So we're talking about cybersecurity again today. Specifically, social engineering. As a note, I have received permission from the owner of the hacked account to write this as a cautionary article, because this was an impressively sophisticated attack.
Yesterday, I received this set of DMs from a friend, someone I know and would generally trust if they sent me a link. Reading back over this now I'm like "c'mon man this isn't even that good of an impersonation" but at the time. Well. I've been fried from work.
The second they said "Nice, im waiting" is when the alarm bells started firing. If you recall my last cybersecurity post, scams employ a sense of urgency because the longer you take to do what they want, the more time you have to figure out it's a scam.
Shortly after, a mutual friend announced this user had been hacked in a shared server that this user moderates. A few minutes later, the hacker deleted the entire shared server. So yeah, that sucked. But it is a good learning experience in how hackers operate on the modern internet, so let's break it down.
In the previous scam example, the attack was a phishing scheme asking the target to share their credit card information. This time, we've got a social engineering attack distributing malware (a variant of a "baiting" attack).
Social engineering works in four steps: Prepare, Infiltrate, Exploit, and Disengage. By hacking into an account that already has an established relationship with a target, the hacker is able to skip step 2. The hacker was likely logged in to the account for several days so they could research the user they would be impersonating (step 1) and create a plausible transmission vector for their malware (step 3). The user has game development experience, and I am a gamer, so their transmission vector ("My friend made a game; can you beta test?") was actually impressively plausible and effective.
I haven't been able to find this text anywhere else, but considering this is a fake game page it was probably written by AI. The screenshots, however, are stolen from the game Arietta of Spirits. This fooled me because I have not played the game (although my husband recognized it immediately lol). But! Once the suspicion that this was not a real game set in, I pulled one of the images into reverse image search:
Yeah bud, either this is fake, or this "friend of a friend" is going to have some legal problems.
At this point, the hacker had stopped responding to my messages (Step 4: Disengage). I wasn't able to identify their goal in this attack (I wasn't about to download their exe onto my actual computer and I don't have a forensic lab set up), but it was likely to gain access to my account(s) through token theft or install some sort of ransomware. We've reported them and Discord will deal with them now.
All that said, this absolutely would have taken time to prepare and plan, so let's go over some mitigation for this sort of situation. Like a meatspace virus, the target may be infected well before it becomes apparent to outsiders, so there are a couple of extra things to check. (I didn't ask how the hacker got into the account, so this is general advice.)
First, password best practices: passwords should be long, random, and unique. You should NEVER reuse a password across sites. When a hacker breaks into one site, the stolen credentials get sold or replayed against every other site (this is called credential stuffing), and it doesn't matter much whether the site stored them in plaintext or as hashes, because weakly hashed passwords get cracked. You can check whether your email address or passwords have shown up in data breaches with Have I Been Pwned (this site is owned and operated by Troy Hunt, a web security consultant and Microsoft Regional Director. It is the only site I trust for this purpose.) Its password check never sends your actual password anywhere: only the first five characters of the password's SHA-1 hash go to the server, and the comparison happens on your side.
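Here is how that "check a password without sending it" trick works, as an added example written for this post (it is not code from Have I Been Pwned). The range response below is constructed to look like the real API's output, with the SHA-1 suffix of the password "password" and a made-up breach count; the live `fetch_range` helper is included but the demo only uses the constructed sample, so it runs offline.

```python
import hashlib
import urllib.request

API_BASE = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a Pwned Passwords "range" response (NOT real API output,
# counts are made up). Each line is the last 35 hex characters of a SHA-1 hash,
# a colon, and how many times that password appeared in breaches. The real API
# uses CRLF line endings and may add padding rows with a count of 0.
SAMPLE_RANGE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"  # suffix of SHA-1("password")
    "1F1C3B2A0A9E5D8C7B6A5F4E3D2C1B0A9F8:0\r\n"        # padding row, ignore
)


def split_hash(password):
    """SHA-1 the password and split it into the 5-char prefix that is sent to
    the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def request_url(password):
    """The only thing the server ever sees: the URL with the hash prefix."""
    prefix, _ = split_hash(password)
    return API_BASE + prefix


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into {suffix: count}, dropping
    malformed lines and padding rows whose count is 0."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def count_in_range(suffix, range_text):
    """Look the local suffix up in the server's list; 0 means not found."""
    return parse_range_response(range_text).get(suffix.upper(), 0)


def fetch_range(prefix):
    """Live lookup over the network. Only the 5-char prefix is transmitted."""
    req = urllib.request.Request(API_BASE + prefix, headers={"User-Agent": "hibp-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, range_text=None):
    """How many times the password appears in known breaches. Pass range_text
    to work offline (as the demo does); omit it to query the real API."""
    prefix, suffix = split_hash(password)
    if range_text is None:
        range_text = fetch_range(prefix)
    return count_in_range(suffix, range_text)


if __name__ == "__main__":
    print("request sent:", request_url("password"))
    print("breach count:", pwned_count("password", SAMPLE_RANGE_RESPONSE))
```

The count is what matters: anything above zero means the password is in a cracking wordlist somewhere and should be retired, even if you have never personally been breached.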
To help manage your passwords and make sure every login gets a unique one, use a password manager like Bitwarden (which is free and open source). For a master password that is secure but still memorable, I'm a fan of the Correct Horse Battery Staple method: a passphrase made of several randomly chosen words.
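To show why a random-word passphrase beats a short "complex" password, here is an added example (my code, not anything from Bitwarden or the xkcd comic) that generates one with the OS random source and works out the entropy. The eight-word list is a stand-in I made up so it runs stand-alone; a real Diceware list like the EFF long list has 7776 words, and that number is what the entropy math below assumes.

```python
import math
import secrets

# Constructed stand-in word list. It only has 8 entries, so it gives just
# 3 bits per word; it exists so the code runs offline, not for real use.
DEMO_WORDS = ["correct", "horse", "battery", "staple",
              "orbit", "lantern", "pickle", "granite"]

# Size of the EFF long Diceware list (assumed here, not shipped with the code).
EFF_LONG_LIST_SIZE = 7776


def passphrase_entropy_bits(num_words, list_size):
    """Entropy of num_words picked uniformly at random from list_size words.
    Each word contributes log2(list_size) bits."""
    return num_words * math.log2(list_size)


def random_string_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string, for comparison."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size):
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words, words=DEMO_WORDS, sep=" "):
    """Pick words with secrets.choice (a CSPRNG). random.choice is seeded from
    predictable state and must not be used for passwords."""
    if num_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    print("demo passphrase:", generate_passphrase(5))
    print("5 words from the demo list: %.1f bits"
          % passphrase_entropy_bits(5, len(DEMO_WORDS)))
    print("4 words from a 7776-word list: %.1f bits"
          % passphrase_entropy_bits(4, EFF_LONG_LIST_SIZE))
    print("8 random lowercase letters: %.1f bits"
          % random_string_entropy_bits(8, 26))
    print("words for 80 bits:", words_needed(80, EFF_LONG_LIST_SIZE))
```

Four words from the full list land around 52 bits, well past a random eight-letter password at about 38 bits, and six words get you near 78. The entropy only counts if the words are actually picked at random; choosing your four favourite words by hand throws most of it away.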
Second, since we know this attacker had time to prepare, you should also check for unknown devices logged in to your account. In Discord, this is in the user settings page under Devices:
There is a button at the bottom of that page to log out of all devices, just in case there is one that you don't recognize.
The most damaging thing the hacker did was delete several of the Discord servers the user had ownership of. Fortunately, the inhabitants of the server I frequent grabbed a list of members just in time to rebuild it (in one hell of an impressive barn raising maneuver). So my last pieces of advice are to mitigate the damage and enable rapid rebuilding.
For one, I have a private single-person Discord server in which I jot down notes. I'm probably going to be moving that over to Obsidian, because it would kinda suck if my account got hacked and that server got deleted.
Discord also has a feature for server administrators to generate a template of a server (in the Server Settings, right above Delete Server way at the bottom of the list). A template captures the channels, roles, and settings, but not the message history or the member list, so it gets you a working skeleton back quickly rather than a full restore. Keeping one saved can still help a lot if you ever need to rebuild.
The members of the server also took screenshots of the member list so we could reinvite everyone to the new server. We lost a lot of chat history, and it truly sucks, but we still have the most important thing: the people.
So yeah, this was a pretty shitty thing for the hacker to do! I'm both mad and a little impressed, but mostly mad. Stay safe out there y'all.