Need a Netflix Login? You Can Buy One on the Black Market for 25 Cents.
I’ve had few experiences in the last year more disconcerting than this one: Logging on to Netflix, I was told that I was already online—and that I was, in fact, already streaming content from the service. More disconcerting still? Supposedly I was watching a movie titled Snow Buddies, which Netflix describes as “a family-friendly tale” in which “a feisty pack of golden retriever puppies embarks on an Alaskan adventure.”
At first I thought it might have been my ex, with whom I share my Netflix password. But my settings allow for simultaneous screening on two screens, so a third party with bad taste must have been using the account too. Plus, she just doesn't seem like the Snow Buddies kind. Now, thanks to recently published research by the cybersecurity company Symantec, I have a better idea what was likely going on.
In a blog post, Symantec’s Lionel Payet describes an active black market for Netflix passwords, one in which account information may be available for as little as 25 cents. One such service examined by Symantec claims that it has 300,000 passwords in stock and that it offers a seven-day guarantee on purchases. Its terms of service—yes, even pirates have them—instruct purchasers to avoid changing info on the stolen accounts, as doing so makes it more likely that the legitimate account holder will notice that something has gone wrong.
Payet describes two primary pathways through which these marketers acquire the accounts: First, they harvest account information from malware, “malicious files posing as Netflix software on compromised computers’ desktops.” According to Symantec, these deceptive programs are often downloaded when users click through “fake advertisements.” Account black marketers also collect passwords through more traditional phishing schemes, in which “attackers redirect users to a fake Netflix website to trick users into providing their login credentials.”
Symantec offers a handful of suggestions for account protection, though most of them fall under the rubric of common sensible cyber hygiene precautions: The company “advises users to only download the Netflix application from official sources. Additionally, users should not take advantage of services that appear to offer Netflix for free or a reduced price, as they may contain malicious files or steal data.”
But as far as I know, I hadn’t taken either of those missteps, and yet Snow Buddies still lingers in my account history, suggesting that somehow, somewhere, I (or my ex) went wrong. I know this much: As Trevor Mogg suggests, account black market sites may only become more common as Netflix continues to expand its global reach. Strategies for stealing our information will likely become cleverer as the demand grows.
The Malware Museum Shows Just How Cute the Internet Was in the ’80s and ’90s
When it comes to cybersecurity, we spend so much time talking about the future of Internet threats—how terrifying and destructive they could become, what we should do about them, why they’re getting more dangerous every day—that it can be easy to forget about their past. Enter the Malware Museum, a site launched last week by Jason Scott with help from Mikko Hypponen through the Internet Archive. It attempts to re-create and commemorate some highlights from the library of malicious programs distributed in the 1980s and 1990s, when computer-based threats were still in their infancy.
There is something strangely soothing and hypnotic about the collection, which allows viewers to simulate the experience of having their computers infected by the featured pieces of malware by showing the animations that would appear on the screens of infected machines. (Needless to say, all of the malware in the museum has been effectively neutered—you can experience what you would have seen on the screen of an infected computer, but your computer will not actually be infected by viewing those simulations.) The animations can be transfixing—take, for instance, the CRASH checkerboard pattern of characters and colors, or the aptly named LSD rainbow shifting shapes—or ominous, like the scrolling countdown in NAMELESS, or just plain silly, as in the MARINE animation of a small sailboat going back and forth, or the paean to Italy offered by ITALIAN.
In this format, with their destructive capabilities removed and the ability to pause or close out of them at any point—rather than being forced to stare helplessly as your screen flashes text or patterns of bright colors at you—many of the viruses seem more like primitive pieces of digital artwork than threats.
How benign everything looks—and how distinctly dated. Not just the fonts, graphics, colors, music, and cultural references (though those are, indeed, dated) but also the notion of malware as a lark—a vehicle for silly pictures and dumb messages and corny animations. Nowadays, we tend to talk about online threats only in the most apocalyptic terms: We worry about power grids being shut off, or banks being compromised, or our computerized cars running away with us.
In most fields, artifacts that are only 20 or 30 years old would probably not be considered museum-worthy, but when it comes to malware, the ’80s and ’90s really do feel a little like a long-lost era that’s been nearly obliterated in the present day—a period in need of conservation. So it’s not hard to see why the site has already drawn more than 100,000 visitors, many of them, no doubt, attracted to the site’s evocation of the simpler times of the early Internet and the laughable bits of mischief that were perpetrated on it.
