Everyone agrees bug bounties, whereby companies pay hackers to tip them off about vulnerabilities, are a good idea. But now professional investors want to get in on the action, which raises hard questions about whether this is a clever market strategy that promotes security — or just sort of sleazy.
The issue became big news after a short-seller firm, Muddy Waters, announced this month that St. Jude’s medical devices had cyber vulnerabilities. The firm is poised to make money after St. Jude’s stock dropped over 5% on the news. According to a Bloomberg report, this triggered off a frenzy of investor interest that could kick off a new strategy that goes like this: “Find a company or industry that is adopting Internet-connected devices, check whether the gadgets are hackable, place your trades and publish the research.”
St. Jude’s is not exactly happy about being the guinea pig for this investment strategy: It is suing Muddy Waters, saying its announcement was false and defamatory. Meanwhile, the U.S. Food and Drug Administration says it is looking into the vulnerability claims (Muddy Waters told the agency about the claims before going public with them).
While the hedge fund crowd is tantalized by the idea of a new high yield investment strategy, the cyber-security community may have second thoughts. If this strategy of short-selling cyber victims catches on, will this create perverse incentives that result in longer lag times before problems are patched? Or will the specter of short sellers just provide another incentive for companies to take their security more seriously? It’s too soon to say for now, but we can expect to hear more about this in the future.
Thanks for reading – all the cyber news is below.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
OPM blame game: a scathing Congressional report about the colossal data breach at the Office of Personnel Management has touched off finger-pointing between OPM staff and outside contractors over who screwed up the most. (Threat Post)
Intel out of the security game: The chip maker’s security business failed to live up to high expectations, and now Intel will spin it off into a new unit called McAfee that will be majority owned by a private equity firm. (Fortune)
Porn fans pwned: If you insist on signing up to a porn discussion site, at least use a throwaway email and password. That appears to be the lesson from a 800,000 name breach at Brazzers. (Motherboard)
Cyber not sexy? Academics say the public is still bored by cyber news, despite a series of calamitous breaches, because it’s not “sexy” enough. DataSheet readers, of course, don’t believe a word of this. (San Diego Union Tribune)
Yelp gets on the bug bounty bus: The site announced it will pay $100 to $15,000 to those who warn it about vulnerabilities. No word if we will be able to give star ratings to the hackers. (Threat Post)
Speaking of rankings, Time editor Ryan Teague Beckwith tweeted out the five best “cybers.” Security is number two and “sex” somehow didn’t make the list.
Share today’s Data Sheet with a friend:
Looking for previous Data Sheets? Click here.
Uncle Sam finally has a CISO as the White House named Ex-Air Force General Gregory Touhill to bolster digital defenses across the government. Robert Hackett breaks down what the job might mean:
Touhill will be responsible for “helping to ensure the right set of policies, strategies, and practices are adopted across agencies,”… [But a] chief security strategist at the cybersecurity firm FireEye questioned the longevity of Touhill’s tenure in the face of an upcoming presidential election. “First reaction: will he survive election? Is he an appointee or bureaucrat?”. Read the rest on Fortune.com.
Disney Now Scans the Fingers of 3-Year-Old Kids (by Jeff John Roberts)
There are About to Be far More “Non-Secure” Sites on the Web (by Robert Hackett)
EU-Canada Air Data Deal Is Illegal, Top Lawyer Warns (by David Meyer)
How Sony’s New Show “Startup” Gets Bitcoin Right (by Jeff John Roberts)
ONE MORE THING
This USB “kill stick” will fry rogue computers: Worried someone will plug a top-secret USB into an unauthorized device? Then buy this $56 USB stick that responds to an unfamiliar computer by zapping 200 volts into it. (IT World)