jsrailton.bsky.social
Chasing digital badness. Senior Researcher at Citizen Lab, but words here are mine.
This is an interesting idea & has been experimented with by some cool artists & projects
(also me, more informally)
But it only works on certain kinds of optical facial recognition that depend on infrared illuminators.
FR that does visual spectrum stuff is not bothered by this.
That's cool! And it's the right thing to make exceptions for use cases that help people with accessibility.
That said, I am comfortable criticizing products designed & overwhelmingly used for corporate surveillance.
And to discourage their proliferation.
Computer vision & HUDs are cool. AI augmented reality is fascinating.
But this is a trojan horse for megacorp to get into *all* your interactions.
Friends don't let friends bring Zuck in a backpack on their adventures.
Or, wear these Dorkleys yourself & become an NPC constantly asking your eyewear 'hey meta is this real?'
Sometimes I think that the big phishing operations have probably developed a more applicable & empirically tested understanding of human motivation and cognition than psychologists...
Tens of thousands of behavioral A/B tests a day...and that would be a low number.
17/ Do you think you face increased risk because of who you are & what you do? Use Google's free Advanced Protection Program.
SET IT UP NOW: landing.google.com/intl/en_in/a...
And exercise extra skepticism when unsolicited interactions slide into suggesting you change account settings!
16/ Easter Egg: I can't decide if the attackers did this MS DoS thing...
- As a troll
- Coincidence, didn't notice (are they zoomers?)
- As a credibility enhancing thing
- An LLM came up with it
- ....?
you bet it does!
15/ Plus, a special thanks to @keirgiles.bsky.social for graciously working with us to understand & get his case shared.
We are all safer when people share their experiences with hacking & social engineering. They are paying it forwards.
14/ Coda: Every @citizenlab.ca report is a team production. Especially when they come together fast.
Big props to my coauthors Rebekah Brown & @billmarczak.org
& the many colleagues, collaborators & coworkers that jumped in here to help out and get this report done!

13/ What next? Well if experience is a guide... I agree with Keir here. There's a good chance that whatever the attackers got will be manipulated, sprinkled with fake stuff & misleadingly framed in some future information operation.
bsky.app/profile/keir...
12/ I recommend the Google blog post on this attack.
It's great that GTIG decided to post on this & go public with attribution.
Helpful to victims & other research teams that don't share Google's terrifying actor visibility.
By Gabby Roncone & @wxs.bsky.social
cloud.google.com/blog/topics/...
My theory is that it's about trying to prevent enumeration.
11/ Targeting App-Specific Passwords is novel.
But it's just part of a trend of state-backed attackers innovating.
The folks @volexity.com have some great recent work on similar novel Russian attacks.
www.volexity.com/blog/2025/04...
10/ Takeaway: some gov-backed groups are feeling pressure & experimenting.
Moving from smash & grab phishing... to subtler, slower & perhaps less detectable.
By me @jsrailton.bsky.social with Rebekah Brown & @billmarczak.org
citizenlab.ca/2025/06/russ...
9/ There were so many clever bits to this attack, it's easy to imagine a lot of people falling for it.
Everything was clean. Doc looked real. The language was right. Email addresses at the State Dept. seemed to be CC'd... I could go on.
They even had Keir enter "ms.state. gov" into the ASP name...

8/ Who targeted @keirgiles.bsky.social? Enter the Google Threat Intelligence Group w/ analysis & attribution!
Great!
Our bad actors are: 🇷🇺 #UNC6293, a #Russian state-sponsored threat actor.
Google adds bonus additional low confidence association to #APT29 (that would be the #SVR).
Nice people.
7/ This attack was like slow food. 10 email exchanges over several weeks! No overt pressure!
Very much not your run-of-the-mill phishing.
Ultimately, @keirgiles.bsky.social realized something was wrong and got in touch with us @citizenlab.ca...but not before the attackers got some of his ASPs...
6/ What's an App-Specific Password? So, not every app supports Multi-Factor Authentication.
Some older email clients don't. So providers like Google let users create a special password just for those apps.
An ASP is a string of characters that gives access to *everything*.
See where this is going?

5/ The attack works like this: deceive @keirgiles.bsky.social into creating & sending the attacker an App-Specific Password (ASP).
They do this by reframing ASPs as something that will let him access a secure resource (spoiler: not how this works)...
So, what IS an ASP for real tho?

4/ The attackers wait for the 2nd interaction to introduce the pivotal deception: getting @keirgiles.bsky.social to 'connect to a secure platform'.
In the next days they patiently walk him through what they want him to do, even sending a very official looking (but fake) State Dept. document.
3/ Strong credibility signal to have a bunch of .gov ppl on a CC line right?
Well, the #Russian attackers must've figured out that the State Dept mailserver just accepts all email to ANY @state.gov address without a bounce.
So they just added some fake State Dept staff names and addresses.
Smart!

2/ How the attack works:
First, @keirgiles.bsky.social gets a message purporting to be from the State Dept asking for a consultation.
Pretty common thing for him.
And these attackers did everything to make this outreach look credible...
Like CCing a bunch of @state.gov email addresses...
Glad I could help
NSO equipped an election-rigging plot in Ghana with their gear set up at a private warehouse. It was then smuggled to a secret apartment in Accra.
None of this is remotely good.
All of it shows a company that is absolutely not thinking about keeping us all safer.

Google's TAG has found NSO exploit code showing up just a few months later being used by a Russian gov hacking operation.
How did that happen? No possible explanations are good. Maybe NSO sourced from the same players that supply exploits to the Russian SVR-backed group...Or their code leaked? Or?

An NSO employee went rogue, stole code & tried to sell it.
Another used it to target a love interest...
For the record, society is less safe when dictators are equipped to go on hacking expeditions into democracies.
Society is also less safe because of NSO's nasty track record of losing control of their tech...with risks to it going to cyber criminals & hostile governments.
Let's recap...
big moves! glad to have you back in the mix Patrick
Remember: Congress runs on personal phones.
That nobody systematically secures.
The scale of the quiet breaches and surveillance issues that have likely happened...and gone undetected are literally unfathomable
So good that @wyden.senate.gov is getting this into the open.
3/ Here's the full letter.
Great to see Senator @wyden.senate.gov leaning in on privacy.
Yet again this is a reminder that just because nobody raises the alarm doesn't mean that things are going ok.
+ Big props for unlocking new commitments from companies.
www.wyden.senate.gov/imo/media/do...
2/ But @wyden.senate.gov didn't stop there.
In a letter to colleagues, the senator highlighted troubling evidence that when government-ordered surveillance of Senators took place, companies failed to notify Senators.
Drives home just how easy secret political surveillance could be.
16/ Bottom line: NSO's business is hacking US companies & selling resulting access to foreign governments.
Those governments will, as they always have done, target Americans. And the USG.
This is not a practice that should be given the cover of legitimacy by being supported with tax dollars.

15/ Remember, in court NSO tries to claim that it is above US law.
That mindset is probably why NSO kept hacking WhatsApp, an American company, even after they got caught and sued. And selling that tech to foreign governments.
Scofflaw stuff.