It’s been a rough week for two darlings of the cybersecurity scene. First, an investigation by geek site Ars Technica called out Cylance, known for its “next generation” of anti-virus protection, for stuffing what look to be false positives into its testing demos.
And then on Wednesday, the Wall Street Journal reported that mighty Tanium used live data from one of its customers (a hospital no less!) in its sales pitches—without telling the customer. That report followed an exposé from Bloomberg that portrayed a Game of Thrones style work environment at Tanium, replete with humiliation and cruel firings.
So does this point to a larger problem in the cybersecurity industry? Probably not. Every firm is going to have a bad week or two, and the media easily gets carried away with bad news narratives.
But on the other hand, Tanium and Cylance are the shining stars of the cyber space. Both are bona fide unicorns that dazzled investors with whiz-bang technology, and are near the front of the line for an IPO. Tales of marketing shenanigans and toxic culture at these two companies are the last thing the cybersecurity industry needs right now.
Meanwhile, the recent misadventures at Tanium and Cylance remind me of another industry I used to cover: ad tech. Both industries—cybersecurity and ad tech—are characterized by two things that can make it easy for executives to obscure how their companies are performing: 1) giant marketing budgets that shut down skeptics; 2) complicated technology most people (including many analysts) don’t understand. Even if things are really wrong under the hood, it can take a long time for investors to figure that out.
For now, the negative press around the cyber-security stars looks more like a warning sign than an emergency evacuation signal. But more missteps and that could change. Thanks as always for reading—more news below.
Jeff John Roberts
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
About that missile sabotage: North Korea choked on Kim Jong-Un’s big day last week by screwing up a missile launch. Many think the U.S. had a hand in the failure, but that’s not a sure thing—the missile flop could also be due to “Bad welding, bad parts, bad engineering and bad luck.” This uncertainty reflects how cyber sabotage might not be enough to stop North Korea in the future, especially if reports are true the country now has a quantum encryption device to safeguard its tech. (New York Times)
Hey headphones, stop snooping: You’d think $350 would buy a little privacy. That’s apparently not the case with Bose, whose headphones have been secretly data mining customers’ audio histories, according to a class action lawsuit. It might sound harmless (who cares if they know about my NSync playlist?) but, as the complaint points out, a person’s listening history can include sensitive information like religious or political recordings, or a podcast about coming out of the closet. (Fortune)
Stalkerware for everyone: Elite Russian hackers get all the headlines—but the majority of cyber-snooping is carried out by ordinary folks like teachers, doctors or bus drivers. And these regular people can do a lot of harm thanks to cheap commercial spyware services with names like PhoneSheriff. A new review of thousands of customer records (leaked by a hacker, surprise!) shows how so-called “spouseware” and the companies that sell it created a silent stalking epidemic. (Motherboard)
What’s your cyber-rating? A firm called CyberGRX, which styles itself as a rating agency for security risk, raised a $20M Series B round. The company is one to watch because, if its clearing-house model works as promised, it could free up enormous savings in compliance costs and CISO hours. CyberGRX is also backed by big names like BlackStone and Aetna and says thousands of vendors are already in its vetting program. (Fortune)
Who hacked Snapchat? No one. Fortune’s Robert Hackett looks at how several news outlets repeated rumors of a breach at the messaging service—and why it’s bunk.
The simplest conclusion is that the alleged hackers got their hands on the earlier dump and published a portion. If one had to speculate, they likely did so to pile on to the ongoing PR debacle facing Snapchat in India … barring any further evidence, the reports of a new Snap hack appear to be bogus. Hackers likely just used the opportunity to co-opt uncritical media outlets to further thrash the company. Read more on Fortune.com.
Microsoft Has a New Way for You to Login Without a Password by Barb Darrow
Skype Is the Most Popular Messaging App for Cyber Crooks by Jeff John Roberts
Why Charging Wikileaks with Espionage Would Threaten a Free Press by Mathew Ingram
Confide App, Popular With Trump Staff, Has Privacy Defects by Jeff John Roberts
Chrome and Firefox Phishing Scam is “Practically Impossible to Spot” by Robert Hackett
Bitcoin Wallets Under Siege from ‘Large Collider’ Attack by Jeff John Roberts
ONE MORE THING
420 hackers (still) need not apply. In 2014, the FBI suggested it might loosen pot prohibitions when it came to hiring cyber talent because it was struggling to staff up and, well, many hackers like to smoke weed. So much for that. Now, the FBI says it can hit its hiring targets just fine—without those grubby pot-smokers. It’s a good bet the volte-face is tied to new Attorney General Jeff “good people don’t smoke marijuana” Sessions. (Motherboard)