Plus: A hacker finds an issue with Cloudflare’s systems that could reveal app users’ rough locations, and the Trump administration puts a wrench in a key cybersecurity investigation.

This week started off with a bang and just kept going. In the wee hours of Saturday night, TikTok cut off access to users in the United States ahead of Sunday’s deadline that forced Apple and Google to remove the video-sharing app from their app stores. While TikTok was dark, US users raced to get around the TikTok ban while several other unexpected apps saw their access to Americans severed as well. By midday on Sunday, however, TikTok access was already coming back in the US. By Monday night, newly inaugurated US president Donald Trump had signed an executive order delaying the TikTok ban by 75 days.

On Tuesday, Trump made good on his promise to free Ross Ulbricht, the imprisoned creator of the Silk Road dark-web market, where users sold drugs, guns, and worse. Ulbricht had spent more than 11 years behind bars after he was arrested by the FBI in 2013 and later sentenced to life in prison. Trump’s decision to pardon Ulbricht is largely seen as linked to the support he’s received from the libertarian cryptocurrency community, which has long considered the Silk Road creator a martyr.

As the world enters the second Trump era, WIRED sat down with Jen Easterly, who recently left her top spot as director of the Cybersecurity and Infrastructure Security Agency to discuss the cyber threats facing the US and CISA’s uncertain future as the frontline watchdog against nation-state hackers and other digital security threats facing the US.

Lastly, we detailed new research that revealed how trivial bugs had exposed Subaru’s system for tracking the locations of its customers’ vehicles. The researchers found they could access a web portal for Subaru employees that allowed them to pinpoint up to a years’ worth of a car’s location—down to the parking spots they use. The flaws are now patched, but Subaru employees still have access to sensitive driver location data.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Judge Says Controversial FBI Searches Require a Warrant**

A US judge in New York this week found that the FBI’s practice of searching data on US persons under Section 702 of the Foreign Intelligence Surveillance Act without obtaining a warrant is unconstitutional. FISA gives the US government the authority to collect the communications of foreign entities through internet providers and companies like Apple and Google. Once this data was collected, the FBI could perform “backdoor searches” for information on US citizens or residents who communicated with foreigners, and it did so without first obtaining a warrant. Judge DeArcy Hall found that these searches do require a warrant. “To hold otherwise would effectively allow law enforcement to amass a repository of communications under Section 702—including those of US persons—that can later be searched on demand without limitation,” the judge wrote.

**Cloudflare Function Could Expose App Users’ Rough Location**

An “issue” with the basic functionality of internet infrastructure company Cloudflare’s content delivery network, or CDN, can reveal the coarse location of people using apps, including those meant for protecting privacy, according to findings from an independent security researcher. Cloudflare has servers in hundreds of cities and more than 100 countries around the world. Its CDN works by caching peoples’ internet traffic across its servers then delivering that data from the server closest to a person’s location. The security researcher, who goes by Daniel, found a way to send an image to a target, collect the URL, then use a custom-built tool to query Cloudflare to find out which data center delivered the image—and thus the state or possibly the city the target is in. Fortunately, Cloudflare tells 404 Media that it fixed the issue after Daniel reported it.

**Trump Administration Disbands Review Board Investigating China’s Salt Typhoon Attacks**

In one of its first moves after Trump took office on Monday, the Department of Homeland Security let go everyone on the agency’s advisory committees. This includes the Cyber Safety Review Board, which was investigating widespread attacks on the US telecommunications system by the China-backed hacker group Salt Typhoon. US authorities revealed in mid-November that Salt Typhoon had embedded itself in at least nine US telecoms for espionage purposes, potentially exposing anyone using unencrypted calls and text message to surveillance by Beijing. While the future of the CSRB remains uncertain, sources tell reporter Eric Geller that their investigation into Salt Typhoon’s attacks is effectively “dead.”

US Privacy Snags a Win as Judge Limits Warrantless FBI Searches

Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.

About a year ago, security researcher Sam Curry bought his mother a Subaru, on the condition that, at some point in the near future, she let him hack it.

It took Curry until last November, when he was home for Thanksgiving, to begin examining the 2023 Impreza's internet-connected features and start looking for ways to exploit them. Sure enough, he and a researcher working with him online, Shubham Shah, soon discovered vulnerabilities in a Subaru web portal that let them hijack the ability to unlock the car, honk its horn, and start its ignition, reassigning control of those features to any phone or computer they chose.

Most disturbing for Curry, though, was that they found they could also track the Subaru's location—not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.

A year of location data for Sam Curry’s mother’s 2023 Subaru Impreza that Curry and Shah were able to access in Subaru’s employee admin portal thanks to its security vulnerabilities.

Screenshot Courtesy of Sam Curry

“You can retrieve at least a year's worth of location history for the car, where it's pinged precisely, sometimes multiple times a day,” Curry says. “Whether somebody's cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.”

Curry and Shah today revealed in a blog post their method for hacking and tracking millions of Subarus, which they believe would have allowed hackers to target any of the company's vehicles equipped with its digital features known as Starlink in the US, Canada, or Japan. Vulnerabilities they found in a Subaru website intended for the company's staff allowed them to hijack an employee's account to both reassign control of cars’ Starlink features and also access all the vehicle location data available to employees, including the car’s location every time its engine started, as shown in their video below.

Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are just the latest in a long series of similar web-based flaws they and other security researchers working with them have found that have affected well over a dozen carmakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. There’s little doubt, they say, that similarly serious hackable bugs exist in other auto companies' web tools that have yet to be discovered.

In Subaru's case, in particular, they also point out that their discovery hints at how pervasively those with access to Subaru's portal can track its customers' movements, a privacy issue that will last far longer than the web vulnerabilities that exposed it. “The thing is, even though this is patched, this functionality is still going to exist for Subaru employees,” Curry says. “It's just normal functionality that an employee can pull up a year's worth of your location history.”

When WIRED reached out to Subaru for comment on Curry and Shah's findings, a spokesperson responded in a statement that “after being notified by independent security researchers, \[Subaru\] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”

The Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America, based on their job relevancy, who can access location data." The company offered as an example that employees have that access to share a vehicle's location with first responders in the case when a collision is detected. “All these individuals receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed,” Subaru's statement added. “These systems have security monitoring solutions in place which are continually evolving to meet modern cyber threats.”

Responding to Subaru's example of notifying first responders about a collision, Curry notes that would hardly require a year's worth of location history. The company didn't respond to WIRED asking how far back it keeps customers' location histories and makes them available to employees.

Shah and Curry's research that led them to the discovery of Subaru's vulnerabilities began when they found that Curry's mother's Starlink app connected to the domain SubaruCS.com, which they realized was an administrative domain for employees. Scouring that site for security flaws, they found that they could reset employees' passwords simply by guessing their email address, which gave them the ability to take over any employee's account whose email they could find. The password reset functionality did ask for answers to two security questions, but they found that those answers were checked with code that ran locally in a user's browser, not on Subaru's server, allowing the safeguard to be easily bypassed. “There were really multiple systemic failures that led to this,” Shah says.

