Fighting the fraudulent privacy gadget epidemic
Digital privacy and security took center stage in 2013, when we learned the extent of government surveillance on citizens under the Patriot Act. This paved the way for the success of privacy and security focused gadgets such as Blackphone, which received $30 million in investment before a prototype was even made.
Combined with increasing public concern about hacking and security, a never-ending wave of too-good-to-be-true privacy gadgets have been raking in the dough through crowdfunding websites such as Indiegogo and Kickstarter.
None in the wave of magic gadgets has yet to deliver a single working product -- and funders are getting restless.
With the exposure of yet another fake magic privacy box on Kickstarter, and its subsequent silent shutdown, it's clear this problem isn't going away anytime soon.
Bottled rainwater
Right now, pretty much anyone can buy a generic router box on Alibaba, write a promo page saying it guarantees security, privacy and anonymity (as well as protecting users from hackers and malware) and stick it up on Kickstarter to walk away with piles of cash. And they are.
Nearly 100 years ago, famed magician and escape artist Harry Houdini turned his focus from occult showmanship to debunking the world of spirit mediums. Like modern privacy profiteers, these fake psychics bilked people out of cash using mystery and fear; and like Houdini, a wave of extremely annoyed information security professionals have been going after our modern charlatans for turning their hard work into scam material.
Unfortunately, getting the powers that be to listen has been nigh to impossible -- and the past six months has seen upwards of half a million bucks disappear into the ether.
Despite debunkings and calls for crowdfund campaign cancellations, these gadgets are closing funding rounds well over their minimums.
Anonabox, promising Tor in a box and famously outed in press and blogs for assorted misrepresentations, then ejected from Kickstarter, conned trusting Indiegogo funders out of a tidy $82,643. Some boxes were delivered, then recalled for failing security basics -- many funders still haven't gotten their box.
Wemagin's Kickstarter completed at $54,607. It was actually called WEMAGIN PRIVACY GADGET, and debunked publicly. Wemagin still has not shipped.
Webcloak, which would have "singlehandedly prevented the Sony Pictures Entertainment hack," walked away with $61,215 in Kickstarter cash, and still hasn't delivered.
The backers who paid $174,382 for iGuardian (now SHIELD) are also waiting for their products.
So are the backers who paid $57,794 for LogmeOnce: The most Secure USB + Password Manager.
The latest entry in the privacy gadget chicanery sweepstakes is Sever: The Anti-Villain Box, whose Kickstarter page shuttered abruptly this week with no explanation -- though its cancellation was in the wake of a lengthy blog post debunking its wild claims made the rounds on Twitter infosec communities over the weekend.
Despite debunkings, these "magic box" charlatans keep coming, people keep funding them, and crowdfunding sites don't seem well-equipped to stop them.
On top if it all, the security reporting gold rush has produced a green crop of security reporters who, for now at least, are easily fooled into believing these entrepreneurs' claims and unintentionally send trusting funders into the fray.
I can imagine some readers saying, "It doesn't really hurt anyone, I mean, I haven't heard of this stuff actually being dangerous to anyone."
If a woman bought one of these products believing its claims, and she was trying to hide from an abusive ex, would we hear about it if it failed? No, I don't think we would.
But that can't be proven, some might say. A privacy fool and their money are soon parted, so there. Only dumb people believe wild security claims! You might argue, they're stupid to trust Anonabox, or even Indiegogo, or Kickstarter, for that matter. It's natural selection! It's tough love, infosec style!
And that may be true, to some extent. But take a look at how much care and commentary was put into debunking Sever, and its comments, and you'll see that even the scaliest of infosec hearts retch at how badly people are being lied to by these guys.
If you see these claims, RUN
Perhaps crowdfunding sites can learn from the recent past, and post a set of consumer guidelines for security gadgets. Based on the recent spate of well-informed criticism by infosec pros on illogical claims made by security snake oil salesmen, it wouldn't be too difficult.
A cheat sheet for non-technical people might look like this...
- Protects against crypto-lockers. Sever: Nothing at this point in history protects against cryptolockers.
- Would have stopped the Sony hack. Webcloak: The Sony hack was initiated by a disgruntled employee, not script kiddies.
- Run far and fast from anything the confuses (or conflates) privacy and anonymity, promises super speeds, is a privacy product that comes with an app store. (Sever)
- When people ask technical questions and the inventor goes on the attack, avoids the question, uses a barrage of buzzwords, or plays mind games. Anonabox attacked, then avoided questions on Reddit and in Kickstarter comments. Wemagin's creator went on outrageous rants about being persecuted and attempted to publish private details on at least one critic in Wemagin's comments. Sever made a bizarre video to mock the highly respected infosec professionals who asked questions and wrote criticism.
- Promises a "powerful new" or "secret" encryption algorithm, describes basic internet or computer functions as if they are special features, , or claims to be open source and proprietary at the same time (Sever).
- Claims "No more backdoors!" Anonabox: Since it was revealed that the creators didn't build the product, or really build the software, they can't make that claim.
- It "leaves no trace" on your computer.Wemagin.
- Uses "top secret level" or "government-level" encryption. Webcloak, Sever: Unless this has been released to the public, this claim is a complete lie.
- Says it can defeat Chinese censorship. Wemagin: Inexplicably, Wemagin's latest update of excuses for late delivery says that they're working with the Chinese government on the feature that circumvents Chinese censorship.
- "It can be used inside countries like North Korea safely." Wemagin: Scan the Iran Prisoner List and you'll see plenty of arrests, charges, imprisonments in Evin prison, and death sentences for bloggers, webmasters, engineers, website designers, numerous "netizens," journalists, "web activists" and computer experts. An ordinary VPN alone is not enough to protect you from a nation-state.
A little digging goes a long way
Do they claim to make the whole thing from scratch, or suggest a fishy history of prototypes?
In October, Anonabox's creator claimed it had been working on multiple custom prototypes over a span of four years.
Intrigued, I did a Google "search by image" on Anonabox's press photos and found the rig for sale on a Chinese website.
.@marcwrogers @stonemirror Nifty side-by-side screenshot with Germar's image from @a_greenberg's Wired piece: pic.twitter.com/U95vkCcPhr
-- Violet Blue ® (@violetblue) October 15, 2014
Researcher Rajan found Wemagin's custom USB gadget -- claiming "Four separate molds have been made" and "There are 4 manufacturers on standby" -- was actually an off the shelf USB stick from China.
Speaking of researchers, read the comments. Security professionals are very interested in these gadgets, and you'll often find the comments on a Kickstarter brimming with questions and answers... and they're not shy about pointing out when something is fishy, or false.
Lastly, use the power of search. Google for blog posts, where researchers might have debunked crazy claims, and definitely search Twitter, where infosec communities will chat about the gadgets and pick them apart. Search by using the product's name as a hashtag.
Right now, the environment is ripe for privacy and anonymity snake oil salesmen, from consumer to enterprise.
The problem is real, and solving it isn't going to be simple.
Few people understand security minutiae, let alone the basics in ways security pros do -- so it remains all too easy for fakers to hype the hacking fears, make impossible promises, take the money, and run.
It's kind of heartbreaking.
But I have to admit -- watching infosec pros skillfully Harry Houdini these fakesters into raving, paroxsymal fits online is ridiculously entertaining.