Social media services support account spoofing

coderman coderman at protonmail.com
Tue Jun 18 14:13:50 PDT 2019


On Tuesday, June 18, 2019 4:32 PM, Ryan Carboni <33389 at protonmail.com> wrote:

> Social media services support account spoofing, this simplifies the creation of government sockpuppets. Government sockpuppets can also assume the history of other accounts (this is a simple series of mysql commands, any codebase can accomplish this by copying entries and assigning them to a new ID).
>
> This is a substantial concern to privacy rights.
>
> I am being harassed when I attempt to form new friends over the internet. The US government has effectively controlled my entire life, and I condemn it entirely.

back in dec 2015 the US Gov. executed an attack on my dedicated server (i describe how to detect this here: https://ello.co/ohj2eevi/post/jwqux_ngf4ohtajxdyszjg to identify SSL/TLS MitM via behavior of request signal changes when under active interception.)

during this attack, nearly every single online service was unavailable to me - whether accessing those accounts via Tor or VPN.  this coincided with local technical surveillance efforts.

this informed me of some facts:

- US based services are at the command of the intelligence community and federal law enforcement. this is long noted (NSLs), but the mechanism is more dynamic than I expected. E.g. by account and email, in addition to IP, etc.

- US based services are used as a vehicle to deploy malware to target under some circumstances. E.g. malicious javascript from Gmail web interface, not sent to other accounts.

- Denial of Service is trivial with PRISM access; e.g. a single UPDATE to target row renders accounts inaccessible. note that when all of your accounts are targeted concurrently, there is no effective account recovery process to regain control of these accounts. backup email accounts, SMS, and other recovery techniques are simply unusable.

- the services which did work were decentralized or little known. for a while my ello account contained two additional posts that i kept up to date regarding incident response during this event. (notifying of attack, revoking certificates, attempting to turn off servers, etc.)  sadly, you can see that 2 of my 5 posts were later taken down. NSLs reach everywhere, if you're a business in the US :)   https://ello.co/ohj2eevi - 5 posts, but only 3 available.

some services which continued to work:
- XMPP over Tor with OTR to a hidden service XMPP server.
- Etherpad on Tor hidden service.
- Tor hidden services in general :)
- IRC via VPN or Tor as anonymous / random account.

services which were perfectly blocked by account, IP, and email:
- Gmail
- Hotmail
- Twitter
- Facebook (even hidden service)
- Reddit
- cell phone
- non-VPN SMTP, IMAP, TLS (to many dests)

... so what does this mean?  simply: you cannot trust US based services backed by a business. you may not be able to trust a service run by an individual, either, but they are at least not inherently compromised via NSLs and other legally justified privacy destruction and interference.

good luck :)