The Cybersecurity Stories We Were Jealous of in 2018
Here at Motherboard, we are passionate about cybersecurity. We cover stories of hacking and information security every single day. Our goal is to tell you all the most important stories in the world of hackers. Unfortunately, we just can’t get to all the stories, and more often than not, other publications get to them before we do. And that’s OK! It’s how journalism works.
This year, we thought it’d be good to highlight some of those stories. We took inspiration from Bloomberg BusinessWeek Jealousy list, where the magazine highlights other people’s great work.
Call it Motherboard’s Cyber Jealousy list. A humble hat tip to our favorite stories from our fierce competitors. It’s a tribute to the journalists and the stories that gave us a bit of envy, pushed us to be better, and best served the public interest.
Without further ado, here’s a very incomplete list of our favorite stories about hacking and information security that we loved, and that we wish we had done ourselves.
What is a cybersecurity firm’s responsibility around not exposing certain hacking operations? Here, Cyberscoop showed that sometimes companies do decide to unmask campaigns targeting arguably legitimate threats, such as terrorists. We also explored this dilemma in our feature on Kaspersky Lab a few weeks after Chis Bing and Patrick O’Neill’s scoop.
The US government and its intelligence apparatus suffered a deadly blow in China in 2011 and 2012, when more than two dozen CIA sources and informants were killed. But it all started in Iran in 2009, when hackers broke into a CIA “internet-based covert communications system,” as revealed in this bombshell report by Zach Dorfman and Jenna McLaughlin.
How Persian Gulf Rivals Turned US Media Into Their Battleground (BuzzFeed News)
Sometimes the best weapon a hacker can use is not an exploit or phishing kit, but the media. If you can discredit your enemy through the relatively cheap method of enticing a journalist with a scoop, you’re onto a winning strategy. Just look at how Guccifier 2.0—a persona allegedly created by the Russian government—distributed the hacked Democrats material too.
This story broke open an entire avenue of reporting for us and others: finally, someone was selling relatively cheap tools for unlocking iPhones, which led to widespread proliferation of the tech not just among the three-letter intelligence agencies of the world, but also among state- and local law enforcement. This has ramifications for all sorts of things in the so-called Going Dark debate, and kicked off a new game of security cat-and-mouse between Apple and Grayshift.
FBI Repeatedly Overstated Encryption Threat Figures To Congress, Public (The Washington Post)
The FBI has been complaining about encryption...well, pretty much since the 1990s. And in the last few years, particularly after Apple refused to help unlock an alleged terrorist’s iPhone, the battle has intensified. This Washington Post scoop showed that the numbers trotted out by FBI officials when talking about how damaging strong encryption is during investigations were overstated and sometimes incorrect. In other words, encryption isn’t as much of an hurdle as the FBI would like us to believe.
Ryan Gallagher not only broke the news that Google was developing a search engine for China, one that would censor terms around human rights and protests, but he’s also remained on top of the story. His reporting sparked widespread protests both internally at Google and among human rights organizations, questions at a Congressional hearing, and, just this week, he reported that Google has hit a major roadblock with the project as disputes have grown internally. This story reminded us—once again—that companies that have a good track record for caring about human rights don’t always stay that way, and that a handful of employees speaking up can change the course of a multi-billion company.
Speaking of Google employees standing up against a controversial program, this story about the internet giant’s secret Pentagon contract broke long before Googlers organized marches to protest their own company. Kate Conger’s relentless reporting on the story led to Google shutting down the program and was one of the original stories that helped kick off a new wave of protests by Silicon Valley employees against their own companies.
It wasn’t a great year for Facebook’s bosses either. Cambridge Analytica, a constant struggle to moderate content, and some embarrassing breaches affecting millions of people, among a slew of seemingly endless scandals. You may have missed or forgotten this story, but it’s worth your time. Kashmir Hill, with the help of a team of smart researchers, proved how Facebook mines your cell phone’s contact data to suggest new friends on the social network, and to serve you better targeted ads.
Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret (The New York Times)
Speaking of apps that know too much...there are only a few outlets with the resources, reach, and dedication to take a story and present it in such a way that the general public can really understand a security issue. This is one of those stories—the sharing of location data lifted by apps may not be a new phenomenon, but the Times team produced the definitive piece tangibly explaining what this means for the privacy of everyone with a smartphone.
