The first booking photo of a US president stands out among a sea of photoshops and AI-generated images online.

For months, Etsy has become littered with a new genre of T-shirt: the Donald Trump mug shot. And they’re available in two main styles: Guity AF and Not Guilty. The shirts are adorned with photos of the former US president appearing as if he’d just been booked, but until very recently, they’ve been fakes—most of them unconvincing ones. Etsy sellers have been uploading them to the platform since at least March, as Trump has been indicted for numerous alleged crimes. Even Trump’s own campaign released a fake mug shot T-shirt to raise money.

But yesterday, the 2024 Republican presidential candidate was finally subjected to the criminal tradition of a mug shot in Georgia, where he has been indicted on charges relating to attempts to overturn 2020 election results in the state. It’s the fourth indictment against Trump, who now faces 91 felony charges in four jurisdictions. Trump maintains that he committed “no crime.”

In an era where manipulated images have captured our attention, Trump’s real mug shot—a simple, poorly lit photo—has achieved historic hype. It’s not that the image alone is notable—Trump is among the most recognizable faces in the world, and he chose to pose for the shot with his eyebrows knitted in his signature, serious look.

Still, it’s the first mug shot of a US president. (Justice officials in the former president’s three other criminal cases opted to skip that part of the process.) And that image, as plain as it is, may become one of the most important photos Trump has ever taken.

“The AI-generated ones, no matter how good they are, will eventually be seen as AI-generated. Fakes will be known as fakes,” says Jonathan Finn, a professor of communication studies at Wilfrid Laurier University in Ontario, who wrote the book _Capturing the Criminal Image: From Mug Shot to Surveillance Society_. But the real mug shot “will last forever. It will have all the history and associations tied to it.”

After Trump’s mug shot was released last night, it flooded the internet, supplanting the fakes that spread before the real thing was released. It appeared on Instagram stories, as memes, and on Trump’s own social network, Truth Social. After surrendering to Georgia authorities, Trump even made his first post on X, formerly Twitter, since his account was reinstated by Elon Musk late last year. “Election interference, never surrender,” a post featuring the picture reads.

Mug shots serve a practical purpose: to identify the person accused of a crime, and document their physical status at the time of an arrest. But media coverage of crimes that included mug shots have contributed to harmful stereotypes of people of color, who are arrested at disproportionate rates. Their publication can also make a person appear guilty of the accusations against them before they’ve had a fair trial.

But Trump finds himself in a different position, where viewers of the mug shot will likely be split: Those who support Trump may see a man wrongfully accused while those who presume him guilty may see it as validation of their beliefs.

Trump's mug shot has already moved beyond its intended purpose of tying him to alleged crimes in Georgia. The different political alignments shared on social media with the mug shot, and even satirical uses, all advance the image out of its initial context. This is a common phenomenon of posts online: As images and posts move to large audiences, they can experience what is called context collapse. That’s when intent and common understanding around the source of a post disappears as it moves widely to other groups. With people giving the mug shot meme treatment or plastering it on partisan T-shirts, that’s already happening.

“I think it’s a certainty there will be context collapse around any prominent image that can be interpreted or misinterpreted by different communities, both wilfully and accidentally,” says Sam Gregory, executive director of Witness, a nonprofit organization focused on using images and videos for protecting human rights. And with numerous versions of a Trump mug shot circulating online, people may have different memories and associations of the historical event. “We’ll remember the one that we saw in a context that made it memorable to us,” Gregory says.

By this morning, a search for Trump mug shots on Etsy featured many new products sporting the real thing. Trump’s campaign is slapping the photo on mugs, T-shirts, and koozies. Fakes will remain, and some people will be duped. But the real Trump mug shot will be the one for the history books.

Donald Trump's Mug Shot Matters in a World of Fakes

Social norms—not laws—are the underlying fabric of democracy. The Georgia indictment against Donald Trump is the last tool remaining to repair that which he’s torn apart.

Donald Trump was arrested in Georgia tonight for his role in what prosecutors christened “a wide-ranging criminal enterprise” aimed at overturning the results of the 2020 election. Trump and 18 others—among them, his former lawyer, Rudolph Giuliani, and Mark Meadows, his former chief of staff—have been formally accused of 41 state-law felonies. The case is brought by Fani Willis, the district attorney of Fulton County, Georgia. Willis is not the first local prosecutor to charge a United States president with a felony, but she is the first to accuse one of trying to steal an election.

Among charges such as filing false documents and conspiracy to commit forgery, Trump is personally accused of trying to browbeat and suborn felony acts from high-ranking Georgia officials, including the chief elections supervisor, secretary of state Brad Raffensperger. Officials were pressed by Trump and other “co-conspirators” to take action to “decertify the election” and “unlawfully appoint presidential electors,” prosecutors claim. Together, the charges opened the door for Willis to pile on additional counts of racketeering. Filed under the state’s Racketeer Influenced and Corrupt Organizations Act, the charge would ask jurors to consider whether Trump and other defendants were involved in a single criminal undertaking. A conviction under RICO does not require that the defendants all know one another or be involved at the same time, so long as they’re all working toward a single corrupt goal.

RICO, which can carry up to a 20-year prison sentence, is a powerful and even dangerous legal weapon. Out of dozens of possible crimes, a prosecutor may have to prove only two to gain a conviction. The state is fairly ambiguous about what constitutes an “enterprise.” Jurors, meanwhile, may be shown a veritable tower of evidence and instructed, usually in some narrative fashion, to see a “pattern” in the defendants’ acts; something the human brain is naturally wired to do, even at a subconscious level. For Trump and his team, allowing the case to progress to the point where a jury is actually deliberating RICO is a doomsday scenario.

In addition to the Georgia prosecution, the cases against Trump include one in Manhattan over “hush money” paid to a porn star; a case filed in Florida federal court over his retention of classified documents; and a federal case in Washington, DC, for his role in the January 6 insurrectionist riot at the US Capitol and efforts to overturn the 2020 election. In total, Trump is facing 91 felony charges. He has pleaded not guilty to each one so far.

The indictment is the culmination of a political career that Trump built by ignoring checks and balances, mocking the law and the courts, and cheering on supporters who use violence in his name, including groups rooted in white nationalism and misogyny, prone to spontaneous and premeditated violence. More than 1,100 of his most committed supporters have been charged in the past 31 months with trying to physically stop Congress from certifying the results of the 2020 election. More than 80 of them have pleaded guilty to beating police officers who had ordered them to disperse. More than 140 officers were reportedly injured, and four of those would die by suicide within 200 days of the event.

These are not Trump's only casualties. Legal experts have long warned that Trump's personal brand of politics—acrimonious, wielding tools of harassment—while deceptively trivial in the face of actual death, millions in damages, and election interference—is corrosive to the very norms and conventions upon which the electoral process has long relied for stability. Prosecuting Trump may help distinguish lawful challenges in future elections from outright criminal acts. But even alone, his arrest has already made clear what norm-breaking behaviors the public will not condone—not now or in the future, regardless of the courts' own views.

