Amazon’s Decentralization Plan
*epilepsy warning*|Hatemail: Newsletter and Intel from the LaBac Hacker Collective
Amazon Highlights the Moral Ambiguity of Decentralization
From cryptocurrency to mesh networks, many technologists agree that decentralization is a major philosophical underpinning to the development of cutting-edge internet technologies. There are many benefits to decentralization which, at its core, involves moving the functions of a technology or platform from a centralized decision-making hub (for example, Facebook’s massive data collection and content moderation projects) to a more user-controlled experience.
A decentralized web means that authoritarian regimes cannot censor content, or that we can save bandwidth by sharing it. A decentralized financial system would cut out market power from a consolidated few market makers and boost individual standing in a digital credit system. In New York City, we enjoy the NYC Mesh, one of many regional mesh-based internet service providers that expand internet accessibility for all.
But in these early days of decentralized technology, application and implementation are critical to its usability and safety. After all, it’s still a cutting-edge concept in technology, and it will come with many challenges that could threaten the security and privacy of users. Leave it to a morally ambiguous tech behemoth like Amazon to stress test this.
This week marks a radical expansion for Amazon’s Sidewalk product, a mesh network that seeks to render Amazon hardware devices into decentralized internet nodes. Amazon has tried to get ahead of the inevitable privacy debate by producing a detailed white paper on the security challenges. But despite robust technical controls and policies, along with all the proper encryption you would expect, there is nonetheless a deficit of understanding between the philosophy of decentralization and the technology.
Our biggest problem with Amazon Sidewalk is best described as an utter lack of consent on the part of the company. For one, Amazon is automatically entering all supported hardware into the Sidewalk mesh network. For those Amazon Echo owners who aren’t keeping up with tech news like us nerds, that means that a device they own is now part of a large-scale mesh network, sharing its internet connection with strangers’ devices that need it, likely without their knowledge.
Now, there are some actually cool techniques that the Sidewalk network uses to ensure that the connection you are sharing is abused by a malicious actor. The Sidewalk technical whitepaper notes mechanisms like continuous network monitoring, multiple authentications at ingress and egress, and the use of various identifiers and authentications to ensure only legitimate packets are honored onto the network.
Nonetheless, it’s only through practical usage that hackers and security researchers discover all the gaps in the approach, and potential areas where privacy and security may be at risk. For one, we are looking at how network hardware identifiers such as MAC addresses and transaction IDs can be fingerprinted and profiled via the Sidewalk network, and how a user might be triangulated.
Ransomware Hacks and Crackdowns
[DOJ] [NYTimes] [Twitter] On Monday, the U.S. Department of Justice announced that the department had recovered the $5 million cryptocurrency ransom paid by Colonial Pipeline to DarkSide, the Russian group that claimed responsibility for the ransomware attack on the company last month.
[DOJ] [ABC] [Washington Post] On Tuesday the U.S. Department of Justice announced that 500-plus arrests were made worldwide as part of a law enforcement operation that used phones loaded with an encrypted messaging app controlled by the FBI.
[Wired] Reports are emerging that the pipeline firm LineStar Integrity Services was hacked around the same time as Colonial Pipeline, resulting in 70GB of the company’s data being leaked. The group DDoSecrets was reportedly the first to find the leaked data online.
[Reuters] The U.S. to give ransomware hack investigations similar priority as terrorism, and guidance that investigations should be centrally coordinated with an already existing and newly formed task force in Washington, D.C.
[U.S. Supreme Court] [SCOTUS Blog] Last week the Supreme Court ruled in the case Van Buren v. United States, a case which had major repercussions for the interpretation of one of the “most important criminal statutes involving computer-related crime.”
Headlines in Cryptocurrency
[arsTechnica] On Wednesday El Salvador’s president officially signed a new law that states that companies must accept bitcoin as a form of payment. El Salvador is the first nation in the world to officially accept and use the cryptocurrency.
[Verge] Cryptocurrency is more popular than ever and there appears to be a boom in cryptocurrency scams as blockchain technology makes it difficult for victims to find any sort of recourse.
[The Guardian] The Basel Committee on Banking Supervision, a group comprised of regulators from prominent financial institutions, is proposing strict regulations on cryptocurrency.
[Bleeping Computer] Norton has released new functionality to allow users to mine Ethereum called Norton Crypto to deter users from unsafely mining for cryptocurrency. It works by utilizing GPU available and transferring out to a cloud-hosted Norton wallet.
On Our Radar...
[Politico] [Verge] Last week, Politico reported that the newspaper publisher Gannet was fighting a subpoena signed by a senior FBI agent which seeks the internet addresses and mobile information of those who accessed a USA Today article online.
[Graphika] Far-right American communities are being targeted by Russian information operations on platforms such as Gab and Parlerm according to this report by Graphika.
[Media Matters] [VICE] According to research conducted by Media Matters, so far 19 people who have publicly supported QAnon have announced their intention to run for House and Senate seats throughout the country in the 2022 midterm elections.
Hate speech website: 9gag[.]com
Who hosts: Amazon, Cloudflare, Fastly
Today’s site is 9gag[.]com. As reporting in the past couple of years has shown, memes are a powerful mechanism for the spread of hate speech and disinformation. One of the most popular meme sites for off-kilter content is 9gag, which has previously admitted it has a hate speech problem.
We have observed that 9gag’s site resolves to an IP address hosted by Amazon Web Services, at 54.219.159[.]28. They also use Cloudflare and Fastly to protect their site.
DEF CON: Hardware Hacking Village - Call For Papers (Exact Times TBD: August 5th-8th, 2021) – One of the many villages at DEF CON returning this year is the Hardware Hacking Village. Their call for papers is currently open. Submissions and talks will be streamed virtually again this year, as they were last year. Additionally, the HHV village is looking for volunteers to help coordinate (see information in the link above). See Twitter post here:
Transparency & Tech: Where are we headed with transparency reporting? (Friday, Dec. 11, 11:30 am ET) – Access Now is hosting a webinar that examines the future of how tech companies produce and distribute transparency reports, periodic compilations of security, trust and safety, and harassment data. Guest panelists include Google, Discord, Reddit, and more!