(Source)

Malwarebytes

All Gmail users at risk from clever replay attack

All Google accounts could end up compromised by a clever replay attack on Gmail users abusing Google infrastructure.

Cybercriminals are abusing Google’s infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials. This attack, first flagged by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), a blockchain equivalent of the popular internet naming convention known as the Domain Name System (DNS). Nick received a very official looking security alert about a subpoena allegedly issued to Google by law enforcement to information contained in Nick’s Google account. A URL in the email pointed Nick to a sites.google.com page that looked like an exact copy of the official Google support portal.

As a computer savvy person, Nick spotted that the official site should have been hosted on accounts.google.com and not sites.google.com. The difference is that anyone with a Google account can create a website on sites.google.com. And that is exactly what the cybercriminals did. Attackers increasingly use Google Sites to host phishing pages because the domain appears trustworthy to most users and can bypass many security filters. One of those filters is DKIM (DomainKeys Identified Mail), an email authentication protocol that allows the sending server to attach a digital signature to an email. If the target clicked either “Upload additional documents” or “View case”, they were redirected to an exact copy of the Google sign-in page designed to steal their login credentials. Your Google credentials are coveted prey, because they give access to core Google services like Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Maps, Google Play, and YouTube, but also any third-party apps and services you have chosen to log in with your Google account. The signs to recognize this scam are the pages hosted at sites.google.com which should have been support.google.com and accounts.google.com and the sender address in the email header. Although it was signed by accounts.google.com, it was emailed by another address. If a person had all these accounts compromised in one go, this could easily lead to identity theft.

How to avoid scams like this

Don’t follow links in unsolicited emails or on unexpected websites.

Carefully look at the email headers when you receive an unexpected mail.

Verify the legitimacy of such emails through another, independent method.

Don’t use your Google account (or Facebook for that matter) to log in at other sites and services. Instead create an account on the service itself.

Technical details Analyzing the URL used in the attack on Nick, (https://sites.google.com[/]u/17918456/d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/edit) where /u/17918456/ is a user or account identifier and /d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/ identifies the exact page, the /edit part stands out like a sore thumb. DKIM-signed messages keep the signature during replays as long as the body remains unchanged. So if a malicious actor gets access to a previously legitimate DKIM-signed email, they can resend that exact message at any time, and it will still pass authentication. So, what the cybercriminals did was: Set up a Gmail account starting with me@ so the visible email would look as if it was addressed to “me.” Register an OAuth app and set the app name to match the phishing link Grant the OAuth app access to their Google account which triggers a legitimate security warning from no-reply@accounts.google.com This alert has a valid DKIM signature, with the content of the phishing email embedded in the body as the app name. Forward the message untouched which keeps the DKIM signature valid. Creating the application containing the entire text of the phishing message for its name, and preparing the landing page and fake login site may seem a lot of work. But once the criminals have completed the initial work, the procedure is easy enough to repeat once a page gets reported, which is not easy on sites.google.com. Nick submitted a bug report to Google about this. Google originally closed the report as ‘Working as Intended,’ but later Google got back to him and said it had reconsidered the matter and it will fix the OAuth bug.

Link

..... uhhhhhhh you want to run all that by me again? what the fuck? no really what the fuck?

She fully didn't watch the segment because Jon did a very nuanced, thoughtful segment. He drilled down to kids just wanting to have a community and have fun.

What these TERFS are pissed off about is that he showed how disingenuous y'all are when you go "omg that trans athlete hit a ball really hard and it hurt a cis women" because when you look into it cis women even on their team hit harder then them. Because he pointed out that cis girls harm each other in sports all the damn time. He pointed out that when there was a bill to protect cis women athletes against sexual predators like coaches. Y'all decided not to pass that while passing an anti-trans bills all while claiming you just care about protecting women.

It's a pretty place!

Belgium - Brussel in one minute

Paying consumer debts is basically optional in the United States

The vast majority of America's debt collection targets $500-2,000 credit card debts. It is a filthy business, operated by lawless firms who hire unskilled workers drawn from the same economic background as their targets, who routinely and grotesquely flout the law, but only when it comes to the people with the least ability to pay.