In a 2018 book, Harvard University duo Steven Levitsky and Daniel Ziblatt put forward two criteria for the foundation of a healthy democracy: “social norms,” or unwritten codes of conduct upon which the people generally agree. The Trump administration, by the end of its first year, had managed to violate both with a quotidian efficiency. Levitsky and Ziblatt’s norms included “mutual tolerance” and “institutional forbearance.” The latter describes the need for politicians to show restraint in the exercise of their authority; not to gain the upper hand and immediately use that power to obliterate one’s rivals. “Think of democracy as a game we want to keep playing indefinitely,” they write.

Nothing in this century has done more to stamp out the mutual toleration of Americans than the presidency of Donald Trump. His strategy of painting political rivals as illegitimate and un-American has—for the better part of a decade—chipped away at social and democratic norms that titans of jurisprudence have—for more than a century—called indispensable to a functioning democracy. By the time President Joe Biden took office, the _Washington Post_ had cataloged a decidedly pathological 30,000 false or misleading claims uttered by his predecessor. The Trump administration's ever-broadening palette of ethics violations caused Americans to realize, perhaps for the first time on a national scale, that truly there are few if any laws against some of the most basic forms of corruption; that, instead, conventions and norms—an honor system, essentially—is all that stand between presidents and the gross abuse of their power.

Americans typically point to the US Constitution as the pinnacle of their legal system. Many modern legal theorists, and even the nation’s own founders, painted the concept of state authority in a different light. The Genevan philosopher Rousseau considered _la volonté générale_, or the “general will” of the people, the only legitimate source of state power. American revolutionaries believed that only laws written with the “consent of the governed” could be considered legitimate. Thomas Jefferson once said the only “fountain of power” is the people, and that only “from them” is power derived. Regarding politicians who believe “supreme power” resides in constitutions, early US Supreme Court justice James Wilson suggested they had perhaps neglected to consider, “with sufficient accuracy, our political system.”

Consequently, democratic institutions are effectively incapable of restraining elected autocrats by their own volition. Without robust norms, traditional checks and balances often prove useless. “The tragic paradox of the electoral route to authoritarianism,” write Levitsky and Ziblatt, “is that democracy's assassins use the very institutions of democracy—gradually, subtly, and even legally—to kill it.” The Georgia case yanks Trump and his associates out of the squishy realm of “norms violations” and drops them into the cold, hard box of criminality. The best argument for prosecuting Trump under RICO is that it seemingly leaves jurors room to consider both.

The prosecutions of Trump will do nothing to cement America’s deep partisan divide, of course. Legal scholars reasonably believe it will only further inflame hostilities and erode trust in US institutions. Republicans have meanwhile launched an aggressive PR campaign based on the notion of “letting voters decide.” But relying on the vote, rather than jurors who are obligated to consider evidence and draw inferences from facts alone, could itself create a new norm anathema to democratic values. Prosecution was not the first choice. But every other lever that might’ve been pulled to stop and counteract the damage wrought by Trump was left in its place; particularly by Republicans, who’ve never actually been deprived of the means or opportunity to hold the de facto leader of their party accountable. Relying on the very system that Trump previously poured tens of millions of dollars into destroying feels otherwise, at best, like a nation fulfilling a death wish.

For American democracy to thrive, or retain any semblance of the legitimacy it has left, the prosecutorial systems, judges, and jurors in New York, Georgia, Florida, and Washington must grind forward. The law may not always prevent people from profiting off the wrongs they commit. But it cannot be denied outright the chance to decide whether they're stripped of their ill-gotten gains.

Laws are ultimately made “real” by the people against whom they’re imposed, including state officials, who, unlike private citizens, cannot scrape by merely obeying the law. Were judges, legislators, and even presidents to consider only themselves, ignoring the actions of their supervisors, subordinates, and peers, the validity of the legal system—and eventually the system itself—would fall apart. The English legal theorist H. L. A. Hart once wrote that among the "necessary and sufficient” criteria for the existence of a legal system is the requirement that public officials consciously adopt common standards of behavior and “appraise critically their own, and each other’s deviations as lapses.”

For some observers, the concept of "norms violations" during Trump's presidency became erroneously interlinked with the perceived failures of federal oversight officials, mostly by people unaware they were a phantom bulwark all along. A lack of coherence in the mainstays of democracy during Trump’s initial years left too many too focused on the absence of criminal charges, even though equally essential but far less defensible democratic norms were being whittled into dust. Where criminals have laws and courts to contend with, and are beyond the public’s own power to prosecute, social norms are injusticiable—outside the realm of the law, defined by people, their values, and beliefs.

And it’s no secret. The only fleshed-out directive revealed thus far to be implemented by Trump’s hypothetical follow-up presidency aims to see more than 50,000 bureaucrats and civil servants fired in an effort to insulate Trump from legal scrutiny and shield him from potential prosecution down the line. Groups of lobbyists have, according to Axios’ Jonathan Swan, already compiled their “extensive” lists of individuals believed loyal to the president and who fill those ranks instead. This plan is notably the opposite of the restraint on which Levitsky and Ziblatt place so much significance in the upkeep of a healthy and functioning democracy.

Trump’s Prosecution Is America’s Last Hope

Russia tightly controls its information space—making it hard to get accurate information out of the country. But open source data provides some clues about the crash.

At around 5:30 pm Moscow time on August 23, the Embraer Legacy 600 private business jet took to the skies. Launching from an airport near the Russian capital, the 13-seater plane, which has a white body and blue tail, has been linked to Yevgeny Prigozhin, the head of the brutal Russian mercenary outfit Wagner Group.

At 5:46 pm, once the plane was clear of Moscow—an area where location-tracking GPS signals are frequently blocked—receivers belonging to flight-tracking network Flightradar24 started picking up signals from the Embraer Legacy. For the next 34 minutes, Prigozhin’s plane was sending out data about its altitude, speed, and autopilot settings that allowed its movements to be tracked.

During this time, the Embraer Legacy appeared to be fine. It reached a cruising altitude of 28,000 feet before briefly climbing to 30,000 feet, and it was traveling at around a ground speed of around 513 knots. Its flight path headed northwest, away from Moscow and in the direction of Russia’s second-largest city, St. Petersburg.

At 6:19 pm, around 30 seconds before the plane stopped transmitting data altogether, it plunged 8,000 feet toward the ground. Its last recorded altitude was 19,725, as it flew by the Kuzhenkino village in the Tver Region. The descent was “dramatic,” according to Flightradar’s analysis.

Since the plane smashed into the earth, killing all those onboard, Russian aviation services, Telegram channels linked to Wagner, and the country’s state-controlled media have reported that Prigozhin was listed as a passenger. The country’s aviation agency named the Wagner boss among 10 people on the plane, along with other senior Wagner members, including cofounder Dmitri Utkin and three crew members.

