Skip to content Skip to navigation

Friday Cyber News, April 7 2017

Cyber technology-related news and links from around the web, for the week of 4/1 - 4/7:

1. New details emerge about the 2014 Russian breach of the State department; the NSA was alerted by an ally at a "Western intelligence agency" (perhaps one that starts with 'G' and ends in 'Q') who had not only observed the attack on the Russian network, but were literally observing the attackers, on CCTV cameras at their workplace. Sometimes attribution is easy. [Washington Post]

2. Lisa Monaco explains why the Obama administration didn't speak out more about Russian hacking before the 2016 election. (Afraid of seeming too partisan; trusted the FBI would do a thorough investigation; hindsight is 20/20?) [Politico] 

3. It's not all Russia's fault; a Twitter bot conductor in Utah masterminds the trending hashtags behind conservative controversy, and a meme maker operating from his kitchen table provides sources for political conspiracy theorists. This is the brave new world of online propaganda, and all we got for it was the opportunity to claim "blogger" press credentials at concerts in the 00's. Facebook is now attempting to combat fake news by posting educational warnings about checking the URLs of new articles (URLs that, commenters note, Facebook itself does its best to hide in order to keep users reading on the platform). [Buzzfeed; New Yorker; The Hill

4. A Chinese espionage campaign against cloud service providers and their customers, called Operation Cloudhopper, is discussed in detail in a report out this week. Of note again for an attribution aficionado, the timing of the attacks mirrors the Chinese workday, including a lunch break. [The Hill] 

5. New York State's Court of Appeals decided that platforms like Facebook are not allowed to challenge broad search warrants; only the subjects of those warrants can challenge them as illegal searches, limiting the ability of Facebook and others to protect user privacy. [NY Times]

6.​ The Cryptocurrency Certification Consortium proposed security standards for cryptocurrency exchanges, which are basic (encrypt wallets; enforce 2FA) but welcome. Curious about recent Bitcoin developments? Listen to the latest episode of our Raw Data podcast. [NewsBTC; Raw Data]

7. The news this week that Uber has gamified the driving process--not to make it fun, but to make it addictive--received a lot of negative attention on Twitter, but did we expect anything less? And is algorithmic pressure more insidious than other forms of workplace coercion? The Uber app will attempt to entice drivers with an automatically populating chain of rides, and arbitrary goals and encouragement, but these prods can be ignored or rejected, unlike many forms of workplace communication. [NY Times]

8. We want AI to replace emotional labor as well as rote assembly-line labor, but efforts to do so--from Eliza the therapeutic chatbot to automated flagging of online harassment--are difficult to get right. The danger in keeping emotional labor a human activity, though, is that the internet provides so many uncompensated demands for it, including responding to friends' Facebook statuses, getting into Twitter arguments, and providing customer support. [Medium] 

9. Following the repeal of FCC regulations to protect internet users' browsing history, many ISPs issue statements that they will not sell individual users' browsing history. (They weren't expected to; the easier and more profitable path is to sell aggregated browsing histories, and they are likely to increase collection now that the promise of monetization is in the air, as Stanford researcher Sharad Goel points out). A recent Reuters/Ipsos poll suggests that 75% of Americans would not allow investigators to monitor their internet activity to help combat domestic terrorism; a representative for 75% of Americans is notably absent from the FCC's rulemaking committee. Because your best courses of action are either warily awaiting ISP ToS changes or getting a VPN, here's an up-to-date and massive spreadsheet comparing the security postures of every available VPN. [Reuters; Slate; Reuters; That One Privacy Site]

10. Let's hope cyber criminals don't read security bloggers: A crafty suggestion for personalized phishing involves combing Twitter for people complaining about brands, sending them emails pretending to be from those brands, embedding malware in the "unsubscribe" link, and profiting. This week's malware trend, though, is "fileless" malware, which targets working memory rather than the hard drive. Stay safe out there. Relatedly, this week AIG has become the first major insurer to offer cyber insurance to individuals, as part of a home insurance package. [Daniel Miessler; CyberScoopx2]

Thanks for reading,

Stanford Cyber Initiative

(To suggest an item for this list, please email You can view news from past weeks, subscribe, and unsubscribe at