Skip to Content

Threat Sheet—Saturday, August 29, 2015

I first met Charlie Miller and Chris Valasek—the notorious “mid-drive Jeep hackers”—at this year’s Black Hat security conference in Las Vegas, Nev. They seemed to be enjoying the media attention, each knocking back a bottle of Heineken at a podium in front of the press room following their much anticipated talk on How They Did It. The pair emanated undeniable sprezzatura, fielding reporters’ questions—including ones who had blatantly neglected to do their homework (Why did you choose to hack a Jeep Cherokee? Answer: they had spent much of the previous year determining it to be the most hackable vehicle on the market)—with tactful equanimity, obliging explanations, and self-deprecating jokes.

Couple of regular guys. Just with the power to remotely crash your car.

Then this week Miller, an ex-NSA “global network exploitation specialist” who has been tinkering on Twitter’s security team for the past three years, announced that he would quit his day job. To do what exactly? No one could be sure.

Wall Street scrutiny, slipping share prices, and unresolved leadership questions aside, Twitter seems like a fairly decent place to work. In fact, the social network debuted on Fortune’s “100 Best Companies To Work For” list this year, claiming spot no. 24. Considering all the buzz Miller and Valasek’s carjacking stunt garnered, it was clear to many industry watchers that a big move was in the works. That move, it turned out, was to Uber.

Miller and Valasek, the world’s leading white hat highwaymen, have announced that they plan to join the $50 billion ride-sharing service’s Advanced Technologies Center, a research lab opened by the company in Pittsburgh, Pa. earlier this year. The lab is stocked with 40 former (poached) Carnegie Mellon software engineers and robotics researchers, not to mention former (poached) executives from Google’s mapping division. The hacker duo, the company said in a statement, will work closely with Joe Sullivan, Uber’s chief security officer, who formerly worked at Facebook. (You guessed it, he too was poached).

Uber’s ambitions are stunning. As is the company’s ability to lure away top-tier talent. Given Uber’s affinity for aggressive tactics, however, I am reminded of another bit of news that surfaced this week. Reuters reported that the Russian anti-virus tycoon Eugene Kaspersky allegedly encouraged “rubbing out” his rivals with shady business tricks throughout his firm’s history. (Kaspersky has denied the allegations.)

Imagine what damage pros like Miller and Valasek could do if turned loose on Travis Kalanick’s competitors? I don’t think that’s a likely scenario, of course. They don’t seem to have maliciously driven motives. Just the opposite, in fact: They seem intent on improving the security of auto-manufacturers.

Nevertheless, here’s hoping Uber chooses never to hack its rivals.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber, PGP encrypted email, or however you (securely) prefer. Feedback welcome.

THREATS

Netflix ditches anti-virus. The movie streaming giant has decided to do away with traditional anti-virus software. Instead, it is substituting in the services of a company called SentinelOne. (Forbes)

Investors wanted out of Ashley Madison pre-hack. Avid Life Media CEO Noel Biderman apparently struggled for years to sell his company or raise money, according to emails. Media mogul Barry Diller of InterActive Corp, owner of Match.com and Tinder, was among those uninterested in a deal. (Reuters)

AT&T crams ads in Wi-Fi hotspots. A security researcher says that the telecom giant was “tampering with HTTP traffic” in order to serve more ads to customers connecting to its Wi-Fi hotspots. AT&T has since ended its ad injection program, which the company says it was experimenting with at two airports. (Ars Technica)

Google creates Apple security workaround. Apple’s upcoming iOS9 operating system will require all content that arrives on an iPhone to use HTTPS encryption. Google peeved security advocates by teaching app-makers to bend the rules a bit, so the company could continue to serve up mobile ads. (Fortune)

Obama to broach cybersecurity with China. Next month, Chinese President Xi Jinping plans to visit the White House. President Barack Obama says he’ll use the opportunity to raise the U.S.’s concerns about hacking with the Chinese leader. (Reuters)

Mr. Robot season finale postponed. After a fatal shooting that occurred live, on-air, in Virginia, the hit TV show will delay its season finale until Sept. 2. The final episode apparently includes a scene that is “similar in nature” to the events of the tragedy. (Wired)

German intelligence agency struck deal with NSA. In exchange for access to the U.S. spy agency’s searchable database software called XKeyscore, Germany’s BfV, its domestic intel agency, agreed to contribute “all data relevant to NSA’s mission.” Unlike Germany’s BND, its NSA-equivalent, the BfV may monitor only individual suspects with parliamentary approval. (Die Zeit)

Head of Russian anti-virus firm allegedly promoted attacking rivals. Eugene Kaspersky of Kaspersky Labs apparently encouraged his employees to create fake virus samples that would fool competitor’s technology. He apparently used the tactics against companies such as AVG, Microsoft, and Avast between 2009 and 2013. (Reuters)

ACCESS GRANTED

Fortune contributor and executive director of the Institute for Public Accuracy Norman Solomon explains why government surveillance won’t protect your data.

“The need to find a balance between privacy and security has become a truism in American media and political rhetoric. Surveillance makes us safer, we’re told, and too much concern with keeping personal lives private would reduce protection against terrorism. Such pie-chart depictions of privacy and security might seem logical, but they’re badly flawed.” Read more on Fortune.com.

TREATS

In space… No one can hear you crypto. (Ars Technica)

Hey, eyes up here. These boots were made for hacking. (ZDNet)

All aboard! Nazi gold train. (Fortune)

Laser guns. Meet Boeing’s giant drone blaster. (Verge)

Super hackers? They “practically don’t exist.” (Register)

 

FORTUNE RECON

Disney’s tech innovation is my nightmare by Dan Primack

Post-Katrina New Orleans is a window in America’s economic doldrums by Amy Liu and Richard Shearer

The NFL’s Jen Welter is storming the field by Daniel Roberts

ONE MORE THING

Set a firmware password. You just might thwart a thief. (FTC blog)

EXFIL

“‘Rubbing out’ – is one of the methods, which we will DEFINITELY use in combination with other methods.”

Russian anti-virus tycoon Eugene Kaspersky, reportedly writing an email in 2009 about sabotaging competitors. The phrase “rubbing out” apparently quotes a famous threat from Vladimir Putin in vowing to hunt down Chechen rebels. “If we catch them in the toilet,” he said, “then we will rub them out in the outhouse.”