America has fairly robust laws to protect debtors from sleazy debt-collection practices, notably the Fair Debt Collection Practices Act (FDCPA), which has been on the books since 1978. The FDCPA puts strict limits on the conduct of debt collectors, and offers real remedies to debtors when they are abused.

But for FDPCA provisions to be honored, they must be understood. The people who collect these debts are almost entirely untrained. The people they collected the debts from are likewise in the dark. The only specialized expertise debt-collection firms concern themselves with are a series of gotcha tricks and semi-automated legal shenanigans that let them take money they don't deserve from people who can't afford to pay it.

There's no better person to explain this dynamic than Patrick McKenzie, a finance and technology expert whose Bits About Money newsletter is absolutely essential reading. No one breaks down the internal operations of the finance sector like McKenzie. His latest edition, "Credit card debt collection," is a fantastic read:

https://www.bitsaboutmoney.com/archive/the-waste-stream-of-consumer-finance/

McKenzie describes how a debt collector who mistook him for a different PJ McKenzie and tried to shake him down for a couple hundred bucks, and how this launched him into a life as a volunteer advocate for debtors who were less equipped to defend themselves from collectors than he was.

McKenzie's conclusion is that "paying consumer debts is basically optional in the United States." If you stand on your rights (which requires that you know your rights), then you will quickly discover that debt collectors don't have – and can't get – the documentation needed to collect on whatever debts they think you owe (even if you really owe them).

The credit card companies are fully aware of this, and bank (literally) on the fact that "the vast majority of consumers, including those with the socioeconomic wherewithal to walk away from their debts, feel themselves morally bound and pay as agreed."

If you find yourself on the business end of a debt collector's harassment campaign, you can generally make it end simply by "carefully sending a series of letters invoking [your] rights under the FDCPA." The debt collector who receives these letters will have bought your debt at five cents on the dollar, and will simply write it off.

By contrast, the mere act of paying anything marks you out as substantially more likely to pay than nearly everyone else on their hit-list. Paying anything doesn't trigger forbearance, it invites a flood of harassing calls and letters, because you've demonstrated that you can be coerced into paying.

But while learning FDCPA rules isn't overly difficult, it's also beyond the wherewithal of the most distressed debtors (and people falsely accused of being debtors). McKenzie recounts that many of the people he helped were living under chaotic circumstances that put seemingly simple things "like writing letters and counting to 30 days" beyond their needs.

This means that the people best able to defend themselves against illegal shakedowns are less likely to be targeted. Instead, debt collectors husband their resources so they can use them "to do abusive and frequently illegal shakedowns of the people the legislation was meant to benefit."

Here's how this debt market works. If you become delinquent in meeting your credit card payments ("delinquent" has a flexible meaning that varies with each issuer), then your debt will be sold to a collector. It is packaged in part of a large spreadsheet – a CSV file – and likely sold to one of 10 large firms that control 75% of the industry.

The "mom and pops" who have the other quarter of the industry might also get your debt, but it's more likely that they'll buy it as a kind of tailings from one of the big guys, who package up the debts they couldn't collect on and sell them at even deeper discounts.

The people who make the calls are often barely better off than the people they're calling. They're minimally trained and required to work at a breakneck pace. Employee turnover is 75-100% annually: imagine the worst call center job in the world, and then make it worse, and make "success" into a moral injury, and you've got the debt-collector rank-and-file.

To improve the yield on this awful process, debt collection companies start by purging these spreadsheets of likely duds: dead people, people with very low credit-scores, and people who appear on a list of debtors who know their rights and are likely to stand on them (that's right, merely insisting on your rights can ensure that the entire debt-collection industry leaves you alone, forever).

The FDPCA gives you rights: for example, you have the right to verify the debt and see the contract you signed when you took it on. The debt collector who calls you almost certainly does not have that contract and can't get it. Your original lender might, but they stopped caring about your debt the minute they sold it to a debt-collector. Their own IT systems are baling-wire-and-spit Rube Goldberg machines that glue together the wheezing computers of all the companies they've bought over the last 25 years. Retrieving your paperwork is a nontrivial task, and the lender doesn't have any reason to perform it.

