In the parallel universe of last year’s Weird: The Al Yankovic Story, Dr. Demento encourages a young Al Yankovic (Daniel Radcliffe) to move away from song parodies and start writing
original songs of his own. During an LSD trip, Al writes “Eat It,” a 100% original song that’s definitely not based on any other song, which quickly becomes “the biggest hit by
Later, Weird Al’s enraged to learn from his manager that former Jackson 5 frontman Michael Jackson turned the tables on him, changing the words of “Eat It” to make his own parody,
This got me thinking: what if every Weird Al song was the original, and every other artist was covering his songs instead? With recent advances in A.I. voice cloning, I realized
that I could bring this monstrous alternate reality to life.
This was a terrible idea and I regret everything.
Everything that is wrong with, and everything that is right with, AI voice cloning, brought together in one place. Hearing
simulations of artists like Michael Jackson, Madonna, and Kurt Cobain singing Weird Al’s versions of their songs is… strange and unsettling.
Some of them are pretty convincing, which is a useful and accessible reminder about how powerful these tools are becoming. An under-reported story from a few years back identified what might be
the first recorded case of criminals using AI-based voice spoofing as part of a telephone scam, and since then the technology
needed to enact such fraud has only become more widely-available. While this weirder-than-Weird-Al project is first and foremost funny, for many it foreshadows darker things.
We’re going to use ENF matching to answer the question “here’s a recording, when was it (probably) taken?” I say “probably” because all that ENF matching can give us is a
statistical best guess, not a guarantee. Mains hum isn’t always present on recordings, and even when it is, our target recording’s ENF can still match with the wrong section of the
reference database by statistical misfortune.
Still, even though all ENF matching gives us is a guess, it’s usually a good one. The longer the recording, the more reliable the estimate; in the academic papers that I’ve read 10
minutes is typically given as a lower bound for getting a decent match.
To make our guess, we’ll need to:
Extract the target recording’s ENF values over time
Find a database of reference ENF values, taken directly from the electrical grid serving the area where the recording was made
Find the section of the reference ENF series that best matches the target. This section is our best guess for when the target recording was taken
We’ll start at the top.
About a year after Tom Scott did a video summarising how deviation over time (and location!) of the background electrical “hum”
produced by AC power can act as a forensic marker on audio recordings, Robert Heaton’s produced an excellent deep-dive into how you
can play with it for yourself, including some pretty neat code.
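The three-step procedure quoted above, worked end to end as an added example (my code, not Robert Heaton’s and not the post’s): a constructed mean-reverting random walk stands in for the grid-frequency reference database, a constructed recording carries a hum that follows a slice of it, the hum frequency is estimated once per second by a direct peak search, and the slice is located in the reference by sliding correlation. All parameters, the recording and the reference are constructed.

```python
import math
import random

# Constructed parameters for this demo (not from the original post or its sources).
SAMPLE_RATE = 400      # Hz; ample for a 50 Hz hum (real recordings are decimated first)
NOMINAL_HZ = 50.0      # UK grid nominal frequency (60 Hz in North America)
WINDOW_SECONDS = 1     # one ENF estimate per second, the cadence of the reference
SEARCH_HZ = 0.2        # look for the hum within +/- 0.2 Hz of nominal
STEP_HZ = 0.01         # spacing of the candidate frequencies in the peak search


def make_reference_enf(minutes, seed=1):
    """Constructed stand-in for a grid-frequency database: one reading per second from a
    mean-reverting random walk around nominal. A real database is logged off the mains."""
    rng = random.Random(seed)
    deviation, series = 0.0, []
    for _ in range(minutes * 60):
        deviation = 0.8 * deviation + rng.gauss(0.0, 0.01)
        series.append(round(NOMINAL_HZ + deviation, 4))
    return series


def synthesise_recording(enf, hum_amplitude=0.5, noise_sigma=0.03, seed=2):
    """Constructed audio: a hum whose frequency follows `enf` second by second, plus
    white noise standing in for everything else on the recording."""
    rng = random.Random(seed)
    samples, phase = [], 0.0
    for hz in enf:
        for _ in range(SAMPLE_RATE * WINDOW_SECONDS):
            phase += 2.0 * math.pi * hz / SAMPLE_RATE    # continuous-phase oscillator
            samples.append(hum_amplitude * math.sin(phase) + rng.gauss(0.0, noise_sigma))
    return samples


def extract_enf(samples):
    """Step 1: for each one-second window, correlate the (Hann-weighted) samples against
    sinusoids on a fine grid around nominal and keep the frequency with the strongest
    response: a direct DTFT peak search, so no FFT library is needed."""
    n = SAMPLE_RATE * WINDOW_SECONDS
    hann = [0.5 - 0.5 * math.cos(2.0 * math.pi * i / (n - 1)) for i in range(n)]
    candidates = [NOMINAL_HZ - SEARCH_HZ + k * STEP_HZ
                  for k in range(round(2 * SEARCH_HZ / STEP_HZ) + 1)]
    tables = []
    for hz in candidates:
        w = 2.0 * math.pi * hz / SAMPLE_RATE
        tables.append((hz, [hann[i] * math.cos(w * i) for i in range(n)],
                           [hann[i] * math.sin(w * i) for i in range(n)]))
    enf = []
    for start in range(0, len(samples) - n + 1, n):
        window = samples[start:start + n]
        best_hz, best_power = NOMINAL_HZ, -1.0
        for hz, cos_tab, sin_tab in tables:
            real = sum(s * c for s, c in zip(window, cos_tab))
            imag = sum(s * c for s, c in zip(window, sin_tab))
            power = real * real + imag * imag
            if power > best_power:
                best_hz, best_power = hz, power
        enf.append(round(best_hz, 4))
    return enf


def pearson(xs, ys):
    """Correlation coefficient between two equal-length series (bias-invariant)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def best_match(target_enf, reference_enf):
    """Step 3: slide the target series along the reference and return the offset
    (seconds into the reference) with the highest correlation, plus that score."""
    n = len(target_enf)
    best_offset, best_score = None, -2.0
    for offset in range(len(reference_enf) - n + 1):
        score = pearson(target_enf, reference_enf[offset:offset + n])
        if score > best_score:
            best_offset, best_score = offset, score
    return best_offset, best_score


def locate_recording(samples, reference_enf):
    """Whole pipeline: audio samples in, (best-guess start second, score) out."""
    return best_match(extract_enf(samples), reference_enf)


def demo(true_offset=217, target_seconds=180):
    """Cut a recording out of a constructed 10-minute reference starting at
    `true_offset` and check whether matching recovers that offset."""
    reference = make_reference_enf(minutes=10)
    recording = synthesise_recording(reference[true_offset:true_offset + target_seconds])
    return locate_recording(recording, reference)


if __name__ == "__main__":
    offset, score = demo()
    print(f"best guess: recording starts {offset} s into the reference (r = {score:.3f})")
```

The score is the “statistical best guess” the quoted text warns about: a short target or a flat stretch of reference can produce a confident-looking match at the wrong offset, so a real tool would also report how far the best score sits above the runner-up.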
I remember first learning about this technique a few years ago during my masters in digital forensics, and my first thought was about
how it might be effectively faked. Faking the time of recording of some audio after the fact (as well as removing the markers) is challenging, mostly because you’ve got to ensure you
pick up on the harmonics of the frequencies, but it seems to me that faking it at time-of-recording ought to be reasonably easy: at least, so long as you’re already equipped with a
mechanism to protect against recording legitimate electrical hum (isolated quiet-room, etc.):
Taking a known historical hum-pattern, it ought to be reasonably easy to produce a DC-to-AC converter (obviously you want to be running off a DC circuit to begin with, e.g. from batteries, so you
don’t pick up legitimate hum) that regulates the hum frequency in a way that matches the historical pattern. Sure, you could simply produce the correct “noise”, but doing it this way
helps ensure that the noise behaves appropriately under the widest range of conditions. I almost want to build such a device, perhaps out of an existing portable transformer (they come
in big battery packs nowadays, providing a two-for-one!) but of course: who has the time? Plus, if you’d ever seen my soldering skills you’d know why I shouldn’t be allowed to work on
anything like this.
There’s a bird feeder in my garden. I’ve had it for about a decade now – Ruth got it for me, I think, as a thirtieth birthday present – and it’s still going strong and mostly-intact, despite having been uprooted on several
occasions to move house.
I like that I can see it from my desk.
This month, though, it lost a piece, when one of its seed cages was stolen in a daring daylight heist by a duo of squirrels who climbed up the (“climb-proof”) pole, hung upside-down
from the hooks, and unscrewed the mechanism that held the feeder in place.
Not content to merely pour out and devour the contents, the miscreants made off with the entire feeder cage. It hasn’t been seen since. I’ve scoured the lawn, checked behind
the bushes, peered around bins and fence posts… it’s nowhere to be found. It’s driving me a little crazy that it’s vanished so thoroughly.
I can only assume that the squirrels, having observed that the feeder would routinely be refilled once empty, decided that it’d be much more-convenient for them if the feeder were
closer to their home:
“Every time we steal the nuts in this cage, more nuts appear…”
“Yeah, it’s a magic cage. Every squirrel knows that, Peanut!”
“…but we have to come all the way down here to eat them…”
“It’s a bit of a drag, isn’t it?”
“…so I’ve been thinking, Coco: wouldn’t it be easier if the cage was… in our tree?”
I like to imagine that the squirrels who live in whatever-tree the feeder’s now hidden in are in the process of developing some kind of cargo cult around it. Once a week, squirrels sit
and pray at the foot of the cage, hoping to appease the magical god who refills it. Over time, only the elders will remember seeing the feeder ever being full, and admonish their
increasingly-sceptical younger ones to maintain their disciplined worship. In decades to come, squirrel archaeologists will rediscover the relics of this ancient (in squirrel-years)
religion and wonder what inspired it.
Or maybe they dumped the feeder behind the shed. I’d better go check.
There’s a lot of talk lately about scam texts pretending to be from Royal Mail (or other parcel carriers), tricking victims
into paying a fee to receive a parcel. Hearing of recent experiences with this sort of scam inspired me to dissect the approach the scammers use… and to come up with ways in which the
scams could be more-effective.
Let’s take a look at a scam:
Anatomy of a Parcel Fee Scam
A parcel fee scam begins with a phishing email or, increasingly, text message, telling the victim that they need to pay a fee in order to receive a parcel and directing them to a
website to make payment.
If the victim clicks the link, they’ll likely see a fake website belonging to the company who allegedly have the victim’s parcel. They’ll be asked for personal and payment
information, after which they’ll be told that their parcel is scheduled for redelivery. They’ll often be redirected back to the real website as a “convincer”. The redirects
often go through a third-party redirect site so that your browser’s “Referer:” header doesn’t give away the scam to the
legitimate company (if it did, they could e.g. detect it and show you a “you just got scammed by somebody pretending to be us” warning!).
Many scammers also set a cookie so they’ll recognise you if you come back: if you return to the scam site with this cookie in-place, they’ll redirect you instantly to the genuine
company’s site. This means that if you later try to follow the link in the text message you’ll see e.g. the real Royal Mail website, which makes it harder for you to subsequently
identify that you’ve been scammed. (Some use other fingerprinting methods to detect that you’ve been victimised already, such as your IP address.)
Typically, no payment is actually taken. Often, the card number and address aren’t even validated, and virtually any input is accepted. That’s because this kind of scam isn’t
about tricking you into giving the scammers money. It’s about harvesting personal information for use in a second phase.
Once the scammers have your personal information they’ll either use your card details to make purchases of hard-to-trace, easy-to-resell goods like gift cards or, increasingly, use all
of the information you’ve provided in order to perform an even more-insidious trick. Knowing your personal, contact and bank details, they can convincingly call you and pretend to be your bank! Some sophisticated fraudsters will even highlight the parcel fee scam you
just fell victim to in order to gain your trust and persuade you that they’re genuinely your bank, which is a very powerful convincer.
Why does the scam work?
A scam like the one described above works because each part of it is convincing on its own, and the parts are delivered separately.
Being asked to pay a fee to receive a parcel is a pretty common experience, and getting texts from carriers is too. A lot of people are getting a lot more stuff mail-ordered than they
used to, right now, and that – along with the Brexit-related import duties that one in ten people have had to pay – means that it seems perfectly reasonable to
get a message telling you that you need to pay a fee to get your parcel.
Similarly, I’m sure we’ve all been called by our bank to discuss a suspicious transaction. (When this happens to me, I’ve always said that I’ll call them back on the number on my
card or my bank statements rather than assume that they are who they claim to be. When I first started doing this, 20 years ago, this sometimes frustrated bank policies, but
nowadays they’re more accepting.) Most people, though, will willingly believe the legitimacy of a person who calls them up, addresses them by name and claims to be from their bank.
Separating the scam into two separate parts, each of which is individually unsuspicious, makes it more effective at tricking the victim than simpler phishing scams.
Anybody could fall for this. It’s not about being smart and savvy; lots of perfectly smart people become victims of this kind of fraud. Certainly, there are things you can do (like learning to tell a legitimate domain name from a probably-fake one and only ever talking to your bank if you
were the one who initiated the call), but we’re all vulnerable sometimes. If you were expecting a delivery, and it’s really important, and you’re tired, and you’re
distracted, and then a text message comes along pressuring you to pay the fee right now… anybody could make a mistake.
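The domain-name check mentioned above, as an added example that is not part of the original post: it reduces each link in a text message to the domain somebody actually had to register, which is the only part of a hostname a scammer cannot make read “royalmail.co.uk”. The suffix table is a small constructed subset of the Public Suffix List, the sample messages are constructed, and the carrier’s genuine domain is a parameter (the post’s “royalmail.co.uk” is used below).

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org); a real checker
# should load the full list, since the split below is only as good as this table.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "gov.uk", "ac.uk"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Return the public suffix plus one label: the part of the hostname that had to be
    registered. Everything to the left is a subdomain under the registrant's control,
    so 'royalmail.co.uk.scamsite.com' reduces to 'scamsite.com'."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels) in PUBLIC_SUFFIXES:          # bare suffix: nobody registered it
        return None
    for i in range(1, len(labels)):                   # first hit is the longest suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None                                       # suffix not in our table


def assess_link(url, expected_domain):
    """Classify one link against the carrier's genuine registrable domain.
    Returns (verdict, what_was_actually_seen)."""
    host = urlsplit(url).hostname                     # drops any 'user@' decoy and port
    if not host:
        return ("unparseable", None)
    if host.replace(".", "").isdigit() or ":" in host:
        return ("ip-address", host)                   # carriers don't link to raw IPs
    seen = registrable_domain(host)
    if seen is None:
        return ("unknown-suffix", host)
    return ("ok" if seen == expected_domain.lower() else "lookalike", seen)


def assess_message(text, expected_domain):
    """Run assess_link over every http(s) link found in a text message."""
    return [(url, *assess_link(url, expected_domain)) for url in URL_RE.findall(text)]


# Constructed sample messages in the shape the post describes.
SCAM_TEXT = ("Royal Mail: your parcel is awaiting a £1.99 fee. "
             "Pay at https://royalmail.co.uk.scamsite.com/ to arrange redelivery.")
GENUINE_TEXT = "Track your item at https://track.royalmail.co.uk/item?ref=YRC0D35"

if __name__ == "__main__":
    for text in (SCAM_TEXT, GENUINE_TEXT):
        for url, verdict, seen in assess_message(text, "royalmail.co.uk"):
            print(f"{verdict:>14}  {str(seen):<18}  {url}")
```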
The scammers aren’t really trying
But do you know what: these scammers aren’t even trying that hard. There’s so much that they could be doing so much “better”. I’m going to tell you, off the top of my head,
four things that they could do to amplify their effect.
Wait a minute: am I helping criminals by writing this? No, I don’t think so. I believe that these are things that they’ve thought of already. Right now, it’s
just not worthwhile for them to pull out all the stops… they can make plenty of money conning people using their current methods: they don’t need to invest the time and energy into
doing their shitty job better.
But if there’s one thing we’ve learned it’s that digital security is an arms race. If people stop falling for these scams, the criminals will up their game. And they
don’t need me to tell them how.
I’m a big fan of trying to make better attacks. Even just looking at site-spoofing scams I’ve
been doing this for a couple of decades. Because if we can collectively get ahead of security threats, we’re better able to defend against them.
So no: this isn’t about informing criminals – it’s about understanding what they might do next.
How could the scammers be more effective?
I’d like to highlight four ways that this scam could be made more-effective. Again, this isn’t about helping the criminals: it’s about thinking about and planning for what
tomorrow’s attacks might look like.
1. SMS Spoofing
Most of these text messages appear to come from random mobile numbers, which can be a red flag. But it’s distressingly easy to send a text message “from” any other number or even from
a short string of text. Imagine how much more-convincing one of these messages would be if it appeared to come from e.g. “Royal Mail” instead?
A further step would be to spoof the message to appear to come from the automated redelivery line of the target courier. Many parcel delivery services have automated lines you can call,
provide the code from the card dropped through your door, and arrange redelivery: making the message appear to come from such a number means that any victim who calls it will hear a
genuine message from the real company, although they won’t be able to use it because they don’t have a real redelivery card. Plus: any efforts to search for the number online (as is
done automatically by scam-detection apps) will likely be confused by the appearance of the legitimate data.
SMS spoofing is getting harder as the underlying industry that supports bulk senders tries to clean up its image, but it’s still
easy enough to be a real (yet underexploited) threat.
2. Attention to detail
Scammers routinely show a lack of attention to detail that can help give the game away to an attentive target. Spelling and grammar mistakes are commonplace, and compared to legitimate
messages the scams generally have suspicious features like providing few options for arranging redelivery or asking for unusual personal information.
They’re getting a lot better at this already: text messages and emails this year are far more-convincing, from an attention-to-detail perspective, than they were three years ago. And
because improvements to the scam can be made iteratively, it’s probably already close to the “sweet spot” at the intersection of effort required versus efficacy. But the bad guys’
attention to detail will only grow and in future they’ll develop richer, more-believable designs and content based on whatever success metrics they collect.
3. Tracking tokens
On which note: it amazes me that these SMS scams don’t yet seem to include any identifier unique to the victim. Spam
email does this all the time, but a typical parcel scam text directs you to a simple web address like https://royalmail.co.uk.scamsite.com/. A smarter scam could
send you to e.g. https://royalmail.co.uk.scamsite.com/YRC0D35 and/or tell you that your parcel tracking number was e.g. YRC0D35.
Not only would this be more-convincing for anybody who’s familiar with the kind of messages that are legitimately left by couriers, it would also facilitate the gathering of a great
deal of additional metrics which scammers could use to improve their operation. For example:
How many, and which, potential victims clicked the link? Knowing this helps plan future scams, or for follow-up attacks.
Pre-filling personal data, even just a phone number, acts as an additional convincer, or else needn’t be asked at all.
Multivariate testing can determine which approaches work best: show half the victims one form and half the victims another and use the results as research for future evolution.
These are exactly the same techniques that legitimate marketers (and email spammers) use to track engagement with emails and advertisements. It stands to reason that any
sufficiently-large digital fraud operation could benefit from them too.
4. Partial submission analysis
I’ve reverse-engineered quite a few parcel scams to work out what they’re recording, and the summary is: not nearly as much as they could be. A typical parcel scam site will
ask for your personal details and payment information, and when you submit it will send that information to the attacker. But they could do so much more…
I’ve spoken to potential victims, for example, who got part way through filling the form before it felt suspicious enough that they stopped. Coupled with tracking tokens, even
this partial data would have value to a determined fraudster. Suppose the victim only gets as far as typing their name and address… the scammer now has enough information to
convincingly call them up, pretending to be the courier, ask for them by name and address, and con them out of their card details over the phone. Every single piece of metadata has
value; even just having the victim’s name is a powerful convincer for a future text message campaign.
There’s so much more that parcel fee SMS scammers could be doing to increase the effectiveness of their campaigns, such as the
techniques described above. It’s not rocket science, and they’ll definitely have considered them (they won’t learn anything new from this post!)… but if we can start thinking
about them it’ll help us prepare to educate people about how to protect themselves tomorrow, as well as today.
Thieves didn’t even bother with a London art gallery’s Constable landscape—and they still walked away with $3 million.
This comic is perhaps the best way to enjoy this news story, which describes the theft of £2.4 million during an unusual… let’s call it an “art heist”… in 2018. It has many of the
characteristics of the kind of heist you’re thinking about: the bad guys got the money, and nobody gets to see the art. But there’s a twist: the criminals never came anywhere near the
This theft was committed entirely in cyberspace: the victim was tricked into wiring the money to pay for the painting into the wrong account. The art buyer claims that he made
the payment in good faith, though, and that he’s not culpable because it was the seller’s email that must have been hacked. Until it’s resolved, the painting’s not on display, so not
only do the criminals have the cash, nobody gets to see the painting either.
The first thing people usually want to know is what getting stabbed feels like. The
answer is that it feels like getting punched really hard. Or at least, I assume it’s what getting hit feels like. I’ve never been punched. I have been stabbed six times.
I’ll back up. And I’ll try not to make this too writerly, but I’m fighting my instincts. I wanted to add a quote from an Auden poem about suffering, but I desisted. Please admire my
You have to understand, this kind of thing doesn’t happen in Wellington. It doesn’t happen in most places, but it especially doesn’t happen in a small city in New Zealand, in a
park, at 11:30 a.m.
I go back and forth. It wasn’t that bad, I tell myself. It could have been much worse, people have survived much worse. And then I look at my scars, still red
and new, and I think: But it was pretty bad, wasn’t it? It is possible I could have died. What if I hadn’t had my phone? If I hadn’t met someone on the path? I could
have bled out somewhere between the trees. But of course, it’s useless to think about what-ifs. What if he had stabbed me in the heart? What if I hadn’t gone to
the park at all? What if I died in a car crash tomorrow? It’s a pointless exercise.
Author Emma Berquist writes about her experience of the (extremely unusual) incident she was involved in, of being stabbed by a stranger in a park in Wellington. An inspiring personal
A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the
fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s
AdSense account for suspicious traffic.
The shape of our digital world grows increasingly strange. As anti-DoS techniques grow better and more and more uptime-critical
websites hide behind edge caches, zombie network operators remain one step ahead and find new and imaginative ways to extort money from their victims. In this new attack, the criminal
demands payment (in cryptocurrency) under threat that, if it’s not delivered, they’ll unleash an army of bots to act like the victim trying to scam their advertising network,
thereby getting the victim’s site demonetised.
For the past month or two, my place of work (this very website) has been plagued by a relatively harmless but deeply mystifying figure: the phantom lunch thief. What’s happened since
has followed a trajectory sure to be familiar to anyone who’s ever worked in an office with more than, say, 30 employees: a menacing, all-caps Post-It note was posted, instructing the
thief: “PLEASE DO NOT TAKE FOOD THAT DOESN’T BELONG TO YOU.” The appropriate authorities were alerted. The authorities sent out slightly mean emails about how we’re all adults here,
and even those of us who didn’t do anything wrong were embarrassed. For a few days, no lunches were stolen. But then, just when you thought it was safe to leave an Amy’s frozen
burrito in the shared fridge for 12 days, the lunch thief struck again. Collectively, and publicly — all wanting to make very clear that we were innocent — my colleagues and
I wondered: who does this? What kind of person steals lunch from people they work with, and why?
To find out, I had to identify one such person. First, I offered my own office lunch thief immunity (or, well, anonymity) if they came forward to tell me their life story, but nobody
took me up on it. I asked Twitter, where many people expressed outrage over the very idea of lunch theft, but again, no actual thieves surfaced. I even made a Google Form about it,
and nobody filled out my Google Form. I was very nearly too dejected to continue my search when I remembered: Reddit. If not there, where?
On Reddit, I found a few lunch theft discussion threads, and messaged about 15 or 20 users who indicated that they had
stolen, or would steal, lunch from a co-worker, several of whom sounded very pleased with themselves. I told them I was a reporter, and asked if they’d be willing to
elaborate on their experiences in lunch theft. Unfortunately, most relevant postings I found were from, like, four years ago, and again it seemed no one would come forward. But then
someone wrote me back. Eventually he agreed to speak with me, and we arranged a phone call. His name is Rob, and he’s a programmer in his early 40s. Together we decided there are
probably enough programmers in their 40s named Rob that divulging this amount of personal information was okay.
As a non-lunch-stealer, I’ve never understood the mentality either (I’ve been the victim once or twice at work, and more often way back when I lived in student accommodation), and this
interview really helped to humanise a perpetrator. I still can’t condone it, but at least now I’ve got a greater understanding. Yay, empathy!
Nowadays, fraudulent online stock-trading schemes are common. But even before the first electric telegraph, two bankers committed the equivalent of modern-day Internet stock fraud.
Fabulous article from 1999 about how two bankers in 1837 hacked additional data into the fledgling telegraph system to surreptitiously (and illicitly) send messages to give
them an edge at the stock exchange. Their innovative approach is similar to modern steganographic systems that hide information in headers, metadata, or within the encoding of invisible characters.
Tens of thousands of people every year are packed into vans run by for-profit companies with almost no oversight.
In July 2012, Steven Galack, the former owner of a home remodeling business, was living in Florida when he was arrested on an out-of-state
warrant for failing to pay child support. Galack, 46, had come to the end of a long downward spiral, overcoming a painkiller addiction only to struggle with crippling anxiety. Now, he
was to be driven more than a thousand miles to Butler County, Ohio, where his ex-wife and three children lived, to face a judge.
Like dozens of states and countless localities, Butler County outsources the long-distance transport of suspects and fugitives. Galack was loaded into a van run by Prisoner
Transportation Services of America, the nation’s largest for-profit extradition company.
Crammed around him were 10 other people, both men and women, all handcuffed and shackled at the waist and ankles. They sat tightly packed on seats inside a cage, with no way to lie
down to sleep. The air conditioning faltered amid 90-degree heat. Galack soon grew delusional, keeping everyone awake with a barrage of chatter and odd behavior. On the third day, the
van stopped in Georgia, and one of two guards onboard gave a directive to the prisoners. “Only body shots,” one prisoner said she heard the guard say. The others began to stomp on
Galack, two prisoners said.
The guards said later in depositions that they had first noticed Galack’s slumped, bloodied body more than 70 miles later, in Tennessee. A homicide investigation lasted less than a
day, and the van continued on its journey. The cause of death was later found to be undetermined.
“This is someone’s brother, father, and it’s like nobody even cared,” said Galack’s ex-wife, Kristin Galack.
In early June 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone
haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long
haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major
jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating…
As a result of a couple of different health issues and the death of my
old and much-loved mobile, August wasn’t shaping up to be a very good month already. But the biscuit was really taken this week during what turned into An Unexpectedly Expensive
An Unexpectedly Expensive Night Out
It started okay: Ruth and I went out for tapas, then for cocktails, and then to the cinema to watch the
(pretty disappointing) Cowboys & Aliens. So a good start, getting worse. The
food was cheap (hooray for vouchers!), the cocktails were reasonably priced (although we did have… a few of them), and the cinema was aided by Orange Wednesdays, so all seemed to be going pretty well, so far, until we came to going home.
Because when we got back to the cycle racks, my bike wasn’t there. By the look of things, somebody cut through my bike lock and had away with it, rendering me bikeless. Suddenly, it
became a far more-expensive night out than I’d planned for.
They say that you haven’t lived in Oxford until you’ve had your bike stolen. Well: now I have, and I’ve learned an important lesson about the ineffectiveness
of moderate-security cable locks like the Kryptonite HardWire (the lock I was
using) when up against thieves who are willing to put in the effort to, for example, bring bolt cutters on a night out.
I spoke to a police officer yesterday who’s going to see if any of the nearby CCTV cameras are going to be of any use in finding the bugger. But in the meantime, I’ve had enough
of August. It’s had highlights, like Liz & Simon’s wedding, but mostly it’s been
A conversation I had this morning with JTA, via text message:
Boiler update: this is getting silly. The probability-weighted Markov-chain based predictive text system I’m using this morning saw me type “boi” and suggested “Boiler update:”? /sighs/
On the upside, I’ve successfully arranged for the new distributor valve to be installed on Friday, when I’ll be around.
To give a little background, we’re having trouble with the boiler on Earth. You may have observed that
it broke last year, and then again this year: well – it’s still broken, really. Nowadays it’ll only produce a
little hot water at a time, and makes a noise like that scene in Titanic where the ship begins to tear
in two. You know – a bad noise for a boiler to make. Over the last two or three weeks we’ve repeatedly fought to get it repaired, but it’s been challenging: more on that
in a different blog post, if JTA doesn’t get there first.
On the plus side, at least this saga is overriding your phone’s memory of your previous life as a male prostitute. :-)
I was once mistaken for a gay prostitute, actually – by a gay prostitute – but that’s another story, I guess. In any case, I responded:
Until now! You’ve just mentioned that again, which means it’ll be the “last message received” when the paramedics go through my phone if I’m killed on the way to work this morning. And
they’ll say, “yeah; I’d pay to have sex with him.”
Quickly followed by:
And his mate will say:
“Now he’s dead, you don’t HAVE to pay.”
If my corpse is raped by a paramedic, I’m blaming you.
To which JTA said:
You’re talking about people who drive blacked out vans full of drugs. I’m pretty sure they never pay.
From prostitution to necrophilia to date rape over the course of only a handful of text messages. What a great start to a Wednesday morning. I do like the image of an ambulance as “a
blacked out van full of drugs,” though…
If you’re not following Castle, yet, you should be. I can’t believe that I’ve not
recommended this more loudly by now, but seriously, this show is awesome. And I’m not just saying that because the episode I watched most-recently was the single best bit of Whedonverse fan service outside of the Whedonverse. And would be great even if it
The ten-second summary for those of you with short attention spans: Nathan
Fillion (of Buffy/Firefly/Dr. Horrible fame) plays Richard Castle, a crime fiction writer who’s drafted into helping the NYPD on a murder case. He then
continues to hang around (thanks to his connections with the mayor and the chief of police) with detective Kate Beckett – played by Stana Katic (she was in Quantum of Solace, but we remember her most-fondly from the third Librarian film) – in an
effort to use her as the inspiration for his next fictional crime fighter, Nikki Heat. Its cleverly-spun mysteries will appeal to mystery lovers and its comedic elements – generally
quite dry but sometimes verging on the silly – prevent the show from being “just another crime drama.”
The third season’s broadcasting right now (and you can also watch it on Hulu, assuming that you’re in the USA or you know how to Google
for how to “watch Hulu without a proxy or VPN”), and the first two seasons are available on DVD. You’ve got my recommendation; now go try it.