Pro-Palestine demonstrators gather during a vigil for U.S. Airman Aaron Bushnell outside the Israeli Embassy in Washington, on Feb. 26, 2024. Photo: Tom Brenner for The Washington Post via Getty Images

Aaron Bushnell, Who Self-Immolated For Palestine 🇵🇸, Had Grown Deeply Disillusioned With The Military! “I have Been Complicit in The Violent Domination of The World And I Will Never Get The Blood 🩸 🩸🩸 Off My Hands.”

— By Nikita Mazurov | February 28 2024

Aaron Bushnell, the active-duty U.S. Air Force Airman who set himself on fire Sunday to protest Israel’s war on Gaza, appears to have grown disillusioned with the U.S. military and his own role as a service member, according to posts on the online forum Reddit under a handle matching one used by Bushnell.

Bushnell, 25, made international news when he professed that he would “no longer be complicit in genocide” and recorded himself shouting “Free Palestine!” as he burned to death in front of the Israeli Embassy in Washington on Sunday. “I am about to engage in an extreme act of protest,” Bushnell had announced on a livestream before his self-immolation, “but compared to what people have been experiencing in Palestine at the hands of their colonizers is not extreme at all.”

The Reddit posts, by a user named acebush1 and mostly from the past four years, chronicle a young person’s experience struggling with money as the pandemic took hold. The Reddit poster turned to the military and was initially enamored with the Air Force, but quickly came to denounce it.

In the months leading up to Bushnell’s act of self-immolation, several of acebush1’s posts showed how sharply their view of the military had shifted. On the r/Airforce subreddit, a user asked veterans whether, in hindsight, they would still choose to join the military. Acebush1 answered, “Absolutely not.”

“I have been complicit in the violent domination of the world,” they said, “and I will never get the blood off my hands.”

The Intercept analysis linked the acebush1 Reddit account to Bushnell by analyzing his social media activity. In a post on Facebook the same day as his self-immolation, Bushnell had posted a link to the video streaming platform Twitch with the username LillyAnarKitty. Using a Twitch username history tool that identifies a user’s prior account names, The Intercept found that the same Twitch User ID number used by LillyAnarKitty previously employed the handle acebush1.

A Reddit user with the same username — acebush1 — posted over a thousand times since 2014. The Reddit posts mention details that align closely with Bushnell’s life, including being in the Air Force, having a friend who was a conscientious objector, and studying computer science.

As this story was being drafted, acebush1’s posts started to be removed from Reddit. The posts were archived and, though Reddit instantly deletes posts from their new interface, visiting the old-style Reddit user profile page reveals their recently deleted posts.

“A Regret I Will Carry”

The acebush1 Reddit user joined the military soon after posting about their financial struggles at the beginning of the pandemic. On March 19, 2020, acebush1 inquired about becoming an Uber Eats driver. The following month they posted asking for financial help: “HELP – Can’t get stimulus or unemployment benefits, about to run out of money.”

In May, acebush1 posted a photo with the caption “My Dad getting suited up to give me a goodbye? hug before I leave for BMT” — basic military training. According to Bushnell’s LinkedIn page, he enrolled in “Basic & Technical Training” in the Air Force in May 2020.

Several months into enrollment, acebush1 appeared excited by the Air Force, reposting a video of a military aircraft in August 2020 and giving it a heading that said: “Man, the Air Force does some cool-ass shit.”

Acebush1 also regularly posted in various video game Reddit communities, including one dedicated to the video game “Valheim.” In Bushnell’s self-immolation livestream, the liquid container he is carrying has a sticker with the slogan ‘the bees are happy,’ a meme from “Valheim.”

In November 2021, acebush1 made multiple posts asking about advice in pursuing a computer science degree. Bushnell’s LinkedIn profile, which has been memorialized “as a tribute to Aaron Bushnell’s professional legacy,” lists him as having been in the process of pursuing a bachelor’s degree in computer software engineering.

Nearly a year later, acebush1’s posts shifted from largely video game-based content to posts with titles like “Solidarity with Prisoners!” with a link to a Guardian article about an Alabama prison strike, and to reposting a meme image of anarchist philosopher Max Stirner. In 2023, acebush1 made a post with the title “Free Palestine!” and linked to a video of an activist takeover of UAV Tactical Systems, a drone company operated in part by the Israeli defense contractor Elbit Systems.

“I Didn’t Realize What A Huge Mistake It Was Until I Was More Than Halfway Through.”

Shortly after the pro-Palestine post, in June 2023, acebush1 wrote, “I’m sticking it out to the end of my contract as I didn’t realize what a huge mistake it was until I was more than halfway through, and I only have a year left at this point. However it is a regret I will carry the rest of my life.”

The poster mentioned a friend who left the armed services on the basis of conscientious objection; Bushnell’s friend Levi Pierpont, according to the Washington Post, objected and left the military.

Acebush1’s posts became more stridently pro-Palestinian as Israel’s war in Gaza got underway. In one, they denounce Israel as a “settler colonialist apartheid state,” and exclaim that there are no Israeli “civilians” because the entire country is engaged in oppression. They refuse on several occasion to denounce armed Palestinian resistance, saying in the apartheid post that they “work for the air force and would also have no right to complain about violent resistance against my actions.”

In November 2023, acebush1 made another post describing “the moral necessity of getting out.”

In the last few months, acebush1 accelerated their posting across various anarchism-related Reddit communities, as well as on other various communities. “Piracy is always ethical,” acebush1 posted. “If you think that you’re making a difference with who you do and don’t choose to give your money to, you don’t understand how markets work.”

Acebush1’s last Reddit post was on February 24, expounding on how “whiteness erases culture” — a day before Bushnell’s self-immolating direct action. In an earlier post, acebush1 had written, “I’ve never been one for bullshit.”

Amazon's relentless personal data foot-dragging

Sometimes, the best way to understand a failure is to contrast it with a success. Take Amazon, whose avowed “relentlessness” created next-day Prime delivery and AWS, with its power to instantaneously, continuously emit “buckets” of data.

Amazon boasts endlessly about its efficiency, ease of use and speed — which means that whenever you find Amazon being inefficient, hard to use and slow, it’s reasonable to assume that this is a deliberate choice. Like, say, when Amazon is giving you the data it has collected on you.

Nikita Mazurov is a security and privacy researcher with The Intercept. Noting that Amazon is now legally required (under California’s CCPA) to show him all the data it has gathered on him, he placed a request for that data. Therein begins the tale.

https://theintercept.com/2022/03/27/amazon-personal-data-request-dark-pattern/

Amazon — home of one-day delivery of physical goods — took 19 days to deliver that data. During those 19 days, it required Mazurov to jump through innumerable hoops, and, on six separate occasions, tried to divert him to his “Your Account” page where “you can access a lot of your data instantly.”

The data, when delivered, came as 74 separate .zip files, with no “download all” button. Once Mazurov manually downloaded those files — clicking 74 links in succession and piecing the data together — it became apparent that the thin, sanitized stream of data on his “Your Account” page was a translucent scrim over a massive block of data Amazon had squirreled away on him.

It’s…a lot: search keywords, chat logs, conversations with buyers and sellers, your IP addresses, how many search results you click on/add to your basket/buy, and mystery data like “Shopping Refinement” whose values are things like “26,444,740,832,600,000.”

Amazon retains data you’ve explicitly deleted (like old shipping addresses), which exposes you to risk by providing answers to other services’ verification questions (“What was your first street address?”).

There are also files on everything you watched on Prime Video, everything you read on a Kindle, everything you listened to on Amazon Music, everything you uttered to an Alexa, and every game you played on Amazon Games. Mazurov doesn’t use these, so he wasn’t able to say how detailed they are, but given the overall level of detail, it’s likely pretty granular.

This is where the contrast between Amazon’s failures and successes come in. As Mazurov notes, one of the zip files lists 167 corporations who were sold access to his personal data, ranging from the Royal Bank of Canada to Fitbit to HCA Healthcare. It’s a sure bet that when Amazon sells your data to these customers, it comes as a ready-to-use product, not 74 .zip files.

The gap between Amazon’s “relentless” efficiency and its bumbling, Kafkaeque data delivery couldn’t be more stark. Think of Amazon’s product philosophy, it’s one-click, Buy Now seamlessness versus this clunky, foot-dragging malicious compliance.

Here’s Amazon’s design philosophy: “If you have to click multiple buttons, if you have to wait for too long, if you have to answer a lot of information — all of those things create friction, and friction exponentially kills the joy of shopping.”

https://www.cnbc.com/amazon-rising/

When Amazon is getting something from you, it is a marvel of efficiency. As Mazurov points out, when you want your data from Amazon, you fill in a form, then another form, then get misdirected six times to the “Your Account” page. Meanwhile, when Amazon wants to get your data, it takes it, silently, efficiently, insatiably — and relentlessly.

Amazon doesn’t let the sensitivity of that data interfere with its product development, either. In contrast to its competitors, Amazon has a long history of treating customer records as a free-for-all, with no effective controls on how internal teams can access, copy and use your data.

https://revealnews.org/article/inside-amazons-failures-to-protect-your-data-internal-voyeurs-bribery-schemes-and-backdoor-access/

That has led to innumerable, completely predictable scandals, including insider attacks that spied on users — and blackmailed them. The company sidelined the security professionals it hired to clean up these processes, treating them as overly cautious killjoys. Eventually, it solved the problem by promoting unqualified people who wouldn’t raise inconvenient objections — leading to a world-class breach:

https://www.wired.com/story/amazon-failed-to-protect-your-data-investigation/

Mazurov wondered if this chaotic data-handling practice might be behind Amazon’s sluggish response to his request, but an Amazon’s spokesperson vigorously denied that the company’s security incompetence was to blame for its inability to deliver his data in a timely fashion.

Mazurov calls all the misdirection and delay a “dark pattern,” revealing just how broad (verging on useless) that term has become. We have a perfectly well-understood term for telling a user that the “Your Account” screen has the data they’re seeking when it doesn’t. We call that “a lie.”

I think we should get back to calling tech company fraud “fraud,” rather than “dark patterns.” It’s one thing to have a giant “OK” button and a tiny, grey-on-white “I do not consent” link hidden in a corner of the screen. But when we call straight-up frauds “dark patterns,” we engage in “criti-hype” — Lee Vinsel’s term for criticism that amplifies the tech companies’ own self-mythologizing:

https://pluralistic.net/2021/09/30/dont-believe-the-criti-hype/#ordinary-mediocrities

“Dark patterns” implies some kind of data-driven mastery of the blind spots of the human critical faculty. But when you try to buy n plane tickets from Fareportal and it shows you a false message stating that there are n+1 left, that’s not a “dark pattern,” that’s “lying.”

https://freedom-to-tinker.com/2022/03/21/holding-purveyors-of-dark-patterns-for-online-travel-bookings-accountable/

Amazon’s data handling looks chaotic from the outside. For example, it somehow managed to delete Nelson Minar’s entire history from Goodreads: 600 titles, 250 reviews.

https://www.somebits.com/weblog/tech/bad/goodreads-lost-all-my-data.html

Minar thinks it might have been a malicious deletion request from someone who hacked his account and then used CCPA to demand deletion to cover their tracks:

https://help.goodreads.com/s/article/How-do-I-cancel-my-account-1553870935772

But as we see with Mazurov’s case, Amazon has more than one way to handle those requests. When retrieval might reveal Amazon’s overcollection, the company takes 19 days to comply, and tries to divert you to a misleading page six times. When you explicitly delete information from Amazon that it can use for data-mining, it keeps the data and flags it “Is Address Active: No.”

This all makes sense when you recognize that Amazon’s relentlessness is pursuit of profit, not provision of service. Amazon will provide good service when it is profitable to do so — but when it is more profitable to put you at risk, then that’s the choice it makes.

DU™ #Repost @abjective ・・・ Play hard. 24-27 august @synthposium Line-up: 101 — LT Ave Eva aka Ghostape — CH Barker — DE Baseck — US Biodread — FIN Denis Kaznacheev & Fake Electronics — RU/DE Ekke Västrik — EST Frank Muller aka Beroshima — DE Felix K — DE Interval — US Jacek Sienkiewicz — PL Karsten Pflum — DK Konakov — UA Max Cooper — UK Mehmet Aslan — CH Morgan Fisher — JP/UK Morphology — FIN Mustelide — BLR Opuswerk — CH Peter Kirn — DE PRCDRL aka Procedural — DE Richard Devine — US Richard Fearless of Death in Vegas — UK Robert Aiki Aubrey Lowe — US Solar X — UK Synxron — UA Taeji Sawai — JP Thomas P Heckmann — DE Todd Sines — US Ulrich Schnauss — DE Vertical Silence — US Abjective Alex Pleninger Alexander Ivanov Alexey Yepishev Ambidextrous Amnfx Analog Sound Andrey Orlov Anton Lanski Bad Zu Black Lenin BMB Spacekid Caprithy Celebrine Chizh Compass-Vrubell Corell dHET Dmitri Mazurov Dyad and the Sleepers Club DZA Egor Sukharev aka Khz Fedor Vetkalov Fizzarum Gamayun Gestalt Grisha Nelyubin HMOT Igor Starshinov Indeepend Interchain Julia Dia Karolina Bnv Kovyazin D Kurvenschreiber Laiva Lapti Leafage Linja Magnetic Poetry Maria Teriaeva Maksim Panfilov Meow Moon Midimode aka MDMD Misha Alexeev Nord City Odopt OID OL Operator Uno Perfect Human Phayah Pinkshinyultrablast Prisheletz PTU Rewired Rhizome aka Nikita Zabelin Roman Filippov aka Filq Rozet Saburov Secrets of the Third Planet Sestrica Sickdisco aka Cross Sofist Suokas Symphocat Timur Omar Tripmastaz Unbalance Unbroken Dub Vanya Limb Vtgnike Expo — music tech interactive exhibition and showcase: All For DJ Alex Pleninger Alexey Taber ASD — Analog Sound Devices DNGR:TECH Deckard's Dream Erica Synths — LV Eternal Engine EMI Eugene Yakshin L-1 Synthesizer — BLR Logich Synth Service MDR. Modular Motovilo Audio Lab Playtronica Pioneer Polivoks Popobawa Sound Pribore Electronics Roland SOMA Laboratory Sputnik Modular SSSR Labs Sur Modular Svarog Audio Synthman Synthfox Synthstrom Audible — NZ Tiptop Audio Uoki-Toki VG Line Warm Place Yamaha Zll Modular Zvukofor Sound Labs On Air — lectures, public talks, discussions, workshops, presentations: Alex Pleninger Andrey Orlov Baseck Dmitry Churikov Dmitry

Play hard. 24-27 august @synthposium Line-up: 101 — LT Ave Eva aka Ghostape — CH Barker — DE Baseck — US Biodread — FIN Denis Kaznacheev & Fake Electronics — RU/DE Ekke Västrik — EST Frank Muller aka Beroshima — DE Felix K — DE Interval — US Jacek Sienkiewicz — PL Karsten Pflum — DK Konakov — UA Max Cooper — UK Mehmet Aslan — CH Morgan Fisher — JP/UK Morphology — FIN Mustelide — BLR Opuswerk — CH Peter Kirn — DE PRCDRL aka Procedural — DE Richard Devine — US Richard Fearless of Death in Vegas — UK Robert Aiki Aubrey Lowe — US Solar X — UK Synxron — UA Taeji Sawai — JP Thomas P Heckmann — DE Todd Sines — US Ulrich Schnauss — DE Vertical Silence — US Abjective Alex Pleninger Alexander Ivanov Alexey Yepishev Ambidextrous Amnfx Analog Sound Andrey Orlov Anton Lanski Bad Zu Black Lenin BMB Spacekid Caprithy Celebrine Chizh Compass-Vrubell Corell dHET Dmitri Mazurov Dyad and the Sleepers Club DZA Egor Sukharev aka Khz Fedor Vetkalov Fizzarum Gamayun Gestalt Grisha Nelyubin HMOT Igor Starshinov Indeepend Interchain Julia Dia Karolina Bnv Kovyazin D Kurvenschreiber Laiva Lapti Leafage Linja Magnetic Poetry Maria Teriaeva Maksim Panfilov Meow Moon Midimode aka MDMD Misha Alexeev Nord City Odopt OID OL Operator Uno Perfect Human Phayah Pinkshinyultrablast Prisheletz PTU Rewired Rhizome aka Nikita Zabelin Roman Filippov aka Filq Rozet Saburov Secrets of the Third Planet Sestrica Sickdisco aka Cross Sofist Suokas Symphocat Timur Omar Tripmastaz Unbalance Unbroken Dub Vanya Limb Vtgnike Expo — music tech interactive exhibition and showcase: All For DJ Alex Pleninger Alexey Taber ASD — Analog Sound Devices DNGR:TECH Deckard's Dream Erica Synths — LV Eternal Engine EMI Eugene Yakshin L-1 Synthesizer — BLR Logich Synth Service MDR. Modular Motovilo Audio Lab Playtronica Pioneer Polivoks Popobawa Sound Pribore Electronics Roland SOMA Laboratory Sputnik Modular SSSR Labs Sur Modular Svarog Audio Synthman Synthfox Synthstrom Audible — NZ Tiptop Audio Uoki-Toki VG Line Warm Place Yamaha Zll Modular Zvukofor Sound Labs On Air — lectures, public talks, discussions, workshops, presentations: Alex Pleninger Andrey Orlov Baseck Dmitry Churikov Dmitry Morozov — ::vtol:: TBA... (at WINZAVOD Contemporary Art Center)

Forget A Ban — Why Are Journalists Using TikTok In The First Place?

I’m a Security Researcher Working in the Journalism Field, and I’m Here to Rain on Your Dangerous, Dumb Parade.

— Nikita Mazurov | April 7, 2024

The TikTok logo displayed on a laptop screen with a glowing keyboard in Krakow, Poland, on March 3, 2024. Photo: Klaudia Radecka/NurPhoto via Getty Images

As Far As I know, there are no laws against eating broken glass. You’re free to doomscroll through your cabinets, smash your favorite water cup, then scarf down the shards.

A ban on eating broken glass would be overwhelmingly irrelevant, since most people just don’t do it, and for good reason. Unfortunately, you can’t say the same about another dangerous habit: TikTok.

As a security researcher, I can’t help but hate TikTok, just like I hate all social media, for creating unnecessary personal exposure.

As a security researcher working in journalism, one group of the video-sharing app’s many, many users give me heartburn. These users strike a particular fear into my heart. This group of users is — you guessed it — my beloved colleagues, the journalists.

TikTok, of course, isn’t the only app that poses risks for journalists, but it’s been bizarre to watch reporters with sources to protect express concern about a TikTok ban when they shouldn’t be using the platform in the first place. TikTok officials, after all, have explicitly targeted reporters in attempts to reveal their sources.

My colleagues seem to nonetheless be dressing up as bullseyes.

Ignoring TikTok’s Record

Impassioned pleas by reporters to not ban TikTok curiously omit TikTok’s most egregious attacks on reporters.

In his defense of TikTok, the Daily Beast’s Brad Polumbo offers a disclaimer in the first half of the headline — “TikTok Is Bad. Banning It Would Be Much Worse” — but never expands upon why. Instead, the bulk of the piece offers an apologia for TikTok’s parent company, ByteDance.

Meanwhile, Vox’s A.W. Ohlheiser expatiates on the “both/and” of TikTok, highlighting its many perceived benefits and ills. And yet, the one specific ill, which could have the most impact on Ohlheiser and other reporters, is absent from the laundry list of downsides.

