It’s been a rough week for a lot of people, but particularly for Apple. On Tuesday, a security researcher tweeted information about a dire bug in the company’s macOS High Sierra operating system that allowed anyone being prompted for system user credentials to bypass the authentication by simply typing “root” as the username and leaving the password blank. Apple rushed to push out a necessary update on Wednesday, but botched it a bit; if you hadn’t yet updated to macOS 10.13.1, but had gotten the patch, your eventual jump to 10.13.1 would reintroduce the “root” bug. Not ideal!
Also not ideal: North Korea’s latest missile test, unless you happen to be Kim Jong Un, in which case it went about as well as you could hope. While initial assessments indicated it was a souped-up version of the rocket North Korea tested in July, video and photo analysis revealed that it was instead a brand new, bigger, more capable rocket altogether, theoretically capable of landing a nuclear warhead anywhere in the continental United States.
Broken things abounded this week too, though, starting with the FCC’s public comment system, which bots and automated forms made a mockery of. (In dozens of cases, literally, by introducing Bee Movie memes in lieu of substantive debate.) NSA security practices found the spotlight again, as the feds got a plea bargain out of the TAO programmer who brought home state secrets and plopped them on his home computer, where Russia reportedly scooped them up. It would also be nice, argue two senators in an op-ed this week, if we could unbreak election security before the midterms.
The Supreme Court heard oral arguments on a critical privacy case this week that could hinge on the recognition that smartphones aren’t optional. We spoke with journalist and author David Ignatius about the intersection of quantum computing and espionage. Let’s teach AI to watch drone footage. Let’s teach Donald Trump not to retweet hate propaganda.
Oh, and former national security advisor Michael Flynn probably flipped. So there’s that.
And there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
What do this year’s various mega-breaches have in common, from Equifax to Yahoo to, most recently and irresponsibly, Uber? Shoddy disclosure practices that leave customers unaware that their personal information—including, in some cases, extra-sensitive details like Social Security and driver’s license numbers—is in the hands of unknown hackers. While state-level legislation already forms a patchwork of penalties for that sort of behavior, a new bill introduced in the US Senate this week wants to make nondisclosure a jailable offense no matter where it happens in the country. Failure to report within 30 days could come with imprisonment of up to five years for the execs who decided to cover it up.
The bill’s prospects are a little muddied, especially given that it basically echoes a 2014 bill that tried to do the same in the wake of the massive hack Target disclosed that year. Hopefully, though, the number of high-profile breaches—with literally billions of people affected—gives the effort a better sense of urgency this time.
Buzzfeed News reported this week that the US is considering proposals that would put intelligence work—including the rendition of overseas targets—in the hands of private contractors, including one called Amyntor Group. How seriously the US is actually taking the possibility of outsourcing that sort of activity is unclear. While the US has previously contracted out various security services, most notably (and notoriously) to Blackwater, now called Academi, handing over an intelligence portfolio comes with particular risks—and presumably lax oversight.
Few people understand the campaign to defeat ISIS better than former Defense Secretary Ash Carter. In a lengthy write-up with the Harvard Kennedy School’s Belfer Center, Carter walks through the key insights he gleaned during his years in opposition to the terrorist group—which can hopefully help similar fights in the future. A few takeaways: Deadlines are useless, metrics are essential, and you won’t get very far at all without building personal relationships in the region. Take some time to read the whole thing, to better understand not just the fight against ISIS, but how the US can, should, and does interact with the world today.
The FBI this week announced an indictment against three Chinese citizens in a spree of hacks against Siemens, Moody’s Analytics, and Trimble, a GPS service. In the case of Siemens alone, the hackers allegedly got away with over 400 gigabytes of data. It’s unclear what motivated the intrusions, but it is notable that the charges don’t allude to any involvement on the part of the Chinese government; China has of late been pushing the limits of its recent hacking truce with the US. The hackers aren’t expected to actually face trial, given the unlikeliness of China handing them over to US authorities.