• Risks Digest 32.78 (1/2)

    From RISKS List Owner@21:1/5 to All on Wed Jul 28 03:30:41 2021
    RISKS-LIST: Risks-Forum Digest Tuesday 27 July 2021 Volume 32 : Issue 78

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/32.78>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Russia Disconnects from Internet in Tests as It Bolsters Security (Reuters)
    ‘Advanced’ Nuclear Reactors? Don’t Hold Your Breath (Scientific American)
    Space Data Integrator (faa.gov)
    What Ever Happened to IBM's Watson? (NYTimes)
    A Severe Drought Is Threatening the Hoover Dam Reservoir -- and Water
    Throughout the West (Mother Jones)
    The end of open source? (Shaun O'Meara)
    Niemoeller's Boiled Frog: Weaponization of App Data (Joseph Cox via
    Henry Baker)
    Hoe no! Facebook snafu spells trouble for gardening group (AP News)
    Hackers Turning to 'Exotic' Programming Languages for Malware Development
    (The Hacker News)
    Disinformation for Hire, a Shadow Industry, Is Quietly Booming (Max Fisher)
    What Should Happen to Our Data When We Die? (NYTimes)
    Breast Cancer Patient Attacked by Violent Anti-Mask Protest Outside
    Los Angeles Clinic (Vice)
    'STFU' is anti-science (Tunku Varadarajan via Henry Baker)
    The Problem With Stealing High-End Electronics and Beer (Now I Know)
    Re: Traffic Analysis and Herd Immunity (anthony youngman)
    Re: Rounding errors could make certain stop-watches pick wrong race winners
    (Jim Garrison)
    Re: YouTube fined 100 000 Euros delaying court order to restore video
    (Dick Mills)
    Re: A secret algorithm is transforming DNA evidence. This defendant could be
    the first to scrutinize it. (Michael Black)
    Re: Some locals say a bitcoin mining operation is ruining one of the Finger
    Lakes. Here's how. (David B. Horvath)
    Re: RFI on scientific integrity (David B. Horvath)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 26 Jul 2021 11:56:56 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Russia Disconnects from Internet in Tests as It Bolsters Security
    (Reuters)

    Alexander Marrow and Dmitry Antonov, Reuters, 22 Jul 2021,
    via ACM TechNews, 26 Jul 2021

    Russia reportedly disconnected from the global Internet during tests in June and July, according to a report by the RBC daily that cited documents from
    the working group responsible for strengthening Russia's Internet security under the 2019 *sovereign Internet* law, which aims to prevent Russia from being cut off from foreign infrastructure. A working group source said the purpose of tests was ``to determine the ability of the 'Runet' to work in
    case of external distortions, blocks and other threats.'' The Internet Research Institute's Karen Kazaryan said, ``Given the general secrecy of the process and the lack of public documents on the subject, it is difficult to
    say what happened in these tests.'' https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c0d1x22c833x072256&

    ------------------------------

    Date: Sun, 25 Jul 2021 10:35:53 +0800
    From: "Richard Stein" <rmstein@ieee.org>
    Subject: ‘Advanced’ Nuclear Reactors? Don’t Hold Your Breath
    (Scientific American)

    https://www.scientificamerican.com/article/lsquo-advanced-rsquo-nuclear-reactors-don-rsquo-t-hold-your-breath/

    The essay discusses current commercial interests that promote sodium metal-cooled nuclear reactors in the ~300 Mwatt range, but argues against
    them based on historical evidence.

    "Nuclear Plant Accidents: Sodium Reactor Experiment" discusses this ~60 year old experimental failure based on an analogous design. https://allthingsnuclear.org/dlochbaum/nuclear-plant-accidents-sodium-reactor-experiment/

    While nuclear fission is carbon-free, there's no US-approved repository
    to safely and permanently dispose of radioactive reactor effluence.
    Sweden's is operational, and Finland is finishing construction of
    theirs: See "Into Eternity," https://www.amazon.com/Into-Eternity-Entos-aioniotitas-Onkalo/dp/B07Q39FQV3/ref=sr_1_9
    (retrieved on 25JUL2021).

    Machinery failure (Three Mile Island) or human error (Chernobyl), or combinations of both, contribute to nuke plant accidents.

    If "fat fingers" in a control room are a cause for concern, what about AI to safely operate a fission reactor? See "AI finds a place in nuclear O&M,"

    https://www.reutersevents.com/nuclear/ai-finds-place-nuclear-om

    "While AI and machine learning offer a number of benefits for the nuclear
    power industry as it moves toward a new generation of reactors, its range,
    for the moment, is limited.

    "A lack of real, operational data from operating nuclear power stations, a varying degree of opinion as to which systems would work best, and the sometimes-mysterious mechanizations within a so-called 'intelligent' system,
    or its 'black box' nature, pose potential problems for AI’s use in nuclear."

    [A machine-based lesson learned can be hazardous to your health.]

    ------------------------------

    Date: Tue, 13 Jul 2021 09:47:50 +0800
    From: "Richard Stein" <rmstein@ieee.org>
    Subject: Space Data Integrator (faa.gov)

    https://www.faa.gov/news/fact_sheets/news_story.cfm?newsId=23476

    Ever experience a commercial flight ground stop? Here's the tool that
    will minimize delay attributed to an exo-atmospheric vehicle launch or
    re-entry in the vicinity of your next flight.

    "The SDI operational prototype is designed to accept launch and reentry
    vehicle state vector data gathered from operators such as vehicle
    position, altitude, and speed. SDI will then process the data, display
    it, and distribute it to Traffic Flow Management System (TFMS). SDI
    allows the FAA to track the actual versus planned trajectory of launch
    and reentry operations, the status of various mission events, and the
    display of Aircraft Hazard Areas (AHAs). SDI sends vehicle position and
    AHAs to the TFMS for display on the TFMS Traffic Situation Display at
    the Command Center."

    Risk: Protracted vehicle launch or reentry delay

    ------------------------------

    Date: Fri, 16 Jul 2021 18:27:49 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: What Ever Happened to IBM's Watson? (NYTimes)

    A decade ago, IBM’s public confidence was unmistakable. Its Watson supercomputer had just trounced Ken Jennings, the best human “Jeopardy!” player ever, showcasing the power of artificial intelligence. This was
    only the beginning of a technological revolution about to sweep through society, the company pledged.

    “Already,” IBM declared in an advertisement the day after the Watson victory, “we are exploring ways to apply Watson skills to the rich,
    varied language of health care, finance, law and academia.”

    But inside the company, the star scientist behind Watson had a warning:
    Beware what you promise.

    David Ferrucci, the scientist, explained that Watson was engineered to
    identify word patterns and predict correct answers for the trivia game.
    It was not an all-purpose answer box ready to take on the commercial
    world, he said. It might well fail a second-grade reading comprehension
    test.

    His explanation got a polite hearing from business colleagues, but
    little more.

    “It wasn’t the marketing message,” recalled Mr. Ferrucci, who left IBM the following year.

    It was, however, a prescient message.

    https://www.nytimes.com/2021/07/16/technology/what-happened-ibm-watson.html?referringSource=articleShare

    ------------------------------

    Date: Fri, 16 Jul 2021 18:23:36 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: A Severe Drought Is Threatening the Hoover Dam Reservoir -- and
    Water Throughout the West (Mother Jones)

    Things will be fine: The governor of Utah has resorted to asking <https://www.deseret.com/utah/2021/6/7/22522740/utah-gov-cox-called-on-utahns-to-pray-for-rain-some-criticized-him-heres-how-responded-lgbt-drought> people
    to pray for rain.

    Except: The west has gone through periods like this “megadrought”, with only occasional respite, for the past two decades. But scientists have
    made clear the current conditions would be virtually impossible without human-caused climate change, pointing to a longer-term “aridification <https://www.pnas.org/content/117/22/11856.short>” of the region. All of
    the water conservation efforts that have kept shortages at bay until now
    risk being surpassed by the rising heat. [...]

    Even with these adaptions, however, the decline of Lake Mead has caused the amount of hydropower generated by the dam to drop by around 25 percent. The drought is expected to cause https://www.cnn.com/2021/06/17/us/california-drought-oroville-power/index.html the hydro facility at Lake Oroville, California, to completely shut down, prompting a warning from the United States Energy Association that a “megadrought-induced electricity shortage could be catastrophic, affecting everything from food production to industrial manufacturing”. The association added that such a scenario could even force people to move east,
    in what is called a “reverse Dust Bowl exodus”.

    https://www.motherjones.com/environment/2021/07/a-severe-drought-is-threatening-the-hoover-dam-reservoir-and-water-throughout-the-west/

    [Why is this RISKS-relevant? Because almost everything is interrelated.
    PGN]

    ------------------------------

    Date: July 26, 2021 2:13:53 JST
    From: Dewayne Hendricks <dewayne@warpspeed.com>
    Subject: The end of open source? (Shaun O'Meara)

    [Note: This item comes from friend David Rosenthal. DLH]
    (via Dave Farber)

    Shaun O’Meara, TechCrunch, 18 Jul 2021 <https://techcrunch.com/2021/07/18/the-end-of-open-source/>

    Several weeks ago, the Linux community was rocked by the disturbing news
    that University of Minnesota researchers had developed (but, as it turned
    out, not fully executed) a method for introducing what they called
    “hypocrite commits” to the Linux kernel — the idea being to distribute hard-to-detect behaviors, meaningless in themselves, that could later be aligned by attackers to manifest vulnerabilities.

    This was quickly followed by the — in some senses, equally disturbing — announcement that the university had been banned, at least temporarily, from contributing to kernel development. A public apology from the researchers followed.

    Though exploit development and disclosure is often messy, running
    technically complex “red team” programs against the world’s biggest and most
    important open-source project feels a little extra. It’s hard to imagine researchers and institutions so naive or derelict as not to understand the potentially huge blast radius of such behavior.

    Equally certain, maintainers and project governance are duty bound to
    enforce policy and avoid having their time wasted. Common sense suggests
    (and users demand) they strive to produce kernel releases that don’t contain exploits. But killing the messenger seems to miss at least some of the point — that this was research rather than pure malice, and that it casts light on a kind of software (and organizational) vulnerability that begs for
    technical and systemic mitigation.

    I think the “hypocrite commits” contretemps is symptomatic, on every side, of related trends that threaten the entire extended open-source ecosystem
    and its users. That ecosystem has long wrestled with problems of scale, complexity and free and open-source software’s (FOSS) increasingly critical importance to every kind of human undertaking. Let’s look at that complex of problems:

    • The biggest open-source projects now present big targets.
    • Their complexity and pace have grown beyond the scale where traditional
    “commons” approaches or even more evolved governance models can cope.
    • They are evolving to commodify each other. For example, it’s becoming
    increasingly hard to state, categorically, whether “Linux” or “Kubernetes”
    should be treated as the “operating system” for distributed
    applications. For-profit organizations have taken note of this and have
    begun reorganizing around “full-stack” portfolios and narratives.
    • In so doing, some for-profit organizations have begun distorting
    traditional patterns of FOSS participation. Many experiments are
    underway. Meanwhile, funding, headcount commitments to FOSS and other
    metrics seem in decline.
    • OSS projects and ecosystems are adapting in diverse ways, sometimes
    making it difficult for for-profit organizations to feel at home or see
    benefit from participation.