Not every piece of malware from the 1980s and ’90s was adorable, of course—and not even all of the featured pieces in the museum were harmless when active. But even at their most malicious, they were still a far cry from the kinds of threats we worry about—and witness—now.
That’s in large part because 30 years ago there was very little money online—for the most part, people weren’t going online to summon cars or buy shoes or deposit checks or pay bills. With the rise of the commercial Internet in the late 1990s and early 2000s, online crime became big business and began attracting the sorts of serious-minded, organized criminals who were out to make money, not just the tech-savvy mischief-makers out to concoct cute animations and wreak havoc.
Nostalgia for the malware of the 1980s and ’90s isn’t just about regretting the loss of a particular brand of computer viruses or even a particular breed of cybercriminals—it’s also, in its way, about regretting the loss of the low-stakes Internet. It was an Internet where nothing terribly important was going on in the first place, so there was only so much to fear from it when something went wrong.
And of course, for the most part, we don’t actually want that Internet back—and even if we did, it’s not clear we could have it—because being able to summon cars and buy shoes and pay bills online is incredibly, wonderfully convenient. High-stakes crime and threats are part of the price we pay for having an Internet that’s more than just an academic or recreational pursuit.
All the same, it can be a little startling to go back through the archives of malware written not so long ago and realize how unrecognizable much of it now looks. Not just because the code and the people who were writing it—along with everything and everyone else in technology—got faster and better and more effective but also because they were driven by very different motivations than our modern-day online enemies.
Browsing through the newly launched site and realizing how much has changed in such a short period—how radically and irrevocably the landscape of computer security has been altered—you wonder how dated our current threats will look 20 or 30 years from now and what will have replaced them.
Can you picture the malware museum of the 2000s and 2010s? The exhibits for Conficker, Stuxnet, Flame, Zeus; the brief descriptions of the size and scope of each, how much damage was done, the sums of money lost, the number of victims affected. Will people browse through nostalgically and say to themselves: “How quaint, how adorable, can you believe they thought that was malware?”
India Doesn’t Need Facebook’s Free Mobile Internet Access. It Needs Nationwide Broadband.
Mark Zuckerberg has not had a good week. First, Free Basics—his company’s attempt to offer free Internet access within a Facebook-approved ecosystem of apps and platforms—was blocked by India’s telecoms regulator in a historic, stern, and unequivocal ruling against anyone who tries to offer differential pricing for data services in India.
Then, he had to publicly chastise one of his own board members, venture capitalist Marc Andreessen, who had issued an ill-conceived flurry of tweets in which he called Free Basics and colonialism forces for good and criticized Indians for rejecting both. (Andreessen has since apologized.)
To preserve the neutrality of its Internet, India has decided to ban all attempts to build walls around certain kinds of privileged content. India’s Internet will remain open, allowing its users to decide how it will develop.
The decision by the Telecoms Regulatory Authority of India, or TRAI, an independent body, followed sustained pressure from campaigners who correctly argued that the Free Basics plan would have created a multitiered Internet—better, faster, more open access for the rich and restrictions on those with lower incomes. These restrictions could stifle innovation and entrepreneurship, which are both important factors in escaping poverty. They would also prevent new Internet users from discovering the breadth of available content.
“Connecting India is an important goal we won't give up on,” Zuckerberg posted on Facebook after the ruling was issued. “Because more than a billion people in India don't have access to the internet.” The real challenge lies in building India's digital infrastructure, which has been neglected for a long time. If Facebook really cares about poor people having access to the Internet, this would be a more useful place to spend its money.
India’s bigger cities and urban areas generally have wired Internet access, of varying standards. But in rural areas, where more than 800 million people live, there are simply not enough wires in the ground. In December 2014, only 1.2 percent of Indians had access to wired broadband; the global average was 9.4 percent. Speeds are generally on the slow side.
Funding isn’t necessarily the problem. In 2011, the Indian government launched the National Optic Fiber Network project. Its aim was to connect hundreds of thousands of villages over a period of three years, at an estimated cost of $3 billion. It has been a spectacular failure, with less than 5 percent of its targets achieved. Billions of dollars remain unspent.