Officials, according to Russian state media, are investigating the crash and what may have caused it, and have reportedly recovered the bodies. It has been widely speculated that the plane could have been shot down by Russian air defenses, perhaps in response to Prigozhin’s attempted coup two months ago. No evidence to back this up has been presented yet, with Russian president Vladimir Putin saying he has sent his condolences to the families of the dead and investigations are looking into what happened. (One anonymous Western intelligence official told The New York Times that they believe Prigozhin was on the plane. Meanwhile, US president Joe Biden has said there is “not much that happens in Russia that Putin’s not behind.“)

Thanks to Russia’s heavy censorship and propaganda machines, the verifiable truth of what happened to the Embraer Legacy may never be known, experts say.

Amid the dramatic and unfolding incident, there has been a void of official information and a swirl of unconfirmed theories. However, the event highlights how powerful Russia’s grip on its information space is: The country controls its media, has banned independent outlets, and tightly censors the internet and online services available in the country. The episode also continues to show how useful even small amounts of open source information—such as photos or videos posted to social media and open source data, such as flight information—can be in establishing what may have happened. Open source intelligence, known as OSINT, is already being inspected by researchers.

FlightRadar is one of a tiny number of sources of verifiable information about the fate of the Embraer Legacy 600 and, by extension, those onboard the plane. Since the plane stopped transmitting data, one video has emerged on social media showing a plane in pieces dramatically falling toward Earth.

OSINT investigators have confirmed that this happened around the Tver region, the plane’s last known location, by comparing landmarks in the video, such as trees and metal pylons, with existing photos of the location. Another video of the crash site reportedly shows parts of the wreckage matching previous images of Prigozhin’s Embraer Legacy 600. (However, one false video posted to X, the platform previously known as Twitter, has been viewed around a million times.)

Elise Thomas, an investigator at the Centre for Information Resilience, a nonprofit that conducts open source research to expose human rights abuses and counter disinformation, says that within hours the FlightRadar data and confirmed videos from the site gave people a glimpse of what may have happened. “But at the end of the day, we are probably going to be dependent on Russian sources at some level,” she says. These could include Russian government agencies or Telegram channels, which may not be trustworthy. “In some ways, maybe the most likely outcome here is that we just never know the absolute truth of what happened,” she says.

Getting factual information out of Russia isn't easy—and it has become harder since the country’s full-scale invasion of Ukraine started in February 2022. “The information space has been tightening over time,” says Natalia Krapiva, tech-legal counsel at digital rights nonprofit Access Now. Over the past decade, Krapiva says, the Kremlin has passed laws and taken other measures to control the internet, censor what people can access, throttle the media, and outlaw independent reporting.

Almost all independent media in Russia has been “banned, blocked” or declared “foreign agents” since February of last year, according to media freedom organization Reporters Without Borders. “Those that survive have belonged to allies of the Kremlin for a few years, or they are forced to strict self-censorship, because of banned subjects and terms,” it says in its 2023 annual ranking. Freedom House, an organization that tracks threats to democracy and freedom, ranks Russia as one of the worst countries for online freedoms.

On top of this, Russia has for years run disinformation campaigns and appeared to lie about public incidents at home and abroad. Prigozhin ran the notorious Internet Research Agency, which created reams of fake news and meddled in the 2016 US elections. Two Russian agents who walked into the UK in 2018 and poisoned Sergei Skripal and his daughter Yulia later appeared on Russian state television and claimed that they were simply in the country to visit the British city of Salisbury to see its cathedral. And Russian officials changed their story multiple times around the downing of Malaysia Airlines flight MH17 in 2014, which killed 298 people—reams of open source evidence were presented by investigative journalism unit Bellingcat.

When it comes to Prigozhin and the crash, Russia’s informal network of so-called military bloggers is also involved. In the void of official information about Russia’s war, these military correspondents have appeared on Telegram, in some cases pushing their updates to more than a million people. These accounts are largely pro-Russia, although they often have different allegiances that further muddy the waters. “Some of these people were working for Prigozhin,” says Thomas. “Some of them we know have links to the FSB or GRU,” referring to Russia’s intelligence services. “Some of them probably have links to the Russian security services that we don’t know about.”

These channels have pushed a range of theories about the crash, claiming to have confirmed that Prigozhin is dead and suggesting that they would “march” on Moscow. There have also been reports on possible causes of the crash. According to _Meduza_, the widely read independent Russian news source, suggestions are being circulated on Telegram that investigators suspect a bomb could have been attached to the plane and that law enforcement may have a suspect in mind. Neither claim has been officially confirmed, _Meduza_ notes.

“Looking at the information that is either available or not available is not enough,” says Tanya Lokot, an associate professor in digital media and society at Dublin City University who researches internet and media freedom. Lokot says it’s essential to consider the context of any information published from official Russian sources or in Telegram channels. For instance, she says, it is important to scrutinize why certain information—such as a list of names—may have been released at a particular time.

Lokot says it is also important to understand the motives of whoever is in control of this kind of information and how and when they decide to release it, as that helps shape a bigger narrative. “How they are presenting this incident and the fallout from this incident is really important to understand because it helps us also understand how they’re trying to control the information space to make sure that it fits their broader strategic narrative,” she says. “The desired at least strategic narrative is the Russian state wants to show that it remains in control of the situation, whatever that situation is.”

The Last Hour Before Yevgeny Prigozhin's Plane Crash

Musician Alex Pall spoke with WIRED about his VC firm, the importance of raising cybersecurity awareness in a rapidly digitizing world, and his surprise that hackers know how to go hard.

On Saturday, with Hurricane Hilary looming, Alex Pall and Drew Taggart of the DJ duo The Chainsmokers performed a concert at Los Angeles State Historic Park that set an all-time attendance record for the venue. By Tuesday night, Pall was in Switzerland, speaking to WIRED on Zoom, but he had a different recent event on his mind: his and Taggart's first-ever trip earlier this month to the Black Hat security conference in Las Vegas.

On top of being DJs and electronic music producers, The Chainsmokers are also active tech investors. They founded a venture firm, Mantis VC, in 2019 with two other entrepreneurs and now have investments in a broad portfolio of fintech, machine learning, ecommerce, gaming, and healthcare startups. And though Mantis doesn't specifically focus on cybersecurity, the firm is starting to develop a reputation for identifying startups that are attempting to address esoteric yet critical digital security problems.

This morning, for example, the now-independent mobile security app iVerify announced a $4 million seed funding round that Mantis is participating in. The well-regarded app, which grew out of an incubator at the security firm Trail of Bits, aims to take on the mercenary spyware industry by making it easy for people or organizations to scan their iOS and Android devices for suspicious activity and malware. 

How did The Chainsmokers get interested in digital privacy, incident response, software supply chain security, and anti-spyware tools? And how did Pall, a celebrity DJ who performs all over the world, end up partying at Black Hat? He broke it down for us. Our conversation has been lightly edited for length and clarity.

**WIRED: I'm super curious, where does the security and privacy specialization come from?**

**Alex Pall:** I gotta give credit to Saveena \[Mandadi, a Mantis investor and director of operations\] who's definitely the leader of that space for us. She's done a terrific job building out our thesis around the space. But going back a little bit further, you look at our portfolio, and it probably seems a bit out of character for how you would imagine two musicians to be investing their time and money. And that was very much intentional. 

When you're an artist with a platform like ours, you're getting sought out for two things: distribution and marketing—consumer-related brands or creator, economy, and social. But a few years into it, we were reading the news, and you can't help but take a second look at your portfolio and be like, why are we not in companies like Palo Alto Networks and CrowdStrike? And it dawned on us that we were kind of falling victim to the consumer space in a way. We wanted to go out and invest in tools that, behind the scenes, could be the things powering society. And it was also just a challenge at first, like maybe we can be some of the first artists to show what kind of value we could bring outside of the typical ecosystem you'd imagine us investing into.

**Do you feel like you're raising awareness for other investors that security and privacy issues impact everyone's lives and everyone's work?**

People take for granted that if you type in your bank information, it's going to be secure. Or if you log in to your iPhone and send something private to somebody else, that it's not going to end up in the wrong hands. But we had a firsthand experience a number of years ago—our Twitter account got hacked while we were in London. It was a really, really awful experience to have somebody inside your system, speaking like they're you. And obviously, that was just a little taste of the larger consequences that can happen. 

You can easily invest in one really terrible cybersecurity company and say, 'We've made a huge mistake getting into this space.' So I think it's always been the strategy for us to be a part of the best businesses, even if it's not the most exciting work to the average person when you read it on paper. And hopefully, we de-risk it a bit for others by investing in people who are far more experienced than us.

**Why did you want to invest in iVerify? What's important about it and about focusing on the threat of spyware?**

Our phones aren't always as secure as people think, especially for people like journalists and politicians. Mobile device management is obviously a big issue, but there are lots of important people and organizations that probably don't focus enough on it. So it's critical that iVerify is a really powerful but also simple solution.

**What's it been like to connect with the security community? It sometimes has a reputation that it's a group of people who are really tinfoil-hat and hard to interact with or hard to break into.**

There's a lot of pressure on them. Not only do they have to make sure that everything's secure and safe and people are following the guidelines set by an organization, but the pace at which innovation is happening and you're adopting new technologies and bringing new software in—it's a lot of work while still keeping all the customers happy and hoping that the machine doesn't break down. That's a daunting task, and these things are only going to become more and more important as everything becomes more digital. 

In movies, they certainly don't paint \[hackers\] as the outgoing, fun people at the party. They're usually the ones saving the day, which is the truth. So that's something that we've kind of recognized and realized, which is, how do we, through whatever platform we have, bring more awareness to this space and get more people interested and excited about the applications of cybersecurity?

A lot of the time you're dealing with founders who are extremely technical and brilliant, but we all have our shortcomings. I'm not extremely technical or brilliant. So the idea is that we, hopefully, can come together and leverage each others' strengths to accomplish a really challenging goal.

**It sounds like you at least got to have some fun at Black Hat, right?**

We hosted an event at Black Hat for one of the companies we invest in, Chainguard \[which focuses on software supply chain security\]. And they're all wonderful, but I had no idea what kind of crowd we would be drawing on for this. I didn't think everyone was going to be terrible or boring or something, but I was surprised because everyone was awesome. We had a great night out. Eventually, I was like, I've got a show tomorrow, so we can't keep going all night!

**I think security folks are going to be** _**thrilled**_ **to hear that The Chainsmokers had fun partying with them.**

You know, growing up, I was on ClarisWorks pretending I was hacking into things, and I was a big fan of the movie _Hackers._ They were really cool to me. And this stuff is really important. As the world continues to advance with AI technology, we as a society will need more cybersecurity experts. And they deserve more recognition so they can secure all the new things that we're getting excited about. 

We all want to move as fast as possible, but at the end of the day, you can't have this system that's just jerry-rigged together. As new companies spring up and all the code that's being written—you need to have some sort of observability into this in real time to understand where the flaws are. Soon, all of our identities will just be in the metaverse or something. Who knows. So these things become more critical every day.

Why The Chainsmokers Invest in—and Party With—Niche Cybersecurity Companies

Here’s what the science really says about teens and screens—and how to start the conversation with young people of any age.

If you give a kid a smartphone, they’re going to want a social media account.

That’s not the start of a storybook. The average age for a kid getting their first smartphone is 10.3. Within a year, a child has likely made four or five social media accounts; by the age of 12, 90 percent of kids are already on social media, according to research by Linda Charmaraman, a senior research scientist who runs the Youth Media and Well-Being Research Lab at Wellesley College.

For parents and caregivers, the decision to let your youngster sign up for TikTok, Instagram, or Snapchat can feel like a daunting milestone. In May, the US surgeon general suggested that social media is contributing to a mental health crisis among the nation's youth. Around the world, lawmakers have been mounting pressure on the likes of Meta and TikTok to restrict the addictive design features that young users are subjected to. But social media can be valuable to young people too. Digital spaces can be beneficial settings to build friendships and receive social support from peers. So if your kid starts asking about social media (or you suspect that they already have secret accounts), what’s a parent to do?

“Social media is not inherently good or bad,” says Charmaraman, whose research focuses on adolescent development and social media. “It’s really about how people come to use social media, in what ways, and what kinds of supports they have to navigate it in a way that’s right for them.”

It’s absolutely possible for families to foster a healthy relationship with social media by understanding the science, starting conversations about social media and mental health, and setting boundaries on security settings and screen use. Here’s how to get started, whether your kid is 17 or approaching the age of 10.3.

What Does the Research Really Say?

It’s still too soon to determine any long-term effects of social media on youth mental health, says Charmaraman. She encourages parents to take a critical look at the popular studies that draw correlations between teens’ social media use and negative outcomes like depression and anxiety. “When you actually look at the statistical weight of how much we can explain the rise in rates of mental health difficulties due to social media or technology use, it’s less than 1 percent,” she says.

Correlational studies might also discount larger forces that contribute to mental health difficulties, like socioeconomic status or family relationships. For example, if a child is in a household where parents argue frequently, the child may turn to social media more often to seek support or distraction. That doesn’t mean social media is the problem. More restrictions on social media don’t correlate to a happier child, either, Charmaraman points out.

It’s also important to understand that much of the current research on social media and youth well-being has focused on middle-class white families. There’s still more to be learned about how social media impacts nonwhite, LGBT, or neurodivergent youth, or youth in unstable housing situations.

In other words, there’s no scientifically proven, one-size-fits-all social media rule. Tailor the following guidelines to _your_ family and _your_ kids, and be ready to adapt them as your kids grow older and their situations change. Don’t be afraid to set different guidelines for siblings too—kids in the same family could have different needs.

‘Onboard’ Your Kid Onto Social Media

You might want to start earlier than you think. “Don’t assume that your kid isn’t already on social media,” says Charmaraman. Especially if your child has an older sibling, or friends with older siblings, it’s likely that they’ve engaged with social media in some way.

Charmaraman recommends initiating a conversation about social media when a child is in late elementary or middle school, then gradually “onboarding” them onto social media with a lot of structure, rules, and oversight at first. It’s easier to be proactive about social media guidelines than to try to undo bad habits that have been cemented over years. “Prepare, as opposed to repair,” she says. (If you have an older teen, not all hope is lost—but more on that later.)

How to Talk to Your Kids About Social Media and Mental Health

Unlike web browsers, mobile apps increasingly make it difficult or impossible to see what companies are really doing with your data. The answer? An inspectability API.

In today’s digital world, injustice lurks in the shadows of the Facebook post that’s delivered to certain groups of people at the exclusion of others, the hidden algorithm used to profile candidates during job interviews, and the risk-assessment algorithms used for criminal sentencing and welfare fraud detention. As algorithmic systems are integrated into every aspect of society, regulatory mechanisms struggle to keep up.

Over the past decade, researchers and journalists have found ways to unveil and scrutinize these discriminatory systems, developing their own data collection tools. As the internet has moved from browsers to mobile apps, however, this crucial transparency is quickly disappearing.

Third-party analysis of digital systems has largely been made possible by two seemingly banal tools that are commonly used to inspect what’s happening on a webpage: browser add-ons and browser developer tools.

Browser add-ons are small programs that can be installed directly onto a web browser, allowing users to augment how they interact with a given website. While add-ons are commonly used to operate tools like password managers and ad-blockers, they are also incredibly useful for enabling people to collect their own data within a tech platform’s walled garden.

Similarly, browser developer tools were made to allow web developers to test and debug their websites’ user interfaces. As the internet evolved and websites became more complex, these tools evolved too, adding features like the ability to inspect and change source code, monitor network activity, and even detect when a website is accessing your location or microphone. These are powerful mechanisms for investigating how companies track, profile, and target their users.

I have put these tools to use as a data journalist to show how a marketing company logged users’ personal data even before they clicked “submit” on a form and, more recently, how the Meta Pixel tool (formerly the Facebook Pixel tool) tracks users without their explicit knowledge in sensitive places such as hospital websites, federal student loan applications, and the websites of tax-filing tools.

In addition to exposing surveillance, browser inspection tools provide a powerful way to crowdsource data to study discrimination, the spread of misinformation, and other types of harms tech companies cause or facilitate. But in spite of these tools’ powerful capabilities, their reach is limited. In 2023, Kepios reported that 92 percent of global users accessed the internet through their smartphones, whereas only 65 percent of global users did so using a desktop or laptop computer.

Though the vast majority of internet traffic has moved to smartphones, we don’t have tools for the smartphone ecosystem that afford the same level of “inspectability” as browser add-ons and developer tools. This is because web browsers are implicitly transparent, while mobile phone operating systems are not.

If you want to view a website in your web browser, the server has to send you the source code. Mobile apps, on the other hand, are compiled, executable files that you usually download from places such as Apple’s iOS App Store or Google Play. App developers don’t need to publish the source code for people to use them.

Similarly, monitoring network traffic on web browsers is trivial. This technique is often more useful than inspecting source code to see what data a company is collecting on users. Want to know which companies a website shares your data with? You’ll want to monitor the network traffic, not inspect the source code. On smartphones, network monitoring is possible, but it usually requires the installation of root certificates that make users’ devices less secure and more vulnerable to man-in-the-middle attacks from bad actors. And these are just some of the differences that make collecting data securely from smartphones much harder than from browsers.

The need for independent collection is more pressing than ever. Previously, company-provided tools such as the Twitter API and Facebook’s CrowdTangle, a tool for monitoring what’s trending on Facebook, were the infrastructure that powered a large portion of research and reporting on social media. However, as these tools become less useful and accessible, new methods of independent data collection are needed to understand what these companies are doing and how people are using their platforms.

To meaningfully report on the impact digital systems have on society, we need to be able to observe what’s taking place on our devices without asking a company for permission. As someone who has spent the past decade building tools that crowdsource data to expose algorithmic harms, I believe the public should have the ability to peek under the hood of their mobile apps and smart devices, just as they can on their browsers. And it’s not just me: The Integrity Institute, a nonprofit working to protect the social internet, recently released a report that lays bare the importance of transparency as a lever to achieve public interest goals like accountability, collaboration, understanding, and trust.

To demand transparency from tech platforms, we need a platform-independent transparency framework, something that I like to call an inspectability API. Such a framework would empower even the most vulnerable populations to capture evidence of harm from their devices while minimizing the risk of their data being used in research or reporting without their consent.

An application programming interface (API) is a way for companies to make their services or data available to other developers. For example, if you’re building a mobile app and want to use the phone’s camera for a specific feature, you would use the iOS or Android Camera API. Another common example is an accessibility API, which allows developers to make their applications accessible to people with disabilities by making the user interface legible to screen readers and other accessibility tools commonly found on modern smartphones and computers. An inspectability API would allow individuals to export data from the apps they use every day and share it with researchers, journalists, and advocates in their communities. Companies could be required to implement this API to adhere to transparency best practices, much as they are required to implement accessibility features to make their apps and websites usable for people with disabilities.

In the US, residents of some states can request the data companies collect on them, thanks to state-level privacy laws. While these laws are well-intentioned, the data that companies share to comply with them is usually structured in a way that obfuscates crucial details that would expose harm. For example, Facebook has a fairly granular data export service that allows individuals to see, amongst other things, their “Off-Facebook activity.” However, as the Markup found during a series of investigations into the use of Pixel, even though Facebook told users which websites were sharing data, it did not reveal just how invasive the information being shared was. Doctor appointments, tax filing information, and student loan information were just some of the things that were being sent to Facebook. An inspectability API would make it easy for people to monitor their devices and see how the apps they use track them in real time.

Some promising work is already being done: Apple’s introduction of the App Privacy Report in iOS 15 marked the first time iPhone users could see detailed privacy information to understand each app’s data collection practices and even answer questions such as, “Is Instagram listening to my microphone?”

But we cannot rely on companies to do this at their discretion—we need a clear framework to define what sort of data should be inspectable and exportable by users, and we need regulation that penalizes companies for not implementing it. Such a framework would not only empower users to expose harms, but also ensure that their privacy is not violated. Individuals could choose what data to share, when, and with whom.

An inspectability API will empower individuals to fight for their rights by sharing the evidence of harm they have been exposed to with people who can raise public awareness and advocate for change. It would enable organizations such as Princeton’s Digital Witness Lab, which I cofounded and lead, to conduct data-driven investigations by collaborating closely with vulnerable communities, instead of relying on tech companies for access. This framework would allow researchers and others to conduct this work in a way that is safe, precise, and, most importantly, prioritizes the consent of the people being harmed.

The Internet Is Turning Into a Data Black Box. An ‘Inspectability API’ Could Crack It Open

The hackers, who mostly targeted victims in Hong Kong, also hijacked Microsoft’s trust model to make their malware harder to detect.

Every software supply chain attack, in which hackers corrupt a legitimate application to push out their malware to hundreds or potentially thousands of victims, represents a disturbing new outbreak of a cybersecurity scourge. But when that supply chain attack is pulled off by a mysterious group of hackers, abusing a Microsoft trusted software model to make their malware pose as legitimate, it represents a dangerous and potentially new adversary worth watching.

Today, researchers on the Threat Hunter Team at Broadcom-owned security firm Symantec revealed that they'd detected a supply chain attack carried out by a hacker group that they've newly named CarderBee. According to Symantec, the hackers hijacked the software updates of a piece of Chinese-origin security software known as Cobra DocGuard, injecting their own malware to target about 100 computers across Asia, mostly in Hong Kong. Though some clues, like the exploitation of DocGuard and other malicious code they installed on victim machines, loosely link CarderBee with previous Chinese state-sponsored hacking operations, Symantec declined to identify CarderBee as any previously known group, suggesting it may be a new team.

Beyond the usual disturbing breach of trust in legitimate software that occurs in every software supply chain, Symantec says, the hackers also managed to get their malicious code—a backdoor known as Korplug or PlugX and commonly used by Chinese hackers—digitally signed by Microsoft. The signature, which Microsoft typically uses to designate trusted code, made the malware far harder to detect.

“Any time we see a software supply chain attack, it’s somewhat interesting. But in terms of sophistication, this is a cut above the rest,” says Dick O'Brien, a principal intelligence analyst on Symantec's research team. “This one has the hallmarks of an operator who knows what they’re doing.”

Cobra DocGuard, which is ironically marketed as security software for encrypting and protecting files based on a system of users' privileges inside an organization, has around 2,000 users, according to Symantec. So the fact that the hackers chose just 100 or so machines on which to install their malware—capable of everything from running commands to recording keystrokes—suggests that CarderBee may have combed thousands of potential victims to specifically target those users, O’Brien argues. Symantec declined to name the targeted victims or say whether they were largely government or private sector companies.

The Cobra DocGuard application is distributed by EsafeNet, a company owned by the security firm Nsfocus, which was founded in Mainland China in 2000 but now describes its headquarters as Milpitas, California. Symantec says it can't explain how CarderBee managed to corrupt the company's application, which in many software supply chain attacks involves hackers breaching a software distributor to corrupt their development process. Nsfocus didn't respond to WIRED's request for comment.

Symantec's discovery isn't actually the first time that Cobra DocGuard has been used to distribute malware. Cybersecurity firm ESET found that in September of last year a malicious update to the same application was used to breach a Hong Kong gambling company and plant a variant of the same Korplug code. ESET found that the gambling company also had been breached via the same method in 2021.

ESET pinned that earlier attack on the hacker group known as LuckyMouse, APT27, or Budworm, which is widely believed to be based in China and has for more than a decade targeted government agencies and government-related industries, including aerospace and defense. But despite the Korplug and CobraGuard connections, Symantec says it's too early to link the wider supply chain attack it has uncovered to the group behind the previous incidents.

“You can't rule out the idea that one APT group compromises this software, and then it becomes known that this software is vulnerable to this kind of compromise, and somebody else does it as well,” says Symantec's O'Brien, using the term APT to mean “advanced, persistent threat,” a common industry term for state-sponsored hacker groups. “We don't want to jump to conclusions.” O'Brien notes that another Chinese group, known as APT41 or Barium, has also carried out numerous supply chain attacks—perhaps more than any other team of hackers—and has used Korplug, too.

To add to the attack's stealth, the CarderBee hackers managed to somehow deceive Microsoft into lending extra legitimacy to their malware: They tricked the company into signing the Korplug backdoor with the certificates Microsoft uses in its Windows Hardware Compatibility Publisher program to designate trusted code, making it look far more legit than it is. That program typically requires a developer to register with Microsoft as a business entity and submit their code to Microsoft for approval. But the hackers appear to have obtained a Microsoft signature through either developer accounts they created themselves or obtained from other registered developers. Microsoft didn't respond to WIRED's request for more information on how it ended up signing malware used in the hackers' supply chain attack.

Malware that's signed by Microsoft is a long-running problem. Getting access to a registered developer account represents a hurdle to hackers, says Jake Williams, a former US National Security Agency hacker now on faculty at the Institute for Applied Network Security. But once that account is obtained, Microsoft is known to take a lax approach to vetting registered developers' code. “They typically sign whatever you, as the developer, submit,” Williams says. And those signatures can, in fact, make malware far harder to spot, he adds. “So many folks, when they threat-hunt, they start by exempting things that are signed by Microsoft,” Williams says.

That code-signing trick, combined with a well-executed supply chain attack, suggests a level of sophistication that makes CarderBee uniquely worthy of tracking, says Symantec's O'Brien—even for those outside of its current targeting in Hong Kong or Chinese neighbor countries. Regardless of whether you’re in China’s orbit, says O’Brien, “it’s certainly one to look out for.”

New Supply Chain Attack Hit Close to 100 Victims—and Clues Point to China

Telehealth companies that provide abortion pills are surging in popularity. Which are as safe as they claim to be?

A new class of health care startups has emerged in response to the US Supreme Court’s decision to overturn the federal right to abortion last year. These “digital abortion clinics” connect patients with health care providers who are able to prescribe mifepristone and misoprostol, a course of care commonly described as the “abortion pill.”

These services, many of which were founded before _Dobbs v. Jackson_, are poised to eliminate a major paradox in the field of reproductive health: Medication abortion is currently the most common way to terminate a pregnancy, yet only 1 in 4 adults are familiar with it, according to a recent study by KFF.

These clinics operate in different ways—some provide live video visits with doctors and nurse practitioners, while others offer asynchronous counseling—but many have experienced a record number of patient orders (and increased VC funding) over the past year. According to Elisa Wells, cofounder of the nonprofit Plan C, their appeal is straightforward. “Their pricing is quite affordable, and there’s convenience in placing an order and getting pills delivered to your mailbox in three to four days,” she says.

Recent data suggests that telehealth clinics have been effective in expanding access to abortion care, especially for people living in remote areas or in states where the procedure has been criminalized, a finding that Wells’ team corroborates. Thanks to a new series of “shield laws” protecting clinicians from out-of-state prosecution—passed in 12 states, including New York, Maryland, and Illinois—these clinics are positioned to expand their reach even further.

Following the lead of other companies in the femtech space (a category that includes everything from kegel trainers to period-tracking apps), leaders at digital abortion clinics like Hey Jane and Choix have publicly expressed their commitment to users’ privacy as they grow. In a recent interview with _Vogue_, Hey Jane cofounder Kiki Freedman said that the service is “HIPAA-compliant and encrypted.” In an interview with _Ms_. magazine this January, a representative from Choix highlighted its “HIPAA-compliant texting platform,” while another interviewee suggested that “most telehealth providers are not checking IP addresses.” (Read more about how HIPAA actually works here.)

A common belief about virtual clinics is that they offer more discretion than their brick-and-mortar counterparts. “There’s definitely a privacy factor—these sites don’t ask a lot of questions,” says Wells. In a 2020 study of over 6,000 abortion seekers, 39 percent reported choosing a telemedicine option specifically to preserve their privacy. While some providers’ intentions seem genuine, privacy experts have pointed out that their services may not be as secure as users expect them to be (even if they are compliant with US law).

This July, a team of researchers at the Markup reported that Hey Jane’s site passed along user information to Meta and Google, the world’s largest digital advertisers. While providers may not restrict access via IP addresses, our analysis found that most providers readily collected them. For telehealth abortion clinics, HIPAA compliance is just one part of the puzzle.

So which virtual abortion clinics take users’ privacy seriously, and which do not? How can users approach these services with safety in mind? Does HIPAA protect all information sent to telehealth providers? To find out, we teamed up with experts to analyze the privacy policies of five popular abortion-by-mail providers: Wisp, Choix, Hey Jane, Carafem, and Aid Access.

While the American Bar Association reported in April that “high-tech tactics” (like sending court orders to femtech apps) have not been used to successfully convict abortion seekers, prosecutors have used women’s text messages and search histories as evidence in a number of abortion-related cases. Because of this precedent, users should proceed with caution when handing their personal information over to telehealth providers. It’s not uncommon for vulnerable data to end up in the hands of third-party brokers who compile digital profiles of users before selling their information to the highest bidder. Michele Gilman, professor of law at the University of Baltimore, says: “Reproductive health data is being sold and transported into a much larger system.”

To make matters worse, the absence of a comprehensive federal privacy law, like the EU’s General Data Protection Regulation (GDPR), leaves the burden of evaluating privacy policies to individual users. Considering that these policies have gotten longer and more difficult to decipher in recent years, this is a serious burden. For our evaluation, we consulted frameworks from the University of Texas at Austin’s Privacy Lab and the Digital Standard to arrive at four core factors.

Here’s what we found:

Created with Datawrapper

Data Collection (PII)

The GDPR’s American cousin, the California Consumer Privacy Act (CCPA) has inspired proposed state legislation that supports greater protections for a specific category of data—personally identifiable information. While PII is broadly defined, Google interprets it as including email address, full name, precise location, phone number, and mailing address.

The safest websites to use won’t collect your PII at all, but offering a mailing address to a virtual clinic is a matter of necessity here. In this context, it’s helpful to distinguish between companies that use your personal information to provide essential services and those that share this information with third parties. Austria-based nonprofit Aid Access fared the best in this category, encouraging users to access the service with virtual anonymity in its policy. Wisp fared particularly poorly here, citing its ability to send specific geolocation data to advertisers.

The majority of providers we analyzed categorize email addresses and the like as “personal information,” which is only protected by HIPAA if it’s stored alongside medical information. This makes it difficult to judge whether it’s being used appropriately.

_**Low Risk:** PII is not recorded, **Some Risk**: PII is used for intended service, **High Risk:** PII is used by third parties_

Law Enforcement

According to bioethics expert Sharona Hoffman, there’s a common misconception that HIPPA protects your medical information from being shared outside of your doctor’s office. The reality, she says, is that “HIPAA isn’t that protective. Consumers need to know that HIPAA has exceptions for law enforcement and public health.”

While the law provides safeguards for a particular subset of information (personal health information), it doesn’t cover all of the information you provide to a telehealth service. Even if it did apply, the rule _allows_ (but does not _require_) health care providers to expose PHI when presented with a search warrant or other legal document. While providers could technically refuse these requests, most don’t. “It’s easier to comply rather than involve your medical office in litigation,” says Gilman.

Aid Access is a notable exception and has a track record of standing up to law enforcement (it even sued the US Food and Drug Administration last year.) When examining privacy policies, UT’s Privacy Lab recommends looking at companies’ willingness to hand over any data in the absence of a warrant or other legal document. Neither Carafem, Wisp, Hey Jane, nor Choix specify that they would require a warrant before sending information to government agencies or other legal entities.

_**Low Risk:** PII is not recorded, **Some Risk:** Legal documents are required to comply with law enforcement, **High Risk:** Legal documents are not required to comply with law enforcement_

Data Control (Deletion)

Sites that offer users more control over their data can deliver better privacy than those that don’t. While low-risk sites will allow you to delete and edit your information freely, some medical information that users provide to virtual clinics will still be out of reach. This is due to state-specific medical record retention laws, which can require health care entities to retain some records for up to 25 years.

Examining how much control companies give users over other information is a better proxy for understanding their general safety. While most of the providers we analyzed included data deletion protocols in their privacy policies, Choix and Hey Jane’s do not. In addition, the latter confirms that it retains data for an unspecified (“reasonable”) period of time.

While Wisp does offer a deletion protocol, it admits that requests can be refused for a variety of reasons, including “exercising free speech” and “internal and lawful uses” on behalf of itself or its affiliates. In addition to responding to requests, privacy-forward organizations will also proactively delete sensitive information, something Carafem does. However, Carafem does not specify a timeline or provide a general deletion request protocol. By contrast, Aid Access allows users to file deletion requests at will for most information.

_**Low Risk:** Users can edit or delete data, **Some Risk:** Users can edit data, **High Risk:** Users cannot edit or delete data_

Third-Party Sharing (Ads and Marketing)

Research scientist and privacy expert Razieh Nokhbeh Zaeem calls personally identifiable information the “currency of the internet” because of the myriad ways individualized data is collected, bought, and sold across industries. While almost all websites work with third parties in some way, telehealth companies should not sell or share your information with advertisers—but many do, as evidenced by Betterhelp’s recent settlement with the Federal Trade Commission.

If a company is collecting sensitive information and using it to market products and services to you, that presents some risk. If a company shares this information with _other_ companies to support _their_ marketing efforts, it’s a major red flag. As the Markup rightly points out in its privacy policy guide, mentions of “personalization” and “improving services” in these documents usually equate to ad tracking.

According to its privacy policy, Hey Jane uses personal data (and PII) to market its own services (“inform you about products”), while Carafem, Wisp, and Choix reserve the right to pass along information to third-party marketing partners. Choix’s policy claims that it “will never sell your data for third-party marketing purpose\[s\]” in one section but reserves the right to disclose data to its affiliates for “marketing” purposes in another.

Rather than limiting or removing the third-party trackers installed on their sites, some providers recommend that users generally opt out of cookie-based advertising within their policies, a strategy that is far from foolproof.

_**Low Risk:** PII is not used for marketing or advertising, **Some Risk:** PII is used for marketing/advertising, **High Risk:** PII shared with third parties for marketing/advertising_

The Bottom Line

In a post-_Roe_ America, virtual abortion clinics provide an essential service, especially for people living in states that criminalize care. Early indicators have shown that they increase access to safe and effective abortion medications, but they don’t offer as much privacy as users are led to believe. With the exception of Aid Access, all of the providers we analyzed have a long way to go when it comes to protecting users’ privacy and earning their trust.

To manage risk when approaching these services (and accessing other information about abortion in hostile states), educators at the Digital Defense Fund recommend reducing your footprint by using privacy-forward search engines like DuckDuckGo, creating temporary email accounts for abortion care, and turning off location tracking on all of your devices.

While engaging in defensive tactics like these are practically useful, legal scholars like Gilman suggest that the reproductive justice movement will advance only when federal and state governments no longer rely on an outdated “notice and consent” paradigm for data privacy. “We need _meaningful_ consent in the reproductive health space,” says Gilman. “Privacy policies today are more like adhesion contracts—suggesting that users ‘take it or leave it.’ It’s not realistic or fair to tell people they can’t engage with technology if they want to protect their privacy.”

Gilman recommends advocating at the state level for better privacy standards, especially if your representatives are considering new legislation. She also encourages people to demand increased protections from private companies, many of which are more flush with the “currency of the internet” than they would have us believe.

The Most Popular Digital Abortion Clinics, Ranked by Data Privacy

Pixel Binary Transparency is the latest security benefit for Pixel owners.

It's not in Google's best interests for its smartphones to be easily compromised, and the tech giant has just rolled out a new security feature that for now is exclusive to Pixel devices: Pixel Binary Transparency.

You can think of it like a certificate of authenticity for your phone. It proves that the Pixel handset you have in your hands is the genuine article and not one that's been modified at the software level—potentially with security consequences.

While this is Pixel-only at the moment, it joins the existing Android Verified Boot feature in making sure that the phone that's in your hand hasn't been tampered with in any way—perhaps even before it reached you.

Along with speedy software updates, exclusive apps, and top-level camera performance, Google wants this new security feature to be another reason you'll buy a Pixel over anything else—and here's how it works.

The Security Problem

Are you sure your Pixel hasn't been compromised?

Photograph: Google

There are a lot of steps along the way before your new smartphone reaches you in its tidily cellophaned box, and all of those steps can be exploited by bad actors looking to take control of your device. If you think that opening a factory-fresh device means you don't have any security concerns to worry about, you'd be wrong.

Malware can be inserted into software code—Android software code, in this case—before a new handset gets put in the box. Remember that, as well as the basic Android operating system, you have additions by carriers and manufacturers (including Google and Samsung), not to mention a host of third-party libraries and open source code that all today's software is built on.

It only takes one part of the supply chain process to get exploited—one check that isn't carried out, or one assumption that is wrong—for devices to be put at risk. These attacks can also be launched once you start using your phone, with ostensibly safe apps unknowingly taken over by harmful code. Over-the-air software updates can also be hijacked before reaching users.

If you think about all the businesses involved in maintaining the software on your phone, from individual app developers to corporations such as Google, that's a lot of attack surfaces for hackers to consider. These kinds of attacks are on the rise too. All of this doesn't even consider the secondhand market as well, where used and refurbished Android devices (and especially Pixel phones, in this case) sold by prior owners come with no such guarantees that they're fresh installations of Android that are safe and clear of malware.

Google's Android Fixes

A Merkle tree is used to verify software.

Courtesy of David Nield

In simple terms, the new Pixel Binary Transparency checks the Android operating system on a Pixel phone to make sure the code is exactly as it should be. It's a bit like checking the authenticity of a painting, looking for signs of tampering, or checking that all the office doors and windows are locked at the end of the day. Google has written about the new feature in a blog post, and it says the feature will be built upon in the future.

More specifically, the new Android safety measure uses public cryptographic logs—digital bookkeeping systems—to show what a Pixel installation should look like. Entries can be appended to these logs when new software is released, but they can't be changed or deleted. In other words, any unauthorized edits are going to stand out.

The logs use what's known as a Merkle tree to maintain the integrity of the records within them, a cryptographic structure that speeds up the process of checking large amounts of data for any tampering. The approach means that much smaller portions of data can be analyzed to identify whether or not any changes have been made.

While Google itself admits that most users won't need the Pixel Binary Transparency feature because of the other safeguards already in place on Android, you can in fact try it out on your own Pixel phone or tablet. You're going to need to be familiar with compiling code and using the Android Debug Bridge (ADB) software that lets you analyze Android devices from a computer.

Pixel Binary Transparency complements the existing Android Verified Boot (AVB) safeguard, which works in a similar way. The instant that an Android device boots up, it looks for a special software “signature” (a little like a password) verifying that all is well, the software is untampered with, and the boot process can continue. As with Pixel Binary Transparency, any tampering is virtually impossible to conceal. At the same time, AVB also protects the device from being rolled back to older, less secure versions of Android.

Google's New Feature Ensures Your Pixel Phone Hasn't Been Hacked. Here’s How It Works

New research reveals the strategies hackers use to hide their malware distribution system, and companies are rushing to release mitigations for the “Downfall” processor vulnerability on Intel chips.

At the Defcon security conference in Las Vegas last weekend, thousands of hackers competed in a red-team challenge to find flaws in generative AI chat platforms and help better secure these emerging systems. Meanwhile, researchers presented findings across the conference, including new discoveries about strategies to bypass a recent addition to Apple’s macOS that is supposed to flag potentially malicious software on your computer. 

Kids are facing a massive online scam campaign that targets them with fake offers and promotions related to the popular video games _Fortnite_ and _Roblox_. And the racket all traces back to one rogue digital marketing company. The social media platform X, formerly Twitter, has been filing lawsuits and pursuing a strategic legal offensive to oppose researchers who study hate speech and online harassment using data from the social network.

On Thursday, an innovation agency within the US Department of Health and Human Services announced plans to fund research into digital defenses for health care infrastructure. The goal is to rapidly develop new tools that can protect US medical systems against ransomware attacks and other threats.

But wait, there’s more! Each week, we round up the stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A large phishing campaign that’s been active since May has been targeting an array of companies with malicious QR codes in attempts to steal Microsoft account credentials. Notably, researchers from the security firm Cofense observed the attacks against “a major Energy company based in the US.” The campaign also targeted organizations in other industries, including finance, insurance, manufacturing, and tech. Malicious QR codes were used in nearly a third of the emails reviewed by researchers. QR codes have disadvantages in phishing, since victims need to be compelled to scan them for the attack to progress. But they make it more difficult for victims to evaluate the trustworthiness of the URL they’re clicking on, and it’s more likely that emails containing a QR code will reach their target, because it’s more difficult for spam filters to assess QR images included in an attachment like a PDF.

It’s common practice for attackers—both criminal actors and state-backed hackers—to scam or otherwise lure victims from a starting point of mainstream services like email, photo sharing, or social media. Now, research from the security firm Recorded Future attempts to categorize the types of malware most often distributed from these various jumping-off points, and which strategies are most common. The goal was to give defenders deeper insight into the services they need to prioritize securing. The review found that cloud platforms are the most used by attackers, but communication platforms like messaging apps, email, and social media are also widely abused. Pastebin, Google Drive, and Dropbox were all popular among attackers, as are Telegram and Discord.

In response to the “Downfall” Intel processor vulnerability disclosed by Google researchers last week, organizations have been releasing tailored fixes for the flaw. The bug could be exploited by an attacker to grab sensitive information like login credentials or encryption keys. Amazon Web Services, Google Cloud, Microsoft Azure, Cisco, Dell, Lenovo, VMWare, Linux distributions, and many others have all released guidance on responding to the vulnerability. Prior to public disclosure, Intel spent a year developing fixes to distribute across the industry and coordinating to encourage widespread patch release from individual vendors.

Source

Wired