Debt collectors are bottom feeders. They are buying delinquent debts at 5 cents on the dollar and hoping to recover 8 percent of them; at 7 percent, they're losing money. They aren't "large, nationally scaled, hypercompetent operators" – they're shoestring operations that can only be viable if they hire unskilled workers and fail to train them.

They are subject to automatic damages for illegal behavior, but they still break the law all the time. As McKenzie writes, a debt collector will "commit three federal torts in a few minutes of talking to a debtor then follow up with a confirmation of the same in writing." A statement like "if you don’t pay me I will sue you and then Immigration will take notice of that and yank your green card" makes the requisite three violations: a false threat of legal action, a false statement of affiliation with a federal agency, and "a false alleged consequence for debt nonpayment not provided for in law."

If you know this, you can likely end the process right there. If you don't, buckle in. The one area that debt collectors invest heavily in is the automation that allows them to engage in high-intensity harassment. They use "predictive dialers" to make multiple calls at once, only connecting the collector to the calls that pick up. They will call you repeatedly. They'll call your family, something they're legally prohibited from doing except to get your contact info, but they'll do it anyway, betting that you'll scrape up $250 to keep them from harassing your mother.

These dialing systems are far better organized than any of the company's record keeping about what you owe. A company may sell your debt on and fail to keep track of it, with the effect that multiple collectors will call you about the same debt, and even paying off one of them will not stop the other.

Talking to these people is a bad idea, because the one area where collectors get sophisticated training is in emptying your bank account. If you consent to a "payment plan," they will use your account and routing info to start whacking your bank account, and your bank will let them do it, because the one part of your conversation they reliably record is this payment plan rigamarole. Sending a check won't help – they'll use the account info on the front of your check to undertake "demand debits" from your account, and backstop it with that recorded call.

Any agreement on your part to get on a payment plan transforms the old, low-value debt you incurred with your credit card into a brand new, high value debt that you owe to the bill collector. There's a good chance they'll sell this debt to another collector and take the lump sum – and then the new collector will commence a fresh round of harassment.

McKenzie says you should never talk to a debt collector. Make them put everything in writing. They are almost certain to lie to you and violate your rights, and a written record will help you prove it later. What's more, debt collection agencies just don't have the capacity or competence to engage in written correspondence. Tell them to put it in writing and there's a good chance they'll just give up and move on, hunting softer targets.

One other thing debt collectors due is robo-sue their targets, bulk-filing boilerplate suits against debtors, real and imaginary. If you don't show up for court (which is what usually happens), they'll get a default judgment, and with it, the legal right to raid your bank account and your paycheck. That, in turn, is an asset that, once again, the debt collector can sell to an even scummier bottom-feeder, pocketing a lump sum.

McKenzie doesn't know what will fix this. But Michael Hudson, a renowned scholar of the debt practices of antiquity, has some ideas. Hudson has written eloquently and persuasively about the longstanding practice of jubilee, in which all debts were periodically wiped clean (say, whenever a new king took the throne, or once per generation):

https://pluralistic.net/2020/03/24/grandparents-optional-party/#jubilee

Hudson's core maxim is that "debt's that can't be paid won't be paid." The productive economy will have need for credit to secure the inputs to their processes. Farmers need to borrow every year for labor, seed and fertilizer. If all goes according to plan, the producer pays off the lender after the production is done and the goods are sold.

But even the most competent producer will eventually find themselves unable to pay. The best-prepared farmer can't save every harvest from blight, hailstorms or fire. When the producer can't pay the creditor, they go a little deeper into debt. That debt accumulates, getting worse with interest and with each bad beat.

Run this process long enough and the entire productive economy will be captive to lenders, who will be able to direct production for follies and fripperies. Farmers stop producing the food the people need so they can devote their land to ornamental flowers for creditors' tables. Left to themselves, credit markets produce hereditary castes of lenders and debtors, with lenders exercising ever-more power over lenders.

