Happy weekend, Cyber Saturday readers.
It has been busy here at HQ between a Fortune 500 issue close and New York City’s “blockchain week,” so I’m passing my weekend column duties onto a pinch hitter. Today’s essay comes to you courtesy of Oren Falkowitz, a cybersecurity entrepreneur, NSA alum, and regular reader of this newsletter. His contribution is timely, you’ll discover as you read on, given that it was the 100th birthday of the late scientist Richard Feynman last week. Hope you enjoy.
When the Nobel Prize-winning physicist Richard Feynman delivered the 1974 commencement speech at Caltech, he warned against “cargo cult science,” in which people arrive at erroneous conclusions by misinterpreting the causality of results. The phrase derives from religious movements on isolated islands in the South Pacific that received airdrops of vital supplies during World War II. There, witch doctors pronounced that building new airstrips and bamboo headphones would make the supply-laden airplanes reappear.
Unfortunately, this sort of deluded thinking is just as prevalent in our modern world; nowhere more so than in cybersecurity.
We witness this cargo cultism when people ascribe insurmountable superpowers to cyber actors, simply because we struggle to stop them. We encounter it in the industry’s xenophobic biases, which treat software developed in Russia or emails from Nigerian internet addresses as suspect, even when we can’t actually pinpoint maliciousness. And the phenomenon manifests itself in a persistent belief that, if we just try harder, we can train people to spot phishing attacks that are, in fact, designed to fool them.
Despite the billions of dollars spent on cybersecurity, damages from cyberattacks continue to mount, and the underlying economics of being a bad guy on the internet remain a really good business. Hackers are moving on a frightening trajectory from data theft and data ransom, to data manipulation, to physical destruction. Now they are threatening the very stability of society.
Products that return disastrous results, as the current crop of cybersecurity solutions do, usually don’t survive the ruthless equilibrium of the marketplace. But in cybersecurity, accountability is essentially nonexistent. We should demand that vendors offer guarantees, or price products based on performance. You wouldn’t pay for a car if it broke down as soon as you took it off the lot and onto the highway, and you shouldn’t pay for cybersecurity that doesn’t work.
The witch doctors of cybersecurity have offered sham remedies. Trends in business like the transition to cloud computing, through Amazon Web Services and Microsoft Azure, are conditioning customers to pay only for what they use. Cybersecurity should be no different: Pay for performance, rather than pay-for-misses. Quite simply, does it protect you or not?
Until cybersecurity companies produce solutions that actually stop cyberattacks—provably, transparently, and repeatedly—we’ll continue dutifully making faux radar towers in palm trees. Humans are capable of accomplishing amazing feats, and our history of accomplishments as a species should give us the confidence that solutions in cybersecurity are just as surely within our grasp.
Mr. Falkowitz is a co-founder and the Chief Executive Officer of Area 1 Security, you can follow him on Twitter @orenfalkowitz
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’sdaily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Encryption corruption. Researchers discovered vulnerabilities, dubbed “eFail,” that affect PGP, an encryption software program, and S/MIME, an encryption protocol. Attackers can exploit the flaws to expose the plaintext of email messages encrypted with these tools. The Electronic Frontier Foundation has recommended uninstalling or disabling PGP email plug-ins as a result, and instead using the encrypted chat app Signal for discreet communications. (It’s worth noting that other researchers found a since-fixed flaw in the desktop client for Signal that allowed attackers to execute malicious code in messages.)
Sell, sell, cell. Firms that buy people’s location data from cell service providers like AT&T, Sprint, T-Mobile, and Verizon, and then sell it for marketing and other purposes, are facing scrutiny after a series of incidents drew attention to their operations. This week, for instance, Vice Motherboard reported that a hacker stole login information for thousands of customers of Securus, a company that sells call-tracking services to prisons so wardens can keep tabs on prisoners’ outgoing calls. Also this week, a researcher discovered that a buggy phone-tracking tool on the website of LocationSmart, a geo-data aggregator employed by marketers and corporations, has been leaking the whereabouts of just about everyone in the U.S. The company took its demo offline for now.
To the vault. Joshua Schulte, a 29-year-old former CIA and Bloomberg software engineer, is the prime suspect in a recent leak of secret documents relating to CIA hacking tools, the New York Times reports. He is believed to have given an archive of intelligence documents to the whistleblowing website WikiLeaks, which branded the haul “Vault 7” when it published the cache last year. Prosecutors have so far charged Schulte for possessing child pornography—it remains unclear why they have not as yet pressed charges in connection to the leak.
Once more unto the breach. Tidal, the music-streaming service, said it is investigating a “potential data breach” with the help of an unidentified cybersecurity firm after a Norwegian newspaper accused the platform of having manipulated streaming and subscriber numbers. Also, Brinker International, owner of the restaurant chain Chili’s, said that some undisclosed number of Chili’s restaurants were “impacted by a data incident.” The company said it involved the possible compromise of customer payment card information between March and April of this year.
Electrical tape: the ultimate invisibility cloak.
Share today’s Data Sheet with a friend:
Looking for previous Data Sheets? Click here.
Titled The Selfish Ledger, the 9-minute film starts off with a history of Lamarckian epigenetics, which are broadly concerned with the passing on of traits acquired during an organism’s lifetime. Narrating the video, Foster acknowledges that the theory may have been discredited when it comes to genetics but says it provides a useful metaphor for user data. (The title is an homage to Richard Dawkins’ 1976 book The Selfish Gene.) The way we use our phones creates “a constantly evolving representation of who we are,” which Foster terms a “ledger,” positing that these data profiles could be built up, used to modify behaviors, and transferred from one user to another.
Twitter Has a New Plan To Combat Trolls by Jonathan Vanian
Google Offers Free Protection to U.S. Political Websites by Jeff John Roberts
Google and Internet Archive Are Top Choices For ISIS Propaganda by Jeff John Roberts
Keyless Cars Can Have Deadly Consequences by Sarah Gray
Tim Cook’s Duke Commencement Speech Emphasizes Privacy by David Z. Morris
ONE MORE THING
Atomic bomb. Is nature continuous or discrete? The history of modern science has for centuries assumed the fundamental fabric of the universe to be particulate, rather than a continuum. This bias may be due, in part, to a misreading of a Roman poet, Lucretius, whose influential work De Rerum Natura helped kick off the scientific revolution after its rediscovery in 1417, says University of Denver philosophy professor Thomas Nail in a piece on Aeon.