Hacker News: john_strinlai's comments

you are definitely correct that it is potentially a big deal because it breaks expectations around network segmentation and isolation.

however, most people will read "breaks wi-fi encryption" and assume that it means that someone can launch this attack while wardriving, which they can't.


>assume that it means that someone can launch this attack while wardriving, which they can't.

As a former wardriver (¡WEPlol!), it only makes this more difficult. In my US city every home/business has a fiber/copper switch, usually outside. A screwdriver and you're in.

Granted, this now becomes a physical attack (only for initial access) — but still viable.

----

>the next step is to put [AirSnitch] into historical context and assess how big a threat it poses in the real world. In some respects, it resembles the 2007 PTW attack ... that completely and immediately broke WEP, leaving Wi-Fi users everywhere with no means to protect themselves against nearby adversaries. For now, client isolation is similarly defeated—almost completely and overnight—with no immediate remedy available.

----

I think the article's main point is that so many places have similarly-such-unsecured plug-in points. Perhaps even a user was authorized for one WiFi network segment, and is already "in" — bless this digital mess!


You have a modem that you can attach to those switches? They’re completely unauthenticated?

Both, yes. Physical hardware isolation.

----

As a funny personal anecdote, my brother is a state judge. His most personal thoughts & correspondences are crafted upon typewriters (mine as well). He isn't officially allowed to just use any phone/computer/network. He is a "high value target" [0].

My personal attorney still doesn't use "the cloud" for client documents (which is respectable) — has local servers, mostly offline. No typewriter, though =P

----

I'm just an electrician.

[0] Does it bother anybody else that Pam Bondi has reports specifically of which documents each congressman reviewed (photographed by AP, during recent testimony)?


>No other reason than because we can!

great attitude for approximately everything except, perhaps, cryptography.

especially since the initial encryption is mostly redundant, i would encourage that you, at some point, consider reducing the number of ciphers.


the problem is that the emails aren't typically sent from the main domain.

in this example, the email came from buildrunanywhere.org, which is just a parked domain. the real domain is runanywhere.ai, which they aren't using for spam.

so, once buildrunanywhere.org has their reputation burned from reports, they will simply register buildrunanywheres.org and start spamming again.
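Added example (not part of the thread or any commenter's post): a small check that flags a sender domain as a likely rotated sibling of a domain already burned for spam, so the successor registration is caught on first sight rather than after its reputation is burned too. The brand token, the generic-prefix list, the threshold and the allowlist are assumptions for the demo; the domain names come from the comment above or are constructed.

```python
"""Lookalike sender-domain check (added example, not from the thread).

Idea: a spammer who rotates from buildrunanywhere.org to buildrunanywheres.org
keeps the brand token in the registrable label. Comparing that label, minus a
generic marketing prefix, against known brand tokens catches the rotation.
"""
import difflib

# Assumption: brand tokens harvested from earlier spam campaigns.
KNOWN_BRAND_TOKENS = ["runanywhere"]
# Assumption: prefixes spammers bolt onto a brand when the plain name is taken.
GENERIC_PREFIXES = ("build", "get", "try", "join", "hello", "the", "my")
# Assumption: the legitimate domain, which must not be flagged by its own brand.
KNOWN_GOOD = {"runanywhere.ai"}


def registrable_label(domain):
    """Second-level label, e.g. 'buildrunanywheres' for 'buildrunanywheres.org'.
    Assumes a single-label public suffix; use a public-suffix library for real data."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def strip_generic_prefix(label):
    """Drop one leading marketing prefix if what remains is still a meaningful token."""
    for prefix in GENERIC_PREFIXES:
        if label.startswith(prefix) and len(label) > len(prefix) + 3:
            return label[len(prefix):]
    return label


def lookalike_score(domain, brand_tokens=KNOWN_BRAND_TOKENS):
    """Best similarity ratio in [0, 1] between the domain's core label and a brand token.
    difflib's ratio is 2*M/T (M matched chars, T total chars), so one extra
    trailing 's' on an 11-char brand still scores above 0.95."""
    core = strip_generic_prefix(registrable_label(domain))
    return max(difflib.SequenceMatcher(None, core, token).ratio() for token in brand_tokens)


def is_rotated_spam_domain(domain, threshold=0.85):
    """True when the sender looks like a rotated variant of a burned brand domain."""
    if domain.lower() in KNOWN_GOOD:
        return False
    return lookalike_score(domain) >= threshold


# Constructed sender list: two from the comment above, two made up for contrast.
SENDERS = ["buildrunanywhere.org", "buildrunanywheres.org", "runanywhere.ai", "example-shop.com"]

if __name__ == "__main__":
    for sender in SENDERS:
        print(f"{sender:24s} score={lookalike_score(sender):.2f} "
              f"flag={is_rotated_spam_domain(sender)}")
```

The allowlist matters: the legitimate runanywhere.ai scores 1.0 against its own brand token, so without it the check would block the one domain the comment says is clean.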


These companies don't care about the reputation of their domains anymore at the moment they start to send spam. However, email senders (SendGrid, Mailgun etc.) care about the reputation of their IP addresses.

i am not sure of anywhere it is illegal.

but areas i am familiar with can consider a negative reference to be defamation, thus anyone providing a negative reference should only do so if they are able to defend it (i.e. prove their statement is substantially true, or prove that the statement was honestly believed to be true and published with no malice or reckless disregard).

seems risky, at least, to build a whole business around negative references that could potentially cross the line into defamation. but that type of thinking is probably why i am not rich.


There are many definitions of illegal (criminal, civil, regulatory, the much much looser “license to operate” as used in chemical industry, etc).

A blacklist seems dubious. I’d advise the founders to get counsel on their obligations under the FCRA, which they may be construed to be regulated by.

That said, I believe "Bad News" is an AI hallucination. The most similar company for which I can find historical news is "Peeple"[0], which was not funded by YC. YCombinator's only known association with a blacklist that I can find was a blacklist of VCs that were accused of harassing female founders[1].

0: https://archive.is/r9UQo

1: https://archive.is/17Ans


>There are many definitions of illegal (criminal, civil, regulatory, the much much looser “license to operate” as used in chemical industry, etc).

yes, but i am not sure why this matters here. i am not aware of negative references, in general, being illegal under any of those definitions of illegal.

no one would say regular speech is illegal just because it can be subject to a defamation lawsuit. same logic.

but i agree, if it is a real business, it seems exceptionally risky.


https://www.law.cornell.edu/uscode/text/15/1681d

It's more than just "subject to a defamation lawsuit" (including class action lawsuits). Although for me, even if it were "just that", I'd still call it "potentially illegal". Rather, they'd potentially face FTC penalties and CFPB enforcement actions under 15 U.S.C. section 1681d(a), (b).

This law would likely classify such a company as falling under laws pertaining to "investigative consumer reports" under FCRA. This is any report on someone's "character, general reputation, personal characteristics, and mode of living" used for the purposes of employment, loans, housing, etc.

> A consumer reporting agency shall not prepare or furnish an investigative consumer report on a consumer that contains information that is adverse to the interest of the consumer and that is obtained through a personal interview with a neighbor, friend, or associate of the consumer or with another person with whom the consumer is acquainted or who has knowledge of such item of information, unless—

> (A) the agency has followed reasonable procedures to obtain confirmation of the information, from an additional source that has independent and direct knowledge of the information; or

> (B) the person interviewed is the best possible source of the information.

They'd find themselves subject to legal penalties under:

FCRA Willful Noncompliance (15 U.S. Code § 1681n) (if they did not disclose their existence/use/content of reports to employment candidates)

FCRA Negligent Noncompliance (15 U.S. Code § 1681o) (if they made somewhat reasonable but insufficient efforts to comply with the FCRA)

or

Administrative Enforcement (15 U.S. Code § 1681s)

and be subject to fines up to $4,700 per violation plus actual damages, plus punitive damages, plus legal fees. State Attorneys General can also bring FCRA lawsuits on behalf of their constituents, not just the federal government. FTC / CFPB can name the founders individually in the lawsuits, not just their corporate entity, and ban[1][2] them from operating any similar businesses in the future.

That all said, to some extent, YCombinator partners are on the record[3] supporting the idea of their startups sometimes doing illegal things. Generally they'll frame this as challenging outdated regulations, but they acknowledge that the founders whose strategies they fully support sometimes come into office hours and discuss how they're worried that the strategy puts them at risk of going to jail.

0: https://www.law.cornell.edu/uscode/text/15/1681d

1: FTC v MyLife.com, Inc., and Jeffrey Tinsley (CEO): https://www.ftc.gov/news-events/news/press-releases/2021/12/...

2: https://www.ftc.gov/legal-library/browse/cases-proceedings/b...

3: https://www.youtube.com/watch?v=Hm-ZIiwiN1o&t=8m46s


ah, okay. so the hypothetical company may potentially be doing something illegal (the "investigative consumer report" part). good to know! that makes sense, and i was unaware of that.

i stand corrected in the hypothetical "bad reference aggregator company" scenario.

>YCombinator partners are on the record[3] supporting the idea of their startups sometimes doing illegal things.

interesting, thanks for surfacing that up! i wont pretend to be surprised, though.


To be defamation in the US they'd generally need to be false statements of fact.

"John is a bad person, and you shouldn't hire him" wouldn't be defamation.


It's definitely illegal in the UK.

i don't believe that it is illegal to provide a negative reference in the UK, as long as it is honest, factual, and provided in good faith.

from gov.uk:

>"If you think you’ve been given an unfair or misleading reference, you may be able to claim damages in court. Your previous employer must be able to back up the reference, such as by supplying examples of warning letters.

>You must be able to show that:

>- it’s misleading or inaccurate

>- you ‘suffered a loss’ – for example, the withdrawal of a job offer"

which means, if the reference is not misleading and not inaccurate, a negative reference is ok. other uk-based law firms (from a quick google) agree with this interpretation.


Providing a negative reference is totally different than gathering negative references and selling them. The former could be legal while the latter could be illegal.

for sure!

in my comment, i was speaking more generally than i should have, and that (obviously, in hindsight) caused some confusion between the specific case of the hypothetical company, and the general case of an employer providing a negative reference. my bad -- and it is too late to edit to provide clarification.


No problem, I wasn't very clear either! I remember someone I know looking into this in the early 2000s as part of a wider collective thing. It's long enough ago that I can't remember the details but it was definitely less about a poor reference and more about the individuals' being on a list somewhere without having even applied for a job. And come to think of it, it's probably even more illegal now because of GDPR.

the dog whistle tuning is absolutely over the top in its default setting.

Just turned it way down. I hope you find it better now!

Thanks, I agree. We dialed it way down.

true! more features is more risk.

but i don't think most people here are complaining because of security risk... otherwise they wouldn't be recommending things like notepad++, other obscure editors, or editors with way larger code bases.


stylometry is only one aspect of de-anonymization. what you describe is certainly a threat that we will have to deal with, but there is a lot more to credible impersonation than just being able to mimic a writing style.

it may become more trivial to llm your comments/blog/whatever into a different "voice", but there is so much that can be used for de-anonymization that the llm-assisted techniques don't address.

for example, you may change the content of your comments, but if you only ever comment on the same topic, the topic itself is a signal. when you post (both day and time), frequency of posts, topics of interest, usernames (e.g. themes or patterns), and much more.
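Added example (not part of the thread or any commenter's post): linking a pseudonymous account to its alt using only the metadata signals listed above, with no text involved. Each account gets a posting-hour histogram and a topic set; candidates are ranked by a weighted blend of histogram overlap and topic overlap. The posts, account names, weights and topic tags are constructed for the demo.

```python
"""Metadata-only account linkage (added example, not from the thread).

No comment text is used: only the hour of day each post was made and a topic
tag. Timing alone is a weak signal (many people post in the evening), topic
alone is weak too, but the two together separate the alt from the bystanders.
"""
import math
from collections import Counter

# Constructed sample: (account, hour_of_day_utc, topic_tag).
POSTS = [
    # "alice" posts late evening UTC about crypto, wifi and privacy
    ("alice", 22, "crypto"), ("alice", 23, "wifi"), ("alice", 22, "crypto"),
    ("alice", 21, "privacy"), ("alice", 23, "crypto"), ("alice", 0, "wifi"),
    # "throwaway_42" is alice's alt: same hours, same interests
    ("throwaway_42", 23, "crypto"), ("throwaway_42", 22, "wifi"),
    ("throwaway_42", 21, "crypto"), ("throwaway_42", 0, "privacy"),
    # "bob" posts mornings about rust and databases
    ("bob", 8, "rust"), ("bob", 9, "databases"), ("bob", 7, "rust"),
    ("bob", 9, "rust"), ("bob", 10, "databases"),
    # "carol" posts late evening too, but about cooking and travel
    ("carol", 22, "cooking"), ("carol", 23, "travel"), ("carol", 21, "cooking"),
    ("carol", 22, "travel"),
]


def hour_histogram(rows):
    """Normalised 24-bin posting-time histogram for one account's (hour, topic) rows."""
    counts = Counter(hour for hour, _ in rows)
    n = sum(counts.values())
    return [counts[h] / n for h in range(24)]


def topic_set(rows):
    return {topic for _, topic in rows}


def bhattacharyya(p, q):
    """Overlap of two probability histograms: 1.0 identical, 0.0 disjoint."""
    return sum(math.sqrt(a * b) for a, b in zip(p, q))


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def profile(posts):
    """account -> (hour histogram, topic set)."""
    by_account = {}
    for account, hour, topic in posts:
        by_account.setdefault(account, []).append((hour, topic))
    return {a: (hour_histogram(r), topic_set(r)) for a, r in by_account.items()}


def link_score(p1, p2, w_time=0.5, w_topic=0.5):
    """Blend of timing and topic similarity in [0, 1]; the weights are an assumption."""
    (h1, t1), (h2, t2) = p1, p2
    return w_time * bhattacharyya(h1, h2) + w_topic * jaccard(t1, t2)


def rank_candidates(posts, target):
    """Every other account, ranked by how likely it is the same person as target."""
    prof = profile(posts)
    scores = {a: link_score(prof[target], prof[a]) for a in prof if a != target}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for account, score in rank_candidates(POSTS, "alice"):
        print(f"{account:14s} {score:.3f}")
```

Note the middle of the ranking: carol shares alice's evening posting hours and scores around 0.45 on timing alone, which is why a single metadata signal is a lead rather than a match; it is the combination that isolates the alt.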


another big one: people looking for insurance, or looking to claim insurance

many people tend to overlook how little information is needed for successful de-anonymization.

i like to introduce students to de-anonymization with an old paper "Robust De-anonymization of Large Sparse Datasets" published in the ancient history of 2008 (https://www.cs.cornell.edu/~shmat/shmat_oak08netflix.pdf):

"We apply our de-anonymization methodology to the Netflix Prize dataset, which contains anonymous movie ratings of 500,000 subscribers of Netflix [...]. We demonstrate that an adversary who knows only a little bit about an individual subscriber can easily identify this subscriber’s record in the dataset."

and that was 20 years ago! de-anonymization techniques have improved by leaps and bounds since then, alongside the massive growth in various technology that enhances/enables various techniques.

i think the age of (pseudo-)anonymous internet browsing will be over soon. certainly within my lifetime (and i'm not that young!). it might be by regulation, it might be by nature of dragnet surveillance + de-anonymization, or a combination of both. but i think it will be a chilling time.
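Added example (not part of the thread, the paper, or any commenter's post): a compact reimplementation of the scoring idea behind the Netflix Prize de-anonymization cited above, run on a constructed five-record dataset. The adversary knows a few of the target's ratings only approximately (rating off by one, date off by days); each known item is weighted by how rare the movie is, and a match is declared only when the best candidate's score stands clearly apart from the runner-up (the paper's eccentricity test). The dataset, the auxiliary knowledge, and the tolerance and threshold constants are assumptions for the demo.

```python
"""Sparse-record matching in the style of Narayanan-Shmatikov (added example).

Not the paper's code. The ingredients are the ones the paper describes:
  * weight 1/log(support) so that rarely rated items dominate the score,
  * similarity that decays with rating and date distance, so noisy aux data
    still matches,
  * eccentricity = (best - second best) / stdev, so a match is only reported
    when it is unambiguous.
"""
import math
import statistics

# Constructed 'released' dataset: record id -> {movie: (rating 1-5, day number)}.
DATASET = {
    "r1": {"m_pop1": (4, 100), "m_pop2": (3, 105), "m_rare1": (5, 110), "m_rare2": (2, 200)},
    "r2": {"m_pop1": (4, 101), "m_pop2": (4, 130), "m_rare3": (1, 150)},
    "r3": {"m_pop1": (5, 300), "m_pop2": (3, 320), "m_rare1": (5, 330)},
    "r4": {"m_pop1": (3, 50),  "m_pop2": (3, 60),  "m_rare4": (4, 70)},
    "r5": {"m_pop1": (4, 100), "m_pop2": (3, 106), "m_rare5": (3, 400)},
}

# Constructed auxiliary knowledge about the target (really r1): three items,
# one rating off by one and every date off by a few days.
AUX = {"m_pop2": (3, 108), "m_rare1": (4, 112), "m_rare2": (2, 195)}

# Constructed aux that names only blockbusters everyone rated: should NOT identify anyone.
AUX_POPULAR_ONLY = {"m_pop1": (4, 100), "m_pop2": (3, 105)}


def support(dataset):
    """Number of records that rated each movie."""
    supp = {}
    for record in dataset.values():
        for movie in record:
            supp[movie] = supp.get(movie, 0) + 1
    return supp


def score(aux, record, supp, rho0=1.5, d0=30.0):
    """Weighted sum over aux items present in the record.
    rho0 (rating tolerance) and d0 (date tolerance, days) are assumed values;
    log(support + 1) keeps the weight finite when only one record rated the movie."""
    total = 0.0
    for movie, (r_aux, d_aux) in aux.items():
        if movie not in record:
            continue
        r_rec, d_rec = record[movie]
        weight = 1.0 / math.log(supp[movie] + 1)
        sim = math.exp(-abs(r_aux - r_rec) / rho0) * math.exp(-abs(d_aux - d_rec) / d0)
        total += weight * sim
    return total


def deanonymize(aux, dataset, phi=1.5):
    """Return (record_id, eccentricity); record_id is None when no candidate is
    sufficiently separated from the rest. phi is an assumed threshold."""
    supp = support(dataset)
    scores = {rid: score(aux, rec, supp) for rid, rec in dataset.items()}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    sd = statistics.pstdev(scores.values())
    if sd == 0:
        return None, 0.0
    ecc = (ranked[0][1] - ranked[1][1]) / sd
    return (ranked[0][0] if ecc >= phi else None), ecc


if __name__ == "__main__":
    print("noisy aux with rare items:", deanonymize(AUX, DATASET))
    print("aux with popular items only:", deanonymize(AUX_POPULAR_ONLY, DATASET))
```

The two runs illustrate the paper's point from both sides: three fuzzy facts that include two rarely rated movies pin the record down, while two exact facts about movies everyone rated leave several records tied and the eccentricity test correctly refuses to name anyone.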


That's a great background paper on the Netflix attack, we make a pretty direct comparison in section 5. We also try to use similar methods for comparison in sections 4 and 6. In section 5 we transform people's Reddit comments into movie reviews with an LLM and then see if LLMs are better than Narayanan purely on movie reviews. LLMs are still much better (getting about 8% but the average person only had 2.5 movies and 48% only shared one movie, so very difficult to match)

>we make a pretty direct comparison in section 5

awesome, i saw the mention in the introduction but i haven't yet had a chance for a thorough read through of the paper -- i've just skimmed it. looking forward to reading it in-depth!


We don't need everyone to be completely anonymous to state and corporate actors. We just need to make it so that they can't identify and surveil everyone at once, because it would be too expensive.

The US defense budget is about $1T dollars. They can't spend it all on surveillance, but let's say tech companies + gov spends about this amount per year on surveillance in total. If we can raise the cost to surveil the average person to over $10K/yr, they just lose. This is very doable.

Every little precaution you take will raise the cost, probably more than you think. Every open-source project that aims to anonymize and decentralize is an arrow in their knee. They're hoping that you'll get cynical and stop trying because they don't stand a chance otherwise.


Unfortunately the cost for this stuff is going down. Cheaper to collect information, cheaper to store it, cheaper compute, and better algorithms that mean you need fewer resources.

If the cost to surveil the population is $10k per capita today, it'll be $1k in a few years and $100 a few years after that.

This is a war that can't be won, it's just part of the changing landscape of technology in the information era.


I don't think the cost has been going down or will continue to trend downward long term. You're assuming that the public hasn't gained and won't gain additional capabilities while our adversaries evolve. But look at our communication reach, bandwidth, latency, and cipher strength.

How easy was it for the government to deliver mass propaganda before the Internet without the public realizing? How quickly and how many bits of information can Alice in Seattle reliably get to Bob in Houston with a strong cipher in the 1960s? Was there ever such a thing as a cipher that's widely used yet unbreakable by the state? Why do you think China banned TLS 1.3? Do you think it will be harder or easier to pretend to be a different person when there are open-source LLMs that can run on a gaming computer?

The Internet is a recent invention. Smartphones and seamless network coverage are even more recent, and so is curve25519. We're closer than ever to what is effectively secure instant telepathy with anyone in the world. We just need to stay vigilant and not fall for doom and gloom in this last stretch.


> Does privacy of Netflix ratings matter? The issue is not “Does the average Netflix subscriber care about the privacy of his movie viewing history?,” but “Are there any Netflix subscribers whose privacy can be compromised by analyzing the Netflix Prize dataset?”

Well said.


A silver lining of the ai apocalypse is that users may be able to use the technology to maintain their anonymity via llm paraphrasing.

My guess is that a statistical analysis of other things such as access patterns, timestamps, content you engage with, etc, could de-anonymize you regardless of the phrasing you use, so LLMs won't save you.

True, but you could also use llms to autonomously engage with content you're not interested in, batch replies for times you're not around, inject coherent, consistent, plausible, but false details into your messages, or modify/flag details you didn't mean to disclose.

as the_af says, stylometry is only one technique in a bag of techniques used for de-anonymization. a big one to be sure, but nowhere near the only one.

As you say, the_af mentions this an hour before your reply. I'm curious what is the point of your posting a "me too" comment here? Was it to teach naive readers the word stylometry?

MIT showed this in 2013 after the government was caught illegally spying on Americans with “just metadata”: https://www.nature.com/articles/srep01376

Throwaway accounts using "clever" turns of phrase can often be de-anonymized by double-clicking, right-clicking -> googling their witty pun and seeing the sole instance elsewhere, on Twitter, Facebook, etc

If I see a couple words I don't know in a row, I can infer a poster's real name.

I'd be more specific but any example is doxxing, literally so


If you have access to the whole site dataset it's much more reliable with simpler checks. You can just use word usage frequency of common words. Someone posted a demo here of doing this to HN comments which was very effective at showing alt accounts for a user.

I assume one's vocabulary is basically a fingerprint, even if one doesn't use unique turns of phrase. Domain knowledge just leaks in and we aren't conscious of it being identifiable.

It's also geographic. There's a bunch of quizzes online where in 10 or 20 questions, it can tell you exactly what area in the US somebody is from. It comes down to the terms you use that you might not even realize are not universal. Highway vs freeway, what you call a sugary carbonated drink, and so on.

OTOH I think a lot of these methods don't matter that much because of plausible deniability. Stylometry and other such processes are always probabilistic, and can be dismissed.
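Added example (not part of the thread or any commenter's post): the "word usage frequency of common words" approach from the comment above, as a concrete stylometry check. Each account's comments are reduced to relative frequencies of a fixed list of function words (content words are deliberately excluded so that topic does not drive the result), and candidates are ranked by cosine similarity. The comments, account names and word list are constructed; the output is a similarity, not a probability, which is exactly the plausible-deniability caveat.

```python
"""Function-word stylometry for alt-account linkage (added example, not from the thread).

Function words ("the", "actually", "just", ...) carry almost no topic and are
used unconsciously, which is what makes them a fingerprint that survives a
change of subject. Bystanders still share the most common ones, so unrelated
accounts score well above zero: treat the result as a lead, not a verdict.
"""
import math
import re
from collections import Counter

# Assumed word list; a real system would use a few hundred function words.
FUNCTION_WORDS = ["the", "a", "an", "of", "to", "in", "and", "that", "is", "it",
                  "i", "you", "but", "for", "not", "with", "this", "which",
                  "just", "so", "also", "however", "actually", "really"]

# Constructed comments. alice and throwaway_42 lean on "actually/really/just";
# bob opens with "However" and "Also"; carol starts sentences with "So".
COMMENTS = {
    "alice": [
        "i think that it is actually really just a matter of which layer you trust.",
        "actually the issue is that it really is not about the cipher, it is just the key handling.",
        "it really is just that, i think, and actually nothing more.",
    ],
    "throwaway_42": [
        "it is actually really just a question of which box you plug into.",
        "i think that the segmentation really is just a story, actually.",
    ],
    "bob": [
        "However, the borrow checker is the reason for this. Also, the compiler is not wrong.",
        "However, this is an edge case. Also, the database is not the bottleneck.",
    ],
    "carol": [
        "So the recipe calls for an onion and a bit of the stock, which is also fine.",
        "So, however, the trip to the coast was a bit of a disaster, which is also fine.",
    ],
}


def tokenize(text):
    return re.findall(r"[a-z']+", text.lower())


def fw_vector(texts):
    """Relative frequency of each function word across all of an account's text."""
    counts = Counter(tokenize(" ".join(texts)))
    total = sum(counts[w] for w in FUNCTION_WORDS) or 1
    return [counts[w] / total for w in FUNCTION_WORDS]


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def rank_by_style(comments, target):
    """Other accounts ranked by function-word similarity to target (1.0 = identical profile)."""
    vectors = {account: fw_vector(texts) for account, texts in comments.items()}
    return sorted(((a, cosine(vectors[target], vectors[a])) for a in vectors if a != target),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for account, similarity in rank_by_style(COMMENTS, "alice"):
        print(f"{account:14s} {similarity:.3f}")
```

With this data the alt lands on top at roughly 0.88, but bob and carol still sit near 0.45 because everyone uses "the" and "is"; on a real corpus the gap between alt and bystanders is what has to be judged, and a single run never closes it to certainty.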


>OTOH I think a lot of these methods don't matter that much because of plausible deniability. Stylometry and other such processes are always probabilistic, and can be dismissed.

i've come to realize, often the "oppressor" or whatever party i imagine using this kind of thing against me, they do not care about being exactly right. i will not be able to lawyer my way out. if something is actionable, action will be taken. and i'm not the one deciding if it's actionable.


>OTOH I think a lot of these methods don't matter that much because of plausible deniability. Stylometry and other such processes are always probabilistic, and can be dismissed.

while all of it is probabilistic, the issue is that the probability can quickly begin to approach 1 when multiple sources of data & varying techniques are combined.

