hello world [what’s up]

Habari Cartomancers! 

This is the first newsletter since I finally launched the cartomancylabs.com (hope you like it) website. That move has probably broken some things on the newsletter,  so it’s with bated breath that I’ll be clicking publish on this one. You are likely receiving this newsletter from a new email address, so please make sure to mark this newsletter as “not spam” so you continue to get this juicy (if intermittent) feed of info.

Let’s get into it:

• News nuggets 

  • A Bad Storm [of Bad Information] Rising: Post-hurricane thoughts on bad weather, bad information, and bad intentions.

  • u/whitehouse Enters the Chat: The u/whitehouse forum launches on Reddit, and some thoughts on how roles in social media are shifting.

  • Quick Scan of the Cybers: Some other items that have come up in the world of cyber, T&S, and privacy.

a noodle from the lab [what we’re working on]

Right now I’m considering what I think about the MasterCard acquisition of Recorded Future. If you have opinions or want to direct me towards interesting analysis, LMK.

training data [what’s news]

🗨️ A Bad Storm [of Bad Information] Rising

I’m living in the U.S. Southeast right now, so I’m seeing the effects and aftermaths of the string of natural disasters. Years working in fraud prepared me for the scams that typically follow natural disasters - fake charities spring-up by the dozens, and often there are also scam artists that prey on the folks affected by the disasters. This situation is no different and the unscrupulous continue to come out of the woodwork. Homeowners looking for help after Helene are targets for scammers, state agencies say 

I was less prepared for the wave of misinformation lobbed at first responders. Certainly, in a crisis, it’s easy to point out how the government could be doing more, doing better, and providing more care. And oftentimes the critiques are true. But, once I had power and internet back, seeing the difference between what was being posted by people who I know who are on the ground, and people who are dipping-in from elsewhere to try to find help or point fingers - was vast. It has been bad enough that had to FEMA put up an FAQ specifically addressing Hurricane Helene Rumors and Scams. Still, the FAQ hasn’t stopped the spread of theories and lies:

• Antisemitism and Threats Directed at Officials Over Storm Response | The New York Times 

• ‘It’s mindblowing’: US meteorologists face death threats as hurricane conspiracies surge | The Guardian 

• Some FEMA operations paused in North Carolina after reports National Guard troops saw ‘armed militia’ threatening them | CNN 

And, typical to this year, deepfakes also playing a role.(Hurricane Helene and the ‘F**** It’ Era of AI-Generated Slop). I didn’t examine the picture of the little girl in the rowboat holding a puppy too closely, but in an disaster when whole houses started floating down rivers, seemed plausible. Still, my Facebook feed was flooded (pun semi-intended) with garbage, as conspiracy-sympathizers pointed towards rumors as proof of malice on the part of the government, folks trying to help amplified both good and bad information in equal measure, and civilians and bots debated non-stop in the weirdly politically polarized comment sections on weather reports.

No one expects the Spanish inquisition, just like no one expects multiple 1000 year floods within a month - but that doesn’t mean we can’t get a response plan ready. Cyber nerds know that October is Cybersecurity Awareness Month, but how many of you know/knew that September was National Preparedness Month? If you’ve been unnerved by both the natural disasters and the human response, I invite you to take the rest of October to revisit how you can help friends and family get ready, so they can always be ready, for whatever happens next.

🗨️ u/whitehouse Joins the Chat

Speaking of information quality and avoiding scams & misinformation, I was interested to see a LinkedIn post from the Reddit corporate account come through explaining that u/whitehouse has launched:

The quick take: Initially I just thought, “oh, cool, sure - they want another forum to make official announcements and interact with citizens” and then I remembered…I used to go to Twitter for that. Do you remember when Twitter became the “faster” way to get / see information than the news? But a lot of the changes that have been made since Twitter became X make it harder to rely on that platform. (Besides the fact that management is specifically partisan and is hostile to moderation as a concept)

Interesting dynamics to consider:

• First, a ton of users have abandoned the Twitter aka X platform and are now spread out across a bunch of different social platforms.

• But second - Reddit’s the major platform that doesn’t require you have an account. Almost all of Reddit’s forums are publicly available to view and explore. Twitter used to be this way - you could read without having an account. But that’s gone now (login prompts start popping-up pretty quickly), which means Reddit likely provides a much bigger and clearer megaphone.

• Bonus points: It also doesn’t hurt that (as we’ve seen play out in last year’s charging-for-the-API-controversy and also in deals Reddit’s taken on this year), the search engines love Reddit content, which makes content shared on Reddit more “findable” in general.) Might this make information shared via Reddit more accessible and stickier?

