Skip to content Skip to navigation

Friday Cyber News, September 2 2016

Cyber technology-related news and links from around the web, for the week of 8/27 - 9/2:

1. The Campaign to Stop Killer Robots took to the UN's Convention on Certain Conventional Weapons to try to convince the attendees that autonomous killing machines ought to be banned. The convincing scenario is not reigning in military capability, but preventing a small group of dedicated terrorists from artificially expanding their killing power by using millions of artificially intelligent bomb drones--unfortunately, banning the dual-use technology would curtail Defense Department tech development as well. [Buzzfeed]

2. When you discover a security flaw, you can report it (and hope you get a bug bounty), you can exploit it yourself, you can sell it to someone else who might exploit it, and now there's a fourth option: you can publicly short the stock of the company making the offending device, as Muddy Waters Capital did to St. Jude Medical after finding vulnerabilities in its implantable cardiac devices. St. Jude insists the identified behavior is a feature, not a bug--of course--but the interesting aspect of this is the novelty of using market pressure to force security improvements and also profit in the process. [The Hill]

3. A devastating iPhone exploit leaked from Israeli (but US-private-equity-owned) NSOGroup prompted a security update this week--it's version 9.3.5, install it--and also led some to ask, why is Apple's bug bounty only $200k when something like this sells (to the UAE, apparently) for much more? Labor economics, for one; if bug bounties are high enough, Apple might have a hard time convincing good security researchers to work for them as employees rather than find one good exploit and collect a big payout. [Verge; Lawfare]

4. The SWIFT financial transaction system identified more cyber attacks--some successful--on member banks since the Bangladesh hack of earlier this year. SWIFT is taking an unusual tactic to promote better cybersecurity practices among member banks, threatening to reveal confidential information about the banks that suffered breaches unless they improve. [Reuters]

5. Personal pet peeve: the "go-ahead" wave from driver to pedestrian. (It's awkward! The faster traveler--the car--should always be the one to go first, because it leads to less total wait time in the system!) But what will replace that in a self-driving car, and how should the car communicate with pedestrians and other vehicles? The illustrated suggestion--a roof-mounted text display--leaves room for improvement. [NY Times]

6. Passwords for Dropbox accounts from 2012 were leaked this week, though this is one case whether the media made a breach sound worse than it actually was; only hashes were leaked, not plain text, and only about half of those were hashed using the less-secure SHA1 (the other half used bcrypt, so those are basically still safe). What can other companies learn from this about the still-indelicate art of cyber screw-up notification? Once more into the breach response... [Digital Guardian]

7. The FBI warns that hackers have accessed election databases for Arizona and Illinois, adding to concerns over the security of the upcoming Presidential election. Russian hackers have also demonstrated they're willing to alter documents and post the "leaked" altered versions as real, indicating potential for voting record alterations. [Yahoo; Washington Post]

8. Facebook uses your phone's contacts to suggest friends--and will soon use your WhatsApp data as well--leading to breaches of privacy like suggesting a psychiatrist's patients to one another as friends. Facebook also recently eliminated human curation of its "trending topics" algorithm after accusations of liberal bias--the unattended algorithm promptly promoted fake news--but removing human curation is the least-effort solution, not the optimal one. A better idea is to identify sources of good human curation, perhaps by looking at what news stories were important in the past and who identified them first, and promoting those sources. If you're a Google Chrome and Twitter user interested in how identifiable you are online, you can participate in research by Stanford's Sharad Goel. [Fusion; Verge; Continuations; Stanford]

9. The "invisible hand of the data flow" is taking precedence over human experience and decision-making, in medicine, work, and love. It's even replacing human security experts: a mathematical model of the way an expert assesses the security of a computer system is a step toward automated security engineers. [Financial Times; Arxiv]

10. This week in cyber-enabled crimes: Monero improves on the privacy of Bitcoin by mixing transactions and using dual-key addresses, and its popularity on drug-selling websites has led to a spike in its price. If you like heist stories, this one about two South Africans who forge documents to buy an Israeli Stingray-like device--and are told that US and Russian intelligence will have to approve the purchase--has everything. And USBee is software that turns an unmodified USB stick into an RF transmitter, to get information from airgapped machines. [Bloomberg; Daily Maverick; Ars Technica]

P.S. Interested in how to evaluate cyber threats, and want to learn more at SXSW? Vote for a panel with the Cyber Initiative, R Street, the Mercatus Center, and TechDirt: http://panelpicker.sxsw.com/vote/63185. More interested in how to identify psychopaths in Silicon Valley? Vote for our colleague Jeff Hancock's panel: http://panelpicker.sxsw.com/vote/62899 Jeff is a professor of Communication here at Stanford, and will be joined by a social scientist, a venture capitalist, and a clinician.

Thanks for reading,

Allison
Stanford Cyber Initiative

(To suggest an item for this list, please email aberke@stanford.edu. This email contains links that may not work if HTML is not supported in your mailbox. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)