    Meanwhile, the threat landscape keeps evolving:

    • Attackers are bigger, smarter, faster and more patient, leading to long
    games, supply-chain subversion and so on.
    • Attacks are more financially, economically and politically profitable
    than ever.
    • Users are more vulnerable, exposed to more vectors than ever before.
    • The increasing use of public clouds creates new layers of technical and
    organizational monocultures that may enable and justify attacks.
    • Complex commercial off-the-shelf (COTS) solutions assembled partly or
    wholly from open-source software create elaborate attack surfaces whose
    components (and interactions) are accessible and well understood by bad
    actors.
    • Software componentization enables new kinds of supply-chain attacks.
    • Meanwhile, all this is happening as organizations seek to shed
    nonstrategic expertise, shift capital expenditures to operating expenses
    and evolve to depend on cloud vendors and other entities to do the hard
    work of security.

    The net result is that projects of the scale and utter criticality of the
    Linux kernel aren't prepared to contend with game-changing, hyperscale
    threat models. In the specific case we’re examining here, the researchers were able to target candidate incursion sites with relatively low effort
    (using static analysis tools to assess units of code already identified as requiring contributor attention), propose “fixes” informally via email, and leverage many factors, including their own established reputation as
    reliable and frequent contributors, to bring exploit code to the verge of
    being committed.

    ------------------------------

    Date: Fri, 23 Jul 2021 10:02:27 -0700
    From: "Henry Baker" <hbaker1@pipeline.com>
    Subject: Niemoeller's Boiled Frog; Weaponization of App Data

    The heat on Niemoeller's Frog is being turned up as we speak...

    First they came for the gay priests [...]
    and [by then] there was no one left to speak for me.

    https://www.vice.com/en/article/pkbxp8/grindr-location-data-priest-weaponization-app

    The Inevitable Weaponization of App Data Is Here

    Joseph Cox 21 Jul 2021
    A Substack publication used location data from Grindr to out a priest
    without their consent.

    It finally happened. After years of warning from researchers, journalists,
    and even governments, someone used highly sensitive location data from a smartphone app to track and publicly harass a specific person. In this case, Catholic Substack publication The Pillar said it used location data
    ultimately tied to Grindr to trace the movements of a priest, and then outed him publicly as potentially gay without his consent. *The Washington Post* reported on Tuesday that the outing led to his resignation.

    The news starkly demonstrates not only the inherent power of location data,
    but how the chance to wield that power has trickled down from corporations
    and intelligence agencies to essentially any sort of disgruntled,
    unscrupulous, or dangerous individual. A growing market of data brokers that collect and sell data from countless apps has made it so that anyone with a
    bit of cash and effort can figure out which phone in a so-called anonymized dataset belongs to a target, and abuse that information.

    "Experts have warned for years that data collected by advertising companies from Americans' phones could be used to track them and reveal the most
    personal details of their lives. Unfortunately, they were right," Senator
    Ron Wyden told Motherboard in a statement, responding to the incident. "Data brokers and advertising companies have lied to the public, assuring them
    that the information they collected was anonymous. As this awful episode demonstrates, those claims were bogus--individuals can be tracked and identified."

    In short, The Pillar says that Msgr. Jeffrey Burrill, who was the general secretary of the U.S. bishops' conference (USCCB) before his resignation, visited gay bars and other locations while using gay dating app Grindr. "An analysis of app data signals correlated to Burrill's mobile device shows the priest also visited gay bars and private residences while using a location-based hookup app in numerous cities from 2018 to 2020, even while traveling on assignment for the U.S. bishops' conference," the outlet
    wrote. The Pillar says the location data is "commercially available records
    of app signal data," and that it obtained the records from "a data vendor"
    and then authenticated them with a data consulting firm.

    The data itself didn't contain each mobile phone user's real name, but The Pillar and its partner were able to pinpoint which device belonged to
    Burrill by observing one that appeared at the USCCB staff residence and headquarters, locations of meetings that he was in, as well as his family
    lake house and an apartment that has him listed as a resident. In other
    words, they managed to, as experts have long said is easy to do, unmask this specific person and their movements across time from a supposedly anonymous dataset.