The longer view: I wonder if this means we’ll see other government or activist groups flip their efforts onto Reddit. As long as they’re open to feedback from Reddit’s vocal user base, of course. (Here’s where I disclose that I used to work for Reddit - go team, go)

• A further aside as a non-neutral third-party: Opinions and hot takes on content moderation versus free speech continue to rage, but I’ve always been bullish on Reddit’s more user-driven model as being the most “democratic” and naturally anti-viral of the large social networks. The model and execution are far from perfect, but it’s still (IMO) the most scalable and effective option

So far u/whitehouse has been focused on providing updates on government responses to this month’s natural disasters, but I do think this is a great addition to their portfolio of citizen-facing comms.

🗨️ A Scan of the Cybers

Speaking of moderation strategy, here’s a few quick thoughts on things happening elsewhere in the cyber, T&S and privacy worlds. 

• Hacked ‘AI Girlfriend’ Data Shows Prompts Describing Child Sexual Abuse: The headline says it all, you don’t even really need to click into the article.

  • This example is both awful and unsurprising: anyone who’s ever worked on a platform featuring User Generated Content (UGC) knows that you design the product one way, and no matter how it’s designed, your users will work past your design straight into spam, scams, and adult content. And if there are no guardrails in place, it’s going to get ugly.

  • In addition to the AI-generated CSAM, the lack of guardrails in this case also involved some pretty poor privacy and cybersecurity controls, which means that user prompts for their “adult time” content could be matched back to their email addresses.

  • Even if the behavior on the site wasn’t illegal, that’s a cache of extortion material in the making - and of course not a new threat, as Wired reported earlier in 2024 (‘AI Girlfriends’ Are a Privacy Nightmare).

• Internet Archive hacked, data breach impacts 31 million users: If you are a user of "The Wayback Machine", it’s time to go change some passwords. The website was compromised and the authentication database (31 million unique records) was stolen.

• Study: Reports of nonconsensual nude images are ignored on X - unless the reports are filed as copyright violations The worst kept secret in social media is that reports tagged as intellectual property disputes, such as trademark and copyright violations, are the fastest route to getting policy enforcement actions like takedowns. Wired discussed the trend of using DMCA to expedite revenge porn takedowns earlier this year, with Google’s efforts to screen web-based deepfakes as the focus (Google Is Getting Thousands of Deepfake Porn Complaints | WIRED). (Note: URLs reported to Google that get taken down are removed from Google search results - versus a takedown of the host)

• College students used Meta’s smart glasses to dox people in real time: The Verge reports that someone has created a mashup of the Meta smart glasses’ picture/video taking capabilities with AI-driven facial recognition. This reminds me a bit of how geolocation tags have been abused in the past, but worse.

find more cartomancy [what’s out there]

coming soon

▶️ Plans are still shaping-up, but I’m looking to be in Atlanta at the end of October, and in NYC for an event in December.

on demand

▶️ I attended Black Hat USA and the CISO Summit this summer in Las Vegas (early August). As a member of the review board (selection committee) for both events, it was fantastic to see and hear from so many innovators as they shared their experiences and research. I got to introduce a couple of great talks, and also got to have my own (on camera) discussion with Jeff Man - it was streamed live, but if you weren’t able to catch the stream you can catch the replay here:

▶️ I had so much fun with my talk (entitled “Watching the Detectives: Scam Artistry, Deep Fakery, Fraudsters, Frame-ups & Other Highlights of the High Speed Card Chase“) at BSides Knoxville’s 2024 event (their 10 year anniversary!). The discussion focused on parallels and differences between the evolution of detection technology in fraud/T&S versus cyber, and how Maturity Frameworks might apply to fraud programs. Here’s video (below) of the full talk:

A bit of a throwback to but it was so much fun chatting with Andy Ellis, and so much in here is true even a couple of years later.

ttyl [what’s next]

Thanks for reading to the end of this set of lab notes. I’m thrilled to have some fellow travelers mapping out where we’ve been, philosophizing about where we want to be, and building the paths to get us where we’re going.

If you’ve read to the end and you find this content helpful, I’d love feedback. My news feed is full of leads, but my personal algorithm loves learning about what interests the community, so that I can focus in on what will be most useful. Just hit reply and your comments will come whizzing into my inbox. (It’s also a good way to find me if you are interested in working with me or with Cartomancy Labs).

See you next time on the Futurecast!

Allison

@selenakyle