Four things I'm reading this week:
- How Secure Is Your Supply Chain?: Earlier this week, researchers discovered a firmware update platform for Android phones that, without notifying the phone user, periodically beams location information and the contents of communications back to an unidentified facility in China. The development company provides software to more than 700 million phones and other IoT devices, although it’s not yet clear how many of these were affected. We don’t know yet whether this was intelligence collection, advertising, or a simple mistake. Either way, it’s an essential reminder of the importance of the supply chain for all our devices, and an object lesson that even the most conscientious user may find it difficult to police the security of all of their devices. I’m reading: “Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say.”
- Integrating Cyber Engagement into Cold War Deterrence: In the wake of the election, the United States (and other western countries with impending elections) is focusing seriously on how to engage with, resist, and deter future Russian influence efforts. One of the core shifts that will have to happen is that we stop thinking of “cyber” as an end, and recognize it as a means of state influence. I’m reading: “In our new Cold War, deterrence should come before detente.”
- The Impact of Exponentially Expanding Complexity on Security (Hint: It's Not Good): As usual, the correct (if depressing) insight, via xkcd. This problem holds throughout tech, but nowhere more so than in security. Defenders who understand how a system is supposed to work will never win against intruders who know how it actually works.
- Online Harassment and Social Media: One of the more disturbing stories coming out of the election has been the troubling spike in harassment targeting ethnic and religious minorities. Measuring and managing this sort of targeted hate speech online is difficult and fraught with challenges, but recent moves from Twitter are a hopeful development. The network has changed some of its rules to help the targets of harassment protect themselves, and taken steps against some of the most egregious accounts. The problem isn’t going away, so it will be interesting to see what happens as this continues to develop. I’m reading: “Twitter suspends alt-right accounts.”