New: an activist made a script to flood the Texas abortion 'whistleblower' website with fake info. When they IP banned him, he made an iOS shortcut so essentially anyone with an iPhone can replicate what he did in seconds. Verified it works ourselves
Joseph Cox
@josephfcox
Hacking/crime/privacy journalist. Co-founder of . Signal: +44 20 8133 5190. Email: joseph@404media.co Mastodon: infosec.exchange/@josephcox
404media.coJoined March 2011
Joseph Cox’s posts
Texas police are refusing to release the bodycam footage of the Uvlade school shooting to Motherboard because they claim it could be used by other shooters to determine "weaknesses" in cop response to crimes. Asked state Attorney General to block release
New: we proved it could be done. I used an AI replica of my voice to break into my bank account. The AI tricked the bank into thinking it was talking to me. Could access my balances, transactions, etc. Shatters the idea that voice biometrics are foolproof vice.com/en/article/dy7
0:45
Today at VICE I was unable to pull a court record, which costs 10 cents, because the company isn't paying bills
Meanwhile so many execs, some which led VICE to bankruptcy, make $700-900k, including bonuses at the time VICE laid off much cheaper workers. It's worse than I thought
New: Walmart has been selling 30TB and other SSDs at an insanely good price. Turns out, its just two SD cards with firmware designed to trick the PC into displaying much more storage
Walmart removed the item from sale after we contacted for comment
'Girls Who Code' Teams Up With Tomahawk Missile Maker Raytheon
Girls Who Code is a nonprofit that aims to close the gender gap in tech. It has various clubs and programs that seek to foster a love of STEM and tech in women
Raytheon makes weapons of war
New: companies selling location data on visits to abortion clinics. We know because we just bought some data for $160.
Could be used to see clinics being visited by people from across state lines. Threatens both the patient and clinic. The risk is real.
New: this NFT will steal your IP address.
Viewing this and some other NFTs on marketplace OpenSea will send your IP to the NFT creator, because OpenSea lets people load custom code, including HTML. NFTs can gather data on viewers. Confirmed with my own IP
New: we've obtained the code the FBI used to backdoor an encrypted messaging app, and we're publishing parts of it today. Code shows app created a 'ghost' contact that hid itself from users contact lists and silently received every message. More findings:
New: journalist clicks 'view source' on a public government webpage, finds government site is exposing SSNs. Waits until the issue is fixed before publishing their story. Governor now wants to prosecute the journalist as 'hacker'
New: Amazon has AI cameras installed in its delivery vans; decide whether drivers get money. But the cameras are flawed, penalizing drivers when ~they~ get cut off by other cars, making them lose pay.
"Really dystopian dark, robotic voice, shouts at me"
New: Facebook is removing posts and temporarily banning people who say that they will mail abortion pills to those who need it, or even just state the fact they can be mailed. In 2021 the FDA made it possible and legal to send abortion pills via mail
New: here is the user manual for a mass surveillance tool that U.S. local cops are actively using. Based on location data harvested from ordinary apps installed on peoples' phones. No warrant needed, just login and search
Replying to
Spoke to the activist who made the tool via email.
"To me the McCarthyism era tactics of turning neighbors against each other over a bill I feel is a violation of Roe V Wade is unacceptable."
New: electric vehicle charging stations in Russia are not working and instead are displaying the messages "GLORY TO UKRAINE," "PUTIN IS A DICKHEAD." Seemingly possible because charger company outsourced production to a Ukraine company that had access
Guess I'll tweet this before Twitter completely implodes. Netflix has acquired the rights for my forthcoming book DARK WIRE, on how the FBI secretly ran a tech company for organized crime. If you need to reach me, Signal +44 20 8133 5190/Wickr josephcox
New: lot of people have noted the similarities between Trump's new social network 'Truth Social' and Mastodon, the free open-source social media platform. Spoke to Mastodon's founder. They agree, seems Trump is just using Mastodon without giving credit
New: we asked tech companies if they would provide data to police about users + abortions
Facebook, Twitter, Snapchat, TikTok, Google, Amazon, Discord, Verizon, AT&T, T-Mobile, Binance, Kraken, CashApp, Coinbase, Venmo, Uber and Lyft.