This is socially destabilizing; you can feel it in McKenzie's eloquent, barely controlled rage at the hopeless structural knot that produces the abusive and predatory debt industry. Hudson's claim is that the rulers of antiquity knew this – and that we forgot it. Jubilee was key to producing long term political stability. Take away Jubilee and civilizations collapse:

https://pluralistic.net/2022/07/08/jubilant/#construire-des-passerelles

Debts that can't be paid won't be paid. Debt collectors know this. It's irrefutable. The point of debt markets isn't to ensure that debts are discharged – it's to ensure that every penny the hereditary debtor class has is transferred to the creditor class, at the hands of their fellow debtors.

In her 2021 Paris Review article "America's Dead Souls," @MollyMcGhee gives a haunting, wrenching account of the debts her parents incurred and the harassment they endured:

https://www.theparisreview.org/blog/2021/05/17/americas-dead-souls/

After I published on it, many readers wrote in disbelief, insisting that the debt collection practices McGhee described were illegal:

https://pluralistic.net/2021/05/19/zombie-debt/#damnation

And they are illegal. But debt collection is a trade founded on lawlessness, and its core competence is to identify and target people who can't invoke the law in their own defense.

Going to Defcon this weekend? I’m giving a keynote, “An Audacious Plan to Halt the Internet’s Enshittification and Throw it Into Reverse,” today (Aug 12) at 12:30pm, followed by a book signing at the No Starch Press booth at 2:30pm!

https://info.defcon.org/event/?id=50826

I’m kickstarting the audiobook for “The Internet Con: How To Seize the Means of Computation,” a Big Tech disassembly manual to disenshittify the web and bring back the old, good internet. It’s a DRM-free book, which means Audible won’t carry it, so this crowdfunder is essential. Back now to get the audio, Verso hardcover and ebook:

http://seizethemeansofcomputation.org

If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2023/08/12/do-not-pay/#fair-debt-collection-practices-act

This Twitter post was written by a northern Virginia SUV driver, who cut off three people while tweeting and makes jokes about Maryland drivers because they’re too afraid to go into most of DC

Hey, look at me. Look at me. I’ve said it once and I’ll say it again: you need to condition yourself to being okay with being inconvenienced by things. The first time I spoke about this I meant it in a mental health way- it is good to go out to the store and see people versus just ordering alone at home- but there is another more pressing societal issue you should be more concerned about as well.

Any service you rely on for convenience can be weaponized against you the moment you begin to rely on it. Streaming used to be a cheap and convenient way to see movies at home. It is now exorbitantly expensive, you need multiple accounts just to get what you want, and any of those movies can be taken from you at any time. And unless you have gotten used to going through the “inconvenience” of owning physical media, you can do nothing about it. Same goes for buying things on Amazon. Same goes for any service like DoorDash etc. These companies WANT you to be reliant on them for convenience so they can do whatever they want to you because, well, what else are you gonna do?

Same thing goes for the uptick in AI. If you train yourself to become reliant on AI for doing basic things, you will be taken advantage of. It is only a matter of a couple years before there are no free AI services. Not only that, but in the usage of AI’s case, it is robbing you of valuable skills that you need to curate that you will be helpless without the moment the AI companies drive in the knife the way they have done with streaming. Delivery. Cable. Internet. Etc. It will happen to AI too. And if you are not practicing skills such as. Writing. You are not only going to be at the mercy of AI companies in the digital world, but you are going to be extremely easy to take advantage of in real life too.

I am begging you to let go of learned helplessness. I am begging you to stop letting these companies TEACH you helplessness. Do something like learn to pirate. It is way more inconvenient at the beginning, but once you know how, it is one less way companies can take advantage of you. Garden. Go to the thrift store (older clothes hold up better anyway). These things take more time and effort, yes, but using time and effort are muscles you need to stretch to keep yourself from being flattened under the weight of our capitalist hellscape.

Inconvenience yourself. Please. Start with only the ways you are able. Do a little bit at a time. But do something.

So I ended up with free time at the end of my first class today, so I was like "do yall wanna see a vintage meme?" and turned on "what does the fox say". Expected like. A laugh from the kids, or even just a "wtf is this mx?" which is. A reasonable reaction to What Does The Fox Say.

But instead of a reasonable reaction. all of my students watched the first 60 seconds with jaws agape. And then this one kids turns to me like the fucking eye of Sauron and literally goes: