
Threat Sheet—Saturday, August 15, 2015

By Robert Hackett
August 15, 2015, 9:40 AM ET

Welcome to the Cyber Saturday edition of Data Sheet! Facebook boots a prospective intern for building a privacy-invasive mapping tool, a report accuses a Russian anti-virus firm of playing dirty, and the SEC charges alleged market-moving press release pilferers.

Fortune reporter Robert Hackett here, taking over the weekend duties for your regular host, Heather Clancy. I’ll be cranking out Data Sheet for the next couple of weeks while she’s away.

Have feedback? Reach me on Twitter (@rhhackett) or via email robert.hackett@fortune.com. Or if you have a real juicy tip, let’s chat off-the-record through a messaging service like Cryptocat or Jabber. You can find me at rhhackett@jabber.ccc.de, fingerprint: F225E829 13846232 0709A43A 1ECB83D3 BDDFF6A7. (We can always use good old-fashioned PGP encryption, too.)

TOP INTELLIGENCE

Martyr or marauder? This summer, Facebook punted a prospective intern, Aran Khanna, a Harvard student and developer, for building a Google Chrome browser extension that demonstrated a privacy flaw in Facebook's Messenger app. His tool revealed the locations of Messenger correspondents by scraping users' geolocation data (which was available for anyone in a thread to see) and plotted it on a map. He called it, in a clever nod to Harry Potter, the "Marauder's Map."

For a social network that prides itself on having a hacker ethos—the 'Hacker Way,' as the company affectionately calls it—Facebook's decision to rescind Khanna's offer seemed to me a contradiction of its cultural tenets. The company had known about the geolocation sharing feature for years and hadn't done anything to address it. It's not as though Khanna's discovery (and app) came as a surprise. Besides, shouldn't the company embrace its own self-professed, hacker-praising principles?

I contacted Alex Rice, a former Facebook employee who happens to be the co-founder and chief tech officer of bug bounty startup HackerOne, a Facebook-backed venture. For him, it seems, Khanna had crossed a line: "Security researchers should always strive to educate the vendor and the public on risks without resorting to generating unnecessary fear, uncertainty, and doubt," he said via email.

Khanna, after all, marketed his tool with phrases like "stalking" and "creepy."

I'm not sure who is in the right here. Perhaps it's naive to think that Khanna's decision to stir the privacy pot should go unpenalized. But it's not as though Khanna was taking part in illicit activities on one of the dark web's most infamous black markets, as an intern at the cybersecurity firm FireEye allegedly did. He merely cobbled together a tool and, in his words, let you "decide for yourself if this is something you should worry about."

Maybe I'm a sucker for the frequently defiant world of wizardry, where insubordination is often the key to survival. Nevertheless, I appreciate Khanna's audacity, though it cost him his summer gig.

THREATS

Kaspersky Labs allegedly faked malware to hurt competitors. The Russian anti-virus company, which faces continuous scrutiny, is said to have engineered files that would dupe rival security scanners into classifying them as malicious. Founder Eugene Kaspersky denied the accusation on his company's blog. (Reuters)

The SEC charged 32 hackers and traders with alleged securities fraud. The group apparently hacked into newswires to sneak peeks at unpublished, market-moving press releases. Through insider trades, the team made off with more than $100 million. (New York Times)

One Stagefright computer bug patch had a hole. The vulnerability affecting devices running Google's Android operating system isn't going down without a fight. Researchers at Exodus Intelligence found a flaw in the company's fix. (Engadget)

ACCESS GRANTED

Fortune's Daniel Roberts rounds the bases on ballpark security with Yankee Stadium's new anti-terrorism tech.

"If you’ve ever spent a long time in line outside a stadium, you know the frustration. You’ve already paid for a ticket, only to wait for the privilege of going inside—where you’ll probably spend more of your money. The New York Yankees know it too. And so the baseball club has partnered with the tech security company Clear to ease stadium entry." Read more on Fortune.com.

ELEVATED PRIVILEGES

The Carlyle Group has agreed to buy Veritas from Symantec for $8 billion—one of the year's biggest deals.

Cybersecurity startup Tanium is reportedly raising new funding at a $2.5 billion valuation. (Fortune)

RECON

China has been spying on top U.S. officials' emails. Since 2010. (NBC)

Ubiquiti Networks got scammed out of $47 million. Beware wire transfer requests from your CEO. (Fortune)

Hackers cut the brakes in a Corvette. Will the car hacking ever end? (Wired)

Lenovo adds unsecure bloatware to its laptops. Again. (Fortune)

Facebook phone number flaw reveals profile info. Be sure to take your "Who can find me?" setting off "public." (Guardian)

Cisco is hungry for cybersecurity startups. The company's CFO spoke to Fortune's Jonathan Vanian. (Fortune)

Which drugs are the most popular on online black markets? Cannabis and MDMA top the list. (Wired)

Hackers can pronounce you legally dead. And you'll be left to suffer the consequences. (Christian Science Monitor)

DataGravity fights CryptoLocker attacks. The trick is to flag abnormally long "write" sessions. (Fortune)

Law enforcers bemoan strong encryption. But privacy advocates and security experts still think we're entitled to that protection. (New York Times)

Pittsburgh is ahead of the pack when it comes to fighting cybercrime. So says the Wall Street Journal. (Wall Street Journal)

TREATS

Need to reset your password? Just ask Shawn. (Ars Technica)

Man or machine? We may never know. (Guardian)

Abc.xyz? Sorry, not in China. (Great Fire)

How hackers hack. It's this simple. (Onion)

Nike threw a hacker party. I mean, who hasn't these days? (Council on Foreign Relations)

EXFIL

“Don’t. Just—don’t.”

An exasperated exhortation directed at bug hunters and penned by Oracle security chief Mary Ann Davidson on the company's blog on Monday. The post didn't last long before the software-maker took it down. “We removed the post as it does not reflect our beliefs or our relationship with our customer,” said Edward Screven, Oracle executive vice president and chief corporate architect, in an attempt to save face.
