months later. Kher returned to India, and then hacked into the company’s servers two months after that.
It’s unclear what Kher actually did to regain access—he could have installed malware before leaving, he could have used a remote attack based on his insider knowledge, or he could have simply retained access because his accounts were not properly removed. This last scenario is apparently what happened to Cisco. In December 2020, one of their former engineers was also sentenced to two years in prison for accessing Cisco’s cloud infrastructure on AWS and deleting 456 virtual machines, resulting in the loss of 16,000 WebEx accounts.
Of course, some insiders just choose to go big versus cause damage on the way out. In November 2020, former Microsoft software engineer and Ukrainian citizen Volodymyr Kvashuk got 9 years in prison for stealing $10 million in “currency stored value” (e.g. gift cards), using other employees’ email accounts to cover his tracks.
In February 2020, KVASHUK was convicted by a jury of five counts of wire fraud, six counts of money laundering, two counts of aggravated identity theft, two counts of filing false tax returns, and one count each of mail fraud, access device fraud, and access to a protected computer in furtherance of fraud. At his sentencing hearing, U.S. District Judge James L. Robart said KVASHUK “didn’t have any respect for the law.”
It appears all three individuals were in the U.S. on H-1B visas. Therefore—fairly or not—expect that these types of incidents will increase insider threat scrutiny on foreign IT workers in the U.S.
Networks (Are Watching You)
In 2013 engineers at MIT were able to use changes in WiFi signals to detect motion behind walls, and in 2015 they extended this work to recognize people with high accuracy.
Unfortunately, what started as a science project is now on track to be part of the IEEE 802.11bf standard in September 2024, according to The Register, citing this paper by Northeastern University Professor Francesco Restuccia.
The impact that IEEE 802.11bf will have on our society at large cannot be overstated. When 802.11bf will be finalized and introduced as an IEEE standard in September 2024, Wi-Fi will cease to be a communication-only standard and will legitimately become a full-fledged sensing paradigm. This standardization effort, coupled with the numerous SENS systems currently being developed at the research stage, will create the “perfect storm” for the introduction into the market of groundbreaking applications that we cannot even imagine today.
What are those applications? Glad you asked…
More formally, the [IEEE 802.11bf Task Group] defines Wi-Fi Sensing (SENS) as the usage of received Wi-Fi signals from a Wireless Station (STA) to detect features (i.e., range, velocity, angular, motion, presence or proximity, gesture, etc) of intended targets (i.e., object, human, animal, etc) in a given environment (i.e., house, office, room, vehicle, enterprise, etc).
If you aren’t worried yet, Restuccia lays it out for you:
While creating a plethora of life-improving benefits for ordinary citizens, the IEEE 802.11bf standard will enable Wi-Fi devices to regularly perform SENS operations in highly-populated indoor environments. As a consequence, the pervasiveness of SENS into our everyday lives will necessarily elicit security and privacy (S&P) concerns by the end users. Indeed, it has been shown that SENS-based classifiers can infer privacy-critical information such as keyboard typing, gesture recognition and activity tracking. Given the broadcast nature of the wireless channel, a malicious eavesdropper could easily “listen” to [Channel State Information] reports and track the user’s activity without authorization. Worse yet, since Wi-Fi signals can penetrate hard objects and can be used without the presence of light, end-users may not even realize they are being tracked.
Restuccia notes that privacy issues need to be addressed, including an “opt out” mechanism, but we believe this is realistically impossible. First, it is difficult to opt out from something you don’t know exists. Second, given how these systems work, the opt-out mechanism may require people to highlight themselves in some way and actively tell systems “do not track;” yet this opt out mechanism itself may result in more precise tracking and highlighting people who want privacy.
Privacy

Professor Douglas Leith at Trinity College Dublin measured the amount of data that Android and iOS phones send to Google and Apple — and it’s shocking. The headline number was that Google collected 20X more data than Apple, but both companies dispute Leith’s findings, even though Leith notified the companies of his findings and claims he tried to work with them prior to publication.
Leith reported:
— In the first 10 minutes of startup, a Pixel (Android) phone sent 1 MB of data to Google, while an iPhone sent Apple about 42 KB.
— When idle, the Pixel phone sent 1 MB of data to Google every 12 hours compared to the iPhone sending 52 KB to Apple.
— Both phones connected to their back end servers every 4.5 minutes on average, even when the phones were not being used.
Speaking to Dan Goodin (@dangoodin001) at Ars Technica, Google said Leith’s findings were off by an order of magnitude, and, essentially, this is how smartphones work. Google offered an analogy to how “modern cars” work, which should make consumers even more concerned about their Google phones AND their cars!
This brings to mind a quote from our good friend, repeat entrepreneur and venture capitalist Stephen Forte (@worksonmypc): “The numbers are wrong, but the direction is probably right…”
Random
Check out this robot magician performing coin magic…
Shameless Plug

You’ve read this far — please subscribe below if you have not done so already, and share this newsletter with a friend!
We had to copy this from last week because our lawyer is in the hospital. He broke his nose chasing a parked ambulance.
All linked content is the property of the respective author(s). Commentary and non-linked content is Copyright © 2021 Franklin Faraday Group LLC.