Thermostats, Locks and Lights: Digital Tools of Domestic Abuse (The New York Times)
We’ve extensively covered how malware is used in cases of domestic violence, stalking, and abuse. This Times piece looked at the next step in that use of technology at home: the Internet of Things. Definitely worth a read if you are concerned with how technology can impact the lives of ordinary, non-technical people. And if you don’t, why are you reading a post about cyber articles?
Russian Troll Farm Hijacked American Teen Girls’ Computers for Likes (The Daily Beast)
As a hacker, Kevin Poulsen brings some of the coolest technological approaches into journalism. Here, Poulsen found a dodgy browser extension belonging to Russia’s controversial troll army, the Internet Research Agency. He then bought the domain linked to it, letting him see what sort of data it was collecting, and from where. He found the IRA’s software on computers all over the place. A great reminder to think how can journalists approach a story from a different, technological angle.
What’s the point of writing about malware, spyware, and hacking if you can’t show readers how the technology affects real people? Every great infosec story should have a human angle. This is a great example of that. Former Motherboard editor Matt Braga visited one of the latest victims of government-sponsored hacking, a growing problem that’s putting regular people all over the world in danger.
Gray Hat—Marcus Hutchins’ Profile (New York Magazine)
The security researcher better known as MalwareTech helped stop WannaCry, one of the most virally infectious malware outbreaks ever. Months later, the FBI arrested him for a crime he’s accused to have committed when he was a teen. This in-depth profile tries to answer a universal question in the world of cybersecurity: does a hacker hero always have to have a past? And if so, what should authorities do with them?
Service Meant to Monitor Inmates’ Calls Could Track You, Too (The New York Times)
File this under “companies you probably never heard of doing sketchy things that can affect us all.” The Times scored another huge scoop revealing that Securus Technologies, a firm that provides and monitors inmates phone calls, was letting pretty much anyone track people’s cell phones for a fee. Thanks to Securus, anyone “can find the whereabouts of almost any cell phone in the country within seconds,” according to the investigation. As we found out later, and rather unsurprisingly, Securus wasn’t securing this data at all.
The Crisis of Election Security (The New York Times)
You’ve heard about election hacking for years. Everyone is worried about it, but seemingly no one is doing anything to prevent it. Veteran infosec reporter (and Motherboard contributor) Kim Zetter goes deep into the history and crisis of election security, writing perhaps the definitive piece about the subject. A must-read for anyone who cares about democracy and the integrity of the elections.
The outbreak of destructive malware NotPetya never got the attention it deserved, perhaps because it came a few weeks after the headline-grabbing WannaCry ransomware outbreak. Andy Greenberg makes it justice in this thrilling tale, part of his upcoming book, on how NotPetya crippled the largest shipping company in the world. The only downside of this story is that it will make you want to read more, but you’ll have to wait until the book comes out.
WikiLeaks and Julian Assange’s fall from grace has been documented over the last few years, but this report built on a treasure trove of leaked chat logs, felt like the nail in the coffin. The Intercept revealed how the secret-spilling organization candidly talked about their preference for the Republican party to win the 2016 election, their thoughts on the “bright, well connected, sadistic sociopath” Hillary Clinton, and some unsavory comments about feminist activists.
The controversial and successful spyware vendor NSO Group has been in the headlines for a couple of years, after researchers caught government hackers using sophisticated hacking tools developed by the company to hack a Dubai-based human rights activist. This investigation by Israeli newspaper Haaretz exposed the behind the scenes story of how Saudi Arabia bought iPhone malware from NSO for more than $200 million.
Russian Hackers Posed As ISIS To Threaten Military Wives (Associated Press)
The threat of ISIS hackers has often been unjustifiably hyped up. But in this deeply reported story, people like Angela Ricketts show that the threat was real enough for some people. The AP’s Raphael Satter talked to several people targeted by ISIS sympathizers, putting a face to the victims of a scary online campaign. We need more stories that focus on the victims of hacking, this was a great example of that. And Satter and his colleagues at the AP have produced several more in the last few months that are also worth your time.
Living with Depression in Tech (Jonathan Zdziarski's personal blog)
Apple security researcher and forensic expert Jonathan Zdziarski here opened up about an incredibly important and often overlooked topic: mental health in tech. Zdziarski powerfully details his own struggle with depression, and at the same time offers a hopeful tale of overcoming it with a lot of hard work, introspection, and learning.
We look forward to more stories like these next year—not just on our own site, but on those of the competition. We’ll also try to have some of these reporters on CYBER, our new infosec podcast, to talk about their biggest stories.
Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.