India has instead relied on telecoms companies to develop mobile Internet, which is how the vast majority of new users are gaining access, usually via increasingly affordable smartphones. We keep hearing that 4G is on its way, but many places are still stuck with erratic 2G. Even in major cities, cellphone coverage drops in and out. But 4G is not enough. At its best, mobile Internet simply does not have the capacity of a high-speed wired connection (which you still need in order to then get Wi-Fi).
Free Basics was available for a year before it was banned, and since Facebook did not supply user numbers to TRAI, it is a fair guess that it was not particularly popular. A popular service would be much harder to ban. Various reports suggest that most of the people who signed up were already Internet users looking for a way to get free data, rather than the truly disconnected poor. In any case, even poor people will buy smartphones and pay for basic data connections if they feel it's worthwhile. Still, entry-level smartphones using 2G are at best only a gateway to more serious Internet participation.
A resilient wired Internet will require the hard work of digging up the ground; laying cables full of optical fibers; and, crucially, maintaining and upgrading them. This is a major task in any country, let alone one of this size and complexity. Like the United States, India is a federation of states, all of which have considerable autonomy. National development projects can stall because of interstate disagreement over funding and control or even cultural differences.
India also has many other infrastructural and social challenges that are arguably even more pressing. Three hundred million don’t have electricity, and a similar number are illiterate. Half the population doesn’t even have a toilet at home. But the U.N. has declared Internet access a basic human right, and it can and probably must be addressed separately from other concerns, however important they are. Otherwise nothing will get done.
“What do we need to do?” asked TRAI in May last year, in a simple and blunt subtitle to its extensive, 120-page report on improving broadband access in India. TRAI’s recommendations are unsurprising. It criticizes the lack of planning and coordination that has led to the present situation. It proposes common standards be implemented, so that everything across the country works harmoniously. And it wants the various agencies, partners, and state and central governments to simply get a move on, as India is already behind and there isn’t any more time to waste. The lack of reliable Internet penetration in India is hurting its economic prospects.
India has a can-do mentality that enables it to keep functioning and thriving, despite disparaging remarks from places like Silicon Valley. It’s not dissimilar to the spirit that has made the Internet itself a realm of possibility. Splendidly, the 2015 TRAI report ends with a quote from Machiavelli: “The one who adapts his policy to the times prospers, and likewise that the one whose policy clashes with the demands of the times does not.” India paid attention, Facebook did not.
Amazon Hides a Zombie-Outbreak Reference in New Terms of Service. Hilarious.
It’s hard to imagine the kind of person who would read all the way through Amazon Web Services’ massive terms of service agreement. At more than 26,000 words, the document is denser and more digressive than Tristram Shandy, a veritable post-apocalyptic wasteland of legalese that dictates how users can and cannot employ products from the e-retailer’s massively profitable cloud computing division. Formidable as it is, however, someone managed to make it through. And he or she found something wonderful—possibly with a slight nudge from Amazon itself, though it’s conceivable that it was discovered independently.
As various sources—Venture Beat seems to have been among the first—have reported, the company’s latest update to its ToS (announced on Monday, Feb. 8) contains a clause voiding some of its restrictions in the event of a zombie outbreak. Of course, it doesn’t actually say zombie anywhere, instead cloaking the viral menace in winkingly formal language:
However, this restriction will not apply in the event of the occurrence (certified by the United States Centers for Disease Control or successor body) of a widespread viral infection transmitted via bites or contact with bodily fluids that causes human corpses to reanimate and seek to consume living human flesh, blood, brain or nerve tissue and is likely to result in the fall of organized civilization.
The restriction in question bars users from integrating Amazon Web Services’ new Lumberyard gaming engine “with life-critical or safety-critical systems,” including medical or military equipment. Basically, that means you can’t use the software to program robot doctors or control weaponized drones, a requirement unlikely to come into play, unless Lumberyard is far more powerful than it appears. In that sense, the zombie exception makes light of a concern that is only marginally more probable than a plague of walking dead.
Charming as they are, clauses like this one don’t actually encourage us to read the terms of service. Instead they mostly work to make a joke of our failure to do so. A few publications that have reported on the zombie clause have taken the story as an opportunity to point out other, less sexy, details from the document. Ars Technica’s Kyle Orland, for example, notes that the engine collects information about where, how, and when it gets put to work. It’s not clear, though, that this is especially sinister, let alone that different from the data collection practices of other software companies.