The two researchers say they found the email address for a Subaru Starlink developer on LinkedIn, took over the employee's account, and immediately found that they could use that staffer's access to look up any Subaru owner by last name, zip code, email address, phone number, or license plate to access their Starlink configurations. In seconds, they could then reassign control of the Starlink features of that user's vehicle, including the ability to remotely unlock the car, honk its horn, start its ignition, or locate it, as shown in the video below.

Those vulnerabilities alone, for drivers, present serious theft and safety risks. Curry and Shah point out that a hacker could have targeted a victim for stalking or theft, looked up someone's vehicle's location, then unlocked their car at any time—though a thief would have to somehow also use a separate technique to disable the car's immobilizer, the component that prevents it from being driven away without a key.

Those car hacking and tracking techniques alone are far from unique. Last summer, Curry and another researcher, Neiko Rivera, demonstrated to WIRED that they could pull off a similar trick with any of millions of vehicles sold by Kia. Over the prior two years, a larger group of researchers, of which Curry and Shah are a part, discovered web-based security vulnerabilities that affected cars sold by Acura, BMW, Ferrari, Genesis, Honda, Hyundai, Infiniti, Mercedes-Benz, Nissan, Rolls Royce, and Toyota.

More unusual in Subaru's case, Curry and Shah say, is that they were able to access fine-grained, historical location data for Subarus going back at least a year. Subaru may in fact collect multiple years of location data, but Curry and Shah tested their technique only on Curry's mother, who had owned her Subaru for about a year.

Curry argues that Subaru's extensive location tracking is a particularly disturbing demonstration of the car industry's lack of privacy safeguards around its growing collection of personal data on drivers. “It's kind of bonkers,” he says. “There's an expectation that a Google employee isn't going to be able to just go through your emails in Gmail, but there's literally a button on Subaru's admin panel that lets an employee view location history.”

The two researchers’ work contributes to a growing sense of concern over the enormous amount of location data that car companies collect. In December, information a whistleblower provided to the German hacker collective the Chaos Computer Computer and Der Spiegel revealed that Cariad, a software company that partners with Volkswagen, had left detailed location data for 800,000 electric vehicles publicly exposed online. Privacy researchers at the Mozilla Foundation in September warned in a report that “modern cars are a privacy nightmare,” noting that 92 percent give car owners little to no control over the data they collect, and 84 percent reserve the right to sell or share your information. (Subaru tells WIRED that it “does not sell location data.”)

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” Mozilla's report reads.

Curry and Shah's discovery of Subaru's security vulnerabilities in its tracking demonstrate a particularly egregious exposure of that data—but also a privacy problem that's hardly less disturbing now that the vulnerabilities are patched, says Robert Herrell, the executive director of the Consumer Federation of California, which has sought to create legislation for limiting car's data tracking.

“It seems like there are a bunch of employees at Subaru that have a scary amount of detailed information,” Herrell says. “People are being tracked in ways that they have no idea are happening.”

_Update 4:23 pm EST, January 23, 2025: The article's subheadline has been updated to clarify the scope of the researcher's work._

Subaru Security Flaws Exposed Its System for Tracking Millions of Cars

Chinese hacks, rampant ransomware, and Donald Trump’s budget cuts all threaten US security. In an exit interview with WIRED, former CISA head Jen Easterly argues for her agency’s survival.

When I walk into Jen Easterly’s office on a bright January day in Arlington, Virginia, I’m greeted by a giant shark head lurking on the floor. I instantly spot a Rubik’s Cube—an Easterly hallmark—emblazoned with the logo of the organization she’s run for the past three and a half years—the Cybersecurity and Infrastructure Security Agency, or CISA, which President Donald Trump created during his first term.

Easterly, who is 56 years old, jumps to her feet to greet me. The first thing that hits me is her denim pants, which have a dragon on one leg and a serpent on the other. Then she launches into updates on CISA’s animated “Secure Our World” video series and, in the same breath, laments that she hasn’t had time for a private guitar lesson in weeks. Seemingly a regular day on the job for her, except for one thing. As of January 20, Inauguration Day, Easterly’s time at CISA would be over. Trump had fired the agency’s first director, Chris Krebs, after CISA refused to question the integrity of the 2020 election, and Easterly now says she wasn’t asked to stay. Rumors are swirling that CISA programs—or even the entire agency—may soon be on Trump’s chopping block.

The timing couldn’t be worse for the nation to lose its top cybersecurity cop. A Beijing-linked group called Salt Typhoon spent months last year rampaging through American telecoms and siphoning call logs, recordings, text messages, and even potentially location data. Many experts have called it the biggest hack in US telecom history. Easterly and her agency unknowingly detected Salt Typhoon activity in federal networks early last year—warning signs that ultimately sped up the unraveling of the espionage campaign.

The work of banishing Chinese spies from victim networks isn’t over, but the walls are already closing in on CISA. Trump's nominee to run the Department of Homeland Security, Kristi Noem, told a senate committee last week that CISA needs to be “smaller” and “more nimble.” And a day after the inauguration, all members of the Cyber Safety Review Board—who were appointed by Easterly and were actively investigating the Salt Typhoon breaches—were let go.

When Easterly officially became the agency’s second director, in 2021, the government was still reeling from a different blockbuster hack—SolarWinds. Kremlin-backed intruders had compromised widely used software to infiltrate the networks of US agencies and other targets. Helping US institutions defend themselves became an even more urgent and daunting project. CISA doesn’t enforce laws or collect intelligence; its job is to evangelize digital security measures and offer free services, so institutions can see what they need to do to not get hacked or—more realistically—get hacked less badly. Easterly got to work building relationships across the federal government and with state and local officials, corporate executives, and utility managers. In crises like the Salt Typhoon campaign, these relationships are crucial to quickly containing the damage.

It takes a determined person, and perhaps a charismatic one, to build rapport with such a wide-ranging group of people. Easterly has the background for it: She has worked in the Army (with multiple deployments), the National Security Agency, and the National Security Council under Barack Obama, and she spent nearly five years in charge of Morgan Stanley’s global cybersecurity. She also helped establish US Cyber Command within the Department of Defense. Somehow, though, she’s chill. To break the ice, and probably to make an impression, Easterly has leaned into her passions while in office, cubing and jamming with executives and utility operators around the country. And, yes, there’s her eclectic style—high fashion (by cybersecurity standards, anyway) mixed with bell-bottoms and Birkenstocks—but also her quiet, intense obsession with trying to solve the puzzle that is digital defense.

_This interview has been edited for length and clarity, combining on-camera and off-camera portions. Check out_ WIRED’_s YouTube channel_ _for the video._

**You’re in your last days as the director of CISA. How's it going?**

It's a little bittersweet.

**Why are you leaving?**

Well, at the end of the day, I'm a Senate-confirmed political appointee. We serve at the pleasure of the president. I've not been asked to stay.

**There are signs that the Trump administration may be hostile to some of CISA’s goals. Do you think the agency has proven it's valuable?**

We are America's cyberdefense agency, but our budget is less than $3 billion. I think the American people are getting an incredible return on investment. Anybody who looks at it will see that there's been an enormous amount of progress made in reducing risk to the critical infrastructure Americans rely on every hour of every day. We're talking water, power, transportation, communication, finance. It's not a political or partisan issue, and these threats are only getting more complicated, more dangerous. Any stepping back of what we've put in place will be to the detriment of the safety and security of the American people.

**One threat that’s top of mind is Salt Typhoon. How have past foreign espionage campaigns, like Russia’s SolarWinds attacks, informed the work you all are doing?**

What we saw in December 2020, with the revelations about the Russian intrusions into US federal government networks, as well as businesses around the world, was a pretty sophisticated supply-chain espionage operation. I would say the bumper sticker was to finally allow CISA to manage the .gov federal digital assets as one enterprise, not as a disparate tribe of a hundred separate departments and agencies. It's still a work in progress, but what we've put in place across the government over the past three and a half years has given us enormous visibility and has allowed us to detect intrusions much more rapidly, to be able to remediate them and to get ahead of future intrusions.

**It’s concerning how difficult it seems to have been for the telecoms to eradicate the Chinese hackers from their networks.** **Has there been progress in terms of that transparency and insight you're talking about?**

After the revelations of these breaches, we stood up what's called a unified coordination group. So we're responding, the FBI is investigating, folks like the National Security Agency are using what we see in the intelligence to understand the extent and the depth of this intrusion. And we're coming together to work with the victims. We've been doing that for months. This has unfortunately been out in the press a lot—

**I would say fortunately!**

Anything that gets out there has the downside of having adversaries change their tactics. So, while I think the transparency to consumers is important, it also makes it more difficult to then find these actors within the network. I don't expect it to be remediated in the short term.

**What about in the long term?**

Everybody should assume that our adversaries, in particular China, are attempting to go after our critical infrastructure. The private sector, they are on the front lines of this fight, because they own and operate the vast majority of our critical infrastructure. It's why companies need to put collaboration over self-preservation.

I want a future where something like a ransomware attack is a shocking anomaly. Where damaging software vulnerabilities exploited by nation-state actors are as infrequent as plane crashes. A world where the technology that we've come to rely on every hour of every day is first and foremost secure.

**It feels like hackers always find new ways to get where they want to go. Can you win at defense?**

I mean, you're right. Defense is hard. I say that as America's cyber head goalie. And that's why it has to be a team. As much as we work to hunt for and eradicate Chinese actors, our partners need to hold those actors accountable, whether that's through offensive cyber capabilities or indictments or sanctions. But, yes, we're on the defensive side, and it's a challenge.

Former CISA director Jen Easterly left office on Inauguration Day as rumors swirled about the fate of the agency.Photograph: Dana Scruggs

**Right now is a very scary and precarious time in cyberspace.**

I spent a lot of time in counterterrorism, and people would often say, “What keeps you up at night?” But it's really not what keeps me up at night. It's all about what gets you up in the morning. I love my team. I love the mission. Not every day is the best day ever, but you work through the issues, you stay resilient, you stay focused.

**Probably a necessary attitude for this type of work. But I just have to be that guy who asks you one more time: What keeps you up at night?**

A major conflict in Asia—the potential invasion or blockade of Taiwan by the People’s Republic of China—could have very real consequences here in the US. You could see pipelines and water being affected, telecommunications being severed, rail lines, power. That is all part of a very deliberate effort by the People’s Republic of China to incite what they call “societal panic” and to deter our ability to marshal military might and citizen will. We have to acknowledge that disruption may occur.

**Is the public paying too much attention to espionage campaigns like Salt Typhoon? Should we all be more worried about threats to critical infrastructure, like China’s Volt Typhoon?**

We are very focused overall on PRC cyber actors. CISA is one of the few agencies in the government that has been able to find both Volt Typhoon within critical infrastructure as well as Salt Typhoon. In fact, it was our work several months ago to find Salt Typhoon that then led to law enforcement identifying virtual private servers that were being leased by the adversaries, and then that unraveled the wider campaign.

**You and I have talked before about how Ukraine has faced years of punishing digital attacks and, of course, an ongoing kinetic war with Russia. CISA has partnered for a few years now with its counterpart agency in Ukraine. Do you have concerns that the Trump administration won't prioritize that relationship?**

Ukraine is under active assault by a very sophisticated threat actor. What we are learning from how they are dealing with those attacks actually helps us understand and mitigate similar threats to our own infrastructure. Cyber is a borderless space, and what our foreign partners see can absolutely benefit us. We need to ensure that all of us—from the vendors that create technology to companies that buy technology to citizens that consume technology—recognize our shared role in a collective defense of cyberspace and critical infrastructure.

**Do you feel that there are too many cooks in the US federal cybersecurity kitchen? Has that been an issue?**

It really has not. A lot of people have asked that question, but when the SolarWinds incident occurred I was looking at it as both the cyber policy lead for the Biden-Harris transition team and, perhaps more importantly, from my day job at Morgan Stanley. One advisory came out from CISA that was very SolarWinds-specific. We didn't have SolarWinds in our infrastructure. Another one came from NSA that was focused on VMware, and we did have VMware in our systems. It was not clear how these things were connected. And then you would see an FBI private-sector notice about something else. At this point I've already been in government for 27 years. I'd been in the military, the Department of Defense, the intelligence community, the White House. It's like, I know this. I thought I understood the government. And I couldn't make sense of what the government was trying to tell us about this Russian espionage campaign. It was one of the motivating things about coming to CISA. How do we bring together the federal cyber ecosystem?

The relationships with NSA, FBI, and CISA have never been better. Some of that is personalities, but I think we have actually developed institutional connective tissue, so that it will last. It's very, very clear what CISA’s role is. Now, you often talk about, what does the National Security Council do? What does the Office of the National Cyber Director do? I think we've sorted out the relationships at that level with policy and strategy, but really at the operational level where CISA lives, those relationships across the federal cyber ecosystem I think have never been better.

**You said that there is unfinished business as you prepare to leave CISA. Where do you wish you could have done more?**

There’s a lot of unfinished business. We have made an impact through our ransomware vulnerability warning pilot and our pre-ransomware notification initiative, and I’m really proud of that, because we work on preventing somebody from having their worst day. But ransomware is still a problem. We have been laser-focused on PRC cyber actors. That will continue to be a huge problem. I'm really proud of where we are, but there's much, much more work to be done. There are things that I think we can continue driving, that the next administration, I hope, will look at, because, frankly, cybersecurity is a national security issue.

**I have to ask you, there are rumors: Are you or are you not going on tour when you leave CISA?**

You know, I certainly hope to. I played piano and guitar when I was young, but I started taking up electric guitar, and that has become my passion, my obsession. So my big postretirement plan several years from now is to start a bar in lower Manhattan, to have a band. We're going to do magic. We're going to do improv. I'm going to be the bartender.

**And will there be Rubik's Cubes at every table?**

There will be Rubik's Cubes. I'm obsessed with the Rubik's Cube. When I was 11 these things were introduced across the world, and I was a huge puzzler and a video game person. I learned how to solve it, and then I would go to toy stores—I was this little kid with pigtails—and say, “Hey, if I can solve this in less than two minutes, will you give me a free one?” So I was able to amass this whole set of them.

