DEV Community: Oussama Afnakkar

🔴 SILENT SMS: Your phone tracks without notification

Oussama Afnakkar — Wed, 04 Mar 2026 13:16:34 +0000

Germany Federal Police: 101,117 Type 0 SMS (2020)
All agencies: 440,000+ (2010)

SS7 = no query authentication. 800+ operators globally.

No consumer detection exists.

https://sbytec.com/blog/silent-sms-intro/

The Invisible Risk Score: How Government Surveillance AI Builds a Model of You

Oussama Afnakkar — Mon, 02 Mar 2026 10:15:56 +0000

Two Invisible Risk Scores Control Your Future

Palantir Gotham built yours legally from SSA/IRS/DHS data.

China's Salt Typhoon built theirs from breached US telecoms + Treasury.

Same entity resolution math. Same unified citizen profiles.

Zero audit rights. Different jurisdictions.

I wrote this because security practitioners need to threat model both architectures.

The Core Mechanism

class FederatedProfileComparison:
    def authorized_federation(self):
        # Palantir Gotham - Legal access
        return {
            "sources": ["SSA", "IRS", "DHS"],
            "method": "contracted API federation", 
            "output": "risk_score + association_graph"
        }

    def unauthorized_federation(self):
        # Salt Typhoon - Breached access  
        return {
            "sources": ["telecom_metadata", "Treasury", "CFIUS"],
            "method": "persistent infrastructure access",
            "output": "communication_profile + movement_graph"
        }

    def shared_properties(self):
        return {
            "citizen_awareness": False,
            "citizen_recourse": False,
            "model_contestability": False
        }

Both produce the same output type: unified person-objects with derived behavioral predictions.

The Baudrillard Problem

When two competing models of the same person exist:

Neither contains your context (travel reasons, financial decisions)
Both drive real decisions (employment, security screening)
You cannot see either score
No due process mechanism spans jurisdictions

def what_systems_cannot_hold():
    return {
        "intent": None,
        "context": None, 
        "relationships_explained": None
    }

Complete 3-Post Series Investigation

Full analysis - Zuboff behavioral surplus → Virilio speed math → 8 due process questions practitioners cannot answer:

Read All 3 Parts + Get Detection Rules

What threat modeling questions does this raise for your team?

Palantir Gotham: Why One Breach = Every American

Oussama Afnakkar — Mon, 02 Mar 2026 09:17:22 +0000

Gotham doesn't organize data. It creates new data through entity resolution.

def entity_resolution(records):
    # Input: SSA + IRS + DHS siloed records
    # Output: unified citizen objects + derived attributes
    s_ij = similarity(record_i, record_j)
    if s_ij > θ: merged_entity = f(∪attrs)
    return merged_entity  # NEW DATA

4-Layer Architecture:

Federation → siloed agency APIs
Entity Resolution → s_ij > θ math
Ontology → risk scores, graphs
Query → analysts see derived outputs

What questions do you have about the detection rules?

Full Technical Analysis + YARA Rules

DOGE Accessed Your SSA Records Before Courts Could Stop It

Oussama Afnakkar — Mon, 02 Mar 2026 09:11:54 +0000

February 2025: DOGE team queried SSA records for every American.

March: Court challenge filed. June: Supreme Court ratified access.

The data was already federated when oversight began.

The PayPal Mafia Pipeline

PayPal → fraud detection at scale
Palantir → CIA In-Q-Tel funds same team
2025 → SSA/IRS/DHS unified under executive order

# The consolidation timeline
Feb: DOGE access begins
Mar: Judge Hollander injunction  
Apr: Fourth Circuit upholds
Jun: Supreme Court reverses → access ratified

I wrote this because the timeline matters more than the ruling.

Full Origin Story