The record is well established. In an attempt to identify reporters’ sources, ByteDance accessed IP addresses and other user data of several journalists, according to a Forbes investigation. The intention seems to have been to track the location of the reporters to see if they were in the same locations as TikTok employees who may have been sources for stories about TikTok’s links to China.

— Not Only Did TikTok Surveil Reporters In Attempts To Identify Their Sources, But The Company Also Proceeded To Publicly Deny Having Done So.

“TikTok does not collect precise GPS location information from US users, meaning TikTok could not monitor US users in the way the article suggested,” the TikTok communication team’s account posted on X in response to Forbes’s initial reporting. “TikTok has never been used to ‘target’ any members of the U.S. government, activists, public figures or journalists.”

Forbes kept digging, and its subsequent investigation found that an internal email “acknowledged that TikTok had been used in exactly this way,” as reporter Emily Baker-White put it.

TikTok did various probes into the company’s accessing of U.S. user data; officials were fired and at least one resigned, according to Forbes. That doesn’t change the basic facts: Not only did TikTok surveil reporters in attempts to identify their sources, but the company also proceeded to publicly deny having done so.

And Now, Service Journalism For Journalists

For my journalism colleagues, there may well be times when you need to check TikTok, for instance when researching a story. If this is the case, you should follow the operational security best practice of compartmentalization: keeping various items separated from one another.

In other words, put TikTok on a separate “burner” device, which doesn’t have anything sensitive on it, like your sources saved in its contacts. There’s no evidence TikTok can see, for example, your chat histories, but it can, according to the security research firm Proofpoint, access your device’s location data, contacts list, as well as camera and microphone. And, as as a security researcher, I like to be as safe as possible.

And keep the burner device in a separate location from your regular phone. Don’t walk around with both phones turned on and connected to a cellular or Wi-Fi network and, for the love of everything holy, don’t take the burner to sensitive source meetings.

— Dumb USA 🇺🇸: China 🇨🇳 Is Coming! China 🇨🇳 is Coming! China 🇨🇳 Is Coming!

You can also limit the permissions that your device gives to TikTok — so that you’re not handing the app your aforementioned location data, contacts list, and camera access — and you should. Only allow the app to do things that are required for the app to run, and only run enough to do your research.

And don’t forget, this is all for your research. When you’re done looking up whatever in our hellscape tech dystopia has brought you to this tremendous time suck, the burner device should be wiped and restored to factory defaults.

The security and disinformation risks posed to journalists are, of course, not unique to TikTok. They permeate, one way or another, every single social media platform.

That doesn’t explain journalists’ inscrutable defense of a medium that is actively working against them. It’s as clear as your favorite water cup.

How to leak a Zoom meeting

With the world in lockdown, most "white-collar" crime (AKA "world-destroying corruption and looting") now takes place over Zoom. If you witness such a crime, you might be tempted to record the meeting and leak it to a journalist.

But leaking Zoom recordings is seriously fraught because they are full of personally identifying details. Some of these are "traitor-tracing" mechanisms, others are intrinsic to Zoom, and still others come from your end of the recording.

https://theintercept.com/2021/01/18/leak-zoom-meeting/

Nikita Mazurov's guide to anonymizing Zoom videos for The Intercept tackles each of these classes of identifiers.

Traitor-tracing: Zoom meeting hosts have the option to add visual and audio watermarks to their videos.

The visual ones are perceptible - displaying your name/email on the screen so that it will be present in any video-grab - but the audio watermarks are a series of ultrasound chirps with unique identifiers in them.

It's not clear where the audio watermark is inserted; Marzurov hypothesizes that the ultrasonic watermarks are inserted by your copy of the Zoom client, so using an external recording tool might bypass them.

Another important identifier in Zoom recordings is the arrangement of the other participants; this is different for every viewer.

Any recording will reveal information that could identify the leaker: not just the user's OS, but also pop-up alerts about emails and messages.

Source protection with Zoom captures is really hard - but that's all the more reason for this discussion to take place in earnest.