Thursday, February 28, 2019

The Truth Behind Momo - A Cybersecurity Expert Calls for Education

Preview of  the Upcoming Peppa Phone Phreaking Scandal

I wrote this article in collaboration with Pete Jacob, cybersecurity expert to some of the world’s top amusement parks, concerning the Momo hoax and what we can learn from it. 

Momo isn't real. YouTube videos were not "hacked." There's not much more to it, but let's explore, from a cybersecurity standpoint, why this is such an interesting phenomenon and why teaching the public about cybersecurity could have quashed the whole thing before it started.

Keisuke Aisawa didn't intend to incite mass panic when they designed a nightmarish "Mother Bird" sculpture.
Talents include: Hacking without having arms, Staring Contests
Rather, the sculpture references tormented spirits found in Chinese folklore. But the pictures were shared online and, like all good art, it inspired someone - they renamed the creature "Momo" and concocted a crazy story. 

Pirate Pitfalls


It was alleged that Momo was hacking into Peppa Pig content - inserting herself into videos of the friendly pig. A quick search of YouTube turns up thousands of Peppa Pig videos - only some of which are posted by an official, verified source. (Read more about Verified YouTube channels here) The verified channel (marked with a check mark) has some free videos, but also prominently features ads to buy digital editions of the series.

As a business, Peppa has no reason to give you the entirety of their content for free. Some official channels do offer free videos, but they're teasers - things to get you and your children interested in buying digital copies, subscriptions, and merchandise. Or they're monetized - they show ads throughout the video and receive money for your views. If a company is offering their copyrighted goods for free, consider the motives: Are you expected to become hooked on the good? Spread the word? Buy related merchandise? Is it a stunt to generate exposure and feelings of good will?

Note that only one of these videos comes from a verified channel - and the verified search result isn't always first.

I reached out to Peppa Pig and their parent company, Entertainment One, and asked for a link to the official Peppa Pig YouTube accounts to ensure that the "Peppa Pig - Official Channel" and the international equivalents are indeed the only sanctioned accounts. I have not received a response but will update as information becomes available. Unless Peppa tells me otherwise, I have to assume that all unverified accounts are illegally streaming copyrighted work. Peppa does not endorse this content and, because we have no idea what kind of people are posting these, we can't confirm that they aren't splicing weird stuff into the stolen videos (which, though unethical, isn't hacking - I'll explain why in a moment).

When you view pirated content on YouTube, or any platform, you are accepting the possibility that the video has been edited or tampered with in some way. Just as when your LimeWire download of Missy Elliot came with a side of virus, you should not be surprised when something garnered through criminal means contains something unsavory.



What would actually pulling off this Momo thing entail?


Editing two videos together is easy. Search the App Store and you'll find countless apps that promise the ability to merge multiple clips. Hacking, however, is not so simple. First, consider the time and effort someone would have to put into hacking a channel's account. It would require some degree of technical skill or social manipulation to gain access to a password. If passwords aren't easily attainable, we could force our way in. Websites have safeguards in place to hinder hackers from using brute force to access an account, yet it can be done - but think of the know-how required: years of technical experience, speed (Google eyes me with suspicion every time I sign in on a new device - you bet the original channel will be receiving an email concerning a
This is just some WordPress code, but that black background is really spooky.
troubling login), and precision. Once access to the account has been gained, you'd have to upload a video that has either been ripped from a legitimate Peppa Pig source or torrented (this is starting to sound like more trouble than it's worth) edited (more technical skill!) to include a clip of Momo, a figure we've only ever seen still pictures of, talking (so, now we need some artistic skill to make the voice-over convincing). Then we need to make sure all of our hard work will be viewed, so we need to know a little about marketing and SEO. Then we must ensure that if our our painstakingly hacked video does get viewed, people share and talk about it, which might take months to come to fruition. Momo apparently engages children in a challenge, which implies even more videos and some degree of interactivity. All to what end? To scare a child? Where's the money in that?

If a hacker is able to exploit a website as lucrative as YouTube, they'll have bigger bounties on their mind than corrupted pig videos. (Or, maybe they're seeking a career in viral marketing). It's much more likely that if an original Momo video did exist, it was uploaded intentionally to generate profit, which isn't hacking at all.

NOTE: It’s important to mention that YouTube HAS been recently hacked, though not in this exact way. In April 2018, hackers were able to change the titles and descriptions of some of the most viewed videos on the site. However, in the interest of free information, the hackers quickly came forward to explain their tactics and motives. It’s also telling that video descriptions were changed to the political message: “Free Palenstine.”

The misuse of the term "hack" is alarmist - it preys on those uneducated in cybersecurity, breeding an atmosphere of misdirected distrust. There's a lot to be scared of on the internet - but this isn't it. By sending letters home with students, well-meaning but misinformed school officials are inciting panic. Think of how far some simple cybersecurity education could have gone in preventing this hoax from spreading. I hope that this serves as a case to educate others on security, but I fear that when Momo blows over, the public's senses will have become deadened to the word, and we'll have a "boy who cried 'hack' " scenario on our hands.

A spy for Big Peppa
Unfortunately, hoaxes such as these are self-fulfilling prophecies. Now that creators know that Momo is profitable, we will see conspiracy theorists obsessing over her origin, spurred on by fake videos created by other creators (or themselves). We will see "jump scare" videos featuring the birdlike creature. We will see staged and out-of-context videos of children crying. All in the name of clicks. Momo wasn't real, but she will be, if you let her. (Here's another curious Momo side effect: there are grown adults watching hours of innocuous Peppa Pig videos, hoping to spot Momo. Wouldn't it be interesting if this was all put on by Big Peppa lobbyists?)

EDIT: As of March 1, 2019, YouTube has announced that they have demonetized all videos related to the Momo hoax (meaning, it'll be harder to profit off of Momo).  This is a step in the right direction for the platform. However, it's unfortunate that informative, fact-based videos debunking the Momo scare have also been demonetized. Next hoax, will we see reluctance on behalf of fact-based bloggers? 

So what can I do?


Without a doubt, there are questionable videos on YouTube and other video sharing platforms. If you do notice something disturbing in a YouTube video geared toward children, be sure to report the channel directly to YouTube and, if you suspect wrongdoing, local authorities. YouTube takes such accusations very seriously and will review the content. Don't share the video on social media - this generates views, which on monetized channels results in paying the offending creator. Don't incentivize bad behavior.

If you're shaken by the Momo scare, it might be time to take a break from platforms that host user-generated content. If you can post to it, so can "they." Stick to tried and true apps such as PBS KIDS Video, Sesame Street, Netflix, and Hulu. While paying for streaming services can feel frustrating when there's all sorts of free stuff on YouTube, you'll be getting a carefully curated selection of videos for your children as opposed to the wild west of content available on YouTube.
Most importantly, use this as an opportunity to educate yourself about how the internet works. Look at your favorite websites and ask yourself: What motivates people to contribute here? What are the potential ways this platform could be abused? Research hacking and the people who do it. Learn about the many companies who work to stop cyber attacks. Use your findings to open up a dialog with your children about safe internet practices.  As an informed internet user, you'll be able to ignore the sensationalism and focus your energies on security topics of real concern.


Ask your school district if they offer internet safety programs for children, teachers, and parents. Encourage them to put one in place if they don't. And if they do, encourage participants to take it again in a year - things change rapidly in this field.

At this very moment, there's a team of people fending off attacks on the companies you work for and interact with. It's a demanding job with ever-evolving responsibilities. It's also immensely interesting and the people in those roles are passionate about education. Ask to speak to your company's cybersecurity analyst  - many of us would be thrilled to visit schools and libraries to help inform the next generation about real online threats. At the very least, we have tons of resources and stories to share.
Pete Jacob is the Cybersecurity Analyst for Cedar Fair Entertainment Company. Stephanie Sanders-Jacob is a writer, editor, and Pete's wife.

1 comment: