We Have a RAT Problem Says DCA

“We the consumers are outgunned and outmanned. We don’t have the tools needed to protect ourselves.  While you are still better off having a 2013 anti-virus program, it won’t protect you against zero-day malware anymore than the polio vaccine will protect you from Ebola.”

That quote is from the introduction of a new report published last week by the Digital Citizens Alliance entitled Selling “Slaving.”  It focuses on an especially pernicious form of malware called RATs (Remote Access Trojans); the users of these applications; their victims; and the enablers — both corporate and criminal — that help spread and even monetize this growing trend in what sounds a bit like hobbyist hacking.  I have never explicitly recommended reading a whole report of this nature before — often the bulk of a study contains a lot of data supporting the main findings — but I do recommend reading all of this one.  Not only does it discuss a cybersecurity threat of concern to any computer or device user anywhere, but the report reads much more like a very long article that provides insight into the nature, motives, methods, and victims of this class of hackers called ratters.  Their brands of mischief include a wide range — from pranking people for sophomoric amusement; to identity and data theft; to slaving built-in webcams on the computers of women and girls to record Peeping Tom photos and videos that may or may not be used for the purposes of extortion and/or sold through black-market channels trading in child pornography.

The DCA report indicates that ratting is on the rise — and going mobile — but readers should take particular note of the lack of sophistication required relative to the amount of harm that can be caused to victims who fall prey to RATs.  In fact, many ratters can hardly be called hackers at all because they don’t hack into computers by means of any remarkable coding skills. Instead, the unsuspecting victim inadvertently downloads malware to her operating system, and a ratter is then able to control that computer (slave it) using one of a handful of cheap, easy-to-acquire, easy-to-operate software applications. An attack can be targeted (i.e. aimed at a specific victim like someone the ratter knows and has a motive to assault), but it seems that most victims are random people downloading files they assume are innocuous but that contain RAT malware.

Probably the most archetypal story of a malicious and targeted RAT assault — one the DCA report cites in some detail — is that of Cassidy Wolf, the California teenager, who was voted Miss Teen USA in 2013.  In the months leading up to her pageant victory, Wolf was the victim of a ratter, who turned out to be a teenage boy at her high school named Jared Abrahams.  Abrahams had taken control of Wolf’s computer as well as her entire social media presence, and she was completely unaware that he had been slaving her webcam to capture naked images of her until the day she received an anonymous email threatening to leak these images and other personal information on the Web, saying that he would ruin her career plans by turning her into an “internet porn star.”  His demand in trade for his silence was that she provide him with a “sexually explicit” video; and Wolf has been rightly praised for her courage in standing up to her assailant, even after he made good on his threat to release compromising images. She contacted the FBI, went public with her story, and used her pageant celebrity status to raise awareness of the problem. Her decision helped lead to the identification and conviction of Abrahams, and by the time authorities caught up with him, they discovered he had been “slaving” the devices of approximately 150 young women and female minors around the world.  He served 18 months and is currently under house arrest.

Abrahams was a relatively sophisticated hacker — and he clearly chose to target Cassidy Wolf — but many ratters are more casual, random, and technologically inept than Abrahams, so they turn to the same resource many of us use for How-To advice — YouTube.  The fledgling ratter (sometimes called a script kiddie) need not find some remote corner of the dark web in order to learn how to spread and use RAT malware because there are dozens — if not hundreds — of tutorial videos on YouTube right now that provide complete, step-by-step guides to ratting along with helpful comments and links by fellow ratters.  (See, the Web really is about community!) In addition to these tutorials, we find ratter “fan vids,” which are not so much tutorial in nature as  vicarious viewing, so you can watch a ratter harass or spy on a victim while narrating his  observations like “Dude, watch this!” and “Oh, fuck, did you see that?  This shit is sick.”

Image: RATs on YT. Just one of many ratter videos on YouTube. All the visible titles suggest tutorials in how to be a ratter.

Collectively, both the tutorial and the ratter “fan videos” have tens of thousands of views, and the DCA report indicates that about 38 percent of these videos are ad-supported, which means that both Google and the ratter are earning some revenue from the ad buys of major brand advertisers.  This means Google has a problem that reads something like this:  “This illegal invasion of an underage girl’s bedroom brought to you by Procter & Gamble.”  And as much as I criticize Google for profiting from the exploitative aspects of digital life, I would not be surprised if the company seeks to mitigate its role as an enabler of ratting just as it has with a zero-tolerance approach to keeping child pornography out of the Google-verse.  The DCA recommends Google assign a “human team” to address the role that both search and the YouTube platform are playing in this regard, but it cannot be overlooked that the Internet industry’s larger policy agenda, advocating a “hands off” approach to all things Web, provides cover for bad actors in a variety of ways.