None answered
New: the bombs weren't real. Neither was the voice. We've traced some of the nationwide swatting wave to a specific swatting-as-a-service. Uses syntheiszed voices to target schools, more. The automation of swatting tech threatens to make it more prevalent.
Replying to
When we tested the tool, it appears the Texas abortion 'whistleblower' website has introduced a captcha, presumably to stop automated submissions. I found you could just fill out the captcha first then run the shortcut. Activist says working on update. vice.com/en/article/z3x
New: Vince Ramos wanted Phantom Secure to be the Uber of privacy-focused phones—flood the market and figure out laws later. Then the FBI investigated him. Based on Phantom sources, internal docs, FBI files, years of reporting, this is "The Network"
New: spoke to actors + unions across video games, animation, more about voice generating AI. Contracts that take rights from actors to later produce more lines with AI are already "very prevalent." Some being told can't work w/o signing these rights away
New: the US military has spent millions of dollars on a powerful internet monitoring tool that includes browsing data, email data, cookies, more. Data is worldwide, covers 90%+ of the internet, harvested from ISPs then sold to military by private company.
New: encryption used in police and military radios around the world has been scrutinized by outside researchers for the first time. The researchers found what they believe is an intentional backdoor, allowing those in the know to decrypt traffic
New: Homeland Security is using an AI-powered tool to analyze the social media of U.S. citizens and refugees. The tool can link a person's Social Security number to their social media and smartphone location data. According to internal doc we're publishing
Well, it happened: local cops have access to a tool called Fog Reveal that is based on location data harvested from ordinary smartphone apps. Cops using without warrants to see what devices in an area, track down individuals. Sold to cops for cheap.
Personal news: I'm writing a book on one of the craziest law enforcement stings ever, where the FBI secretly ran its own tech startup called Anom & used it to wiretap hundreds of organized crime gangs globally. DARK WIRE will tell that insane story from the people who were there.
Two LAPD cops were fired because instead of responding to a call to a robbery in progress, they decided to try and catch a Snorlax in Pokemon Go vice.com/en/article/g5q
New: Uvalde and Uvalde Police have hired a private law firm in order to try to stop the release of public records related to the recent school mass shooting. The files could be "highly embarrassing" it says
New: hackers breached a website connected to Russia's Space Research Institute. Defaced a section with a message against Russia's threats to pull out of operating the International Space Station. Also leaked a number of files they claimed from Roscosmos
New: Russia won't officially say how many Russian soldiers have died in its invasion of Ukraine. So hackers breached multiple Russian news sites and published the current figures released by the Ukrainian military themselves: 5300
New: tried out the newer OMG Cables, one being a Lightning to USB-C cable that looks identical to the real Apple one. But it silently sends everything you're typing on your keyboard to an attacker's device potentially a mile away vice.com/en/article/k78
0:24
New: the top result on Google for a search of "opensea", the most popular marketplace for NFTs, was a phishing link. Was a paid Google Ad that redirected to a spoof of OpenSea that asked you to link your digital wallet. Removed after Motherboard contacted vice.com/en/article/k7w
New: people are pirating access to GPT-4 by scraping code online. In one case, someone gained access to an account with $150,000 usage limit, now offering access for free via a website and Discord server. Why pay for GPT-4 when you can just steal it?
New: underneath mega-popular gaming platform Roblox's $68 billion business is an underground ecosystem of hackers who steal rare items from kids, marketplaces that cash out items for crypto, casinos, etc. We went inside the Roblox underground.
Replying to
Obviously this is a very funny scam but it highlights something that lots of people probably don't know: Walmart is trying to be Amazon, with a site that sells products from third party providers. Opens Walmart up to all the same scams/issues vice.com/en/article/ake
Replying to
Thousands of people have at least clicked on the link to this shortcut, the activist said vice.com/en/article/z3x
New: data broker SafeGraph has stopped selling location data of people who visit Planned Parenthood/family planning centers. Came after we found you could buy location data of people traveling to Planned Parenthood for $160. Saw sale stopped last night
New: the online advertising ecosystem is so bad—with risk of hackers and harvesting data on people—that U.S. intelligence community has deployed network-based ad blockers, according to letter sent by Congress. Shows just how malicious online advertising is
New: for years instead of getting a warrant, the DEA paid rogue employees inside U.S. airline, bus, and parcel private companies for access to reams of customer data. Bypassed the courts and simply bought info instead. Senators now trying to stop it.
New: obtained documents which show that Unity, the game engine company, made a dogfighting simulation for the US Air Force's 'kill chain' branch. Comes after we reported that some Unity employees were not even aware their company worked for the military.
This hoodie uses infrared LEDS usually found in CCTV cameras to blind cameras
New: it happened, AI voices are now a tool for harassment. Spoke to 4 victims. Attackers used AI to make a copy of their voice, had it read out the victim's address, post online. Anyone with their voice online—podcasters, streamers—could be victim to this
New: underground trade of bots that steal your 2FA codes. Bot places convincing automated call to target. Victim enters code, gets fed to hacker instantly. Dramatically lowers the barrier of entry for bypassing 2FA, no social engineering skills needed
New: Google has introduced "inclusive warnings", pop-ups in GDocs. Google said "landlord" was not inclusive; Google had no notes when we uploaded full text of an interview of former KKK leader David Duke in which he says N-word and hunting black people
New: pirates spammed UVB-76, an infamous short-wave radio station that is long suspected to be a communications tool for Russian intelligence, with memes. Also Gangnam Style.
New: court records shed light on a highly secretive anti-union program at Google called "Project Vivian." The program was explicitly to make workers think "that unions suck," a top executive said
Replying to
On its site, Trump's social network Truth Social says its code is proprietary. But it's clearly using the open-source Mastodon codebase, which has the requirement for people who fork the code to make it public. So Trump violating license, etc vice.com/en/article/5dg
New: we went into the wild underground world of car thieves who use tech hidden inside old Nokia phones and Bluetooth speakers. Lets them steal luxury cars without the key in seconds. Walk up, plug in, open door, start engine, go. Happening across U.S.
Replying to
Of course, if you can get OpenSea to load a third party IP logger for you, you can probably get it to load any number of other, more malicious things. Not hard to imagine how NFT listings could be used vice.com/en/article/xgd
Replying to
Even when the drivers are actually doing safe behavior, such as looking in their mirrors before changing lanes, Amazon's AI camera will tell the driver they're distracted because they turned their face to the mirror vice.com/en/article/88n
New: here is the contract showing the FBI bought access to mass internet data. Netflow can show which server communicated with another, used to trace activity through virtual private networks, etc
New: last year NYT ran a blockbuster investigation w/ calls of Russian soldiers criticizing the war. NYT only used first names to protect. We found the article actually had the soldiers' phone numbers in the page source code, exposing them for *months*
New: docs say a hacked company hired a third-party firm to secretly buy exclusive access to the data for $150,000. The idea was to stop the leak. It failed. Docs don't name companies but we found it was T-Mobile, and Mandiant did the incident response
New: leaked videos show how Disney is the biggest ad tech giant you've never heard of. Videos explain how to exploit Disney's first partner data; explains that it sources location data; planned to explore pharma data. All presented by Disney characters
New: a sweeping piece of legislation would outlaw the sale of location data. Comes directly after we reported that a broker was selling the location data of people visiting abortion clinics. Hugely ambitious. Led by senator Warren
Replying to
Here's one of the NFTs displaying my IP back at me in the NFT itself. Works because OpenSea lets NFT creators add metadata to the NFT listing, which can accept formats like HTML. Put an IP logger in the HTML. vice.com/en/article/xgd
New: in what might become one of the most significant Tor onion services ever launched, Twitter now has a version on Tor. Potentially makes it easier to access the social network from Russia + other countries, and comes as Russia blocked Twitter last week vice.com/en/article/v7d
Replying to
Musk claimed he bought Twitter in part for his views on free speech. A Tor onion service, which lets people access Twitter from countries where it is banned, is unambiguously good for free speech. Musk however has let it die. His priorities are elsewhere vice.com/en/article/3ak
New: recently BMW announced plans to charge a subscription for heated seats. We spoke to the grey market hackers prepared to bypass that lock, and who already remotely access BMWs to permanently unlock features as more cars move to a subscription model
Replying to
SungWon Cho, also known as ProZD, said its "disrespectful to the craft".
