Beware Your BOWKYs!

From the Authenticity Dictionary: BOWKY, n: BOt Who Knows You.

Your BOWKYs Are More Dangerous Than Traditional Botnets

What's a BOWKY, you ask?

Well, the BO is for Bot. We'll get to the WKY in a moment, but first let's take a look at the largely hidden world of bots and botnets.

You’ve probably been the target of a botnet.

Let’s review how botnets have targeted you.

Botnets have been around for years. Traditionally, a human bot herder invents a batch of a few dozen fake identities, each with a different name, personality, and set of interests. An algorithm then sends them out, each to befriend individuals in social networks whose attributes match those with a particular fake person. So, one bot may befriend tens of thousands or even millions of real people, harvesting likes and follows and eventually money.

Your money.

Or, instead of befriending, the bot may be assigned to launch a phishing campaign, or send out fake invoices for something a particular batch of people will recognize as something they may have ordered, given the target’s interests – which of course the bot knows about.

Or, a would-be dictator uses a botnet to get the people to believe that their nation is being attacked by a neighboring country, or infiltrated by criminal gangs, or whatever source of fear works best.

Where do the bots get their information about each of us?

They get it from Silibandia of course.

All that personal information about you is gathered – stolen, really – by the companies of Silibandia, that is, Silicon Valley plus the broadband and media industries plus their feeders. In effect, they burglarize your “information home,” the collection of digital spaces that you trust with your PII – your big dossier of personally identifiable information. The personal information is then sold by information brokers to buyers from every kind of organization, from legitimate retailers to those who use botnets to perpetrate fraud and theft.

Until now, botnets have been crafted by hand, as Sutton Smith explains in this video.

(She talks really fast, so here’s the text from that video):

I’m a former tech employee who created and sustained a bot farm between 2015 and 2018 in California USA.
I wanna give you guys some information because American bot farm operators are pretty rare. Most bot farms operate overseas. I don’t know if there’s anyone like me in the US that can tell you this stuff is all I’m saying.
I’m typically way more secretive about this but it’s gotten so bad I need to talk about it.
So what is a bot farm? It’s something that a company or individual purchases – you get a set amount of bots that look like normal people to go out and spread your message.
And here’s the work that goes into that:
I as the operator have to create each individual fake person. I have to create a bio, a picture, a username, a real name. Then I have to generate content that has to be supportive of the message that the client is paying for. Positive opinion of the company or the individual.
If anyone has ever tried to create content [you know that] that takes time. It also takes ideas.
Finally you need to program those bots based on activity. Bots respond to what you do. You think that you going around and liking things is invisible – it’s not. You’re leaving a footprint across the app. That footprint is tracked by people like me, so based on what other people like or comment on, I program my bot to go and search for those people, find them and interact with them with my content that supports the message that I’ve created.
This programming also includes research to find the people that are the most susceptible to believing the message that you’re selling, and targeting those people.
This is just scratch on the surface of like what it takes to program one of these, and people are buying hundreds of them.
Now here’s the interesting part: the software to run all those bots is not free. And the time that it takes to create all the things that I just told you about – also not free. All of this stuff costs money. If you’re seeing nonstop videos posted with a certain agenda, someone is paying for that! So when you see a dump / a ton of media that’s telling you all the same message, do not say wow, what a thing happening right now. Please instead say wow, who’s trying to buy my opinion on this topic.

On X, Smith was asked whether she does political bots, to which she answered

No fam, I'm not THAT dirty!

But of course there are plenty of botnet builders who aren’t so fastidious.

But Wait, There’s (or will be) More!

Seemingly every industry is being transformed by artificial intelligence, and the botnet industry is no different. Artificial intelligence is supercharging the botnet industry. Those old labor intensive methods described by Sutton Smith are about to be replaced by AI generation of bots and AI research.

BOWKY, n: BOt Who Knows You.

A BOWKY is a bot who knows you as well as your social media “friends” do.

Actually, each of your BOWKYs knows literally more about you than your mother knows about you. It has at its digital fingertips, and uses, a huge database about you, collected by Silibandia. It's your history of everything you have ever done or written online, or spoken in the presence of some “smart speakers.”

BOWKY Gang, n: A group of BOWKYs, each of whom has access to the same large database of information about you, and who together engage you in chats as though you’re with friends in a cafe or bar, sharing information about human acquaintances and getting you to believe and act as they want you to believe and act.

You will have hundreds of BOWKYs, all directed by their owners to get you to believe whatever they want you to believe, and do whatever they want you to do.

Prepare for the day when that dictator purchases a swarm of ten million BOWKYs to seek out members of an opposition group. The BOWKYs will be instructed to convince you and me that the opposition is a dire threat, that they should be dealt with harshly because they are your evil enemy.

“Sure, no problem, Your Excellency. That BOWKYnet will be 10 bitcoins please. Soon as we receive the funds we’ll get right on it.”

You might dismiss the threat by saying, "I can tell whether it's really my friend Joe Jones or Sally Smith in that video..." But if Joe or Sally has ever posted or even sent a video with their face and voice in it, your BOWKY can craft a convincing video using their facial image, a sample of their voice, plus the database about them, to create a video, or simply an email, urging you to do whatever the owner of your BOWKY herd wants you to do. You'll trust it because hey, Joe and Sally are your friends and you trust their judgment, right?

The scammers begin with real photos and voice samples of real people, from which an AI video generator creates a very convincing video of the person speaking words they never actually spoke and never intended to speak.

Is there a solution to the BOWKY threat?

Yes, there is a solution. But the solution is not to get people to be vigilant. People are told to scrutinize emails and social media posts for signs of fakery.

I'd call it bad advice, but until we do things differently, it’s all we can do.

Scams are everywhere.

And as they get more and more sophisticated, they’re draining the bank accounts of not just the gullible but those who exercise healthy skepticism as well.

Unfortunately, things are going to get much worse when the BOWKY-based botnets start proliferating.

It's great that bloggers, podcasters and journalists are calling attention to the ever more convincing scam videos. Unfortunately they tend to offer a non-solution as though it's a remedy: "Be on guard! Recognize the fakes!" - right after showing how difficult it is even for experts to recognize the fakes.

An anecdote will illustrate why we need to do better. Every year I go to the AGC and RSA cybersecurity conferences in San Francisco and the many evening parties sponsored by exhibitors. At the parties, I'll arrange to chat over a beer with a CISSP-certified security expert. After a while I'll say (disingenuously, I confess) "You know, I have to admit, I've clicked on an occasional bad link and bad email attachment..."

Over fifty per cent of the time, the person I'm talking to, you know, the expert whose job is to educate their organization's staff to watch for and recognize phishing emails, bad links and bad attachments, will respond, "Yeah, I know, I've done that too..."

So there's a quick assessment of the value of eternal vigilance to fight fakes: It does not work. Full stop.

The sad thing is that there exists a very well proven set of solutions to the problem of fakes, and it's based on the same technology that you, dear reader, are using right now, as evidenced by the "https://" that starts the address for this page. But SSL / TLS, as is so often the case, has been deployed by technologists who have less of an understanding of the real world they're attempting to protect their users from than the typical user themselves.

It’s an old movie trope: a bright but naive technologist installs a crime prevention device which is then easily bypassed by a not particularly bright criminal.

Dare I blatantly stereotype engineers as being naive about real bad guys in the real world?

Well, that's obviously too broad. Engineers in what I call the CTBG ("catch the bad guys") portion of the cybersecurity industry, which includes practically the whole industry, do spend their days in futile speculation over how cybercriminals tell the world what they're up to. (Spoiler alert: They don't. But lots of money is made chasing the un-catchable.)

You know the other old movie trope where the grizzled old detective teaches his young replacement to “think like a criminal”?

Yeah, the engineers who built the internet don’t know how to do that. They’re just way too nice.

SSL/TLS relies on sources of authority (certification authorities) which, like StartCom, can be, and are, bought and sold. (StartCom had a reputation for integrity. Can you guess what buyer might be particularly interested in a CA that has a reputation for integrity, that is, has an integrity asset?) But the technologists who came up with the site certificate system tended not to understand such real world opportunities for corruption. (Search for StartCom for the grim details.)

While the technologists beg to be guided by people with a wider understanding of the problem they've been asked to solve, typically the user recoils from the thought of learning enough of the technology to know what's possible and how it can be applied. So the technology is put to use by those who, like Blanche DuBois, say to the world "Whoever you are, I have always depended on the kindness of strangers."

Again, we can solve the problem; but solving the problem requires doing things differently.

The first step is to step back and think about our assumptions about our online world.

The internet used to be called an "information highway" and the name still fits.

So... what is a highway? How do we use highways?

A highway is an outdoor public transport system, right?

And don't we typically use highways to get from one building to another? Because in real life we need these accountability spaces, indoor spaces where you tend to know who's in the room with you. We use the outdoor highway to get to those accountability spaces called buildings – but the buildings are apart from the highway.

Also, the decision to design and construct a new building, a new accountability space for our own purposes, has little or nothing to do with a decision to change the way a highway works. If you want to change red lights to blue, that would be an impossibly immense project, involving roadway intersections around the world. By contrast, your building needs only to comply with building codes and to serve your own purposes and no one else's.

It's often noted that what the internet has lacked, at least since the addition of the markings and signage layer called the World Wide Web, is accountability. "On the internet, no one knows you're a dog"... or a fake person.

Well, accountability is what's lacking in all outdoor spaces, whether physical or digital. On the highway or in a public park, it's no one's business who you are unless you choose to disclose that to others (or unless you're caught snatching a purse.)

So the point is, humankind came up with buildings to 1) provide shelter from the elements, and 2) provide spaces of accountability. In the physical world, buildings do both jobs well.

And in both physical and digital online spaces, highways do their job well.

But while our digital online world has a wonderful highway system... where are the indoor online accountability spaces that are accessed via, but are separate from, the highway?

Answer: they don't exist.

Yes, we have VPNs and portals that resemble public accommodations and we have "zero trust" assumptions that go with them. But... if what's lacking is accountability, why do we not have digital buildings?

In fact, the technology mentioned earlier, SSL/TLS and https://, is what gives us "tunnels" through the internet, and it's a wonderful set of construction materials for building a tunnel. But hey, think about a tunnel: is it a building? Well, a tunnel is secure in the middle, yes, so the claims of SSL/TLS/https are legitimate.

But would you hold your meetings, keep your files, and let your kids hang out in a tunnel? Of course not – because a tunnel is wide open at the ends, free for any fraudster or thief to come in and mess up your life.

Instead of a tunnel, picture an enclosed pedestrian footbridge between two office buildings. There's a reception lobby in each building, and a receptionist whose job it is to ensure that people entering either have employee badges or else their ID has been checked and they've been issued visitor badges, and probably disclosed who they're visiting.

So I mentioned that the construction material for buildings is old and proven, and in fact the rest of the methods and technologies (mostly methods) with which to have secure accountability spaces are old and proven as well. But there are lots of such components because buildings are at least as complex as highways, and the methods for constructing and managing buildings (occupancy permits etc.) have accumulated over centuries.

So allow me to introduce the world's ugliest acronym. Lots of letters, but I guarantee that if you build spaces that check off each letter, you will have a digital building (residence, clubhouse, office building, office-retail complex, stadium, etc.) that provides exactly the solution to the problem presented in that video about deep fakes.

Here's the acronym and what it stands for:

The Ugly Acronym is

DIBPKICMUPFDICTDSMERIOUPAA.

It stands for

DIgital Buildings

that are built with

PKI Construction Materials

and which are accessed by

Universal Password-Free Digital Identity Certificates

which also enable

True DIgital Signatures

and which represent

MEasurably Reliable Identities

and also which are

Owned by the User

and which protect

Privacy

through

Accountable Anonymity

As I said, ugly. But it solves the problem. If you were to build a space for your people that checks off all the boxes, you would be able to assure them that every image, every video, is digitally signed by the individual human being who takes responsibility for its content, and that every person you encounter is accountable for what they say and do - even if they don't disclose their identity. (Think about your car's license plate. It makes you accountable for what happens on public roadways, but no one gets to know your identity unless there's been an incident.)

And, oh yes, there’s this: you can't change so much as a single pixel on a digitally signed image or video without the signature showing up as invalid. If someone captures your video explaining your views on a subject and decides to change the parts they don't like, the video will tell the viewer that it's been tampered with and not to trust it.
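The tamper-evidence claim above, as an added example that is not code from the original post: the post calls for PKI and true digital signatures but names no algorithm, so Ed25519 (from Go's standard library), the SignedContent bundle, the byte index that gets edited and the sample "video" bytes are all my assumptions. It shows the three outcomes a viewer's software would see: the untouched media verifies, the same media with one byte changed fails, and media re-signed by a stranger but presented under Joe's public key also fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedContent bundles a piece of media (the bytes of an image or video)
// with the signer's public key and the signature over those bytes.
// Assumed structure for this example; the post describes no wire format.
type SignedContent struct {
	Media     []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Sign produces a SignedContent for media using the signer's private key,
// which in the post's model is held by the user, not by a platform.
func Sign(priv ed25519.PrivateKey, media []byte) SignedContent {
	return SignedContent{
		Media:     append([]byte(nil), media...),
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, media),
	}
}

// Verify reports whether the media still matches the signature under the
// bundled public key. Any change to the bytes, the signature or the key
// yields false; a malformed key is rejected rather than allowed to panic.
func Verify(sc SignedContent) bool {
	if len(sc.PublicKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(sc.PublicKey, sc.Media, sc.Signature)
}

// Tamper returns a copy of sc whose media has one bit flipped at byte index i
// while the original signature is kept, modelling an edited frame.
func Tamper(sc SignedContent, i int) SignedContent {
	out := sc
	out.Media = append([]byte(nil), sc.Media...)
	out.Media[i%len(out.Media)] ^= 0x01
	return out
}

// Demo runs the full scenario on constructed sample media and returns
// (original verifies, edited copy verifies, stranger's re-signed copy verifies).
func Demo() (bool, bool, bool) {
	// Constructed sample "video": in practice these would be the file's bytes.
	media := []byte("frame0: Joe says: I support the proposal; frame1: ...")

	// Joe's key pair (assumed to be generated on Joe's own device).
	_, joePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed := Sign(joePriv, media)

	// Someone changes one byte of the video and keeps Joe's signature.
	edited := Tamper(signed, 20)

	// A stranger re-signs the edited media with their own key and then
	// presents it as if it were Joe's by attaching Joe's public key.
	_, strangerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	forged := Sign(strangerPriv, edited.Media)
	forged.PublicKey = signed.PublicKey

	return Verify(signed), Verify(edited), Verify(forged)
}

func main() {
	ok, edited, forged := Demo()
	fmt.Printf("original=%v edited=%v forged=%v\n", ok, edited, forged)
}
```

What the block does not do is bind the public key to the human "Joe"; that is the job of the identity certificate the acronym lists, and without it a viewer only learns that the bytes are unchanged since some key signed them.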

The digital world that we spend more and more of our lives in every year can be fixed. But it can't be fixed by telling people to be vigilant.

We have to do things differently.

We have to stop living, working, and letting our kids hang out in cardboard boxes beside the information highway.