Cutesy aberrations train us to look for anomalies instead of encouraging us to make sense of the norms that actually shape our lives. Last year, Slate’s Lily Hay Newman examined the all-caps sections in terms of service agreements. Such sections were once meant to clarify what we should pay attention to, but in reality, our eyes tend to skip right over them. A more idiosyncratic approach to intelligibility shows up in R. Sikoryak’s comic book adaptation of the iTunes terms and conditions. That method, alas, is unlikely to see widespread adoption.
Amazon’s jape feels more like viral marketing for Lumberyard than an invitation to look carefully—or at all, for that matter. At best, it’s a reminder that most of us have become zombies of a sort, the kind that click without reading. Can anyone help us find some brains?
Microsoft’s Fetch! App Is Terrible at Identifying Dog Breeds. That’s What Makes It Great.
In April researchers at Microsoft released How-Old.net. Using machine learning, the software guessed the age of people in photos. The results were, ahem, not very accurate, but people loved submitting photos of themselves and their friends. Now a new project through Microsoft's experimental program Garage is doing a similar thing for identifying dog breeds. And it's terrible in the best way.
You can use Fetch! through a website, What-Dog.net, or an iOS app. When the service evaluates a dog photo and settles on a breed, it provides a rating of how strong it thinks the match is, and also lists runner-up breeds that it considered. Then it lists characteristics of the breed it assigned, like disposition and size.
With How-Old.net, Microsoft researchers seemed a bit out of touch with how Internet users would interact with the service. (They expected most people to try the service out on stock photos, not personal photos.) Fetch! is much sleeker, but like with How-Old.net, the true joy of using it doesn't really come across in the description, which says: "This is the kind of app you’re going to take out when you’re with your friends. You’ll make fun of each other, comparing which breeds you look like, and posting the tagged photos."
The Fetch! mode that allows people to be assigned a dog breed is kind of funny, sure, but I was much more interested in throwing other animals and inanimate objects at the A.I. What would it think about a photo of a plate of bagels?! (To the service's credit, it did realize that the bagels were not a dog.)
When I wasn't trying to trick it, the service did make some impressive guesses. But it also made a lot of mistakes. Maybe Fetch! will get better as more people feed it data to learn from. For now it's pretty delightful as is and a great excuse to look at dog photos.
Netizen Report: The EU Wrestles With Facebook Over Privacy
The Netizen Report offers an international snapshot of challenges, victories, and emerging trends in Internet rights around the world. It originally appears each week on Global Voices Advocacy. Mahsa Alimardani, Ellery Roberts Biddle, Hae-in Lim, and Sarah Myers West contributed to this report.
In the latest development in the negotiations between the United States and European Union over data transfer rules, Reuters reports France’s data protection authority gave Facebook three months to stop tracking non-users’ Web activity without their consent, and ordered Facebook to cease some transfers of personal data to the United States or face fines. In response, Facebook asserted it does not use the now-defunct Safe Harbor agreement to move data to the United States and instead has set up alternative legal structures to keep its data transfers in line with EU law. Despite this, Facebook was forced last year to stop tracking Belgian non-users after it was taken to court by the Belgian regulator. Last week, the United States and European Union agreed upon a new legal framework to replace Safe Harbor, but as it is not yet operational, several European data protection authorities are still deciding whether data transfers should be restricted.
Google’s new scheme to combat online extremism
In an effort to combat groups like ISIS that recruit online, Google has launched a pilot scheme to point users who search for extremist terms toward anti-radicalization links. It announced the new effort on Feb. 2 at a meeting with the U.K. Home Affairs Select Committee on Countering Extremism. Representatives of Twitter and Facebook were also challenged by members of Parliament on their role in combatting the spread of terrorist material. Twitter also announced last week that it had suspended 125,000 accounts associated with extremism since mid-2015 in response to pressure from the US government. However, as the New York Times’ Mike Isaac notes, “these companies must walk a fine line between bearing responsibility for their platforms and avoiding becoming the arbiter of what constitutes free speech.”
What’s going to happen to Ukraine’s database of “explicit content”?