"Going down this road runs the risk of people thinking that voice-over can be replaced entirely by AI, which really makes my stomach turn."
vice.com/en/article/5d3
New: the Robinhood hackers accessed an internal tool that gave them the option of removing 2FA from accounts, blocking login sessions, more. Robinhood says no accounts tampered with, but shows risk of hackers beyond just stealing data vice.com/en/article/epx
New: researcher publishes code for a set of iPhone exploits. Exploits on Github; decided to share them after their "frustrating experience participating in Apple Security Bounty program." Another researcher said took them 30 mins to reproduce the vulns
New: obtained documents that show the U.S. Army wanted to spend millions to reach "Gen-Z," "females, Black & Hispanics", much through sponsorship deals with Call of Duty. Includes sponsoring individual YouTubers, tournaments, events. Also $600k for IGN
Replying to
Drivers, having known they didn't make a mistake, have contacted Amazon asking them for the photos of the alleged violation. Amazon doesn't even bother to respond, just lets the flawed AI decide a driver messed up, which can then determine their pay vice.com/en/article/88n
New: Twitter's most important anti-censorship tool is currently dead. It's Tor onion service, which it launched so Russians could still access the site, is offline. At the time, Twitter said this was a priority. Those priorities appear to have shifted
New: a damning internal Facebook document shows the company admitting it doesn't actually know what it does with users' data, nor where it ends up. Compares to ink falling from a bottle.
"It flows ... everywhere." vice.com/en/article/akv
New: CIA funding arm gave encrypted messaging app Wickr ~$1.6 million recently. Solidifies Wickr's position as an encrypted chat platform for government agencies.
Co-founder of WhatsApp is the new acting CEO of Signal as Moxie steps down
New: this is wild. Frank Ocean fans were in a frenzy over newly leaked music from the reclusive artist. The leaker sold some tracks for thousands of dollars to collectors.
But most were fake, AI-generated. Communities now in disarray over what to trust
New: TikTok is removing educational hacking/cybersecurity videos. YouTube does it too, but TikTok very aggressive it seems. Means creators are self-censoring, avoiding even the word 'hack.' TikTok reinstated a video after we flagged, then banned again vice.com/en/article/akg
New: here's the FBI's own guide for getting data from AT&T, T-Mobile, and Verizon. Document lays out in unusually granular detail what data is available, how long telecoms retain it for, the software used to analyze it
New: #1 period tracking app on App Store says it may simply hand over data to cops without a warrant.
Stardust has gained momentum by pitching itself as a privacy period app. But its policy says it may give cops data "whether or not legally required"
New: lawyers working for social network codebase Mastodon have sent formal letter to Trump's upcoming social network 'Truth Social' telling them to make its source code public. Comes after Truth Social used Mastodon code (license says code must be public)
Replying to
It took some time to get the voice just right to follow my cadences, but it worked eventually. Multiple banks use similar voice ID systems. Some say the voice print is "unique," "no one has a voice just like you." TD, Chase, Wells Fargo vice.com/en/article/dy7
New: ExpressVPN says in a statement that it knew the 'key facts' of the employment history of one of its executives, Daniel Gericke. On Tuesday Gericke was revealed in court records to have worked on the UAE's hacking and spying operation
New: an established location data firm, which gets GPS coordinates via ordinary apps installed on peoples' phones and then sells that data, is still receiving GPS data even when people *explicitly* opt-out. Shows just how shaky this billion $ industry is
New: scammers are leveraging a flaw in NFT marketplace OpenSea to buy NFTs at rock bottom prices. Use API to call an earlier listing price, meaning they can non-consensually buy an NFT from someone for a cheap price, immediately sell for profit vice.com/en/article/y3v
New: another location data provider providing details on where people visiting abortion clinics live. With this one the data was *free* to access; site provided very easy to understand heat maps. Company only removed after Motherboard asked for comment vice.com/en/article/g5q
A ransomware group has apologized to Arab royal families after leaking their data.
