This is troubling:
Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane’s engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft’s functions, including temperatures of various equipment, fuel flow and quantity, and oil pressure. In the tweet, Roberts jested: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone ? :)” FBI agents questioned Roberts for four hours and confiscated his iPad, MacBook Pro, and storage devices.
Yes, the real issue here is the chilling effects on security research. Security researchers who point out security flaws is a good thing, and should be encouraged.
But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There’s some serious surveillance going on.
Now, it is possible that Roberts was being specifically monitored. He is already known as a security researcher who is working on avionics hacking. But still…
Slashdot thread. Hacker News thread.
EDITED TO ADD (4/22): Another article, this one about the debate over disclosing security vulnerabilities.
Posted on April 21, 2015 at 5:26 AM •
New research: Geotagging One Hundred Million Twitter Accounts with Total Variation Minimization,” by Ryan Compton, David Jurgens, and David Allen.
Abstract: Geographically annotated social media is extremely valuable for modern information retrieval. However, when researchers can only access publicly-visible data, one quickly finds that social media users rarely publish location information. In this work, we provide a method which can geolocate the overwhelming majority of active Twitter users, independent of their location sharing preferences, using only publicly-visible Twitter data.
Our method infers an unknown user’s location by examining their friend’s locations. We frame the geotagging problem as an optimization over a social network with a total variation-based objective and provide a scalable and distributed algorithm for its solution. Furthermore, we show how a robust estimate of the geographic dispersion of each user’s ego network can be used as a per-user accuracy measure which is effective at removing outlying errors.
Leave-many-out evaluation shows that our method is able to infer location for 101,846,236 Twitter users at a median error of 6.38 km, allowing us to geotag over 80% of public tweets.
Posted on March 10, 2015 at 6:50 AM •
Here are two articles about how effectively the Islamic State of Iraq and Syria (ISIS)—the militant group that has just taken over half of Iraq—is using social media. Its dedicated Android app, that automatically tweets in its users’ names, is especially interesting. Also note how it coordinates the Twitter bombs for maximum effectiveness and to get around Twitter’s spam detectors.
Posted on June 17, 2014 at 10:17 AM •
This is a pretty horrible story of a small-town mayor abusing his authority—warrants where there is no crime, police raids, incidental marijuana bust—to identify and shut down a Twitter parody account. The ACLU is taking the case.
Posted on May 19, 2014 at 7:07 AM •
Clever, but make sure to heed the caveats in the final two paragraphs.
Posted on May 12, 2014 at 4:04 PM •
Interesting research into figuring out where Twitter users are located, based on similar tweets from other users:
While geotags are the most definitive location information a tweet can have, tweets can also have plenty more salient information: hashtags, FourSquare check-ins, or text references to certain cities or states, to name a few. The authors of the paper created their algorithm by analyzing the content of tweets that did have geotags and then searching for similarities in content in tweets without geotags to assess where they might have originated from. Of a body of 1.5 million tweets, 90 percent were used to train the algorithm, and 10 percent were used to test it.
Posted on March 26, 2014 at 1:10 PM •
There’s an interesting project to detect false rumors on the Internet.
The EU-funded project aims to classify online rumours into four types: speculation—such as whether interest rates might rise; controversy—as over the MMR vaccine; misinformation, where something untrue is spread unwittingly; and disinformation, where it’s done with malicious intent.
The system will also automatically categorise sources to assess their authority, such as news outlets, individual journalists, experts, potential eye witnesses, members of the public or automated ‘bots’. It will also look for a history and background, to help spot where Twitter accounts have been created purely to spread false information.
It will search for sources that corroborate or deny the information, and plot how the conversations on social networks evolve, using all of this information to assess whether it is true or false. The results will be displayed to the user in a visual dashboard, to enable them to easily see whether a rumour is taking hold.
I have no idea how well it will work, or even whether it will work, but I like research in this direction. Of the three primary Internet mechanisms for social control, surveillance and censorship have received a lot more attention than propaganda. Anything that can potentially detect propaganda is a good thing.
Three news articles.
Posted on February 21, 2014 at 8:34 AM •
This is a pretty impressive social engineering story: an attacker compromised someone’s GoDaddy domain registration in order to change his e-mail address and steal his Twitter handle. It’s a complicated attack.
My claim was refused because I am not the “current registrant.” GoDaddy asked the attacker if it was ok to change account information, while they didn’t bother asking me if it was ok when the attacker did it.
It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification.
The misuse of credit card numbers as authentication is also how Matt Honan got hacked.
Posted on January 31, 2014 at 6:16 AM •
I have an official Twitter feed of my blog; it’s @schneierblog. There’s also an unofficial feed at @Bruce_Schneier. I have nothing to do with that one.
I wouldn’t mind the unofficial feed—if people are reading my blog, who cares—except that it isn’t working right, and hasn’t been for some time. It publishes some posts weeks late and skips others entirely. I’m only hoping that this one will show up there.
It’s also kind of annoying that @Bruce_Schneier keeps following people, who think it’s me. It’s not; I never log in to Twitter and I don’t follow anyone there.
So if you want to read my blog on Twitter, please make sure you’re following @schneierblog. And if you are the person who runs the @Bruce_Schneier account—if anyone is even running it anymore—please e-mail me at the address on my Contact page. I’d rather see it fixed than shut down, but better for it to be shut down than continue in its broken state.
Posted on January 7, 2014 at 4:53 PM •
Sidebar photo of Bruce Schneier by Joe MacInnis.