
Bitcoin as insurance

The investor Chamath Palihapitiya described how he claims to think about Bitcoin – as a hedge against the collapse of the financial system as a result of poor governmental policies:

If the government itself just continues to make a string of bad decisions that then have rising consequences… Bitcoin to me is the only thing that I’ve seen so far that is really fundamentally uncorrelated to that decision making process and to that decision making body. Because at the end of the day, any other asset class – equities, debt, real estate, commodities, they’re all tightly, tightly coupled to a legislative framework and an interconnectedness in the financial markets that brings together many of the governments that are… behaving in this way.

So [Bitcoin] is almost like a bet against the ruling class in some ways and making sure you have a small amount of insurance because… insurance is not something that pays off 50 cents to the dollar, insurance is something that pays off… 1000 bucks to a buck. You want these massive, massive asymmetric payoffs because you want to be sure that a small amount of insurance can basically make you whole…

that’s why I just think that… you should take 1% of your portfolio, put it in Bitcoin, never look at it. Don’t look at the price. Don’t look at anything and hope that that 1% goes to zero. Then you have the 99%. But in the case where that 99% goes to zero, that 1% will probably be worth 120%. And you’ll feel like a genius.


My friend’s Whatsapp was hacked – and how you can avoid it

Last week, a friend of mine called me saying she had been locked out of her Whatsapp account on her phone, and someone else was logged in to Whatsapp as her.

My friend had received a message from one of her friends, saying that a code had mistakenly been sent to her number as an SMS, and could she please send it. Since the message came from a person my friend trusted, and in parallel, she had in fact received an SMS, she sent it.

Right away, she was logged out of her Whatsapp app.

My friend had been phished.

Phishing is an example of social engineering techniques used to deceive users.

Users are lured by communications purporting to be from trusted parties [such as friends]… typically carried out by email spoofing, instant messaging, and text messaging

The Wikipedia page on Phishing

My friend then told me that this attacker had then gotten control of friends’ and relatives’ accounts by simply repeating what the attacker had done with her.

My friend could not log right back into her account because Whatsapp imposes a limit on how frequently you can log into new phones. This is presumably to guard against situations like this, but the result was that the legitimate owner of the account had been locked out.

Eventually the attacker tried to get control of my account. This is the message I received from my friend’s Whatsapp:

And of course, in parallel, I had received a message from Whatsapp itself:

You can see how, if you’re in the middle of something, that you could distractedly copy and paste the OTP text – and lose control of your account before you knew what happened.

The attacker had simply entered my number into a Whatsapp login screen on a phone, triggering an OTP to my phone. Since they already had control of my friend’s account, they then messaged me as her, saying exactly what they had at the beginning of this post – that the OTP was meant for her but was sent to my number, could I please send it?

“So what? You can’t log into my bank from Whatsapp”

In a discussion about this later, someone had asked

“What do you get by hacking someone’s WA. It’s not like you can use the OTP for logging into bank accounts?”

Even if the damage is not financial, it could be worse. A compromised Whatsapp account is a form of identity theft. This friend is in a leadership position. Whatsapp is a big part of her engagement – her team and key customers are all on Whatsapp. As are groups with parents, family, friends, professional groups.

My friend later wrote to me

The person who took over btw after a while went nuts…booted people out of my groups where I am admin, started writing gibberish and changed group names to angry faces etc

This is embarrassing, and it could have been a lot worse. Plus, after the fact, she had to do a form of contact tracing to find out who else had been phished via this compromised account, and if they had suffered any reputational damage.

How to protect yourself from such an attack

Turn on two-step verification. It’s under Whatsapp ➝ Settings ➝ Account

From a 2018 Indian Express article about the feature.

Do it now. Stop reading this article and do it, and then read on. It takes under one minute to setup.

To reduce the chances of you forgetting your six digit code, Whatsapp will occasionally ask you to enter it when you launch the app – not every time, but just enough that you stay familiar with what it is.

Here is why two-step verification (also called two-factor authentication) makes it all but certain you will never fall for a phishing attack:

When you set up Whatsapp on a new phone, or re-install it on the same phone, you now need to go through two verification steps. One, you enter an OTP that’s sent to your phone. And two, you enter this six-digit code.

An attacker who has phished your friend’s Whatsapp account may trigger an OTP for your number to your phone, and may message you asking for it. You may even be fooled into sending it to them. But Whatsapp will then ask for your six digit code. Now the attacker can’t pull the same trick saying they need a six digit code for their account – no, they have to explicitly ask you for your account’s six digit code.

Even if they’re posting as your friend, it is highly likely you’ll suspect something’s up.
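As an added illustration, not WhatsApp’s code and not part of the original post, here is a small Python model of the “set up the app on a new phone” flow described above. It shows the two cases side by side: with only an SMS code required, a code forwarded by the account’s owner is enough for the requesting phone to take over the session; with a second six-digit secret enforced, the forwarded code alone fails, while the owner, who holds both factors, can still re-install. The class names, the phone number and the salted-hash PIN storage are all assumptions made for this example.

```python
"""Model of a phone-number registration flow, with and without a second
verification step. Added example, not WhatsApp's implementation: the class
names, the phone number and the salted-hash PIN storage are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumption: the service keeps only a salted hash of the user's PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Account:
    number: str
    device_id: str                          # device currently holding the session
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None
    pending_otp: Optional[str] = None       # code last sent by SMS for a new login

    def enable_two_step(self, pin: str) -> None:
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = _hash_pin(pin, self.pin_salt)


class RegistrationService:
    """Stand-in for the server side of 'set up the app on a new phone'."""

    def __init__(self) -> None:
        self.accounts: dict = {}
        self.sms_outbox: list = []          # (number, text): stands in for the SMS network

    def register(self, number: str, device_id: str) -> None:
        self.accounts[number] = Account(number, device_id)

    def request_otp(self, number: str) -> None:
        # Anyone who types a number into a fresh install can trigger this step;
        # the code goes to the number's real owner, not to the phone that asked.
        acct = self.accounts[number]
        acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
        self.sms_outbox.append((number, f"Your code is {acct.pending_otp}"))

    def verify(self, number: str, device_id: str, otp: str,
               pin: Optional[str] = None) -> bool:
        acct = self.accounts[number]
        if acct.pending_otp is None or not hmac.compare_digest(otp, acct.pending_otp):
            return False
        if acct.pin_hash is not None:
            # Second step: the OTP alone is not enough, the PIN must also match.
            if pin is None or not hmac.compare_digest(
                _hash_pin(pin, acct.pin_salt), acct.pin_hash
            ):
                return False
        acct.pending_otp = None             # a code is good for one attempt only
        acct.device_id = device_id          # the verified device now holds the session
        return True


OWNER_NUMBER = "+910000000001"              # constructed number, not a real one


def forwarded_otp_scenario(two_step_pin: Optional[str]) -> dict:
    """The owner is talked into forwarding the SMS code to a 'friend'.
    Returns whether the session was taken over and who holds it at the end."""
    svc = RegistrationService()
    svc.register(OWNER_NUMBER, "owner-phone")
    if two_step_pin is not None:
        svc.accounts[OWNER_NUMBER].enable_two_step(two_step_pin)

    svc.request_otp(OWNER_NUMBER)           # someone enters the owner's number on another phone
    forwarded = svc.sms_outbox[-1][1].split()[-1]   # the owner forwards the SMS text
    hijacked = svc.verify(OWNER_NUMBER, "other-phone", forwarded)  # no PIN was ever asked for

    # The legitimate owner re-installing later has both factors.
    svc.request_otp(OWNER_NUMBER)
    own_otp = svc.sms_outbox[-1][1].split()[-1]
    owner_ok = svc.verify(OWNER_NUMBER, "owner-new-phone", own_otp, pin=two_step_pin)

    return {
        "session_hijacked": hijacked,
        "owner_can_reinstall": owner_ok,
        "session_on": svc.accounts[OWNER_NUMBER].device_id,
    }


if __name__ == "__main__":
    print("OTP only     :", forwarded_otp_scenario(None))
    print("OTP + 6-digit:", forwarded_otp_scenario("482913"))
```

The point the model makes concrete is the one in the text: the SMS code is something a caller can cause to be sent to you and then ask for under a plausible pretext, whereas the six-digit code has to be requested as *your* code, which is a far harder ask.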

So.

Do protect your Whatsapp account with two-factor authentication. Do get your parents, siblings and friends to set this up. Phishing is social engineering, and, like so many of our problems, has a social solution.

End note: What happens if you do forget your six digit two step verification code?

Well, Whatsapp will send login instructions to the email account that you provide when you set up two-step verification.

But what happens if the attacker first gets control of my email address? The verification code will be sent to an inbox that the attacker has access to.

Well. You protect your other accounts with two factor authentication as well. Especially your email address – for many, also their Google account. This is my guide on how to do that, without needing to remember several such six-digit two-factor codes:


(Featured image photo credit: Rachit Tank/Unsplash)


Youtube-dl, Censorship and the Internet we want

I woke on the 24th to news that Github, the source code hosting service had taken down the youtube-dl project repository along with many forks of the code maintained by other people. This was in response to a DMCA infringement notice filed by the music industry group RIAA.

In response to this distressing news, I wrote a Twitter thread, which I’ll reproduce here:

The youtube-dl project is no longer available on Github. A crying shame. youtube-dl is used not just to pirate – it’s also used to archive videos of protests & rights violations before they’re taken down – depiction of violence is a violation of YT’s TOS! 1/

It’s to archive videos of public events, which may have nothing to do with music. Even when they do have to do with music, as this artist says, youtube-dl was why he had a copy of his *own* performance: 2/

https://twitter.com/oudplayer93/status/1319796635577339906?s=20

I use the tool occasionally to create a copy of rare versions of 50-year-old+ Hindi film songs that perhaps a few dozen people are interested in anymore, and which you won’t find on iTunes or any store. But they’ll be lost to the world if that YT account ever goes offline. 3/

youtube-dl will likely be down until the creators find an alternative repository, which will likely also be an RIAA target, very likely pushing it onto the Tor network, which’ll definitely get it labelled in the mainstream press as a piracy enabler – that’ll be the narrative. 4/

More than anything, Github’s acquiescence sets a very worrying precedent. As this tweet says, cURL (& wget) are widely used open-source projects to download a wide variety of content. You could make the same case to shut these projects’ hosting down. 5/

This should be a loud wake-up call for the @mozilla Foundation, the Electronic Frontier Foundation, the Free Software Foundation – on their watch, a Microsoft business unit became the world’s most popular code hosting service, including for critical Internet projects 6/

The FSF had plans for its own code hosting service in Feb but it doesn’t look like they’ve reached a decision, much less begun execution. Sadly, paid, full-time teams will almost always execute *faster* than volunteer teams like in the FOSS world. 7/ https://libreplanet.org/wiki/FSF_2020

Censorship-resistance needs to be a top-level criterion for evaluation, for anyone who is building anything of value for the Internet. A strictly free (or open source) code hosting platform is of no use if it or its projects can be taken down just like with youtube-dl. 8/

This should be an equally strident wake-up call for other projects – such as @The_Pi_Hole, which I have written about so often, and which are hosted on github. If the RIAA has gotten its way, the much larger online advertising industry could very easily act next. 9/

There are so many other projects that survive publicly ONLY because they either fly under the radar or have not yet been targeted. Two that immediately come to mind are the Calibre project and its (independent) Kindle De-DRM plugin. 10/

End note: I had written about how you could create a censorship-resistant site on the Internet. I’d written this as a lightweight thought experiment. Today I see it in a more serious, a more urgent light. 11/11 (ends).

Another thought that struck me after the thread is that a USA-centric industry association filed a notice under USA law to a USA-based company, Github/Microsoft, and knocked offline a project that

  • had contributors from all over the world
  • was forked by people all over the world
  • made a tool that was used by people from across the world
  • to download videos and knowledge created and posted by people from around the world

We think of the Internet as a shared resource. Practically, it is subject to the laws of just a few countries, especially the USA, and a few massive companies, also mostly registered in, and subject to the laws of, the USA. This is not a criticism of the country – such centralisation of authority and control in the hands of any one or few countries is detrimental to the future of the Internet as we know it.

I will probably have more to say about this, but this is it for this post.


Realists of a larger reality

“Hard times are coming, when we’ll be wanting the voices of writers who can see alternatives to how we live now, and can see through our fear-stricken society and its obsessive technologies to other ways of being, and even imagine real grounds for hope. We will need writers who can remember freedom – poets, visionaries – the realists of a larger reality.”

Ursula K. Le Guin

This was part of Le Guin’s acceptance speech in 2014 for the National Book Foundation’s Medal for Distinguished Contribution to American Letters. This is the video; the introduction is by Neil Gaiman, and this quote starts at about 7 minutes 30 seconds in:

Speculative fiction is influenced by today’s technology, but it influences tomorrow’s. We’ve had a couple of decades of dystopian fiction, including that which is set in the near-future.

Fiction that is both optimistic and realistic is hard. As we saw in our recent series on Misinformation and how to counter it, these are hard problems that require both large-scale cooperation and innovative solutions.

And that is why fiction that imagines such futures – ones that face and overcome such problems – is not just inspiring and hope-giving; at its best it is a spark that lights, however slightly or briefly, a path to an actual real-world solution.


Misinformation and countering it – Part 5

(Part 4 – A thought experiment on the role of DNS providers and Web browsers in tackling the spread of misinformation)

We’re in a situation today where Google’s Chrome internet browser has a two-thirds market share overall. And probably even more on mobile, given that it is the default browser shipped on almost every Android phone:

Google also operates a public DNS at 8.8.8.8.

Finally, Google operates its core search engine, which is the home page for every Chrome browser and used daily by nearly every person connected to the Internet (except by those in China).

This puts Google in a uniquely powerful position to tackle misinformation on the Internet. It could build those misinformation blocklists into the browser itself. It could make them part of its public DNS resolution. It could build them into search results, warning people before they even clicked on the search result to navigate to the website.

Unfortunately, it has little incentive to do so. Google’s business is built on advertising. If it blocks misinformation but not intrusive advertising, it is hypocritical. If it blocks intrusive advertising but not its own ads, it is even worse hypocrisy (even though it has begun to block some of the worst offenders).

Finally, Google’s positioning of neutrality on the Internet is an asset in its efforts to avoid being labelled and prosecuted as a monopolist. It cannot afford accusations of actively and flagrantly censoring web search results, as necessary and healthy for the Internet as it may be.

To conclude

Over this series, we’ve seen how harmful to a society misinformation can be, how, just like spam, it’s cheap to create and propagate but hard to research and refute.

We’ve seen how it is not in social media’s interests to tackle misinformation, how it’s a community problem and incumbent on us to solve. To that, we have explored possible ways and existing/past services to counter misinformation – on the web, Twitter and other social media. Not all of them exist or are even simple, but they are all opportunities.

Finally, this post was a thought experiment about bending the Internet’s neutrality to make it a safer place. We saw how Google is in the most powerful position to identify and hamper misinformation, but how doing so would threaten it both commercially and politically.

It doesn’t make for hopeful reading. But it’s becoming even clearer to me that the solution to misinformation – just like the solution to spam – is bottom-up and community-led, not top-down. We have grown accustomed to a steady stream of free-to-use services and apps from large tech companies. As a consequence we look to them to solve our problems. We, especially the readers of this site and similar ones, must recognise that tech companies benefit by enabling our addictive behaviours, not by encouraging thoughtful and responsible ones.

The solutions are in our hands – not theirs.

(ends)


Misinformation and countering it – Part 4

(Part 3 – Tackling misinformation on Twitter and other social media)

Thought experiment – the responsibility of DNS providers and web browsers

One idea we should at least have a conversation about is the role and responsibility of DNS providers with regard to misinformation.

Could public DNS providers – like OpenDNS, Cloudflare, Quad9, even Google – take a stance to actively block misinformation?

Cloudflare today protects websites against malicious users, such as its anti-DDOS service:

One could argue that it should also protect users against malicious websites or at least malicious content.

And some of them already do so: Cloudflare claims its 1.1.1.1 public DNS does not sell data to advertisers. It is reportedly faster, and its paid WARP VPN service that runs atop 1.1.1.1 encrypts traffic from your devices while also routing it over the fastest available paths to the sites you visit – after all, Cloudflare is also a content delivery network. Ergo, Cloudflare already has a number of individual-centric security-focused products.

So one could imagine a situation where Cloudflare creates/maintains a list of sites and URLs that are known for spreading misinformation, or are known to contain incorrect/false data. Or syncs with a crowdsourced list of such lists, much like the public ad-block lists we saw earlier.

When you click/tap a link that leads you to one of these websites or URLs, Cloudflare could first show you a page warning you about misinformation. If you still want to visit it, you can. This’ll go a long way towards staying safe and informed.

The advantage of this approach is that it’s baked into the internet itself. While yes, the Internet was designed to be neutral, it’s expanded well beyond its user base of fifty years ago – the scientific, academic and military community. Neutrality is a key tenet of the Internet, but when it begins causing harm, it needs to be revisited.

Either way, you’d still have to set Cloudflare as your DNS provider. A vanishingly small percentage of people change their DNS settings. Even if Cloudflare – or any of the other public DNS providers – actually implemented this sort of misinformation warning system, only those that were vigilant about it in the first place would care to use it.

For this block-list approach to be useful, you’d need to bake it into something on people’s computers and phones. That’s the web browser.

Ever since most browsers began supporting extensions, they have had the ability to block ads – there are excellent, actively maintained ad-blocking extensions that don’t sell your data – like Privacy Badger by the Electronic Frontier Foundation and uBlock Origin. These and similar extensions can be extended via blocklists to block – or warn of – misinformation. Browsers today also warn you of websites that may be suspicious, or do not secure traffic:

But just like with DNS, the number of people who install ad blocking extensions is tiny, and are biased towards those who are aware of the dangers of the Internet to begin with.
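The DNS-provider idea a few paragraphs up and the browser-extension idea just above both come down to the same mechanism: a shared list of domains, consulted before a page loads, that produces a warning rather than a silent block. As an added example (not code from Cloudflare, Pi-hole, uBlock Origin or any other project mentioned here), the Python below parses a list in the two shapes public ad-block lists commonly use, hosts-file lines and bare domains, and returns a verdict for a URL. It matches a listed domain and all of its subdomains, supports an exception entry, and does not match on mere substrings, which is the usual false-positive trap. Every domain in it is constructed and uses the reserved .invalid suffix.

```python
"""Domain-blocklist lookup of the kind a DNS resolver or a browser extension
could run before a page loads. Added example, not code from Cloudflare,
Pi-hole or any extension; the list format and every domain here are
constructed and use the reserved .invalid TLD."""
from urllib.parse import urlsplit

# Constructed sample list. Two common line shapes are accepted: hosts-file
# style ("0.0.0.0 domain") and bare domains; "@@" marks an exception.
SAMPLE_LIST = """
# misinformation-warn list (constructed for this example)
0.0.0.0 hoax-news.invalid
fake-cures.invalid
@@allow.fake-cures.invalid   # exception: a corrections page under a listed site
"""

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_list(text: str):
    """Return (blocked, allowed) sets of lower-cased domains."""
    blocked, allowed = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        if line.startswith("@@"):
            allowed.add(line[2:].strip().lower())
            continue
        parts = line.split()
        domain = parts[1] if parts[0] in SINKHOLE_IPS and len(parts) > 1 else parts[0]
        blocked.add(domain.lower())
    return blocked, allowed


def _suffixes(host: str):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c']: a listed domain covers its subdomains."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def verdict(url: str, blocked: set, allowed: set) -> str:
    """'warn' if the URL's host (or a parent domain) is listed, else 'allow'.
    An exception wins at the most specific level at which it matches."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "allow"
    for suffix in _suffixes(host):
        if suffix in allowed:
            return "allow"
        if suffix in blocked:
            return "warn"
    return "allow"


def check(url: str) -> str:
    """Convenience wrapper over the constructed sample list."""
    blocked, allowed = parse_list(SAMPLE_LIST)
    return verdict(url, blocked, allowed)


if __name__ == "__main__":
    for u in ("http://www.hoax-news.invalid/story",
              "https://allow.fake-cures.invalid/",
              "https://notfake-cures.invalid/",
              "https://example.invalid/"):
        print(check(u), u)
```

Whether the list is consulted by a resolver or by an extension, the lookup is the same; what differs is only how many people ever see it, which is the point the text goes on to make.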

However, there is one company – Google – that is in a position to solve this for most of the Internet.

(Part 5 – What could Google do?)


Misinformation and countering it – Part 3

(Part 2 – Who should you trust – and avoid?)

Twitter

The excellent Block Together was a great idea – to share block lists between people on Twitter. As this Jan 2019 article described, you could discover block lists, add them to your account and pre-emptively block tens of thousands of accounts right away.

Earlier in 2020, though, its only developer declared that they were no longer able to develop it, and eventually shuttered the service.

Twitter itself has also made it harder to export and import block lists. Its own 2015 blog post described how one could create and share block lists to improve one’s experience. You can see from their own screenshot how straightforward it was:

Not only could you import and export easily, Twitter intended for you to share block lists with/from your friends and followers. No longer.

In 2020, that functionality is no longer available. Twitter states that

… block list, a feature for people to export and import a CSV file of blocked account lists through twitter.com, is no longer available. However, you can still view and export a list of the accounts you have blocked through Your Twitter Data, found under your account settings.

How to manage your block list

Yes – it actually removed the bulk blocking feature – one that’s more important now than ever before. Exporting your block lists is now cumbersome because it’s part of your overall Twitter data export. For me, this export took about a day to be available. Creating public block lists, while possible, is harder than just five years ago.

The Twitter API still allows for blocking users, so one could create a Twitter app for the purpose of importing a publicly available block list into one’s account.

Other social media

While the concept of block lists is less applicable to Linkedin and Whatsapp, as we had seen in our article on spam, we should report misinformation in the same way we do unsolicited messages.

Web and email

Medium and Substack are two of the most popular publishing platforms as of 2020. Medium has the ability for readers to report articles. Substack doesn’t seem to have any such support.

However, like we’ve discussed before, discovering great newsletters is still an unsolved problem – and therefore an opportunity.

Whoever builds a search and recommendation engine for newsletters should include in their algorithm a warning flag for those that spread misinformation or hate.

(Part 4 – how can web browsers and DNS providers help?)


(Featured image photo credit: Umberto/Unsplash)


Misinformation and countering it – Part 2

(Part 1 – Who to trust)

Amplifying trusted voices

Online reputation will become increasingly important, even critical. In today’s world, Twitter’s ‘verified’ status should represent whether the person is known to post verified information or not, not whether the person is a known celebrity.

But since that is not the case, and Twitter as of this writing has shown little evidence of such a system, we will need to build this database on our own, first for ourselves, and then share it with our communities.

One idea on Twitter is to create Twitter Lists of people whom you trust. We could each create lists, interest- or topic-wise, for ourselves and make them available as public lists to friends so they too can follow them.

You could extend this to whole websites with shared OPML lists, i.e. lists of RSS feeds of websites that you know and trust. Unlike Twitter lists, though, you’d still have to import this OPML file periodically into your RSS reader.

Shutting out misinformation

While we work to amplify the voices of individuals and publications we trust, we must also work to block out those bad actors. One way is with shared block lists, just like publicly available ad-block lists for the web.

Ad-blocking lists are an important part of the web, and they are often run by volunteers – see this article from 2019 on the maintainers of EasyList. The fantastic pi-hole, which is an ad-blocking software you can install that references such lists, is also maintained by a small community, which this BusinessWeek article profiled.

If ad-blocking lists and software were the counter to oppressive and intrusive ads, we need their equivalent for the misinformation and abuse on social media.

What would those look like?

(Part 3 – Misinformation on Twitter, other social media. And an idea)


(Featured image photo credit: Zdeněk Macháček/Unsplash)


Misinformation and countering it – Part 1

This excellent long-form article in TIME describes the nature of misinformation that is rife in America:

Most Trump voters I met had clear, well-articulated reasons for supporting him: he had lowered their taxes, appointed antiabortion judges, presided over a soaring stock market. These voters wielded their rationality as a shield: their goals were sound, and the President was achieving them, so didn’t it make sense to ignore the tweets, the controversies and the media frenzy?

But there was a darker strain. For every two people who offered a rational and informed reason for why they were supporting Biden or Trump, there was another–almost always a Trump supporter–who offered an explanation divorced from reality. You could call this persistent style of untethered reasoning “unlogic.” Unlogic is not ignorance or stupidity; it is reason distorted by suspicion and misinformation, an Orwellian state of mind that arranges itself around convenient fictions rather than established facts.

When everyone can come up with his or her own facts, the responsible thing is for everyone to also become his or her own fact-checker. This is easier said than done. We saw yesterday how spam is a community problem that can only be fixed by the community – misinformation is the same.

Social media is complicit

The cost of spreading misinformation is nothing – social media and messaging services have spent years reducing the friction of sharing.

In comparison, they have spent almost no resources to determine and signal whether information is accurate or not. Recommendation algorithms simply don’t distinguish between what’s accurate and what isn’t. On YouTube, watching one conspiracy video and clicking on ‘Also watch’ recommendations can quickly lead one down a dark path, as the Guardian article describes.

It goes beyond just neglect. Social media companies have historically distinguished themselves from regular news media, arguing that they are merely platforms on which other people express their opinion, and that they can’t be held liable for what is posted by such people. However, they also argue that only they are in a position to create and apply policies regarding hate speech, abuse and misinformation. For example, see this WIRED article on Facebook’s weak efforts to self-regulate.

In short, they’d like to have it all. And so far, they have succeeded.

This imbalance by new media companies means that you and I must pick up the slack. Checking the accuracy of information means verifying the source, and then verifying the source of the source, and so on. It means looking at the bigger picture to judge if comments were taken out of context. It means determining if someone’s opinion was presented as fact. All this takes time. This example of fake national glorification took me several minutes to locate and correct:

And then there’s the social angle. Correcting someone on Whatsapp or a more public channel is almost never rewarding. The person who shared the original piece of misinformation, like anyone, has had their ego hurt and will push back. At best, it makes your real-life relationship awkward. At worst, it exposes you to online abuse. But we will need to power through this.

(Part 2: So who should you trust – and avoid?)


(Featured image photo credit: Markus Spiske/Unsplash)


Aggressively reporting spam for everyone’s sake

We’ve often spoken on this site about ad and tracker spam on the web. But this year there’s also been an increase in spam across other mediums – phone, SMS, Whatsapp, Linkedin, Twitter and email. It’s likely this is partly because there are vastly fewer people outdoors, making any form of real-world advertising and messaging ineffective.

In any case, our messaging apps are our highest-priority inboxes. We leave notifications on because chat is both asynchronous and real-time, both personal and work related. That’s why spam on these messaging apps makes a higher claim on our attention than, say, email.

Given how fragile and limited our attention is, we must take such casual abuse of attention very seriously. Each of these apps has methods to report and/or block spam. We should all use them mercilessly. It just makes your life better.

But not only is the payoff high for you, your effort makes other people’s online lives better too, by taking spammer accounts offline. None of the services we’ve listed above – and other ones you use – are decentralised. Certainly not Whatsapp, Linkedin, Twitter. Email’s become synonymous with Gmail. Your reporting and marking as spam blacklists that account for everyone else on the service. We have often discussed the dangers of ceding control of your data to large tech companies, but in this case we can use it to our advantage.

Spam is a community problem – and the only way we’ll tackle it is as a community.

Phone and SMS

India has had a do-not-disturb regulatory framework for dealing with spam for over ten years now. First, find out from your mobile operator how to get on the do-not-call registry. As of this writing, you can also send ‘START 0’ as an SMS to 1909 to opt out of all promotional messages – but as with most government services, this doesn’t always work.

Then install the TRAI DND reporting app (iOS App Store, Google Play Store). Report every single spam SMS and phone call you get. Here’s me reporting spam:

Here’s a screenshot of my operator confirming complaints from other spammers:

I’m sure this doesn’t work 100%. See this article from the publication Moneylife on TRAI’s ineffectiveness. But I have seen a sharp decline in the SMS and phone spam I receive now versus a couple of years ago.

Email

On Gmail, when you report as spam, don’t bother with the ‘report spam and unsubscribe’ option that Gmail presents you. Bad actors take your unsubscribe response itself as proof that your account is active, resulting in further spam. Just stick to ‘report spam’:

If you’re using Gmail in another email app like Apple’s Mail.app, don’t mark as spam in that app – that feeds Apple’s filters. Take the trouble of addressing the problem at its source – go to the Gmail site or the Gmail app and mark as spam there.

Messaging apps

As for Whatsapp and Linkedin and other messaging services – reporting and blocking is 100% effective for you, and goes a long way to making sure that account doesn’t bother anyone else:

We are even more powerful on these new mediums: Whatsapp is tied to your phone number. If enough people report a spammer on Whatsapp, we’ll end up knocking that number off the service. The spammer now needs to get a new phone number, which requires going to a store and performing KYC. And yes, KYC in India can be spoofed, but the costs of getting a new number and a new SIM card are much higher than creating hundreds of new email addresses to spam from.

We can win

Just as spamming is asymmetric – a small number of spammers can impact many orders of magnitude more people – marking as spam is also asymmetrical. It only takes a small number of us to take a lot of spammers offline.

Let’s do this.


(Featured image photo credit: Nadine Shaabana/Unsplash)