$5 Billion A Year Market For DisInformation (#GotBitcoin?)
Aglaya’s latest product, dubbed SpiderMonkey, a device that detects “Stingrays” or IMSI-catchers, the surveillance gizmos used by police and intelligence around the world to track and intercept cellphone data. $5 Billion A Year Market For DisInformation (#GotBitcoin?)
But Aglaya had much more to offer, according to its brochure. For eight to 12 weeks campaigns costing €2,500 per day, the company promised to “pollute” internet search results and social networks like Facebook and Twitter “to manipulate current events.” For this service, which it labelled “Weaponized Information,” Aglaya offered “infiltration,” “ruse,” and “sting” operations to “discredit a target” such as an “individual or company.”
In the summer of 2014, a little known boutique contractor from New Delhi, India, was trying to crack into the lucrative $5 billion a year market of outsourced government surveillance and hacking services.
To impress potential customers, the company, called Aglaya, outlined an impressive—and shady—series of offerings in a detailed 20-page brochure. The brochure offers detailed insight into purveyors of surveillance and hacking tools who advertise their wares at industry and government-only conferences across the world.
The leaked brochure, which had never been published before, not only exposes Aglaya’s questionable services, but offers a unique glimpse into the shadowy backroom dealings between hacking contractors, infosecurity middlemen, and governments around the world which are rushing to boost their surveillance and hacking capabilities as their targets go online.
The sales document also outlines how commonplace commercial spy tools have become. For €3,000 per license, the company offered Android and iOS spyware, much like the malware offered in the past by the likes of Hacking Team, FinFisher, and, more recently, the NSO Group, whose iPhone-hacking tool was just caught in the wild last week. For €250,000, the company claimed it could track any cell phone in the world.
“[We] will continue to barrage information till it gains ‘traction’ & top 10 search results yield a desired results on ANY Search engine,” the company boasted as an extra “benefit” of this service.
Aglaya also offered censorship-as-a-service, or Distributed Denial of Service (DDoS) attacks, for only €600 a day, using botnets to “send dummy traffic” to targets, taking them offline, according to the brochure. As part of this service, customers could buy an add-on to “create false criminal charges against Targets in their respective countries” for a more costly €1 million.
Also starting at €1 million, customers could purchase a “Cyber Warfare Service” to attack “manufacturing” plants, the “power grid,” “critical network infrastructure,” and even satellites and airplanes. Aglaya even claimed to sell unknown flaws, or zero-days, in Siemens industrial control systems for €2 million.
Some of Aglaya’s offerings, according to experts who reviewed the document are likely to be exaggerated or completely made-up. But the document shows that there are governments interested in these services, which means there will be companies willing to fill the gaps in the market and offer them.
“Some of this stuff is really, really, sketchy,” Christopher Soghoian, the principal technologist at the American Civil Liberties Union, who has followed the booming market of surveillance tech vendors for years. “When you’re offering the ability to attack satellites and airplanes, this is not lawful intercept. This is basically ‘whatever you want we’ll try to do it.’ These guys are clearly mercenaries, what’s not clear is if they can deliver on their promises. This is not a company pretending that it’s solely focusing on the lawful intercept market, this is outsourcing cyber operations.”
Ankur Srivastava, the CEO and founder of Aglaya, did not deny that the brochure is legitimate, only saying this particular product sheet was passed on only to “one particular customer.”
“These products are not on our web site, with our customers and nor do they represent the vision of our product portfolio,” Srivastava said in an email. “This was a custom proposal for one customer only and was not pursued since the relationship did not come to fruition.”
Srivastava added that he regretted attending ISS because Aglaya was never able to close a deal and sell its services. He also claimed that the company doesn’t offer those kind of services anymore. (One of the organizers of ISS World did not respond to a request for comment, asking whether the conference vetted or condoned companies offering such services.)
“I would go the distance to aim to convince you that we are not a part of this market and unintentionally underwent a marketing event at the wrong trade-show,” he added.
When asked a series of more detailed questions, however, Srivastava refused to elaborate, instead reiterating that Aglaya never did any business as a government hacking contractor and that attending ISS was “an exercise of time and money, albeit, in futility.” He complained that his company’s failure was likely due to the fact that it is not based “in the West,” hypothesizing that most customers want “western” suppliers.
Asked for the identity of the potential customer who showed interest for these services, Srivastava said he did not know, claiming he only dealt with a reseller, an “agent” from South America who “claimed to have global connections” and “was interested in anything and everything.”
The document itself doesn’t offer any clues as to the country interested. But Latin American governments such as the ones in Mexico and Ecuador are known to have used Twitter bots and other tactics to launch disinformation campaigns online, much like the ones Aglaya was offering. Mexico, moreover, is a well-known big-spender when it comes to buying off-the-shelf spyware made by the likes of Hacking Team and FinFisher.
Srivastava also dodged questions about his company’s spyware products. But a source who used to work in the surveillance tech industry, who asked to remain anonymous to discuss sensitive issues, claimed to have seen a sample of Aglaya’s malware in the wild.
“It was crap,” the source said. “The code was full of references to Aglaya.”
One of his customers was targeted with it at the end of last year, when he received a new phone via mail, under the pretense that he had won a contest that turned out to be made up, according to the source. As ridiculous as this might be, this is actually how Aglaya targeted victims, given that they couldn’t admittedly get around Apple’s security measures and jailbreak the device to infect it with malware.
This sloppy workaround was described in an article in the spyware trade publication Insider Surveillance.
“For installation, Aglaya iOS Backdoor requires an unattended phone and a passcode,” the article read. “By ‘unattended’ we’re hoping they mean ‘idle,’ not ‘impounded.’ Or that they’re not expecting agents to sneak into the target’s bedroom to plant the malware…or wait for him to divulge the password while talking in his sleep.”
The anonymous source, in any case, said that there is certainly a market for the services offered by Aglaya, including the sketchier ones.
“I think it’s credible that there is interest for these type of services at least in certain countries in the Middle East,” the source said.
Another source, who also requested anonymity to speak freely, said that an Aglaya representative once claimed that his company had customers in the Middle East. The source also said that Aglaya’s claims of having abandoned the surveillance tech business are “a lie,” adding that he has seen an updated version of that brochure last year.
Aglaya might have some customers, but it’s likely a small fish in the surveillance and hacking business. There are certainly many more companies, likely with better services and more customers, that we don’t know about. We also might never know about them, unless they get caught because customers abuse their tools—as in the cases of NSO Group and Hacking Team—or their marketing materials leak online.
Often, these companies peddle both defensive and offensive services. Srivastava, after dodging most of our questions, offered to let us take a look at Aglaya’s latest product, dubbed SpiderMonkey, a device that detects “Stingrays” or IMSI-catchers, the surveillance gizmos used by police and intelligence around the world to track and intercept cellphone data.
“Please do keep us in mind,” he said, likely repeating a line that he told his unknown “one” customer two years ago.
Facebook Bans Deepfakes but Permits Some Altered Content
The social-media giant seeks to combat misleading content altered with artificial-intelligence tools.
Facebook Inc. FB 0.22% is banning videos that have been manipulated using advanced tools, though it won’t remove most doctored content, as the social-media giant tries to combat disinformation without stifling speech.
But as with many efforts by social-media companies to address content on their sites that is widely seen as problematic, Facebook’s move swiftly drew criticism for not going far enough and having too many loopholes.
The policy unveiled Monday by Monika Bickert, Facebook’s vice president for global policy management, is the company’s most concrete step to fight the spread of so-called deepfakes on its platform.
Deepfakes are images or videos that have been manipulated through the use of sophisticated machine-learning algorithms, making it nearly impossible to differentiate between what is real and what isn’t.
“While these videos are still rare on the internet, they present a significant challenge for our industry and society as their use increases,” Ms. Bickert said in a blog post.
Facebook said it would remove or label misleading videos that had been edited or manipulated in ways that would not be apparent to the average person. That would include removing videos in which artificial intelligence tools are used to change statements made by the subject of the video or replacing or superimposing content.
Social-media companies have come under increased pressure to stamp out false or misleading content on their sites ahead of this year’s American presidential election.
Late last year, Alphabet Inc. ’s Google updated its political advertisement policy and said it would prohibit the use of deepfakes in political and other ads. In November, Twitter said it was considering identifying manipulated photos, videos and audio shared on its platform.
Facebook’s move could also expose it to new controversy. It said its policy banning deepfakes “does not extend to content that is parody or satire, or video that has been edited solely to omit or change the order of words.” That could put the company in the position of having to decide which videos are satirical, which aren’t and where to draw the line on what doctored content will be taken down.
Henry Ajder, head of research analysis at cybersecurity startup Deeptrace, said deepfakes aren’t expected to be a big problem ahead of the election because the technology to make them hasn’t advanced enough. “That’s why some people think Facebook is focused on the long-term problem while neglecting to tackle the problem that’s right here right now.”
Facebook has already been trying to walk a thin line on other content moderation issues ahead of this year’s presidential election. The company, unlike some rivals, has said it wouldn’t block political advertisements even if they contain inaccurate information. That policy drew criticism from some politicians, including Sen. Elizabeth Warren, a Democratic contender for the White House. Facebook later said it would ban ads if they encouraged violence.
A Facebook spokeswoman said the company’s ban of deepfake videos will apply to political ads and they will be removed.
The new policy also marks the latest front in Facebook’s battle against those who use artificial intelligence to spread messages on its site. Last month, the company took down hundreds of fake accounts that used AI-generated photos to pass them off as real.
In addition to Facebook’s latest policy on deepfakes, which generally rely on AI tools to mask that the content is fake, the company also will continue to screen for other misleading content. It will also review videos that have been altered using less sophisticated methods and place limits on such posts.
The Facebook ban wouldn’t have applied to an altered video of House Speaker Nancy Pelosi. That video of a speech by Mrs. Pelosi—widely shared on social media last year—was slowed down and altered in tone, making her appear to slur her words. Facebook said the video didn’t qualify as a deepfake because it used regular editing, though the company still limited its distribution because of the manipulation.
Hany Farid, a computer science professor at the University of California, Berkeley called Facebook’s announcement “a positive step,” though one, he said, that was also too narrow. “Why focus only on deepfakes and not the broader issue of intentionally misleading videos?” he said, pointing to Facebook’s decision not to remove the altered video involving Ms. Pelosi and a similar one about former Vice President Joe Biden. “These misleading videos were created using low-tech methods and did not rely on AI-based techniques, but were at least as misleading as a deepfake video of a leader purporting to say something that they didn’t.”
Facebook’s Ms. Bickert, in the blog post, said, “If we simply removed all manipulated videos flagged by fact-checkers as false, the videos would still be available elsewhere on the internet or social-media ecosystem. By leaving them up and labeling them as false, we’re providing people with important information and context.”