The Ukrainian censorship body, the National Expert Commission for Protection of Public Morality, dissolved last year, but its legacy lives on as a database of “explicit content” that no one in the government seems to know what to do with. The database includes a sizeable amount of content “containing elements of sexual nature and erotica,” but the commission was also well known for its attempt to ban Spongebob Squarepants, Shrek, and Teletubbies. Users have suggested the team responsible for dissolving the commission make the content more widely available, so they can see where taxpayers’ money went.
Taking on Russia’s invasive surveillance
Two Russian Internet service providers are taking the Federal Security Service to court to challenge the surveillance system employed by Russian federal police to spy on Internet use. ISPs play a critical role in making surveillance possible, by installing expensive equipment that provides police access—making this case a significant affront to Russia’s invasive surveillance apparatus.
Telegram in Iran
Messaging app Telegram’s growing influence is being characterized as a major factor in the dissemination and spread of information leading up to Iran’s Feb. 26 parliamentary elections, but the platform’s susceptibility to state manipulation is also becoming more apparent. After the arrest of former BBC journalist Bahman Doroshafaei, the government took over his Telegram account and started to message his contacts. Some believe this was an effort to extract sensitive information or to distribute spyware. Fatemeh Shams, a friend of Doroshafaei, posted the following warning to her Facebook account:
Someone has been talking to me for two hours from Bahman's hacked Telegram account and now is chatting with my friends with my account. If anyone messaged you on Telegram [from my account] please ignore it. I've lost access to my account.
Future Tense Event: Can We Engineer Away the Zika Virus?
In a matter of weeks, the Zika virus has gone from being a virtually unknown phenomenon to a “Public Health Emergency of International Concern.” And for good reason: The virus—for which there is no treatment—is spreading quickly through the Americas, carried by the Aedes aegypti mosquito.
Human development, climate change, and droughts will only make mosquitos more widespread, allowing them to carry diseases like dengue and malaria to new places. Around the world, researchers are trying to genetically engineer mosquitoes so that they can’t transmit dangerous viruses. But anyone who has seen Jurassic Park knows that a little change to the ecosystem can have serious effects. What might be the consequences of messing with the world’s deadliest animal? Are there other diseases that we may want to engineer away? If so, how should we proceed?
On Tuesday, Feb. 23, join Future Tense in Washington, D.C., for a lunchtime conversation on Zika as a case study in potential technical solutions to deadly diseases. For more information and to RSVP, visit the New America website.
Professor, School for the Future of Innovation in Society, Arizona State University
Director of the Risk Innovation Lab, Arizona State University
Assistant professor and principal investigator, Sculpting Evolution Group, MIT Media Lab*
Technology development fellow, Wyss Institute for Biologically Inspired Engineering, Harvard Medical School
Senior associate and scholar, Science and Technology Innovation Program, Woodrow Wilson International Center for Scholars
Carnegie Fellow, New America
Director of Global Policy Initiatives, Broad Institute, MIT & Harvard
Director, Immigrant Health Initiative, Microbiology & Immunology Department, Georgetown University Medical Center
Science correspondent, National Public Radio (on leave)
Visiting scholar, Consortium for Science, Policy & Outcomes, Arizona State University
Update, Feb. 11, 2016: This post was updated to include an additional affiliation for Kevin Esvelt.
Can You Be an Environmentalist Without Embracing Nuclear Energy?
Thirty-nine years after the meltdown at Three Mile Island and almost five years post-Fukushima, nuclear power seems to be emerging from its long funk as a promising alternative to the carbon economy. Innovative new designs are changing the landscape of nuclear power and have the potential to redefine affordable, emission-free, and carbon-free clean energy. So why is it still a hotly contested issue?
Will proliferation of nuclear energy be among the solutions the world seeks, or will our long memory of the fallout from first and second generation reactors prevent us from embracing the promise of clean energy that new models provide?
Join Future Tense on Monday, Feb. 22, at 12:15 p.m., for lunch and conversation in Washington, D.C., to consider whether you can truly be an environmentalist without embracing nuclear energy. For more information and to RSVP, visit the New America website.
Washington correspondent, Quartz
Future Tense fellow, New America
Adjunct professor, Center for Security Studies, Georgetown University
Chief scientist and principal, Founders Fund
Assistant professor, School for the Future of Innovation in Society and School of Social Transformation, Arizona State University
Technical director, Nuclear Energy R&D, Argonne National Laboratory
Founding editor, ClimateProgress.org
Senior fellow, Center for American Progress
Author, Climate Change: What Everyone Needs to Know
325,000 People Have Now Registered Drones With the FAA. That’s Not Enough.
When the Federal Aviation Administration launched its national, mandatory drone registration initiative in mid-December 2015, nobody really knew whether drone owners would comply. It’s not that the registration process is onerous—registrants must pay $5 and provide some basic identifying information in exchange for a registration number to be visibly inscribed on all of the registrant’s drones. But it still requires effort, awareness, and a sense of personal responsibility, and some drone hobbyists have been known to flout the latter two virtues. Indeed, the whole reason why the FAA fast-tracked this registry in the first place is because too many operated their drones in a reckless manner.
But here we are, about a month and a half after the program’s launch, and, lo and behold, it isn’t a total flop. On Monday, FAA Administrator Michael Huerta announced that his agency had processed approximately 325,000 drone registrations since Dec. 21. This number exceeds the number of manned aircraft registered with the FAA, and I guess this isn’t very surprising, given that manned aircraft cost many hundreds of thousands of dollars. At a drone-industry gathering on Monday, according to the Hill, Huerta lauded the speed with which the registry was conceived and implemented and called it “proof that when government and industry partner, we can innovate, cut through red tape and use technology to tackle emerging risks.” I give Huerta and his collaborators immense credit for devising and launching the drone registry with such seamlessness and speed, and they certainly deserve to celebrate the number of registrations logged thus far. But while that 325,000 number is impressive, it might mean less than the FAA would have you believe.
Near the end of last year, the FAA estimated that 1.6 million consumer drones would be sold in America in 2015, with approximately half of those sales coming during the holiday shopping season. I’m not a math guy, but I’m pretty sure that 325,000 is smaller than 1.6 million. Now, of course, the number of registrations doesn’t directly reflect the number of drones, because one registration number can apply to a drone owner’s entire fleet. So let’s be charitable and double that sum and assume that the 325,000 registration numbers apply to 650,000 drones. Let’s also be charitable and cut the FAA’s sales estimate in half, and let’s also not worry about drones that were sold before 2015. So, great, that makes 650,000 drones registered out of 800,000 drones total. That’s a lot of drones that have been registered. But that’s also a lot of drones that haven’t been registered. And this brings me back to what I was saying earlier about awareness, effort, and personal responsibility. Even the most charitable reading of the current FAA drone registration totals implies that there are hundreds of thousands of drones in America that have not yet been registered. And these unregistered drones are probably the ones that ought to inspire the most concern. Because the sort of person who is careless enough to, say, crash his drone into a packed football stadium is probably also the sort of person careless enough to not bother registering his drone with the government.
This article is part of a Future Tense series on the future of drones and is part of a larger project, supported by a grant from Omidyar Network and Humanity United, that includes a drone primer from New America.
Highway Safety Admin. Says A.I. in Autonomous Cars Can Legally Count as the Driver
The National Highway Traffic Safety Administration told Google last week that federal law could view the artificial intelligence systems controlling the company's autonomous vehicles as "drivers." The recognition is significant for Google and other companies that are trying to bring true self-driving cars to market—ones that don't rely on a licensed human driver as a backup.
According to Reuters, the administration sent a letter to Google on Thursday in response to a November proposal from the company. The letter explained, "NHTSA will interpret 'driver' in the context of Google's described motor vehicle design as referring to the (self-driving system), and not to any of the vehicle occupants."
The decision contrasts with legislative discussion in states like California, where the state Department of Motor Vehicles proposed in December that licensed drivers and manual controls be required in autonomous vehicles. And NHTSA noted that some existing federal car safety laws (related to things like brake systems, for example) would conflict with a new definition of "driver" and won't be simple to change or revise.
Ars Technica points out that the United Kingdom is having similar debates about autonomous vehicles right now. Like in the United States, self-driving cars in the U.K. can be tested on public roads only if a licensed driver is in the car and has access to full manual controls.
It might not be time to give up your car and driver just yet, but maybe soon you'll have a car/driver.