And that brings us to one of the primary channels through which RATs are spread (and you’ll be terribly surprised), which is illegal file-sharing sites.  Because Trojan Horse malware is delivered by sneaking the malicious code into an OS while the user downloads a file he/she assumes is safe, it stands to reason that the black-market world of illegal media and software provides an ideal hunting ground for ratters to set their traps.  In fact, some of those tutorials on YouTube demonstrate how a ratter can download a file from, say, kickasstorrents, modify the file with his RAT, then re-upload the newly infected file awaiting random downloaders because, y’know, “sharing.”

By these methods, ratters trap random prey to be fed upon at leisure and prioritized according to the intent of the ratter.  This may include mining victims for credit card or other sensitive information;  or the ratter may slave the computer to mine bitcoins or to spread RAT infiltration to a larger system, like the victim’s place of business.  But in many cases, it seems, the goal of many a low-skilled ratter (i.e. teenage boys and young men) is to gain access to the computers of women and girls who have webcams.  Thus, as ratters manage to trap these prized victims (often with the enthusiasm of trophy hunters), they sell the IP addresses to other ratters — like commodities in their own little RAT exchange — where access to a boy’s computer sells for about $1 while access to a girl’s computer sells for about $5, according to the DCA.

Now, I have at least implied in the past that piracy sites should be boycotted by anyone who considers herself — or himself — a defender of feminist principles.  In addition to the fact that the site owners directly profit from advertising links to “services” that are tied to varying degrees of exploitation of women (e.g. MEET ASIAN GIRLS NOW!!), this DCA study of RATs demonstrates that these sites also unintentionally provide fertile ground for spreading malware that is consistently used to exploit girls, which is apparently valued at a 5:1 ratio over the exploitation of boys. I’m not sure what else needs to be said about that.

Finally, the DCA report does contain some indication as to how Internet companies, users, and law enforcement might actually work to address the challenge of this growing risk of personal invasion.  But in order to get there, the public will first have to accept that Internet companies and law enforcement have a role to play, that our RAT infestation is just more evidence that a free-for-all policy on the Web is a fundamental failure.

Zoë Keating Ponders YouTube Service

I have to direct readers’ attention to this blog post by composer and cellist Zoë Keating.  It is the clearest articulation I have yet read about the rock-and-hard-place terms demanded of artists who are considering participation in YouTube’s paid streaming service Music Key.  Keating outlines some of the non-negotiable terms she doesn’t like, for instance that her entire catalog becomes fair game anywhere on YouTube and that she must release new work on Music Key simultaneously with any other release. And if Keating or any other artist does not wish to participate in Music Key, no problem, Google will simply throw your work to the wolves.

What does that mean?

Presently, Keating and other artists participate in YouTube’s Content ID program. The way it works is when someone uploads a video with Keating’s music on it, robots identify the track and send her a notice giving her options, including an option to monetize the video.  Many artists, Keating included, choose either to let the video remain without ads, or choose to monetize it with ads; and they typically only seek removal of offensive or unlicensed commercial uses.  But for all the noise people like to make about “new business models,” the Content ID program cannot generally be called an opportunity for artists, so much as it is a band-aid applied long after the bleeding of music’s value had begun.  It’s YouTube saying, “Well, people are going to use your music online and we’re going to monetize that, and there’s not much you can do about it, so here’s a slice of the pie.”  But nobody should think for a minute that Content ID is a revenue stream that most artists consider a portion of sustainable income. Still, it does provide artists a view of where their music is being used on the service, and this certainly has value.

But along comes Music Key with terms artists don’t like — last year there were several reports about the meager revenue shares in the offer — but an artist who declines to participate in Music Key will automatically lose his/her Content ID account.  As Zoë Keating describes, this puts her in the unfortunate position of potentially removing almost 10,000 videos and upsetting thousands of fans, or gritting her teeth and accepting YouTube’s exploitative terms for Music Key. But, the implication here is actually worse…

If an artist were to decline the Music Key deal, and next month there were 40,000 videos using her music, she could neither participate in the revenue nor very effectively remove those videos due to the slow and cumbersome DMCA notice-and-takedown process. Plus, Google’s bots are no longer identifying her music for her because she’s had that account revoked.  And if she did avail herself of DMCA for removal of any videos, YouTube will show users its frowny face icon, and the EFF will catalog the removal with the Chilling Effects database, making the artist look like she’s being a greedy, mean, censor.  See, it’s not so much a new model as it is a very old model coming back into vogue.