"We found that our sample data was not properly reviewed before being uploaded to the blog" vice.com/en/article/n7n
I broke down why Elon Musk's Elden Ring build sucks
New: biohacker collective has created business cards that are embedded with three doses of misoprostol, a medication that safely and effectively induces an abortion. Idea is to make it possible to mail the treatment undetected.
"This Card is an Abortion"
Replying to
This quote from a prosecutor who has used the location data tool without a warrant is wild. Says people have given up reasonable expectation of privacy by downloading free apps. I *promise* you most people have not given informed consent to this tracking apnews.com/article/techno
New: a Deputy US Marshal was just charged for allegedly using a cop phone location service for tracking people he knew personally and their spouses. Happened in Uvalde, where police have been widely criticised for their failure to stop a mass shooter
New: NSO Group gave a demo of its Pegasus malware to an audience that included the NYPD. Specifically NYPD intel. Comes after report that FBI bought Pegasus for evaluation purposes. Email mentioning NYPD included brochure specifically for Pegasus
Scoop: new internal Roblox documents show how the massive gaming platform—played by half of all children in the U.S.—planned to go all in on Chinese censorship. Documents also show Roblox thought that its Chinese partner, ultimately Tencent, might hack it
New: the "insanely broad" RESTRICT Act—the proposed legislation that could be used to ban TikTok—also threatens a bunch of other services, potentially including VPNs, digital rights experts said.
"Raises serious human and civil rights concerns."
New: LastPass shouldn't be trusted with your passwords. Companies hacked all the time, but PW managers are not ordinary companies. You shouldn't expect anything less than world class.
- 7 breaches in 10 years
- dev accessing crown jewels from home computer
New: a stalkerware company that sells malware for Android and Windows is exposing screenshots harvested from target devices. The company, pcTattleTale, explicitly encourages illegal spying, tells users to install malware when spouse is sleeping.
New: the FBI previously said around 15 users of its secretly backdoored 'Anom' phones were in the U.S.
Files we've obtained show that actually over 100 Anom phones were shipped into the U.S, including New York, raising Qs on Anom use in the country
New: I tried Pretty Good Phone Privacy (PGPP), the pseudo-phone network that aims to delink your ID from your phone usage. Cycles through new IMSIs on demand, routes all device internet traffic through two hops, data-only eSims. It's interesting for sure vice.com/en/article/n7z
Rather than mocking top level officials who take cybersecurity risks seriously, maybe coverage should highlight the actual threats
Kamala Harris Is Right: Bluetooth Is a Security Risk
New: today we pull back the curtain on one of the most important tech companies for organized crime called No. 1 BC
We found its the encrypted phone of choice for the Italian mafia. Former sellers, industry sources, sensitive docs
"Big on the market"
This is one of the most important pieces of journalism ever produced.
Washington Post gets permission from parents of mass shooting victims to create 3D models of what AR-15s did to their children’s bodies. As close as we’ll get to publishing photos
Replying to
These executive salaries and bonuses are included in this publicly available document, filed yesterday as part of VICE's bankruptcy proceedings cases.stretto.com/public/X234/12
New: data marketplace selling information about which specific devices downloaded period tracking apps. Concern is that period tracking apps could be used in a post-abortion rights America to identify suspects. Company removed after we contacted
New: docs on CDC's phone tracking. Saw if people complying with curfews. Bought for COVID response, but said it will use for lots of non-COVID too. Monitoring schools, places of worship. Data came from company funded by former Saudi intel head, Peter Thiel
Grimes admitted federal crimes, says she hacked a site and destroyed its backups after photos of her at a party appeared on the site and went viral.
New: the IRS wants to buy an internet mass monitoring tool. This tool allows investigators to see what is happening on the wider internet beyond their own network; asks for "65 days traffic history." The tool can be used to trace activity through VPNs