**You must see some sort of connection between that and your day job.**

Ernő Rubik, who invented the thing, said something like, if you are curious, you will find puzzles around you. And if you are determined, you will solve them. And when I think about the incredible technical talent that we have here at CISA, it’s the intellectual curiosity, it’s the hacker mindset, it’s the problem solver. But it's also the determination, the relentless drive to solve the most complicated problems out there.

_Let us know what you think about this article. Submit a letter to the editor at_ _mail@wired.com._

Under Trump, US Cyberdefense Loses Its Head

Donald Trump pardoned the creator of the world’s first dark-web drug market, who is now a libertarian cause célèbre in some parts of the crypto community.

A little over 11 years and three months ago, Ross Ulbricht was arrested in the science fiction section of a public library in San Francisco, caught with his laptop still logged in to the Silk Road, the world’s first dark-web drug market that he created and ran under the pseudonym the Dread Pirate Roberts.

Now, after being sentenced to life in prison and spending more than a decade behind bars, Ulbricht will walk free, thanks to Donald Trump—and to the president’s ever-closer ties to the American cryptocurrency world.

“I just called the mother of Ross William Ulbright to let her know that in honor of her and the Libertarian Movement, which supported me so strongly, it was my pleasure to have just signed a full and unconditional pardon of her son, Ross,” president Trump wrote on Truth Social on Tuesday evening, misspelling Ulbricht's last name. “The scum that worked to convict him were some of the same lunatics who were involved in the modern day weaponization of government against me. He was given two life sentences, plus 40 years. Ridiculous!”

For close to two and a half years after Ulbricht created the Silk Road in 2011, the dark-web site facilitated the sale of vast amounts of narcotics, as well as counterfeit documents, money laundering services and, at times, guns, for hundreds of millions of dollars in bitcoin payments. After the FBI located the Silk Road’s server in Iceland in 2013 and arrested then 29-year-old Ulbricht in San Francisco, he was convicted on seven charges relating to the distribution of narcotics, money laundering, and computer hacking, as well as a “continuing criminal enterprise” statute—sometimes known as the “kingpin statute”—usually reserved for mob bosses and cartel leaders. In 2015, he was sentenced to life in prison, a punishment beyond even the 20-plus years that prosecutors in the case requested.

Since then, a Free Ross movement has steadily pressed for Ulbricht’s release, first in a failed appeal, then in petitions for clemency. Many of Ulbricht’s supporters have long argued that the Silk Road was a principled libertarian experiment in free trade, one in which Ulbricht allowed only “victimless crime”—despite prosecutors arguing during his trial that at least six people died of opioid overdoses from drugs linked to the Silk Road. They point out that Ulbricht never actually sold or possessed drugs himself, and rather ran a website that facilitated their sale. And they argue that by moving the sale of narcotics online, he reduced violence in the drug trade and committed no violence himself.

That argument has been complicated, however, by allegations that Ulbricht tried to have six people killed who presented a threat to him or the Silk Road. Ultimately all six alleged murders-for-hire were fake—one was staged by undercover DEA agents and five more were a scam. Ulbricht was charged with only one of those alleged paid killings in a separate prosecution in Maryland, which was then dropped after he received a life sentence in his New York trial. But evidence presented at Ulbricht’s trial showed him allegedly arranging those killings and even pinpointed transactions on Bitcoin’s blockchain that showed a payment for them from Ulbricht’s laptop to the would-be killer.

Those allegations of murders-for-hire, in fact, dissuaded the first Trump administration from granting clemency to Ulbricht. The White House in 2020 considered freeing Ulbricht but ultimately rejected the idea because of the alleged role of violence in the case, according to one former government official involved in the process who spoke to WIRED on condition of anonymity.

Since then, however, the Trump administration has shifted its stance on Ulbricht’s case—in part, perhaps, due to its embrace of the libertarian cryptocurrency community, for whom Ulbricht has become a martyr and cause célèbre. At the Libertarian National Convention in Washington, DC, last May, then presidential candidate Trump promised to commute Ulbricht’s sentence “on day one” if reelected. (Ultimately, day one passed with no clemency for Ulbricht, even as Trump pardoned more than a thousand participants in the January 6, 2021, insurrection at the US Capitol, though Trump ally Elon Musk promised in a post to X on Monday evening that “Ross will be freed too.”)

Just what role Ulbricht will play in the free world is far from clear. Even in his statement to the judge at his sentencing hearing in 2015, Ulbricht never fully acknowledged the harm inflicted by the Silk Road’s drug sales. And according to Jared Der-Yeghiayan, a former Homeland Security Investigations agent who infiltrated the Silk Road during the investigation, Ulbricht still shows little remorse for his actions in his public posts to X.

“The idea of him being released doesn’t bother me in the least,” says Der-Yeghiayan, who now works as the head of strategic intelligence at cryptocurrency tracing firm Chainalysis. “I do get bothered if there’s now a perception that he did nothing wrong; that doesn’t acknowledge the facts of the case.”

Among some advocates of criminal justice reform, however, Ulbricht has become an exemplar of oversentencing, particularly given that he was technically charged with nonviolent crimes. “Ross has served more than enough time. He has been a model prisoner. He’s a first-time, nonviolent offender. He poses zero safety risk to the community,” Alice Johnson, CEO of the justice reform foundation Taking Action for Good, told WIRED in November. Johnson spent two decades in prison herself for attempted possession with intent to distribute before Trump commuted her life sentence in 2018 and pardoned her in 2020. “I believe that Ross’ case is going to pave the way for many others who have been unjustly given these draconian sentences to come home.”

On Tuesday night, Ulbricht's supporters celebrated his freedom and voiced their gratitude to Trump for his clemency. “Words cannot express how grateful we are,” reads a tweet from @Free\_Ross, an X account devoted to the more than decade-long effort on Ulbricht's behalf. “President Trump is a man of his word and he just saved Ross's life. ROSS IS A FREE MAN!!!!!"

_Additional reporting by Joel Khalili_

Trump Frees Silk Road Creator Ross Ulbricht After 11 Years in Prison

TikTok is now unavailable in the United States—and getting around the ban isn’t as simple as using a VPN. Here’s what you need to know.

After an opaque and uncertain saga, TikTok went dark on millions of phones across the United States on Saturday evening around 10:30 pm EST. Google Play and Apple’s App Store both pulled the app late Saturday as well. If it was already installed prior to Saturday evening, the app is still there on your phone, but launching it only reveals a pop-up warning about the ban. As the deadline loomed, TikTok users had been bracing for the change and flooding other platforms, including the Chinese social app Xiaohongshu or “RedNote.” But if you’re not quite ready to give up the latest skin-care hacks, budgeting tips, and pet tortoise influencers, there are some options for circumventing the ban and continuing to use the platform.

“Sorry, TikTok isn’t available right now,” the app alert reads. “A law banning TikTok has been enacted in the U.S. Unfortunately, that means you can’t use TikTok for now. We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!” Other ByteDance-owned apps, including CapCut and Lemon8, also disappeared from US app stores.

Such a ban has never existed in the US before, so the technical methods being employed to implement it are still evolving, and circumvention techniques may need to change as well. The law driving the situation, the Protecting Americans From Foreign Adversary Controlled Applications Act (PAFACA), doesn’t make it illegal to have TikTok on your phone. And, notably, it also doesn’t say that TikTok itself has to stop the app from working in the US.