But Zoë Keating makes a very important point in her article about copyright itself.  If you pay attention to the facts she lays out — and she’s much friendlier about it than others, including me — you will notice that the central conflict she has with the YouTube predicament is the limiting of her choices as an artist.  This is something people continue to overlook:  that in most cases, what the artist wants is to retain his or her right to decide how works are used — by whom, for compensation or not, the timing and manner of presentation and distribution, etc.  People talk about copyright as though its last remaining use is for big media corporations to scrape every nickel out of a property it bought forty years ago. And they like to make generalizations like, “the labels have screwed artists for years.” But no label was ever able to say, “Hey, take this deal, or I’ll just give your music away and sell ads to the crowds I draw.” Here’s Keating on the comparison between the old boss and the new boss:

“But I want to decide what to do when. That is a major reason why I decided in 2005 to self-publish rather than chase after a record deal. I am independent because I didn’t want a bunch of men in suits deciding how I should release my music. For 10 years I have managed to bushwhack a circuitous path around them but now I’ve got to find a way around the men in hoodies and crocs . . .”

Others have said it before, and Keating is saying it again. The new boss wears a new uniform, but he’s just another boss. Only this time he has a worse deal in one pocket and a rock in the other.  Or as Keating puts it, having been an early evangelist of the Internet’s cultural potential, “the revolution has been corporatized.”

“More YouTubes” My Foot

First of all, name if you can the serious competitors of any of the following: Facebook, YouTube, Amazon, eBay, Twitter, Google.

Go back ten years, name the biggest sites on the web, and you might notice that some of those names are either gone or really quite small compared to the dominant sites today. It isn’t even necessarily sinister, but it is a fact that the Web doesn’t tend to foster competition so much as it fosters monopolies — some short-term, others long-term.  In the potentially short-term monopoly category, we might look at Facebook’s current dominance and recognize that the company could make a misstep that turns us all off (or we could just get bored), and the site would evaporate into MySpace obscurity.  In the long-term category of web-based monopolies, we look at an Amazon and understand that its elaborate and capital-intensive fulfillment system would be very hard to replicate or beat rapidly enough to realistically grab much of its market-share.  And then, we look at a YouTube, which is somewhere between a Facebook and an Amazon inasmuch as there are other video hosting options but none that are owned by the company that also owns (i.e. controls) more than 90% of search worldwide. So, if you want to use video to promote yourself, your business, your ideas, your work, or even your shaking booty, YouTube is really your only option. And Google likes it that way.  What company wouldn’t?

Still, mere market dominance and unlimited wealth aren’t enough for some people; they want your soul, and they’ll tell you any lie in order to get it.  For instance, I offer this brief article about a panel discussion called Expand NY on which some of the usual suspects sat agreeing with one another about the future of copyright, all predicated on the assumption that copyright is just one legal framework that remains an out-of-date barrier to future economic growth in the digital age.  But even if you don’t give a damn about copyright, pay attention, because like I say, these people want your soul, by which I mean to argue that companies like Google ultimately want a world where people no longer believe they have a right to privacy or a right to control how their words or images are used.  The war against copyright should be viewed by the general public as the precedent-setting, legal groundwork for a world in which certain civil rights simply cease to exist.  And when your kids’ birthday video can be used to sell McDonald’s without your permission, you might find the expression “steal your soul” is no exaggeration.

But what does that have to do with the panel discussion in New York? If a premise is false, the conclusion is also false. And the reason I draw attention to this discussion is not to argue about its conclusions — that copyright may or may not need updating — but that people with false, even dangerous, premises have no business in the debate. The premise being put forth is that a framework like copyright is stifling economic potential in the digital age, but the reason we can know this is a false premise — other than the 20 years of history — is that Julie Samuels of the Electronic Frontier Foundation says it’s a false premise when she overreaches with a really big and tactically dumb lie.  At the bottom of the article, Samuels is quoted as saying, “We want a thousand more YouTubes,” and this is meant to be an example of that as-yet untapped potential growth supposedly being stymied by pesky copyrights.  But who is it that wants a thousand more YouTubes?  Google certainly does not, and anyone who believes otherwise is a sucker.

So, if by “we,” Samuels presumes to mean “we the people,” then we the people can do the math and see that there will never be so many as three more YouTubes in a world where there remains only one Google encoding the fate of all Internet search. At a certain point, the cost of entry for a presumptive competitor is too high for the same reason you’d be hard-pressed to replicate what Amazon does. And that financial threshold was crossed a long time ago. As Google now earns an estimated $52 billion in annual revenue, I double-dog dare anyone to approach a VC with a business plan to be the “next YouTube.” Copyright may indeed be due for review and even revision to reflect new technological realities, and I certainly agree with one point made by panelist Mike Masnick, that copyright review could be “good or bad depending on who’s involved.” So, if he and his colleagues would stop promoting utter bullshit, maybe responsible review can proceed.