I spent a lot of time in my work tracking APTs [ advanced persistent threats ] all over the world and it wasn't receiving a lot of attention from security vendors because there wasn't money in it.
And there wasn't glory for the reverse engineers, because it was simple malware. But it did protect journalists and activists!
And then I discovered that one of my research partners was a serial rapist. And I talked to one of his victims and she said that he'd threatened to break into her devices. And I didn't want that to ever happen again. So I tweeted.
So I woke up to zillions of messages about the worst thing that had ever happened to them. Men who were abused by men, women who were abused by women, men who were abused by women... but overwhelmingly women who were abused by men.
[ many terrible stories of outings, blackmail with naked pictures ] Mostly I saw a lot of confusion over what people's problems are. Data is like water and there are all sorts of leaks.
Leaks were often someone's friends. Other form of compromise: account compromise. All kinds of accounts (had to learn what a TikTok was). Good news about that: we have advice for account compromise! Look at who's been logging into your account and where.
We have good advice for locking down their accounts: change passwords, make them strong/unique, use a password manager. Use security questions as more passwords, because people who are close to you may know about your high school or first dog.
Is some 2-factor better than no 2-factor? Do you have to use a security token? My philosophy is to meet people where they are: tell people to use as much 2-factor as they can.
Sometimes it really is a RAT (remote access tool, also an adorable critter). Often linked to sustained harassment, physical violence, kidnapping of children. We don't have a lot of advice for people who have RATs on their devices.
This is often called "stalkerware" or "spouseware" -- designed to be covertly installed and covertly exfiltrate that data to the person who controls that software. It's extremely easy to find. Just type in "how to spy on my girlfriend" into a search engine.
There are a variety of products. For Android in Play Store or a package to download/install. Seen a proliferation of these but also efforts to combat them.
Then you give the stalkerware company your credit card # and pay for a monthly subscription to a portal with the exfiltrated information. They store it for you.
Stalkerware ads. This software is on the side of the abuser. pic.twitter.com/BbCjMLmzkR
There is an entire industry to catch unwanted software on your devices. Antivirus! How does it do at catching this? ... not well. 7-10/60 would catch.
So went to the antivirus companies. Started with Kaspersky because they had a bad year and they agreed to create a new privacy alert for stalkerware. Then you can remove it -- but you may not want to, because angering your abuser might mean they escalate to violence.
Data showed that incidence closely tracked the percentage of the population using Kaspersky. pic.twitter.com/m0BgI4YfxQ
There are a lot of people talking about stalkerware as a potential threat and some antivirus companies finding it, but what next? Because having @evacide as a one-woman helpline for all the women in the world is the hero model, and it burns people out. Don't do this.
Instead: Coalition Against Stalkerware. Agenda:
* educate potential victims
* make detection of stalkerware by AV products the new normal
* educate law enforcement to recognize stalkerware and take it seriously
* encourage law enforcement and the FTC to pursue stalkerware devs and distributors who are violating the law
* work with Google and Apple to keep stalkerware out of their app stores
My sneaky broader agenda: reaching out to people in the security industry, people who work on UI, people who work in product development, and getting them to THINK ABOUT THE DOMESTIC ABUSE USE CASE. What happens when a user kicks out a roommate, has an abusive spouse, etc.? [ YESSSSSSSSSSSSS ]
We need to think about this in a much broader and more serious way. I get told it's an edge case. [ Also YESSSSSSS. Also have you seen my talk? ]
Calling this an edge case means that you're ignoring one of the most important problems I see every day.
I don't do this alone! Shout out to journalists who worked on the "When Spies go Home" series, other organizations in the Coalition including Operation Safe Escape, and individuals like Harlowe Holmes [ crud I'm typing fast can't remember how to spell her name ]
Q @n2vi: it sounds like it's incredibly effective for law enforcement to subpoena credit cards and get abusers off the street. Does this work well? A: this is very much a next step.
Q @thinkpanzer: I wanted to share a mechanism which I find helps when talking about human "edge cases": you can aikido them into caring about it by calling it a "stress case" to make your system more resilient. A: good.
Q: what would you tell a mother who is trying to figure out whether her husband is going to a drug dealer so she can get custody? A: there is *no* legitimate use case.
Q: what are other ways to do it? A: how about talking? You can go to a PI. You can subpoena this information in the course of your divorce.
Q @estark37: have you or the AV companies studied how users respond to their alerts? Do they understand? Do they remove? A: I don't have access to that information and would like to see them include that information in their reports.
Q: GDPR and CCPA do a decent job on privacy but some of the earlier drafts include private right of action. Would this help? A: I'm suspicious about putting this into people's hands. Worried about the abuser asking for the user's personal information.
Q: new rules? A: a lot of the rules already exist.
Q: what if the OS enforced this rather than the Play Store? A: but that can still be circumvented.