2024: The Year of Infinite Infosec Fail

First up in today’s game of “who fed it and who ate it:” Artificial Intelligence.

AI is everywhere. AI chatbots! AI image generators! And now, AI code assistants, that help developers write computer programs!

Only here’s the thing: AI doesn’t know anything. A lot of folks think these AI systems are, like, some sort of huge database of facts or something. They aren’t. They’re closer to supercharged versions of the autocomplete on your phone.

Which means if you ask an AI chatbot or code generator a question, it does the same thing autocomplete does: fills in syntactically correct words that are likely to come after the words you typed. There is no intelligence. There is no storehouse of facts it looks up.

That’s why AI is prone to “hallucinations”—completely imaginary false statements that the AI systems invent because the words it uses are somehow associated with the words you typed.

AI Fembot says: The Golden Gate Bridge was transported for the second time across Egypt in October of 2016. (Image: Xu Haiwei)

So, code generation.

AI code generation is uniformly terrible. If you’re asking for anything more than a simple shell script, what you get likely won’t even compile. But oh, it gets worse. So, so much worse.

AI code generators do not understand code. They merely produce output that resembles the text they were trained on. And sometimes, they hallucinate entire libraries or software packages that do not exist.

Which is perfectly understandable once you get how AI LLMs work.

What’s particularly interesting, though, is that malware writers can write malware, give it the same name as the packages AI code generators make up out of thin air, and devs will download and install them just because an AI chatbot told them to.
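One defensive check that follows from this, as an added example (not code from the original post): before installing anything an assistant suggested, vet each declared dependency against registry metadata instead of trusting that the name exists. The registry snapshot, the popular-name list and the package.json below are constructed for the demo; a real check would query the registry's metadata API for each name.

```javascript
// Added example, not from the original post: vet package.json dependencies
// against registry metadata. Existence alone proves nothing, because the
// dangerous case is exactly a made-up name that someone has since registered;
// so age and download volume are checked too, plus near-misses of well-known
// names. All data below is constructed for the demo.

// Well-known names an invented package is likely to be a near-miss of (constructed list).
const POPULAR = ["lodash", "express", "axios", "react", "moment"];

// Constructed snapshot of registry metadata keyed by package name.
const REGISTRY_SNAPSHOT = {
  lodash: { created: "2012-04-23", weeklyDownloads: 40000000 },
  express: { created: "2010-05-22", weeklyDownloads: 25000000 },
  // An invented-sounding name registered days ago with almost no downloads:
  // the case the post describes.
  "express-jwt-helper-utils": { created: "2024-03-01", weeklyDownloads: 12 },
};

// Plain Levenshtein edit distance (single-row version), used for near-miss detection.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns { name, verdict, findings }; verdict is "ok", "review" or "block".
// `now` is fixed so the demo is reproducible.
function vetDependency(name, snapshot, now = new Date("2024-03-10")) {
  const findings = POPULAR.filter((p) => p !== name && levenshtein(p, name) <= 2)
    .map((p) => `near-miss-of-${p}`);
  const meta = snapshot[name];
  if (!meta) return { name, verdict: "block", findings: ["not-in-registry", ...findings] };
  const ageDays = Math.round((now - new Date(meta.created)) / 86400000);
  if (ageDays < 30) findings.push(`registered-${ageDays}-days-ago`);
  if (meta.weeklyDownloads < 1000) findings.push("low-downloads");
  return { name, verdict: findings.length ? "review" : "ok", findings };
}

// Vet every dependency and devDependency declared in a package.json text.
function vetPackageJson(text, snapshot = REGISTRY_SNAPSHOT) {
  const pkg = JSON.parse(text);
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  return names.map((n) => vetDependency(n, snapshot));
}

// Constructed package.json as an assistant might have written it.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { lodash: "^4.17.21", "express-jwt-helper-utils": "^1.0.0", lodahs: "^4.0.0" },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const r of vetPackageJson(SAMPLE_PACKAGE_JSON)) {
    console.log(r.verdict.padEnd(6), r.name, r.findings.join(" "));
  }
}
```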

Bet you didn’t have that on your “Reasons 2024 Will Suck” bingo card.

And speaking of things that suck:

I woke this morning to a message from Eunice that a popular, trusted developer had inserted malicious code in an obscure Linux library he maintains, code that would allow him to log in and access any Linux system that his library is installed on.

In February, then again in March, the developer released updates to a library called “XZ Utils.” The update contained weird, obfuscated code—instructions that were deliberately written in a manner to conceal what they did—but because he was a trusted dev, people were just like 🤷‍♂️. “We don’t know what this code he added does, but he seems an okay guy. Let’s roll this into Linux.”

He seems a decent fellow. We don’t know what this code does, but what’s the harm? (Image: Zanyar Ibrahim)

Fortunately it was spotted quickly, before it ended up widely used, so only a handful of bleeding-edge Linux distros were affected, but still:

What the actual, literal fuck, people??!

“This library contains obfuscated code whose purpose has been deliberately concealed. What’s the worst that can happen?”

Jesus. And it’s only March.

Developers should never be allowed near anything important ever.

The Lads from Cyprus: Now on Quora!

Back in March 2016, eight years and one day ago, I published an analysis of a spam ring advertising phony pay-for-play scam “dating sites.” This particular group was responsible for about 90% of the “Hot Lady Wants to F*ck You” spam in circulation. The spam contained links to hacked sites that the spammers placed malicious redirectors on, that would redirect to other sites that redirected to other sites that redirected to a site that would promise sex and ask you a bunch of questions about what you were looking for, then take you to the actual scam site.

I called these guys “the Lads from Cyprus” because invariably the scam dating sites were registered to a shell company organized in Cyprus.

Times have changed, and the Lads from Cyprus have changed with them. While they still do send spam emails, I rarely see them any more—perhaps six or eight times a year, where I used to see them multiple times per day.

Instead, they’ve moved on…to Quora.

The Quora Connection

I spend most of my time on Quora these days. A few years back, I started noticing a large number of profiles with the same pattern: a profile pic of a hot woman in a kind of blandly generic Instagram pose, answering questions at an enormous rate (sometimes once a minute or more), with the answers all being a sentence or so that might or might not be related to the question, but that always included a photo of a scantily-dressed woman.

The profiles look like this:

The links (“Latest Nude Videos and Pics,” “Hookup [sic] with me now”) all lead to domains that are registered on Namesilo, usually with ultra-cheap TLDs like “.life,” that—rather amazingly—are still using the exact same templates I saw in 2016.

Go with what works, eh?

Anyway, these sites ask you a bunch of questions, tell you you’re about to see nude photos, then redirect you to a scam dating site—in this case, one called “onlylocalmeets.com”—where you will immediately see a direct message request the moment you connect, though of course you’ll need to pay if you want to receive it.

It’s actually kind of amazing to me that they’re still running the same scams essentially unchanged, using the same templates they used eight years ago. They’ve clearly got this down to an art—the redirection sites even do some spiffy geolocation and collect as much information from your browser fingerprint as they can before sending you off to the scam site.

There are at least hundreds, possibly thousands, of these fake profiles on Quora, all of which use stolen photos of Instagram models, and all of which link back, through various intermediaries, to the same scam dating site.

I started recording the scam profiles in a Notes file. I deliberately didn’t go out searching for them; instead, I just browsed Quora as I normally do, and made a note whenever I encountered one of these scam profiles (and if I was in the mood, did a reverse image search to see whose photos were stolen for that profile).

There are…a lot of them.

Based on what I’ve seen, I’d say probably 800 on the low end and 1,500 on the high end.

One of them even used stolen Instagram photos of pro golfer and model Paige Spiranac. When I reverse image searched the photos, I looked up the email address of her agent (who was easy to find) and sent an email saying “hey, just so you know, your client’s photos are being used in a catfishing scam, here’s the link.” The profile was banned a few days later, so maybe she or her agent filed a DMCA takedown request.

I find it interesting that this organized spam gang is still at it, still running the same scam they’ve been running for at least ten years, but always looking for new ways to find fresh crops of victims.

I also find it interesting that it works. These scam profiles quickly end up with thousands, sometimes tens of thousands, of followers.

And finally, if you’ve ever wondered what it’s like to be a woman online, just look at the comments to the spam posts, which range from the drearily predictable:

To the completely unhinged:

(And what is it with these people not knowing the difference between “your” and “you’re”? You can be a completely deranged psycho who abuses women online or you can spell, but not, it seems, both.)

To the…well, I don’t know what the fuck this is. I’ve deliberately cropped off this fellow’s username.

Jesus, I do not understand why any woman would ever voluntarily go online.

On the one hand, it’s kinda hard to feel sorry for some of these blokes, who will no doubt be fleeced of all their money. That particular combination of toxic entitlement toward access to women’s bodies and aggressive stupidity makes it really hard to sympathize with the folks being ripped off here.

On the other, any scam is wrong, regardless of the victims it targets.

fly.io, SMS spam, and malware

[Edit 11-Jan-2023] I’ve received a reply from Fly.io; see end of this entry

Ah, a new year has come. Out with the old, in with the new…strategies for phish and malware sites, that is.

And what would phish and malware sites be without complicit webhosts and web service providers?

So today I’m going to dive into an enormous quantity of SMS text message spam I’ve been flooded with over the past couple of months, who’s behind it, and what it’s doing.

It started in mid-November of last year (2023), with a text message saying “The USPS package arrived at the warehouse but could not be delivered” and a link to a site that was just a random collection of letters and numbers. No biggie, I get these all the time. Standard run of the mill phish attempt. If you visit the link, you’re taken to a site that looks like the Post Office, but it’s a fake, of course. They ask you to type a bunch of personal information, which the people responsible will use to steal your identity, get loans in your name, whatever.

Then I got another. And another. And another. And another. And then dozens more, coming in one, two, three, four, sometimes five or more a day.

And they haven’t stopped.

Text message after text message after text message. “You’ve been infected with viruses.” “Your cloud service has been terminated.” “We couldn’t deliver your package.”

All of them with URLs that looked like random strings of letters and numbers.

So my spidey sense was activated, and I looked up all those URLs.

Surprise, surprise, every single one is hosted on the same web service provider, an outfit called fly.io.

And there are a lot of them.

*** CAUTION *** CAUTION *** CAUTION ***
THESE LINKS ARE LIVE AS OF THE TIME OF WRITING THIS. Many of these links will bring you to malware or phish sites. DO NOT visit these links if you don’t know what you’re doing.

I started collecting the URLs from the text messages:


I notified fly.io’s abuse team about the problem. And notified them. And notified them. And notified them. Each time, I received an identical reply, from a guy calling himself “Matt Braun,” saying only “I have let our customer know. Thanks!”

Matt Braun doesn’t appear to have grasped that their customer is the phisher. And lately, I haven’t even received these replies; they haven’t acknowledged recent abuse reports in days. Meanwhile (of course) all the links remain active because (of course)…their customer is the phisher.


Okay, so how does the scheme work?

I’ve spent some time mapping out the network. The quick overview:

  1. A text message is mass broadcast, advertising a URL on fly.io.
  2. Marks who click on the link in the message are redirected to a site called “track.palersaid.com,” hosted on Amazon AWS. Track.palersaid.com looks at the incoming fly.io URL, the type of computer or smartphone you’re using, and probably other stuff, then sends you on to another site.
  3. This site, track.hangzdark.com, is another tracking and redirection site also hosted on Amazon AWS.
  4. From there, marks are redirected to the actual target site, which might be a fake FedEx page, a fake UPS page, a fake “virus scan” page, or more. There are a lot of these destinations: read.messagealert.com, kolakonages.com, aca.trustedplanfinder.com, and more. Some of these destination sites are, no surprise here, hosted on Namecheap, which is in my opinion one of the scuzziest of malware and spam sewer hosts.
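The mapping described in the four steps above can be automated so that each intermediary is recorded rather than silently followed. This is an added example, not the post’s own tooling: `mapRedirectChain` takes an injectable `fetchImpl` (Node’s global `fetch` with `redirect: "manual"` in real use, from an isolated analysis box); the `fakeFetch` below and the `example-lure.invalid` start URL are constructed to mimic the chain the post describes, and `KNOWN_RELAYS` lists the two relay domains named above.

```javascript
// Added example, not from the original post: walk an SMS lure URL hop by hop
// without auto-following redirects, so every relay in the chain is recorded.
// fetchImpl is injectable; Node 18+ global fetch with { redirect: "manual" }
// returns the 3xx response unfollowed and works here. Caveat: a hop that
// redirects via JavaScript or <meta refresh> instead of an HTTP 3xx will end
// the walk early, which is why the summary reports where it stopped.

async function mapRedirectChain(startUrl, fetchImpl, maxHops = 10) {
  const hops = [];
  let url = startUrl;
  for (let i = 0; i < maxHops; i++) {
    const res = await fetchImpl(url, { redirect: "manual" });
    const location = res.headers.get("location") || null;
    hops.push({ url, host: new URL(url).hostname, status: res.status, location });
    if (!location || res.status < 300 || res.status >= 400) break;
    url = new URL(location, url).toString(); // Location may be relative
  }
  return hops;
}

// Relay domains the post names; any host on them is a tracker hop.
const KNOWN_RELAYS = ["palersaid.com", "hangzdark.com"];

function summarize(hops) {
  const last = hops[hops.length - 1];
  const onRelay = (h) => KNOWN_RELAYS.some((r) => h.host === r || h.host.endsWith("." + r));
  return {
    hopCount: hops.length,
    relays: hops.filter(onRelay).map((h) => h.host),
    destination: last.host,
    // true when we hit maxHops while the last response was still a redirect
    unresolved: Boolean(last.location),
  };
}

// Constructed fake fetch: three 302s then a 200, mirroring the described chain
// (lure host -> track.palersaid.com -> track.hangzdark.com -> destination).
const FAKE_CHAIN = {
  "http://example-lure.invalid/AbCd1234": "http://track.palersaid.com/?src=example-lure",
  "http://track.palersaid.com/?src=example-lure": "http://track.hangzdark.com/r?ua=mobile",
  "http://track.hangzdark.com/r?ua=mobile": "http://read.messagealert.com/usps",
};

async function fakeFetch(url) {
  const next = FAKE_CHAIN[url];
  if (next) return { status: 302, headers: new Map([["location", next]]) };
  return { status: 200, headers: new Map() };
}

if (typeof require !== "undefined" && require.main === module) {
  mapRedirectChain("http://example-lure.invalid/AbCd1234", fakeFetch)
    .then((hops) => console.log(summarize(hops)));
}
```

Run the same walk with a desktop and a mobile User-Agent header in `fetchImpl`, since the post notes the relay looks at the device type before choosing a destination.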

Example destination page

How the network works

This bears a strong resemblance to some of the malware and spam networks I’ve mapped out in the past, though the delivery network (SMS text messages) and the web service provider (fly.io) are different.

If you get these text messages, do not follow the links. If you are also seeing these messages, please let me know in a comment! I would love to know how big this network is. Fly.io seems reluctant to shut down these phishers, which leads me to wonder if they aren’t making quite a bit of money from them.


[Edit 11-Jan-2023] I’ve received a reply from Fly.io’s Abuse team:

Thank you for your patience with us over the holiday, and some follow up details.

Usually, when we have reports of a spammer or abuser on our platform, our internal systems have a host of signals that we can look to to verify the report and take the appropriate action. In the vast majority of cases the signals are clear and unequivocal. However, in this instance, the signals were entirely the opposite: all signs pointed to a seemingly-legitimate user.

Our systems are set up for “either you are a customer or you are not”, and banning a customer would mean immediate and irrevocable loss of that customer’s data. That is not a risk we take lightly so we were not going to flip the switch and risk blowing away someone’s information without a smoking gun. I expect you and I have both seen dozens of those posts on Hacker News or elsewhere where an innocent user writes “Company has deleted my entire account without warning and I’ve lost years of data”. We don’t want to do that to someone.

So where does that leave us? The apparent reason for the behavior/signal disconnect is that it was our customer’s customer doing the abuse. Our customer has committed to evicting their customer today which should put an end to the redirection through our systems (though, unfortunately, I don’t expect that’ll have any impact on the SMS spam). If it doesn’t resolve things, let us know. We’re back online after the holiday and more in a position to chase things down.

Additionally, there were two other concerns we need to address internally:
1) We don’t have the ability to suspend users. This is something that I’m going to pursue as we need something more nuanced than our all-or-nothing approach so that we’re able to move on complaints sooner without risk of harming someone innocently caught in the middle of things.
2) We did not follow up with the customer as often as we should have after their initial acknowledgement of the problem and indication that they would address it. That’s a coordination process breakdown exacerbated by people taking time off during the holidays and not having the usual “obviously-abuse” signals. Additionally, we need to come up with an approach to our abuse ticketing system that allows for long-lived cases.

You can email me, personally, if you feel you aren’t getting attention on this (email redacted) and I’m sincerely sorry for the delay in letting you know where things stood or getting things sorted with the customer.

It seems Fly.io is one of the good guys.

The spam stopped for a few days, though it has resumed again. This time, the SMS spam domains are hosted on Alibaba rather than Fly.io.

Hacking as a tool of social disapproval

“The street finds its own uses for things.” —William Gibson, Burning Chrome

Last year, my wife, my co-author, and I launched a new podcast, The Skeptical Pervert. We talk about sex…and more specifically, we talk about sex through a lens of empiricism and rationality.

The Skeptical Pervert’s website runs WordPress. Now, I’ve been around the block a few times when it comes to web security, and I know WordPress tends to be a rather appetizing target for miscreants, so I run hardened WordPress installs, with security plugins, firewalls that are trained on common WordPress attack vectors, and other mitigations I don’t talk about openly.

I run quite a few WordPress installs. My blogs on franklinveaux.com and morethantwo.com run WordPress. So does the Passionate Pantheon blog, where Eunice and I discuss the philosophy of sex in a far-future, post-scarcity society. In addition, I host WordPress blogs for friends, and no, I won’t tell you who they are, for reasons that will soon become clear.

I automatically log hack attacks, including failed login attempts, known WordPress exploits, and malicious scans. I run software that emails me daily and weekly statistics on attacks against all the WordPress sites I own or host. I also subscribe to WordPress-specific infosec mailing lists, so I am aware of the general threat background.

Because WordPress is such a common target—it’s the Microsoft Windows of the self-hosted blog world, with everything that implies—any WordPress site will get a certain low level of constant probes and hack attempts. It’s just part of the background noise of the Internet. (If you run WordPress and you’re not religiously on top of security updates, by the way, you’ve already been pwn3d. I can pretty much guarantee it.)

The fact that I host WordPress sites not connected with me to the outside world gives me a good general baseline reading of this background noise, that I can use to compare to hack attacks against sites that are publicly connected with me.

And the results…well.

In all the years I’ve been on the Web—and I started running my own Web sites in the mid-1990s—I have never seen anything even remotely close to the constant, nonstop barrage of attacks against the Skeptical Pervert site. Joreth and Eunice are probably quite sick of my frequent updates: “Well, the firewall shows over a thousand brute-force hack attempts against the Skeptical Pervert site so far today and it isn’t even noon yet” (seriously, that’s a thing that happened recently).

Here’s a graph showing what I mean. This graph covers one week, from June 13, 2022 to June 20, 2022. The “baseline” in the graph is an average of several WordPress sites I host that aren’t in any way connected to me in the eyes of the Internet at large—I don’t run them, I don’t put content on them, my name isn’t on them, I merely host them.

Note that the attacks don’t scale with traffic; the More Than Two blog has the most traffic, followed by franklinveaux.com, then the Passionate Pantheon blog, then the Skeptical Pervert.

So what to make of this?

Part of it is likely the long-running social media campaign my ex has been running. Attacks on franklinveaux.com and morethantwo.com increased in the wake of her social media posts.

But that doesn’t explain what’s happening with the Skeptical Pervert, which has turned out to be targeted to an extraordinary degree.

Now, I don’t know who’s attacking the site, or why, so this is speculation. It’s hard to escape the idea, though, that when a site and podcast explicitly about sex, co-hosted by two women of color, talking about non-traditional sexual relationships is targeted, at least part of the answer might simply be the same old, same old tired sex-negative misogyny and racism we see…well, everywhere, pretty much. The fact that my ex doesn’t like me (and will say or do anything to get other people not to like me) doesn’t explain what’s happening here.

It’s easy to blame conservative traditionalists, but Eunice reminded me there’s another factor at work as well. The Skeptical Pervert approaches sexuality from a rational, evidence-based, skeptical lens. In the United States, there’s a stubborn streak of misogyny amongst the dudebros of the skeptics community. A podcast with two women that looks at sex from a highly female-focused, feminist point of view taking on the mantle of skepticism? It’s possible there are dudebros who will perceive that as an encroachment into their space.

In short, I don’t think this is about me. I think this is about women talking openly about real-world non-traditional sex, and getting the same pushback that women always get when they dare to do that.

If the podcast were just me, or me with obviously male co-hosts, I don’t think the level of Web attacks would be anywhere near the same.

The street finds its own uses for things. In the hands of people threatened by or frightened of non-traditional voices, the Internet has become a safe, anonymous tool of harassment.

Chasing Down a Malware Network

A few days ago, I leveled a Horde frost mage to max level in World of Warcraft. Anyone familiar with the game knows exactly what happens next: the mad scramble to gear up a new Level 60 to be able to run mythics and raids, so that you can get even more loot to run higher-level mythics and raids…thus does the MMO hamster wheel go ’round and ’round.

So I did what every newly-minted level 60 does, of course: I turned to Google. My new 60 has a rather abysmal heirloom staff, so my first priority was finding the best way to loot better weapons. That’s when it started. Take a look, dear readers, at this Google search, and see if you can tell me what’s peculiar.

These results outstrip some of the most popular WoW sites on the Net, which is a bit peculiar itself…but more to the point, what are they doing on a site about pilates? And a German photography site? And why are they all called “untitled”?

Curious, and smelling something weird and sinister, I did what I always do when I see something that might be the tip of some kind of mass hack or compromise: I clicked on the links.

And each one of them bounced me back to a new Google page. Even more curious, I copy-pasted one of the links (after unmangling it, of course; damn you, Google, for mangling link URLs in your search links), and saw:

This is a “keyword stuff”—a page designed to appeal to Google, not to any human reader, simply by being crammed full of popular Google keywords and search phrases.

But look at the bottom of the page. It’s a bunch of randomly-generated three-character links. Curiouser and curiouser. Now well and truly engaged, cup of tea forgotten next to my keyboard, I logged out of WoW and fell down the rabbit hole.

Where do those links point? To other pages stuffed with keywords, of course.

This is how these results ranked so high in Google Search, above even well-regarded WoW sites like Icy Veins: Automated black hat SEO. Each page is populated with automatically-generated links to other pages also stuffed with keywords, which in turn point to still other pages stuffed with keywords…at least hundreds, possibly thousands, in all.

But why? The ‘why’ is suggested by some very peculiar behavior of these pages.


The Return of the Spam Tsunami

As regular readers of this blog know, I am an amateur infosec researcher, and I track spam and malware as a hobby. And, as many of you know, there are certain names–ISPs, people, affiliate networks, content delivery networks–that tend to come up again and again whenever you do a deep dive into the seedy, twisted world of spam and malware.

A while back, I wrote a blog post about a prolific spammer named Mike Boehm, who makes money sending spam emails that advertise affiliate links on affiliate Web sites. Every time someone clicks a link in one of his spam emails, they’re redirected through a network of computers, all designed to put distance between the spam email and the final site, until eventually arriving at an affiliate Web site, which pays Mr. Boehm for the referral.

Lately, I’ve found myself buried under a blizzard–nay, dare I say, a tsunami–of spam emails that all have very similar characteristics. They advertise a site, usually with a cheap top level domain that nobody wants such as .stream or .science or .faith. Visiting the site shows a plain white page with an animated “Loading” graphic. Then, after a few seconds, you end up on a completely different site, the one actually advertised in the spam.

These spam emails have some but not all of the characteristics of Mike Boehm spam. It’s been hard to track them, because they use complex JavaScript to attempt to hide how the redirection works, what affiliate network they’re using, and where they redirect to. I’ve been collecting examples, and as the number of these spam emails arriving in my inbox has risen, so too has my blood pressure.

Today, it finally reached the point where I sat down and did the work to take apart the tricky JavaScript redirectors and figure out what’s happening.

Lo and behold, the JavaScript is used to redirect visitors through Clickbank, a favored affiliate network used by Mike Boehm in the past.

The system works like this:

Basically, the spamvertised site contains hidden iFrames and/or hidden divs that have a redirection JavaScript. The redirection JavaScript attempts to conceal where the page is redirecting to. The code on the Spamvertised pages looks like this:

<script type="text/javascript" src="hxxp://[spamvertised domain]/ajax/get_js/main/"></script>
<title>Loading…</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
</head>
<body>
<div style="position:absolute;top:-1000px;left:-1000px;height:0px;width:0px;"><a href="hxxp://www.buzsounds.faith/tr11/6/685/416/510/81/26391725/index.htm" style="border=0;"><div></div></a></div>
<div id="show_loading">
<center><br /><br /><img src='hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/' /></center>
</div>
<div id="content" style="display:none;">
<iframe id="content_window">
<html>
<body>
<center><br /><br /><img src='hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/' /></center>
</body>
</html>
</iframe>
</div>
<script type="text/javascript">
$(document).ready(
  function() {
    if (ajax._loaded == false) {
      var _doc = ajax.getIframeCW(document.getElementById('content_window'));
      _doc.body.innerHTML = '<html><body><center><br /><br /><img src=\'hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/\' /></center></body></html>';
    }
  }
);
ajax.getMainPage(
  param1,
  param2,
  param3,
  param4,
  param5,
  param6,
  param7,
  qs
);
</script>

The JavaScript loaded from the script tag assembles a URL from the parameters, then loads the content of that URL.

getMainPage : function(m,l,li,s,u,o,c) {
  var _u = "";

  if (u == '') {
    if (o == '' && c == '') {
      _u = host_name+'ajax_m/get_main_page/'+m+'/'+l+'/'+li+'/'+s+'/';
    }else{
      _u = host_name+'ajax_m/get_main_page/'+m+'/'+l+'/'+li+'/'+s+'/'+o+'/'+c+'/';
    }
  }else {
    if (o == '' && c == '') {
      _u = host_name+'ajax_m/get_main_page/'+m+'/'+l+'/'+li+'/'+s+'/'+u+'/';
    }else{
      _u = host_name+'ajax_m/get_main_page/'+m+'/'+l+'/'+li+'/'+s+'/'+u+'/'+o+'/'+c+'/';
    }

  }

  if(qs != '') {
    _u = _u+"qs/?"+qs;
  }

  $.ajax({
    url: _u,
    success: function(data) {

      if (pg_st == 0) {
        var _w = window;
        _w.location = data;
      }else{
        $('#show_loading').css('display','block');
        $('#content').css('display','none');
        var _doc = document.getElementById('content_window');
        _doc.src = data;
        _doc.onload = ajax.flip;
      }
    }
  });
},

The URL that’s assembled contains nothing but a text string to yet another URL. And, as it turns out, that URL belongs–surprise!–to Clickbank.
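Since the page only reveals the Clickbank URL after the browser has run `getMainPage`, an analyst can instead pull the parameters out of a captured copy of the page and rebuild the `ajax_m/get_main_page/` endpoint by hand. The following is an added example, not code from the post: `rebuildEndpoint` reproduces the branching of the `getMainPage` function shown above, and `SAMPLE_HTML` is a constructed capture modelled on the snippet, with `spamvertised.invalid` and `example-affiliate.invalid` as placeholder hosts and the post’s “hxxp” defanging kept.

```javascript
// Added example, not from the original post: extract the redirector's pieces
// from a saved spamvertised page and rebuild the endpoint getMainPage would
// request, so the response (the affiliate URL) can be fetched with curl from
// an analysis box instead of by rendering the page. SAMPLE_HTML is constructed.

const SAMPLE_HTML = `
<script type="text/javascript" src="hxxp://spamvertised.invalid/ajax/get_js/main/"></script>
<title>Loading...</title>
</head>
<body>
<div style="position:absolute;top:-1000px;left:-1000px;height:0px;width:0px;"><a href="hxxp://www.example-affiliate.invalid/tr11/6/685/416/510/81/26391725/index.htm" style="border=0;"><div></div></a></div>
<div id="content" style="display:none;"><iframe id="content_window"></iframe></div>
<script type="text/javascript">
ajax.getMainPage(
'tr11',
'6',
'685',
'416',
'',
'',
'',
''
);
</script>`;

// Pull out the external script, the off-screen anchor and the call arguments.
function extractRedirectorParts(html) {
  const scriptSrc = (html.match(/<script[^>]*\ssrc=["']([^"']+)["']/i) || [])[1] || null;
  // The anchor parked at left:-1000px is the hidden link the page carries.
  const hiddenAnchor = (html.match(/left:-1000px[^>]*>\s*<a\s+href=["']([^"']+)["']/i) || [])[1] || null;
  const call = html.match(/ajax\.getMainPage\(([\s\S]*?)\)/);
  const args = call ? call[1].split(",").map((s) => s.trim().replace(/^['"]|['"]$/g, "")) : [];
  // host_name in the script is the origin of the loader, with a trailing slash.
  const hostName = scriptSrc ? (scriptSrc.match(/^\w+:\/\/[^/]+\//) || [null])[0] : null;
  return { scriptSrc, hiddenAnchor, hostName, args };
}

// Same branching as getMainPage(m,l,li,s,u,o,c) plus the global qs:
// u is dropped when empty, o/c are appended unless both are empty, qs goes last.
function rebuildEndpoint(hostName, [m, l, li, s, u = "", o = "", c = "", qs = ""]) {
  let url = `${hostName}ajax_m/get_main_page/${m}/${l}/${li}/${s}/`;
  if (u !== "") url += `${u}/`;
  if (!(o === "" && c === "")) url += `${o}/${c}/`;
  if (qs !== "") url += `qs/?${qs}`;
  return url;
}

// One-shot triage: everything needed to file a complaint without loading the page.
function triage(html) {
  const parts = extractRedirectorParts(html);
  const endpoint = parts.hostName && parts.args.length >= 4 ? rebuildEndpoint(parts.hostName, parts.args) : null;
  return { ...parts, endpoint };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(triage(SAMPLE_HTML));
}
```

The endpoint's response body is the bare redirect target, which is the string to search for the affiliate ID before reporting it.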

In the past, Clickbank has been reasonably responsive to spam complaints. I won’t say they’re great (they’re slow and often don’t take action until I’ve complained multiple times), but they do eventually shut down spamming affiliates.

They shut Mike Boehm down multiple times, and for a while, I was seeing very little spam from him.

This new tsunami of spam, accompanied by the sneaky attempts to conceal the Clickbank redirects, suggests that he’s back to his old tricks, but this time trying to prevent anyone from complaining and having him shut down again.

I’ve managed to find the affiliate IDs he’s using and file complaints with Clickbank. I hope they shut him down again.

There’s a degree of entitlement among spammers I rarely see outside abusers.

Mapping a network of malware sites, and a distressing discovery

Right now, I am in the remote cabin in the woods where we wrote More Than Two, working on two new books: a nonfiction book called Love More, Be Awesome and a novel called Black Iron.

The cabin has very limited Internet access that’s approximately the same speed as old-fashioned dialup, so fetching email is always a bit dicey. Imagine my disappointment at the timing, then, of a large-scale malware attack.

The emails are all very simple: just two lines and a bit.ly URL shortener address. They come from a wide range of IP addresses with a large number of different forged From: addresses, and they all look exactly the same:

The system behind this email, however, is anything but simple.


The Network

The emails all contain a URL shortening address that uses the popular bit.ly URL shortener service. There’s a complex network behind that short URL, that does a number of different things: promotes dodgy products such as supposed “brain boosting” pills, and attempts to download malware and trick people into phoning phony tech support Web sites that scam victims for hundreds of dollars in fake tech support charges (and also dupe victims into downloading more malware).

*** WARNING *** WARNING *** WARNING ***

All the sites mentioned in this post are live at the time of writing this. Most of them will attempt to download malware or redirect you to sites that attempt to download malware. Do not visit these sites if you don’t know what you’re doing.

When you click the link in one of these emails, you’re redirected via several steps to a site called wholesoil.com that then sends you off to one of many, many possible destinations, some of which are typical run-of-the-mill spam sites and some of which are malware sites. The network looks like this:

This chart is not complete; there are many, many other malware sites that you may be redirected to. I charted well over a dozen more such sites before I quit looking.

Clicking on the link contained in the email enters you into a lottery of suck: Will you get spam? Will you get pwn3d? Hard to say!

I’m not 100% certain it’s entirely random. There may be some element of looking at the browser’s user agent or the visitor’s IP address; visiting wholesoil.com repeatedly in a short span of time will tend to result in getting redirected to the same spam URL over and over after a while.

The people behind this network have gone to considerable lengths to hide themselves. For example, one step of the redirection happens via a domain parking service called tracted.net. The redirection script that relays traffic through this site scrubs the referrer header. When you travel from one Web site to another, your browser sends a “referrer header” that tells the new site where you came from; this is how people can tell where they’re getting traffic from. But this network carefully removes that information, so that the owners of tracted.net can not easily detect this traffic.

The most common spam destination is a subdomain on a site called fastgoodforms.com. These subdomains change often: 570-inteligen.fastgoodforms.com, 324-brain.fastgoodforms.com, 923-inteligen.fastgoodforms.com, and so on.

But more often than spam, users will get redirected to a phony tech support page that displays a fake Windows error message. These sites look like this:

These sites attempt to download malware—specifically, a remote control program that allows attackers to take control of an infected computer. They also attempt to prevent the user’s Web browser from leaving the site, and display popups over and over and over again telling the user that the computer has been infected by a virus and to call Microsoft Support at a toll-free number.

The toll-free number is owned and operated by the scammers. If you call it, you’re sent to a person in India who will attempt to get your credit card number, and will try to talk you into installing software on your computer to “fix” the “problem.” This software is, of course, remote control malware.


How the mighty fall

While I was tracing out this network, I discovered many, many, many of these fake tech support Web sites that are being used to spread malware and try to con users.

And that’s where I noticed an interesting pattern.

The overwhelming majority of these malware sites are hosted, not on dodgy services in China or the Netherlands as you might normally expect, but on GoDaddy.

Not all of the malware sites are hosted on GoDaddy (I found one hosted on One, one hosted on Hostwinds, and one on IX Web Hosting, for example), but the vast majority—literally dozens—are.

I believe that GoDaddy is the choice of malware hosts because their abuse and security teams, which once upon a time had an excellent reputation in the Web hosting industry, have been pared back to the point that they can no longer keep up…or perhaps simply no longer care. (GoDaddy was bought out by an investment group a few years back, which is when its reputation began to decline.)

I reported the Hostwinds-hosted malware site to Hostwinds abuse; it was removed about ten hours later. I reported the malware site on IX Web Hosting; it was gone in 17 minutes. But malware and phish sites on GoDaddy remain, in my experience, for an average of about a month before GoDaddy acts, and spam sites remain essentially forever.

Spammers and malware distributors are adaptable. They move Web hosts often, leaving hosting companies that take rapid action against them and congregating on tolerant sites that permit spam and malware. I suspect the fact that so many malware and fake tech support sites are hosted on GoDaddy is a consequence of the indifference or inability of their abuse and security teams.

To be fair, if you make enough noise, GoDaddy will eventually act. I have engaged with GoDaddy on Twitter, and when I do that, they will generally take down a site I complain about within a few days. The dozens of other sites, however, remain.


I am currently a GoDaddy customer. I do not use GoDaddy for Web hosting, but I do have a large number of domains registered there. I intend to begin removing my domains from GoDaddy, because I do not like supporting spam-tolerant companies. (Ironically, this was the reason I left Namecheap to go to GoDaddy; Namecheap is owned by a company called Rightside, that has become notorious for willingly hosting some of the biggest players in the spam business.)

So if you have a domain registrar you use, please leave a comment! I would love to find a replacement for GoDaddy and pull all my domains away from them. (If you’re using GoDaddy for Web hosting or domains, I advise you to do likewise, unless you fancy staying with a company whose approach to security and malware is so lax.)

I would also like to invite GoDaddy representatives to offer their side of the story in the comments as well.

MacKeeper: The Gift that Keeps On Giving

Stop me if you’ve heard this one before:

A shady, disreputable company makes a dodgy bit of software they claim will protect a computer from malware, but that actually does nothing (at best) or harms your computer (at worst). They sell this software by creating fake Web sites that throw up phony “virus warnings” to visitors pushing the dodgy software, then use a number of devious and underhanded tricks to steer traffic to the fake antivirus pages. They get caught, they find themselves on the receiving end of a class-action lawsuit, and they sell the software to a new company, which promises to clean up its act but which ends up doing exactly the same thing.

If you’re a Mac user, you probably recognize this story. It’s the story of MacKeeper, a bogus bit of software that bills itself as a security and general cleanup app.

MacKeeper is a bit of software with a long and ignoble history. It was originally written by a company called Zeobit, which was so aggressive in marketing the software by shady means that it got hammered with a $2 million settlement in a class action lawsuit. Business Insider magazine has recommended that users stay away from it.

In 2013, a company called Kromtech bought MacKeeper from Zeobit. Kromtech claims to be a German company, but it’s incorporated in the Virgin Islands and all its owners are in the Ukraine. And Kromtech is continuing the practice of pushing the software with phony antivirus sites and fake claims.

The scam works like this:

Booby-trapped ads on legitimate Web sites and redirectors placed on hacked Web sites steer users to fake antivirus pages. These antivirus pages, which live at URLs that look like official Apple URLs, pop up phony warnings of non-existent viruses.

These Web sites attempt to prevent you from leaving, and pop up alert box after alert box warning of a completely phony virus.

When you click on the button to do a “virus scan,” you are shown–surprise!–a report that says your system is infected.

The supposed “tapsnake virus” that this warning talks about is bogus. Tapsnake does not exist; it is a scareware scam used to frighten naive computer and smartphone users into thinking they are infected with a virus.

And, naturally, when you click the “Remove Virus Now” button, you’re taken to…wait for it…

Meet the new MacKeeper owners, same as the old MacKeeper owners.

I’ve seen a considerable uptick in phony antivirus sites trying to con people into buying MacKeeper lately, particularly in the last six weeks.

There is no Tapsnake virus, and your Mac is not infected. It’s a con, designed to sell you a worthless piece of software.

Stay safe out there in cyberspace.

The Lads from Cyprus: Analysis of an Organized Hacking Gang

I get, as readers of this blog will know, a lot of spam. I’ve been using the same email address for decades (my AOL address since 1992, my own domain address since 1996), so I’ve had plenty of time to get on a lot of spam lists.

Recently, I started to see a whole series of very similar spam messages, all variations on the same message (“Hot Lady Wants You to F*ck Her,” “Invited to H00kup”) and all advertising redirectors on hacked Web sites. I’ve received a ton of these spam messages–about 75 in the last three weeks alone, with more coming every day.

The spam messages all spamvertise malicious redirectors that are placed on hacked Web sites. The redirectors all go to a destination that says “This is NOT a dating site! WARNING! You will see nude photos. Please be discreet.”

There’s a lot of hacking activity going on. Every spam message points to a different hacked site, all of which redirect to a whole network of identical landing sites. This, then, is the work of an organized, deliberate hacker or (more likely) group of hackers, likely using automated tools to hack vulnerable Web sites and plant the malicious redirectors.

Curious, I decided to go down the rabbit hole, to see what I could find out. I started collecting the spam emails, tracking how often they came in, what URLs they spamvertised, and where those URLs redirected to.

I discovered an organized gang of hackers and fraudsters operating out of a series of companies organized in Cyprus, who had built a large network of hacked sites and were using the hacked sites to funnel traffic into a fake dating site that attempts to get rather a large amount of money from marks it cons into signing up.

I followed the link from one of the spam messages, a site called hypnotherapyandnlp.co.uk. This site had been hacked to have a redirection script placed on it that redirected me to juicy-hotgirls69.com which in turn redirected me to naughty-juicygirls.com, where I was asked a simple series of questions.

*** WARNING *** WARNING *** WARNING ***

The URLs mentioned in this post are live as of the time of writing this. I recommend you do not visit them if you don’t know what you’re doing. The URLs are compromised sites or sites owned by people who compromise Web sites. They may attempt other malicious actions.

The site naughty-juicygirls-com is registered to an outfit calling itself Tralox Overseas Limited, which lists its business address as

Mitsis Building 1, Stasinou Avenue
Nicosia, Cyprus

I answered the questions and filled out a signup form on naughty-juicygirls-com, and was taken to yet another site, sexmyamateurass.com. This site attempted to get me to enter a credit card number–purely to confirm my age, doncha know. At least that’s what the text on the left side of the Web page claimed. But what the left side giveth, the right side taketh away; text on the right side of the screen told me I’d be signing up for a “VIP membership” that would automatically renew at $49.95 per month.

The site at sexmyamateurass.com is also registered in Cyprus. It is registered to a company calling itself Canderstone Limited, whose address is given as

Peiraios 30, 3016
Limassol, Cyprus

If you are foolish enough to agree to give them a credit card number, totally just for age verification (and recurring membership fees of $49.95 per month), your credit card is sent to a Web site called statusfee.com. This site is also registered to Canderstone Limited in Cyprus.

From there, you’re taken to yet another site, megafuckbook.com. This claims to be a dating site, though as fraudulent dating sites go, it’s pretty transparent. Within fifteen seconds of being redirected to megafuckbook.com I received notification that a woman had sent me an email–which, naturally, I would need to pay money to see.

And ten seconds after that, I got a chat request, supposedly from a woman near me:

megafuckbook.com is registered, unsurprisingly, to Tralox Overseas Limited.

This is par for the course for Web sites that prey on lonely and desperate men. The employees of such sites keep stables of fake profiles, often hundreds of them, and message new users with the intent to entice them to pay for the service. I’ve known folks who’ve worked for such sites.

So, it’s an ordinary and common fraud, atypical only in that the people who own the fraudulent site are aggressive computer hackers who compromise large numbers of sites and then send out barrages of spam containing links to redirectors on the hacked sites.

I took a look at the Web host responsible for megafuckbook.com. It’s hosted on a Web hosting company called RackCo. RackCo looks to be a Virginia company that’s basically Yet Another Managed Hosting Provider, nothing particularly interesting about them. However, a quick check at Spamcop did turn up something interesting: Rackco is specifically not interested in hearing complaints about megafuckbook.com.

So what’s happened is a group of folks operating out of Cyprus are running a phony, and very expensive, dating Web site. They are aggressively hacking large numbers of other sites, which they use as a redirection network. They spam their redirection network to funnel people into the fake dating site. The ISP hosting the fake dating site has explicitly said it refuses to hear spam complaints regarding the fake dating site.

The overall system looks like this:

So this is a group of sleazy operators in the sleazy fake dating sphere, who have crossed over from sleazy to outright criminal activity in using hacking to compromise Web sites and enlist them as traffic redirectors.

People often ask me, “what’s the big deal if I don’t stay on top of security for my little WordPress site? There’s nothing on it. I only get three visitors a month, and one of them is my mom. Why would anyone want to hack me?”

The answer is “people don’t hack you to get whatever’s on your site. They hack you so they can use your site for their own purposes–placing illegal content on your site, hosting phish pages on your site, planting malware on your site, putting redirectors on your site which they can then use in spam campaigns. It’s not about you. Obscurity doesn’t matter.”

Secure your Web sites. If you have a presence on the Web, it’s on you to prevent operators like these from hijacking you.
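The redirectors described in this post live in files on the hacked site itself: a planted meta refresh, a JavaScript location change, or a PHP stub that hides its `header("Location: …")` inside an `eval(base64_decode(…))`. Below is an added example of the kind of check a site owner can run over their own files to spot them; it is not code from this blog or from any of the sites named here. The hostnames in the constructed samples are placeholders, and the regular expressions are deliberately narrow so that a redirect to the site’s own host is not reported.

```python
"""Flag planted redirectors in web files (added example, not the blog's or any project's code)."""
import base64
import re
from urllib.parse import urlparse

# Where a planted redirector usually lives: an HTML meta refresh, a JavaScript
# location change, or a PHP Location header. Each pattern captures the target URL.
REDIRECT_PATTERNS = {
    "meta-refresh": re.compile(
        r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["'][^"']*?url\s*=\s*([^"'\s>]+)""",
        re.IGNORECASE,
    ),
    "js-location": re.compile(
        r"""(?:window|top|self|document)?\.?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["']([^"']+)["']""",
        re.IGNORECASE,
    ),
    "php-header": re.compile(r"""header\s*\(\s*["']Location:\s*([^"'\s]+)""", re.IGNORECASE),
}

# eval() wrapped around a decoder is the classic way a dropped PHP stub hides what it does.
OBFUSCATED_EVAL = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.IGNORECASE
)
BASE64_LITERAL = re.compile(r"""base64_decode\s*\(\s*["']([A-Za-z0-9+/=]{16,})["']\s*\)""")


def is_external(url: str, own_host: str) -> bool:
    """True when the URL names a host other than the site's own (relative URLs are internal)."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != own_host.lower()


def scan_text(text: str, own_host: str, depth: int = 0) -> list[dict]:
    """Return findings for off-site redirects and obfuscated eval stubs, decoding base64 payloads."""
    findings = []
    for kind, pattern in REDIRECT_PATTERNS.items():
        for match in pattern.finditer(text):
            target = match.group(1)
            if is_external(target, own_host):
                findings.append({"kind": kind, "target": target, "from_decoded_payload": depth > 0})
    if OBFUSCATED_EVAL.search(text):
        findings.append({"kind": "obfuscated-eval", "target": None, "from_decoded_payload": depth > 0})
    if depth < 3:  # payloads are sometimes nested inside payloads; bound the recursion
        for match in BASE64_LITERAL.finditer(text):
            try:
                decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                continue
            findings.extend(scan_text(decoded, own_host, depth + 1))
    return findings


def scan_file(path: str, own_host: str) -> list[dict]:
    """Convenience wrapper: scan one file from a site's document root."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), own_host)


# Constructed samples. The hostnames are placeholders, not sites from this post.
OWN_HOST = "example-clinic.invalid"
CLEAN_PAGE = """<html><head>
<meta http-equiv="refresh" content="5;url=/appointments/">
<script>if (legacy) { window.location.href = "https://example-clinic.invalid/new/"; }</script>
</head><body>Welcome.</body></html>"""

# The same page after a break-in: an off-site JavaScript redirect plus a base64-wrapped PHP stub.
_PLANTED_PHP = b'header("Location: http://redirector.invalid/go?c=1"); exit;'
INFECTED_PAGE = CLEAN_PAGE + """
<script>top.location.replace("http://landing.invalid/");</script>
<?php eval(base64_decode("%s")); ?>""" % base64.b64encode(_PLANTED_PHP).decode()

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name)
        for finding in scan_text(page, OWN_HOST):
            print("  ", finding)
```

Run over a document root with `scan_file`, the clean sample produces nothing, while the infected one reports the off-site JavaScript redirect, the obfuscated `eval`, and, after decoding the base64 literal, the PHP `Location` header it was hiding. Anything reported for a file you did not write yourself is worth comparing against a known-good copy of the site.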

I have reached out to Rackco to see if they’re willing to explain why they host this site and refuse to accept spam reports about it. I’ll update this blog post if I get a reply.

Apple vs the FBI: Whoever wins, it’s a mess

Apple and the FBI. It’s the Rock ‘Em Sock ‘Em Robots fight that the movie Alien vs Predator should have been, but unlike Alien vs Predator, this one so far has failed to disappoint.

On one side, we have a giant tech megacorp that makes cellphones. Also other stuff, I hear, but these days mostly cellphones. On the other, we have the full force and might of the United States Government, in the form of the Federal Bureau of Investigation. In between, we have: Terrorists! Encryption! Civil liberties! Donald Trump spouting off!

The Internet is filled with conversations about the spat, many of which are either not technically correct or overtly technical. It’s my goal here to try to explain a very complex situation in a way that doesn’t require a high level of technical mastery. However, this is a technical issue, so there will be some geeky bits.


The Background

Last year, a couple of assholes named Syed Rizwan Farook and Tashfeen Malik decided they were going to express the religion of peace by blowing away a bunch of people in San Bernardino, California. They decided, you see, that something something holy war something martyr God, and something something kill people whatever…I don’t know or particularly care about the details, and they’re not really relevant here. So far, so boring: some yahoos think there’s an invisible dude in the sky who wants them to kill some other people, it all ends in tears–a story that’s been playing out with minor unimportant variations since the dawn of civilization. The FBI investigated and decided they were “homegrown extremists” (no idea if they were organic or GMO-free) and not affiliated with any other terrorist groups or cells.

This is the part where things get interesting.

During the investigation, the FBI discovered that the yahoos had Android smartphones, which they destroyed prior to going on their rampage of murderous idiocy, and that one of them had an iPhone 5c provided by the company he worked for.

This is the logic board from an iPhone 5c. Like all iPhones, the user data on an iPhone 5c is encrypted. You need to unlock the phone in order to get at its contents. By default, the phone is locked with a 4-digit numeric code. If you don’t enter the code, the phone’s contents remain encrypted.

You can’t just read the information from the phone’s flash memory, because it’s encrypted. The FBI wants to read the contents of the phone, for reasons that aren’t clear to me (if there was anything sensitive on it, it’s hard to imagine he wouldn’t have smashed the phone before running off to kill people who had nothing to do with whatever grudge he imagined his invisible sky-man carried, like he did with his other phones), but whatever.

The FBI tried to read the phone’s contents, and discovered that the iPhone is actually rather secure. If you want to know the full details of how secure, there’s a PDF on Apple’s iPhone security here.

So they went to Apple.

This is where things get really interesting, and a lot of the conversation about the situation gets some important facts wrong.


The Problem

The iPhone’s files and such are encrypted. This is not simple home-grown encryption, either; it’s military-grade 256-bit AES encryption. It cannot be defeated by any known attack. All the world’s computers combined would take about a billion years to brute-force the encryption, which is a bit more time than the FBI prefers to spend on this.

Now, there are some important things to understand here.

One is that nobody can break the encryption, not even Apple. Apple has no secret back doors or master passkeys to get at the contents of a locked phone, and that’s not (exactly) what the FBI is asking them to do.

The other is that the four-digit code you type into an iPhone is not the encryption key. The encryption key is made up of a secret, random number embedded into each phone at the moment of manufacture, combined with the passcode you set by means of some arcane mathematics that are beyond the scope of this blog post. Apple does not know the encryption key; they do not have a way to set the unique hardware number, and in any event it’s all tangled up with the passcode the user enters in order to create the encryption key anyway.

So here’s where things sit: The phone’s contents are encrypted. The FBI wants access to the phone for whatever reason. Apple can’t decrypt the phone. So what’s the deal?


The Tussle

The fact that the phone in question is an iPhone 5c is really, really important. If it had been a 5S or a 6, it wouldn’t matter, because Apple made a change in the inner workings of the later phones to prevent it from being asked to do precisely what it’s being asked to do.

So, here’s how it works.

iPhones run an operating system called iOS. iOS is digitally signed; that means Apple has a secret encryption key it embeds into iOS. The phone carries a special, immutable boot ROM that contains the decryption code for this key. If it starts to boot and sees an operating system not signed by Apple, or if the operating system is tampered with in any way, the phone refuses to boot. (This is different from and not related to jailbreaking an iPhone. Even a jailbroken phone will not boot a copy of iOS not signed by Apple.)

What does that mean? It means nobody on earth–literally–can make an operating system the phone will boot, except for Apple. If the FBI or anyone else tries to modify the iOS boot loader, the phone will not boot. Only Apple knows the key needed to change the iOS boot loader.

Now, a few other things you need to know about how an iPhone works.

If you type the wrong passcode into an iPhone, the phone lets you try again. If you get it wrong again, the phone lets you try again, but after that, things start getting harder. The phone starts introducing a delay before you can try again. That delay gets longer and longer the more you enter the wrong code. By the ninth time you enter the wrong code, the phone refuses to allow you to try again until an hour has passed.

There are 10,000 different possible combinations of four digits. If you can only try one per hour, it will take you more than a year to try them all. Good luck trying to brute force the passcode!

There’s another complication too. If you get it wrong 10 times, the phone wipes itself.

Here’s where the 5c thing gets important.

Starting with the iPhone 5S, Apple introduced the “Secure Enclave.” The Secure Enclave is a special chip (well, actually, it’s a special section of the processor chip) that has its own memory. It’s basically a tiny, highly secure, tamper-resistant computer.

The Secure Enclave keeps the phone’s decryption key in its own special memory and talks to the phone over a special-purpose, encrypted communication link. The rest of the phone does not know, or have access to, any information stored in the Secure Enclave.

When you enter the passcode, the phone sends the passcode to the Secure Enclave. The Secure Enclave says “yes” or “no” about whether the right code was entered. If the right code was entered, the Secure Enclave decrypts the phone. If it wasn’t, the Secure Enclave refuses to do so. It also starts a timer. While the timer is running, the Secure Enclave refuses to process any more passcode requests. That timer runs for longer and longer as you keep entering the wrong code. If you enter the wrong code 10 times, the Secure Enclave wipes the encryption key from its own memory and that’s it, you’re done. Trying to get at the phone’s contents after that means you’ll be banging away at it until the stars burn out.

But… This is not an iPhone 5S or later, it’s a 5c!

On the 5c, the time delay and wiping the phone are not handled by the Secure Enclave, they’re handled by the operating system. The operating system enforces the longer and longer delay and the operating system wipes the phone if you enter the wrong code 10 times.

The Secure Enclave is a bit of hardware that can’t be tampered with. But the operating system can be changed. So if you have an older iPhone, you could, in theory, put a different version of iOS on it. A special version, with the timer and the phone wipe disabled.

Except, oh no you can’t, because the phone will not run an operating system that isn’t signed by Apple.

So the FBI wants Apple to create a new version of iOS. A modified version that has no time delay if you get a wrong passcode and no phone wipe. And then they want Apple to sign it and put that new version of iOS onto the phone.

This will not give them the contents of the phone. What it will do is let them try passcode after passcode as fast as possible until they break in. Without a phone wipe, they can keep trying as many times as it takes. Without a delay, they can try all 10,000 combinations in days or weeks instead of years.
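Two ideas from the last several paragraphs are easy to see in a small model: the passcode is tangled with a per-device secret so the same four digits produce a different key on every phone and the vendor cannot recompute it, and the thing that actually protects a four-digit code is the escalating delay and the wipe after ten failures, not the size of the code space. The following is an added example, not Apple’s code and not from this post. The per-device secret, the use of PBKDF2-HMAC-SHA256 as a generic slow key derivation, the exact delay schedule and the per-guess cost are all assumptions; the post itself gives only the 10,000-code space, the one-hour ceiling by the ninth miss, and the wipe on the tenth. The clock is simulated so nothing sleeps.

```python
"""Passcode guard model: per-device key tangling plus attempt throttling (added example)."""
import hashlib
import hmac
import secrets

WIPE_AFTER = 10          # from the post: the tenth wrong code wipes the key
PASSCODE_SPACE = 10_000  # from the post: four decimal digits
# Assumed escalating penalties in seconds, indexed by cumulative failures; an hour from the ninth on.
ESCALATING_DELAYS = {5: 60, 6: 300, 7: 900, 8: 900}


def delay_after(failures: int) -> float:
    """Penalty imposed after the given number of consecutive failures (assumed schedule)."""
    if failures >= 9:
        return 3600.0
    return float(ESCALATING_DELAYS.get(failures, 0))


class PasscodeGuard:
    """Toy model of a phone's passcode check. enforce_policy=False models the checks being removed."""

    KDF_ITERATIONS = 20_000  # assumed; this sets the cost of evaluating a single guess

    def __init__(self, passcode: str, enforce_policy: bool = True):
        # Per-device secret fixed at 'manufacture'; in this model the vendor never learns it.
        self.uid = secrets.token_bytes(32)
        self.enforce_policy = enforce_policy
        self.failures = 0
        self.clock = 0.0        # simulated seconds; advance() moves it, nothing sleeps
        self.locked_until = 0.0
        self.wiped = False
        # Keep only a check value derived from the key, never the passcode or the key itself.
        self.verifier = self._check_value(self._derive(passcode))

    def _derive(self, passcode: str) -> bytes:
        """Tangle the passcode with the device secret: same code, different key on every device."""
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.uid, self.KDF_ITERATIONS, 32)

    @staticmethod
    def _check_value(key: bytes) -> bytes:
        return hmac.new(key, b"unlock-check", "sha256").digest()

    def advance(self, seconds: float) -> None:
        self.clock += seconds

    def try_unlock(self, passcode: str) -> bool:
        """Yes/no oracle: True unlocks, False is refused. Attempts during a penalty are ignored."""
        if self.wiped:
            return False
        if self.enforce_policy and self.clock < self.locked_until:
            return False
        if hmac.compare_digest(self.verifier, self._check_value(self._derive(passcode))):
            self.failures = 0
            return True
        self.failures += 1
        if self.enforce_policy:
            if self.failures >= WIPE_AFTER:
                self.wiped = True  # key material is gone; no later guess can ever succeed
            self.locked_until = self.clock + delay_after(self.failures)
        return False


def exhaustive_search_seconds(per_guess_s: float, delays: bool, wipe: bool) -> float:
    """Worst-case time to try every code under a policy; inf when the wipe makes it impossible."""
    if wipe:
        return float("inf")  # at most WIPE_AFTER guesses are ever evaluated
    total = PASSCODE_SPACE * per_guess_s
    if delays:
        total += sum(delay_after(n) for n in range(1, PASSCODE_SPACE))  # penalty after every miss but the last
    return total


if __name__ == "__main__":
    a, b = PasscodeGuard("1234"), PasscodeGuard("1234")
    print("same passcode, same verifier on two devices?", a.verifier == b.verifier)
    for delays, wipe in ((True, True), (True, False), (False, False)):
        days = exhaustive_search_seconds(0.5, delays, wipe) / 86400
        print(f"delays={delays!s:5} wipe={wipe!s:5} -> {days:,.1f} days to try all codes")
```

With the assumed half-second guess cost, disabling both protections brings the whole code space within a few thousand seconds, delays alone push it past a year (the post’s “more than a year” figure), and the wipe makes exhaustion impossible regardless of speed. The model also shows why the vendor cannot help: two guards built with the same passcode hold different verifiers because their device secrets differ.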

Of course, there’s an added wrinkle to all this. The FBI already has a copy of the phone’s data.

iPhones come with a subscription to Apple’s cloud service, iCloud. iPhone users can choose to have their data backed up to iCloud. The backup feature was turned on on this phone. The FBI asked for, and got, a copy of the phone’s data backed up on iCloud.

Unfortunately, the copy they got is out of date. They screwed up and asked the company that owns the phone to change the iCloud password in order to have a look at what was there. The company complied. The FBI looked at the iCloud backup. Then they turned on the iPhone. The iPhone couldn’t make a new backup to the cloud…because the password had been changed. The FBI thinks it’s possible there’s information on the phone that’s newer than the information in the cloud backup. They’re not sure, though, because…they can’t get into the phone.


The Rationalization

If an iPhone were a safety deposit box and Apple had the key, the government would normally just issue a subpoena for Apple to produce the key, assuming they didn’t just take a blowtorch to the box and be done with it.

But that’s not what the government has done here. They can’t subpoena Apple to produce the encryption key or the passcode because Apple does not have and can not get the encryption key or the passcode, and Apple has no magic backdoor.

So instead, they’ve turned to the All Writs Act of 1789, a law signed by this dude.

The All Writs Act is a law that allows the government to issue “all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” Essentially, it lets Federal courts issue orders to private citizens in order to accomplish legal ends. A writ was originally a written order given by a monarch to a citizen compelling the citizen to do something. The way it’s used in the All Writs Act, it’s an order from a court compelling a citizen to do something.

Like, for example, write a new operating system. Because the court says so.

The All Writs Act was signed into law before the Bill of Rights existed. The Bill of Rights would seem to put some limits, at least, on what the government can order people to do. In this case, the FBI thinks that ordering a company to write a piece of software is within those limits.

It should be noted that this isn’t a matter of commenting out a few lines of code and hitting “compile.” There are, for good reason, legal guidelines that must be followed when writing investigatory forensic software. These legal guidelines are necessary to preserve the chain of evidence and show in court that the software didn’t modify the information on the device being investigated. The standards are fairly complex and are outlined on this page on the Digital Forensic Investigator Web site.

Basically, the gist of it is the software must be documented, must be subject to peer review, must be tested on target devices similar to the device being investigated to show that it works and won’t corrupt, delete, or modify information, and must pass independent judicial review of its reliability.

So basically, the FBI is asking Apple to go to considerable trouble to build a new operating system, test it, document it, submit it for examination, and load it onto an iPhone 5c, for the purpose of allowing the FBI to keep trying all 10,000 possible passcodes until they finally unlock it. They’re using a law written before the Bill of Rights existed that authorizes Federal courts to issue orders to private citizens to do this. Basically, the All Writs Act says “the government can order people to do any legal thing.” It has zero to say on the subject of what constitutes a “legal thing.”


The Real Battle

The FBI wants Apple to create a new version of its operating system, with certain key security features disabled, and load it onto the phone so that its passcode can be brute-force hacked and the contents read. They’re not asking Apple to decrypt the phone; Apple can’t do that. They’re not asking Apple to provide the passcode; Apple can’t do that either. They’re asking for a new operating system.

Would this new operating system allow them to get at any locked phone? No, it would not. iPhone 5S and later models have these security features in hardware, etched in silicon on the Secure Enclave. A new operating system can’t change that.

So what’s the big deal? Is Apple coddling terrorists, like the FBI director implies and Donald Trump spouts all over Twitter from his iPhone?

No. As with an argument between two lovers that ultimately ends in divorce, this fight isn’t really about the stuff this fight is about. This fight isn’t about a work phone that used to belong to a terrorist asshole and probably contains fuckall of interest to the FBI. The terrorism angle is a convenient excuse, because the word “terrorism” is a kind of magic spell that causes a whole lot of people (including, bizarrely, conservatives whose entire political philosophy is built on the foundation of distrusting the government) to take leave of their senses and do whatever they’re told.

But this fight isn’t about this phone.

Washington is afraid of encryption. Much as gun lovers and survivalists love to think Washington is afraid of their guns (which is laughable in its absurdity–the military has way more guns than you do, Tex), Washington is afraid of encryption.

This fight has been a very long time coming. The government has always hated and feared encryption, even as it has invested tremendous resources in making encryption better.

In the early 90s, the US passed laws banning export of encryption products. I still own a T-shirt that was legally classified as a “munition” back then, and that you could be arrested on Federal charges for wearing outside the US or showing to foreign nationals, because it’s printed with source code for encryption software. Finally, in 1996, Bill Clinton scrapped laws against exporting encryption software, largely because they were hurting US businesses overseas, and besides, the Russians already had strong crypto because–surprise!–they had mathematicians too.

The fear of the Russkies has faded into nothing–there’s an entire generation now old enough to read this blog post that grew up with the Cold War being something you read about in history books, not something you lived through. Now, the bogeyman du jour is terrorists, or maybe pedophiles, or hell, why not both?

Police don’t like locked phones and encrypted comms, and Congress has been wrestling with what to do about that for years.

The government has mulled banning strong encryption. Not just the US government, but every government. China wants to ban it. France just debated banning it. India is planning to ban it. The UK wants to ban it. Congress has considered banning it no fewer than three times in the last two years.

The arguments are always always the same: If people can talk without the government listening, the terrorists win. Or the pedophiles win. Or the pedophile terrorists win. Law enforcement can’t do its job without being able to see what’s on your smartphone, because reasons.

Apple argues that if the government succeeds in ordering it to write a new version of iOS to help them get onto this phone, they will feel free to order it to write other software for them as well. Write us software to let us turn on this suspect’s cell phone camera and microphone remotely! Write us software to make copies of this suspect’s email! No legal principle exists that would limit the authority of the government’s ability to order Apple to do things like this.

And that’s a nice, cuddly government filled with the milk of human kindness, like the US government believes the US government is. If Apple has the ability to do these things and can be compelled to do so, the Chinese will really like that. Apple argues that if the FBI succeeds, it will basically have to create a whole new software department–call it the Department of Undermining Our Security Department–to handle the flood of orders coming in to write custom software to disable this or that or the other security feature. And they might be right.

The government says nobody else will get this hacked iOS version (or versions, if other requests start rolling in). Apple says that’s naive. Hard to say what’s scarier, the FBI with rogue Apple-signed iOS software, the Chinese with rogue Apple-signed iOS software, or rogue Apple-signed iOS software leaking into the hands of organized crime.

There’s also the very real possibility that if the government has success here, sooner or later it will realize that a terrorist using an iPhone 6 will still be able to secure a phone in a way that neither Apple nor the government can do anything about, and start calling on Apple (and other companies) to weaken their encryption. The Secure Enclave with its hardware timer and self-vaporizing key is pretty damn secure. What happens if the government decides to tell Apple to tone things down a bit for the iPhone 7? That’s not impossible, and if Apple can be forced to write a new operating system to help law enforcement, changing the design of their chips to help law enforcement is a doddle.

Encryption is math. Math is math; math doesn’t care about bad guys or good guys or legal oversight. If there is a way to slip past an encryption method, that way works for everyone, good guys and bad guys alike, because math is math and math doesn’t care. If it works for the FBI, it works for Igor in the Russian mafia as well.

So that’s what’s going on, and that’s what’s at stake. It’s a problem that doesn’t readily boil down to sound bites or Tweets, and that means, I fear, that the public won’t really understand what’s happening until it’s been decided for them.