Nonetheless, the company said in the days before the law took effect that it planned to make the app inaccessible to US users—a level of cooperation and accommodation that the outgoing Biden White House called a “stunt” on Saturday afternoon. Even if TikTok itself had obligations under the law, the Biden White House had signaled that it did not plan to enforce the ban before Trump took office on Monday.

Rather than putting the pressure on TikTok, PAFACA requires app stores and cloud hosting services to stop doing anything to “distribute, maintain or update” TikTok. That puts the pressure on Apple and Google to stop new users from downloading TikTok, as well as infrastructure providers like Oracle to keep new content or software updates from reaching the app’s users. Over time, TikTok would likely degrade and become unusable.

Officials in India banned TikTok in 2020, and the company also proactively blacked out the app in that case. When Indian users who already had the app installed tried to launch it, a pop-up appeared telling them that they couldn’t access the service.

Devashish Gosain, a network analysis researcher and assistant professor at the Indian Institute of Technology Bombay, says that in India, TikTok users must remove their Indian SIM card from their phone or use an international SIM card and then run a VPN in order to load content in the app.

“Even VPNs do not lead to circumvention” in India, Gosain told WIRED.

In the early hours of the US ban, it was unclear exactly how feasible it would be to get around the restrictions for US accounts. It seemed that TikTok had taken a more extreme approach, turning any US builds of the app dark—blacking out versions of the TikTok app software that had been made to be downloaded and used by US users. It also seemed that US-linked accounts were being blocked regardless of IP address or SIM country information.

Running a VPN alone was certainly not enough to circumvent the ban and get back on TikTok. But seemingly using a non-US TikTok account after removing a SIM (or on a device without a US SIM card/US phone number) worked when combined with a VPN. Similarly, using a VPN with a desktop browser or the Tor Browser was enough to get a non-US TikTok account to load in the US early on Sunday morning, though TikTok’s desktop version has always been much more limited than its mobile app.

“TikTok inspects the source IP of the network packets—if the source IP belongs to India, it drops the packets,” Gosain explains, of the restrictions in India. “Also, the TikTok app fetches the country information embedded in the SIM card, and if the country code is ‘IN,’ it filters the network connection. When we remove the SIM card, the TikTok app fails to identify Indian users from the SIM card, and when we use VPNs, the IP address changes, and it no longer belongs to the Indian IP range. Thus, TikTok again fails to identify that the user is accessing from India. This is how we bypass the filtering.”

Virtual private networks, or VPNs, work by passing your internet traffic through servers that are physically maintained in locations around the world, so you can select an IP address that is tied to a different location than where you physically are. For example, American TikTok users can use VPNs to make it look like they are accessing the internet from outside the US. VPNs also stop your internet service provider (ISPs) from seeing your browsing data, adding an extra potential layer of privacy. When you’re using a VPN, your ISP will simply see connections to the VPN instead of having access to the detailed list of all the websites you’re visiting.

As a result of these capabilities, VPNs are frequently used in attempts to get around digital geolocation restrictions, like those on Netflix or other streaming platforms. They’re also an important, and familiar, tool for circumventing internet censorship programs for people living under authoritarian regimes like those in Russia, China, and Iran.

Using a VPN comes with caveats, though. Some commercial VPNs log people’s browsing history, which essentially just shifts data collection from ISPs to VPN makers. This means that the data isn’t more protected, and that law enforcement could request it from a VPN provider in the same way that they make requests to ISPs. As a result, picking a free VPN is generally not a good idea—with some even selling access to your home internet connections. But some VPNs publish no-logging policies and offer third-party audits and other transparency features in an attempt to show their compliance.

For now, it seems that TikTok’s efforts to block US users are extremely draconian, and even a non-US SIM card or no SIM card plus a VPN may not be a workable path to getting back on the app with a US TikTok account. But the restrictions may only be temporary anyway. In practice, there seems to be little appetite for a permanent ban in the US. And, in spite of originating the idea, President Trump has said in recent days that he doesn’t want the app to be banned.

“My decision on TikTok will be made in the not too distant future, but I must have time to review the situation,” Trump said in a Truth Social post on Friday. “Stay tuned!”

How to Get Around the US TikTok Ban

Plus: New details emerge about China’s cyber espionage against the US, the FBI remotely uninstalls malware on 4,200 US devices, and victims of the PowerSchool edtech breach reveal what hackers stole.

As the Biden administration comes to a close, the White House released a 40-page executive order on Thursday aimed at shoring up federal cybersecurity protections and placing guardrails on the US government’s use of AI. WIRED also spoke with outgoing US ambassador for cyberspace and digital policy, Nathaniel Fick, about the urgency that the Trump administration not cow to Russia and China in the global race for technical dominance. Outgoing FCC chair Jessica Rosenworcel details to WIRED the threats facing US telecoms, at least nine of which were recently breached by China’s Salt Typhoon hackers. Meanwhile, US officials are still scrambling to get a handle on multiple espionage campaigns and other data breaches, with new revelations this week that a breach of AT&T disclosed last summer compromised FBI call and text logs that could reveal the identity of anonymous sources.

Huione Guarantee, the massive online marketplace that researchers say provides an array of services to online scammers, is expanding its offerings to include a messaging app, stablecoin, and crypto exchange and has facilitated a whopping $24 billion in transactions, according to new research. New findings indicate that GitHub’s efforts to crack down on the use of deepfake porn software are falling short. And WIRED did a deep dive into the opaque world of predictive travel surveillance and the companies and governments that are pumping data about international travelers into AI tools meant to detect people who might be a “threat.”

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Names One of the Chinese Hackers Allegedly Behind Massive Salt Typhoon Intrusions**

China spies, the US spies, everybody spies. Mutual espionage is a geopolitical game played by virtually every nation in the world. So when the US government singles out a single hacker for espionage-focused intrusions, naming him and targeting him with sanctions, he must have spied aggressively—or effectively—enough to have made powerful people very angry.

The US Treasury on Friday imposed sanctions on Yin Kecheng, a 39-year old Chinese man accused of being involved in both the breach of nine US telecommunications companies carried out by the Chinese hacker group known as Salt Typhoon, as well as another recent breach of the US Treasury. In a statement about the news, Treasury alleges that Yin is affiliated with China’s Ministry of State Security and has been a “cyber actor” for over a decade. It also imposed sanctions on Sichuan Juxinhe Network Technology, a company that Treasury says is also associated with Salt Typhoon.

Salt Typhoon’s breach of US telecoms gave Chinese hackers enormous access to the real-time texts and phone calls of Americans, and was reportedly used to spy on president-elect Donald Trump and vice president-elect JD Vance, among other targets. FBI director Christopher Wray has called the telecom breaches China’s "most significant cyberespionage campaign in history.”

**China’s Silk Typhoon Hackers Targeted Sanctions and Intelligence in Treasury Breach**

As the Treasury hits back at China’s spy operations, it’s also still working to determine the scope of the intrusion some of those same hackers carried out inside its network. An internal Treasury report obtained by Bloomberg found that hackers had penetrated at least 400 of the agency’s PCs and stolen more than 3,000 files in a recent breach. The espionage-focused intrusion appears to have gone after sanctions and law-enforcement related information, the report found, as well as other intelligence materials. Despite that vast access, the intruders didn’t gain access to Treasury’s emails or classified portions of its network, the report states, nor did they leave behind malware that would suggest an attempt at maintaining longer-term access.

**FBI Uninstalls Chinese PlugX Malware From Thousands of Machines**

The Justice Department revealed this week that the FBI carried out an operation to delete a specimen of malware known as PlugX from 4,200 computers around the world. The malware, which was typically transmitted to computers via infected USB drives, has persisted for at least a decade and been used at times by Chinese state-sponsored hacker groups to target Chinese dissidents. In July of last year, cybersecurity firm Sekoia and French law enforcement took over the command-and-control server behind the malware. This week, the FBI obtained a court order that allowed the bureau to send a self-destruct command to the software on infected machines.

**Victims of “PowerSchool” Edtech Data Breach Say “All” of Their Student and Teacher Info Was Stolen**

After news earlier this week of a cyberattack in December that breached the US education technology platform PowerSchool, school districts targeted in the intrusion told TechCrunch on Thursday that attackers gained access to “all” stored student and teacher data in their accounts. PowerSchool is used by more than 60 million K-12 students in the US. Hackers gained access to the information by stealing login credentials that gave them access to the company’s customer support portal. The attack has not yet been publicly linked to a specific perpetrator. PowerSchool has not yet disclosed the exact number of victim schools nor whether all of its customers were affected.

US Names One of the Hackers Allegedly Behind Massive Salt Typhoon Breaches

As the US faces “the worst telecommunications hack in our nation’s history,” by China’s Salt Typhoon hackers, the outgoing FCC chair is determined to bolster network security if it’s the last thing she does.

As the United States scrambles to kick China out of its communications networks, Jessica Rosenworcel, the outgoing Democratic chair of the Federal Communications Commission, says it’s vital for her Republican successor to maintain strong oversight of the telecommunications industry.

The government is still reeling from the Chinese “Salt Typhoon” hacking campaign that penetrated at least nine US telecom companies and gave Beijing access to Americans’ phone calls and text messages and the wiretap systems used by law enforcement. The operation exploited US carriers’ shockingly poor cybersecurity, including an AT&T administrator account that lacked basic security protections.

To prevent a repeat of the unprecedented telecom intrusion, Rosenworcel used the waning days of her FCC leadership to propose new cybersecurity requirements for telecom operators. On Thursday, the commission narrowly voted to approve her proposal. But those rules face a bleak future, with president-elect Donald Trump preparing to take office and control of the FCC transferring to commissioner Brendan Carr, a Trump ally who voted against Rosenworcel’s regulatory plan.

In an interview days before Trump’s inauguration, Rosenworcel is adamant that regulation is part of the answer to America’s telecom security crisis. And she has a stern message for Republicans who think the solution is to let the telecoms police themselves.

“We are wrestling with what has been described as the worst telecommunications hack in our nation's history,” she says. “Either you take serious action or you don't.”

**“The Right Thing to Do”**

Rosenworcel’s plan consists of two steps. First, the FCC formally declared that the 1994 Communications Assistance for Law Enforcement Act (CALEA), which required telecom companies to design their phone and internet systems to comply with wiretaps, also requires them to implement basic cyber defenses to prevent tampering. Next, the FCC proposed requiring a wider range of companies regulated by the commission to develop detailed cyber risk-management plans and annually attest to their implementation.

The outgoing chairwoman describes the rules as a commonsense response to a devastating attack.

“In the United States in 2025, it would shock most consumers to know that our networks do not have minimum cybersecurity standards,” Rosenworcel says. “We're asking the carriers to develop a plan and certify they follow that plan. That's the right thing to do.”

Absent these standards, she adds, “our networks are going to lack the protection they need from nation-state threats like this in the future.”

But Republicans are unlikely to embrace the new regulations on telecom networks. The powerful telecom industry tends to staunchly oppose any new regulations, and Republicans almost always side with the industry in these debates.

Senator Ted Cruz, a Texas Republican who now chairs the Commerce Committee, called Rosenworcel’s plan “a Band-Aid at best and a concealment of a serious blind spot at worst” during a hearing in December.

Carr—who last month called Salt Typhoon “deeply concerning”—voted against Rosenworcel’s proposal, along with his fellow Republican commissioner Nathan Simington. Carr’s office didn’t respond to a request for comment about the new regulations. But he has repeatedly criticized Rosenworcel’s approach to enforcing rules on the telecom industry, accusing her of overreach and warning that the FCC must rein itself in or face pushback from courts.

Once Carr takes over as FCC chairman, he could call a new vote of the commission to rescind Rosenworcel’s regulations. Or he could let Republican lawmakers do it for him—the GOP-controlled Congress is already planning to undo another FCC rule and might be happy to add this one to their list.

Rosenworcel dismisses the idea that her plan is radical. “We are not reinventing the wheel here,” she says. The new cyber requirements would be pegged to existing consensus standards from the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency.

“Voices from the left and the right have called this the worst telecommunications hack in our nation's history,” Rosenworcel says. “It deserves a serious response.”

**Modernizing an Old Law**

One potential challenge facing Rosenworcel’s plan is that it hinges on the 30-year-old CALEA, which says almost nothing about cybersecurity.

Section 105 of the law does require telecoms to ensure that wiretaps “can be activated only in accordance with a court order or other lawful authorization,” which Rosenworcel reads as a requirement to protect telecom networks from unauthorized access. But after the US Supreme Court’s recent ruling that courts shouldn’t defer to agencies as the experts in their policies, the FCC will almost certainly face an industry lawsuit as it tries to implement Rosenworcel’s plan.

Carr may have opposed the proposal in part for that reason. He has repeatedly cheered court decisions invalidating Biden administration tech policies and the FCC’s own previous actions, and in congressional testimony last July, he cited the risk of courtroom setbacks in opposing FCC subsidies for school and library Wi-Fi hot spots (the FCC program that Congress is preparing to invalidate). “Following the Supreme Court’s decision,” he said, “courts will not defer to an FCC decision to read into the Communications Act a grant of authority that Congress did not provide.”

Rosenworcel defends the use of CALEA, saying “we have to step back and look at it from a broader point of view.” Section 105 clearly supports the conclusion that “every telecommunications carrier has a legal obligation to secure their networks against unlawful access and interception,” she argues.

The chairwoman admits that her proposal is “a modern way to think about” CALEA, but she says her staff “worked closely with our general counsel's office” to ensure its legality.

“This is the right and proper interpretation of the law that meets the moment we're in and the threats we face,” she says.

**New Sheriff in Town**

As the Rosenworcel era gives way to the Carr era at the FCC, one open question is how the commission’s relationship with the telecom industry will change, and how that will affect the companies’ commitment to improving cybersecurity.

Businesses typically have friendlier relationships with independent regulators when they’re led by Republicans, who tend to favor hands-off approaches to overseeing their industries. From that perspective, telecom firms—which slammed the FCC for its recently thwarted attempt to reinstate net neutrality—are likely to welcome Carr’s promises to rein in the commission’s “overreach.”

But it is unclear how that shift will affect the incentives driving telecoms’ investments in better cybersecurity practices. Security experts have already expressed concerns about the broader Trump administration’s likely retreat from Biden-era cyber rules for critical infrastructure operators. A similar trend could play out with the FCC in the telecom space.

**Uncertain Future for an Ambitious Agenda**

Even beyond Salt Typhoon’s breach of US telecom systems, there are many questions about how the FCC will tackle cybersecurity after Rosenworcel departs.

“One of the hallmarks of my tenure has been that we put network security and national security front and center,” she says. “I've been in and around the FCC for a long time, and this issue has never had top-tier billing like it has during my time here.”

Rosenworcel’s initiatives included banning Chinese wireless firms from providing services in the US, prohibiting telecom equipment manufacturers linked to foreign adversaries from selling their products in the US, and running a multibillion-dollar program to help US carriers “rip and replace” that risky equipment.

Under Rosenworcel, the FCC also proposed rules to secure the internet’s traffic-routing system, protect undersea cables from tampering, and update 16-year-old data-breach notification procedures; launched a privacy and data protection task force; created a pilot program to help schools and libraries improve their cyber defenses; and fined the major US wireless carriers for selling access to customers’ locations. Most recently, Rosenworcel worked with the White House to launch an FCC-run security labeling program for internet-of-things devices.

The rip-and-replace program is an especially ambitious effort. More than 100 US wireless carriers have reported using equipment made by risky companies like China’s Huawei. But Rosenworcel is confident that the program—which recently received a $3 billion infusion from Congress—is on the right track. “We're doing a good job working with carriers to take this equipment out,” she says.

Rosenworcel isn’t worried that carriers will simply refuse to participate. “If you have this equipment in your networks, you can't get funds from FCC programs,” she says. “Right there, you have a pretty powerful incentive.” She thinks that incentive will be especially strong for the most vulnerable organizations: the small, rural carriers that heavily depend on federal subsidies.

The IoT labeling program, known as the US Cyber Trust Mark, might be even more ambitious, given that its goal is to completely change how consumers and businesses think about the importance of cybersecurity in home appliances. But Rosenworcel says a lot of manufacturers are “very excited” about getting their products tested and marked with the federal seal of approval, because “they see it as a way to differentiate their products in the marketplace.”

As for consumers, Rosenworcel admits that they may not start shopping based on security right away, but she compares the program to Energy Star, which launched in 1992 and is now a household name. “This is an iterative process,” she says. “It's going to create its own momentum over time, and these are just early days.”

While a group of FCC-designated organizations devise specific testing criteria for the program, Rosenworcel is concerned that other countries may leap ahead with their own security labels. South Korea and Singapore signed an agreement in December 2023 to mutually recognize each other’s labels. The US and the European Union are working on similar reciprocity. “There will be a race globally to develop these kind of marks,” Rosenworcel says. “This is an area where I think the US should really invest some time, energy, and effort, because I would like us to lead.”

**Escaping the “Analog Era”**

As she counts down her final days atop the FCC, Rosenworcel is preoccupied with how Salt Typhoon has highlighted alarming vulnerabilities in systems that underpin American prosperity.

“Network security is national security,” she says. “Communications is an input in everything we do in day-to-day life. You don't have health care, manufacturing, energy, transportation, any of it without secure communications.”

Those dependencies have put the US in increasing jeopardy as foreign government hackers exploit these networks’ complexity and inconsistency.

“We have portions \[of networks\] that are gleaming new and operate on internet protocols, and we've got others that are built for the analog era,” Rosenworcel notes. “There are consequences to having networks like this that are overseen by commercial actors … Some equipment and facilities have not been updated.”

Republicans may be tempted to leave it up to the industry to shore up these vulnerabilities. But Rosenworcel says that would be a costly mistake.

“We have a choice to make,” she says. “We take action to prevent this from happening in the future, or we turn the other way, cross our fingers, and hope it never happens again. I like hope, but hope isn't a plan. And when you look at the scope of the threats that we're facing, it would be foolhardy to just rely on hope at this point.”

The FCC’s Jessica Rosenworcel Isn’t Leaving Without a Fight

A breach of AT&T that exposed “nearly all” of the company’s customers may have included records related to confidential FBI sources, potentially explaining the bureau’s new embrace of end-to-end encryption.

The United States telecom giant AT&T disclosed a breach in July involving call and text messaging logs from six months in 2022 of “nearly all” its more than 100 million customers. In addition to exposing personal communication details for a slew of individual Americans, though, the FBI has been on alert that its agents’ call and text records were also included in the breach. A document seen and first reported by Bloomberg indicates that the bureau has been scrambling to mitigate any potential fallout that could lead to revelations about the identities of anonymous sources connected to investigations.

The breached data didn't include the content of calls and texts, but Bloomberg reports that it would have shown communication logs for agents' mobile numbers and other phone numbers they used during the six months period. It is unclear how widely the stolen data has spread, if at all. WIRED reported in July that after the hackers attempted to extort AT&T, the company paid $370,000 in an attempt to have the data trove deleted. In December, US investigators charged and arrested a suspect who reportedly was behind the entity that threatened to leak the stolen data.

The FBI tells WIRED in a statement: “The FBI continually adapts our operational and security practices as physical and digital threats evolve. The FBI has a solemn responsibility to protect the identity and safety of confidential human sources, who provide information every day that keeps the American people safe, often at risk to themselves.”

AT&T spokesperson Alex Byers says in a statement that the company “worked closely with law enforcement to mitigate impact to government operations” and appreciates the “thorough investigation” they conducted. “Given the increasing threat from cybercriminals and nation-state actors, we continue to increase investments in security as well as monitor and remediate our networks,” Byers adds.

The situation is surfacing amid ongoing revelations about a different hacking campaign perpetrated by China's Salt Typhoon espionage group, which compromised a slew of US telecoms, including AT&T. This separate situation exposed call and text logs for a smaller group of specific high-profile targets, and in some cases included recordings as well as information like location data.

As the US government has scrambled to respond, one recommendation from the FBI and the Cybersecurity and Infrastructure Security Agency has been for Americans to use end-to-end encrypted platforms—like Signal or WhatsApp—to communicate. Signal in particular stores almost no metadata about its customers and would not reveal which accounts have communicated with each other if it were breached. The suggestion was sound advice from a privacy perspective, but was very surprising given the US Justice Department's historic opposition to the use of end-to-end encryption. If the FBI has been grappling with the possibility that its own informants may have been exposed by a recent telecom breach, though, the about-face makes more sense.

If agents were following protocol for investigative communications strictly, though, the stolen AT&T call and text logs shouldn't pose a big threat, says former NSA hacker and Hunter Strategy vice president of research Jake Williams. Standard operating procedure should be designed to account for the possibility that call logs could be compromised, he says, and should require agents to communicate with sensitive sources using phone numbers that have never been linked to them or the US government. The FBI could be warning about the AT&T breach out of an abundance of caution, Williams says, or it may have discovered that agents' mistakes and protocol errors were captured in the stolen data. “This wouldn't be a counterintelligence issue unless someone was not following procedure,” he says.

Williams adds, too, that while the Salt Typhoon campaigns are only known to have impacted a relatively small group of people, they affected many telecoms, and the full impact of those breaches still may not be known.

“I worry about the FBI sources who might have been affected by this AT&T exposure, but more broadly the public still doesn't have a full understanding of the fallout of the Salt Typhoon campaigns,” Williams says. “And it seems that the US government is still working on getting a grasp of that as well.”

Hackers Likely Stole FBI Call Logs From AT&T That Could Compromise Informants

Nathaniel Fick, the ambassador for cyberspace and digital policy, has led US tech diplomacy amid a rising tide of pressure from authoritarian regimes. Will the Trump administration undo that work?

European governments wonder if Trump will continue US support of Ukraine and NATO in a conflict with Russia that has partly played out in cyberspace. Fick’s team was instrumental in establishing a process for rapidly delivering cyber-defense aid to Ukraine’s battered government.

“I was in Ukraine right before Christmas, I was in Poland, I was in Estonia, kind of up and down NATO's eastern flank,” he says, adding that he sensed “both a deep desire for the United States to stay engaged and a recognition that European partners are going to need to do their share—which they, by the way, increasingly are doing.”

More broadly, Fick has heard “a strong desire among many allies and partners” for the US to continue going toe to toe with China and Russia in tech and cyber discussions in international bodies like the UN and the Group of 20.

“Without the United States deeply involved, you're going to see the Chinese more deeply involved, you're going to see the Russians more deeply involved,” Fick says. “There's a pretty broad view \[globally\] that the US needs to, for its own interests and for the interests of our allies and partners, stay engaged in multilateral organizations.”

Fick sympathizes with Republicans who consider these multilateral organizations too slow and timid, but he wants Trump’s team to “recognize that the alternative is not diminished influence of these organizations; the alternative is simply that they become playgrounds for our competitors and our adversaries.”

**Celebrating “a Sea Change”**

Looking back on his time as America’s cyber ambassador—which saw him spend a total of more than 200 days traveling the world on nearly 80 trips to visit key US allies and partners—Fick is proud of how his team launched an entirely new bureau inside the State Department, grew it to around 130 employees, and delivered results that he says are transforming digital diplomacy.

One of his biggest accomplishments was the launch of a foreign cyber aid fund that will support programs to deploy security assistance to hack-stricken allies, subsidize new undersea cables, and train foreign diplomats on cyber issues.

The security-assistance project saw an early test in November when Costa Rica faced another major ransomware attack. “We had people on a plane the next morning, Thanksgiving morning, with hands on keyboards alongside Costa Rican partners that night,” Fick says. “That’s amazing. That is a sea change in how we do this, and it’s going to strengthen our hand in providing support to these middle-ground states.”

Fick has also focused on preparing the Foreign Service for the modern world, meeting his goal of training at least one tech-savvy diplomat for every foreign embassy (around 237 total) and successfully lobbying to add digital fluency to the State Department’s criteria for career ambassador positions. He has also helped State counterbalance the Pentagon in White House discussions about foreign tech issues—putting “American diplomacy literally back at the table in the Situation Room on technology topics.”

And then there’s his team’s support for US cyber aid to Ukraine, from security software to satellite communications to cloud migration for vital government data—work that he says offers a template for future public-private foreign-aid partnerships.

**One Final Warning**

Fick has shared his thoughts about China, 5G, AI, deterrence, and other cyber issues with Trump’s transition team, and he says there’s still more to do to keep cyber diplomacy “front and center” at State. But as he prepares to leave government, he has one major piece of advice for the incoming administration.

“It is essential to have a bias for action,” he says. “We end up admiring a problem for too long rather than taking a decisive step to address it … That decisive step may be imperfect, but indecision is a decision, and the world moves on without you.”

Put another way: In an era of rapidly evolving technologies and intensifying geopolitical competition, massive bureaucracies like the State Department sometimes need to be jolted into action.

“The job of the leaders in these big organizations,” Fick says, “is to move the org to change a little bit faster than it would on its own.”

Biden's Cyber Ambassador Urges Trump Not to Cede Ground to Russia and China in Global Tech Fight

Over a dozen programs used by creators of nonconsensual explicit images have evaded detection on the developer platform, WIRED has found.

“When we look at intimate image abuse, the vast majority of tools and weaponized use have come from the open source space,” says Ajder. But they often start with well-meaning developers, he says. “Someone creates something they think is interesting or cool and someone with bad intentions recognizes its malicious potential and weaponizes it.”

Some, like the repository disabled in August, have purpose-built communities around them for explicit uses. The model positioned itself as a tool for deepfake porn, claims Ajder, becoming a “funnel” for abuse, which predominantly targets women.

Other videos uploaded to the porn-streaming site by an account crediting AI models downloaded from GitHub featured the faces of popular deepfake targets, celebrities Emma Watson, Taylor Swift, and Anya Taylor-Joy, as well as other less famous but very much real women, superimposed into sexual situations.

The creators freely described the tools they used, including two scrubbed by GitHub but whose code survives in other existing repositories.

Perpetrators on the prowl for deepfakes congregate in many places online, including in covert community forums on Discord and in plain sight on Reddit, compounding deepfake prevention attempts. One Redditor offered their services using the archived repository’s software on September 29. “Could someone do my cousin,” another asked.

Torrents of the main repository banned by GitHub in August are also available in other corners of the web, showing how difficult it is to police open-source deepfake software across the board. Other deepfake porn tools, such as the app DeepNude, have been similarly taken down before new versions popped up.

“There’s so many models, so many different forks in the models, so many different versions, it can be difficult to track down all of them,” says Elizabeth Seger, director of digital policy at cross-party UK think tank Demos. “Once a model is made open source publicly available for download, there’s no way to do a public rollback of that,” she adds.

One deepfake porn creator with 13 manipulated explicit videos of female celebrities credited one prominent GitHub repository marketed as a “NSFW” version of another project encouraging responsible use and explicitly asking users not to use it for nudity. “Learning all available Face Swap AI from GitHUB, not using online services,” their profile on the tube site says, brazenly.

GitHub had already disabled this NSFW version when WIRED identified the deepfake videos. But other repositories branded as “unlocked” versions of the model were available on the platform on January 10, including one with 2,500 “stars.”

“It is technically true that once \[a model is\] out there it can’t be reversed. But we can still make it harder for people to access,” says Seger.

If left unchecked, she adds, the potential for harm of deepfake “porn” is not just psychological. Its knock-on effects include intimidation and manipulation of women, minorities, and politicians, as has been seen with political deepfakes affecting female politicians globally.

But it’s not too late to get the problem under control, and platforms like GitHub have options, says Seger, including intervening at the point of upload. “If you put a model on GitHub and GitHub said no, and all hosting platforms said no, for a normal person it becomes harder to get that model.”

Reining in deepfake porn made with open source models also relies on policymakers, tech companies, developers and, of course, creators of abusive content themselves.

At least 30 US states also have some legislation addressing deepfake porn, including bans, according to nonprofit Public Citizen’s legislation tracker, though definitions and policies are disparate, and some laws cover only minors. Deepfake creators in the UK will also soon feel the force of the law after the government announced criminalizing the creation of sexually explicit deepfakes, as well as the sharing of them, on January 7.

Source

Wired