    A Grindr spokesperson told Motherboard in an emailed statement that
    "Grindr's response is aligned with the editorial story published by the Washington Post which describes the original blog post from The Pillar as homophobic and full of unsubstantiated innuendo. The alleged activities
    listed in that unattributed blog post are infeasible from a technical standpoint and incredibly unlikely to occur. There is absolutely no evidence supporting the allegations of improper data collection or usage related to
    the Grindr app as purported."

    It is not clear what Grindr sees as "infeasible from a technical
    standpoint." In January the Norwegian Data Protection Authority fined Grindr $11.7 million for providing its users' data to third parties, including
    their precise location data. Almost prophetically, Norwegian authorities
    said at the time that Grindr users could be targeted with this sort of information in countries where homosexuality is illegal.

    Researchers have repeatedly shown that it is possible to figure out who a
    phone in an allegedly anonymized set of location data belongs to sometimes
    with a few points of reference, such as their home or place of work. The spokesperson did not respond to a request to elaborate on what Grindr
    believes is technically infeasible.

    "The research from The Pillar aligns to the reality that Grindr has historically treated user data with almost no care or concern, and dozens of potential ad tech vendors could have ingested the data that led to the doxxing," Zach Edwards, a researcher who has closely followed the supply
    chain of various sources of data, told Motherboard in an online chat. "No
    one should be doxxed and outed for adult consenting relationships, but
    Grindr never treated their own users with the respect they deserve, and the Grindr app has shared user data to dozens of ad tech and analytics vendors
    for years."

    Journalists have also used location data in similar ways before in their reporting. In February, The New York Times' opinion section married location and advertising data to reveal the movements and identities of specific
    people who attended the January 6 Capitol riots.

    "While there were no names or phone numbers in the data, we were once again able to connect dozens of devices to their owners, tying anonymous locations back to names, home addresses, social networks and phone numbers of people
    in attendance. In one instance, three members of a single family were
    tracked in the data," the piece read.

    Last week, Motherboard reported on the so-called "identity resolution" industry, in part by posing as a customer looking to buy sensitive
    data. These companies promise to match mobile advertising IDs--unique codes assigned to mobile phones by their operating systems, and which tech
    companies have repeatedly assured consumers are anonymous, or at least pseudonymous--to real-world identities. This makes unmasking people in
    datasets even easier; why bother trying to figure out which phone belongs to who when you can just buy that information instead.

    "Anyone and everyone who has a phone and has installed an app that has ads, currently is at risk of being de-anonymized via unscrupulous companies," Edwards told Motherboard at the time when presented with our findings.

    Senator Wyden called for the Federal Trade Commission to act on the data
    broker industry. "Last year, I led a bipartisan letter to the FTC calling
    for a broad probe of the industry. The FTC needs to step up and protect Americans from these outrageous privacy violations, and Congress needs to
    pass comprehensive federal privacy legislation," he added.

    Motherboard has also shown how wide spanning the customer base for this sort
    of location data is, with the U.S. military and various law enforcement agencies also purchasing it, skirting the need to obtain a warrant. And although the data was based on that generated by telecom networks and not
    apps, we also previously spoke to Ruth Johnson, a woman who was stalked and harassed by someone who gained access to her phone's location. Johnson said T-Mobile put her "life in danger." Motherboard also tied black market
    location data to the spot of a triple murder.

    ------------------------------

    Date: Sat, 24 Jul 2021 23:51:05 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: Hoe no! Facebook snafu spells trouble for gardening group (AP News)

    https://apnews.com/article/lifestyle-technology-oddities-business-gardening-9c9f431f91ba450537974758de4f14d2

    [Noe now, brown cow? PGN]

    ------------------------------

    Date: Tue, 27 Jul 2021 12:33:46 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Hackers Turning to 'Exotic' Programming Languages for Malware
    Development (The Hacker News)

    Threat actors are increasingly shifting to "exotic" programming languages
    such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering
    efforts.

    "Malware authors are known for their ability to adapt and modify their
    skills and behaviors to take advantage of newer technologies," said <https://www.blackberry.com/us/en/forms/enterprise/report-old-dogs-new-tricks> Eric Milam, Vice President of threat research at BlackBerry. "That tactic
    has multiple benefits from the development cycle and inherent lack of
    coverage from protective products."

    On the one hand, languages like Rust are more secure as they offer
    guarantees like memory-safe programming <https://en.wikipedia.org/wiki/Rust_(programming_language)#Memory_safety>,
    but they can also be a double-edged sword when malware engineers abuse the
    same features designed to offer increased safeguards to their advantage, thereby making malware less susceptible to exploitation and thwart attempts
    to activate a kill-switch <https://thehackernews.com/2020/08/emotet-botnet-malware.html> and render
    them powerless.

    Noting that binaries written in these languages can appear more complex, convoluted, and tedious when disassembled, the researchers said the pivot
    adds additional layers of obfuscation, simply by virtue of them being relatively new, leading to a scenario where older malware developed using traditional languages like C++ and C# are being actively retooled with
    droppers and loaders written in uncommon alternatives to evade detection by endpoint security systems. [...]

    https://thehackernews.com/2021/07/hackers-turning-to-exotic-programming.html

    ------------------------------

    Date: July 26, 2021 21:57:01 JST
    From: Dewayne Hendricks <dewayne@warpspeed.com>
    Subject: Disinformation for Hire, a Shadow Industry, Is Quietly Booming
    (Max Fisher)

    Back-alley firms meddle in elections and promote falsehoods on behalf of clients who can claim deniability, escalating our era of unreality.

    Max Fisher, The New York Times, 25 Jul 2021 <https://www.nytimes.com/2021/07/25/world/europe/disinformation-social-media.html>

    In May, several French and German social media influencers received a
    strange proposal. A London-based public relations agency wanted to pay them
    to promote messages on behalf of a client. A polished three-page document detailed what to say and on which platforms to say it. But it asked the influencers to push not beauty products or vacation packages, as is typical, but falsehoods tarring Pfizer-BioNTech’s Covid-19 vaccine. Stranger still, the agency, Fazze, claimed a London address where there is no evidence any
    such company exists.

    Some recipients posted screenshots of the offer. Exposed, Fazze scrubbed its social media accounts. That same week, Brazilian and Indian influencers
    posted videos echoing Fazze’s script to hundreds of thousands of viewers.

    The scheme appears to be part of a secretive industry that security analysts and American officials say is exploding in scale: disinformation for hire.

    Private firms, straddling traditional marketing and the shadow world of geopolitical influence operations, are selling services once conducted principally by intelligence agencies. They sow discord, meddle in
    elections, seed false narratives and push viral conspiracies, mostly on
    social media. And they offer clients something precious: deniability. “Disinfo-for-hire actors being employed by government or government-adjacent actors is growing and serious,” said Graham Brookie, director of the
    Atlantic Council's Digital Forensic Research Lab, calling it “a boom industry.”

    Similar campaigns have been recently found promoting India's ruling party, Egyptian foreign policy aims and political figures in Bolivia and Venezuela. Mr. Brookie's organization tracked one operating amid a mayoral race in
    Serra, a small city in Brazil. An ideologically promiscuous Ukrainian firm boosted several competing political parties.

    In the Central African Republic, two separate operations flooded social
    media with dueling pro-French and pro-Russian disinformation. Both powers
    are vying for influence in the country.

    A wave of anti-American posts in Iraq, seemingly organic, were tracked to a public relations company that was separately accused of faking
    anti-government sentiment in Israel. Most trace to back-alley firms whose legitimate services resemble those of a bottom-rate marketer or email
    spammer.

    Job postings and employee LinkedIn profiles associated with Fazze describe
    it as a subsidiary of a Moscow-based company called Adnow. Some Fazze web domains are registered as owned by Adnow, as first reported by the German outlets Netzpolitik and ARD Kontraste. Third-party reviews portray Adnow as
    a struggling ad service provider.

    European officials say they are investigating who hired Adnow. Sections of Fazze's anti-Pfizer talking points resemble promotional materials for Russia’s Sputnik-V vaccine.

    For-hire disinformation, though only sometimes effective, is growing more sophisticated as practitioners iterate and learn. Experts say it is becoming more common in every part of the world, outpacing operations conducted
    directly by governments.

    The result is an accelerating rise in polarizing conspiracies, phony citizen groups and fabricated public sentiment, deteriorating our shared reality
    beyond even the depths of recent years.

    The trend emerged after the Cambridge Analytica scandal in 2018, experts
    say. Cambridge, a political consulting firm linked to members of Donald
    J. Trump’s 2016 presidential campaign, was found to have harvested data on millions of Facebook users.

    The controversy drew attention to methods common among social media
    marketers. Cambridge used its data to target hyper-specific audiences with tailored messages. It tested what resonated by tracking likes and shares.

    The episode taught a generation of consultants and opportunists that there
    was big money in social media marketing for political causes, all disguised
    as organic activity.

    Some newcomers eventually reached the same conclusion as Russian operatives
    had in 2016: Disinformation performs especially well on social platforms.

    At the same time, backlash to Russia’s influence-peddling appeared to have left governments wary of being caught -- while also demonstrating the power
    of such operations.

    “There is, unfortunately, a huge market demand for disinformation,”
    Mr. Brookie said, “and a lot of places across the ecosystem that are more than willing to fill that demand.”

    Commercial firms conducted for-hire disinformation in at least 48 countries last year — nearly double from the year before, according to an Oxford University study. The researchers identified 65 companies offering such services.

    Last summer, Facebook removed a network of Bolivian citizen groups and journalistic fact-checking organizations. It said the pages, which had
    promoted falsehoods supporting the country’s right-wing government, were fake.

    Stanford University researchers traced the content to CLS Strategies, a Washington-based communications firm that had registered as a consultant
    with the Bolivian government. The firm had done similar work in Venezuela
    and Mexico.

    A spokesman referred to the company’s statement last year saying its
    regional chief had been placed on leave but disputed Facebook’s accusation that the work qualified as foreign interference.

    Eroding Reality

    New technology enables nearly anyone to get involved. Programs batch
    generate fake accounts with hard-to-trace profile photos. Instant metrics
    help to hone effective messaging. So does access to users’ personal data, which is easily purchased in bulk.

    The campaigns are rarely as sophisticated as those by government hackers or specialized firms like the Kremlin-backed Internet Research Agency.

    But they appear to be cheap. In countries that mandate campaign finance transparency, firms report billing tens of thousands of dollars for
    campaigns that also include traditional consulting services.

    The layer of deniability frees governments to sow disinformation more aggressively, at home and abroad, than might otherwise be worth the
    risk. Some contractors, when caught, have claimed they acted without their client's knowledge or only to win future business.

    Platforms have stepped up efforts to root out coordinated
    disinformation. Analysts especially credit Facebook, which publishes
    detailed reports on campaigns it disrupts.

    Still, some argue that social media companies also play a role in worsening
    the threat. Engagement-boosting algorithms and design elements, research
    finds, often privilege divisive and conspiratorial content.

    Political norms have also shifted. A generation of populist leaders, like Rodrigo Duterte of the Philippines, has risen in part through social media manipulation. Once in office, many institutionalize those methods as tools
    of governance and foreign relations.

    In India, dozens of government-run Twitter accounts have shared posts from India Vs Disinformation, a website and set of social media feeds that
    purport to fact-check news stories on India.

    India Vs Disinformation is, in reality, the product of a Canadian communications firm called Press Monitor.

    Nearly all the posts seek to discredit or muddy reports unfavorable to Prime Minister Narendra Modi's government, including on the country’s severe Covid-19 toll. An associated site promotes pro-Modi narratives under the

    [continued in next message]
