Security Reading List for 04/28/2017
This week has some great stuff. I'm trying out a new "recommended this week" box, kicking off with Dan Geer's excellent talk "Cybersecurity as Realpolitik," which I read about every six months to stay current on the state of the industry. 

The other "must read" in my mind is the "Flexidie" pastebin post. It's a fascinating narrative of the break-in that hit FlexiSpy.

There are then a few articles on hacking/surveillance by law enforcement, which is always a mixture of fascinating and worrying.

We wrap up with some "state of the industry" articles - both the Economist's take on the computer security industry, as well as a thought-provoking article on how defensive products are tested and compared (hint: poorly), followed by Joel's Law of Leaky Abstractions, which is industry-defining in the sense that a good chunk of the security industry would be rendered useless if we could somehow fix it.

Hope you have a great weekend!

Recommended this week

Cybersecurity as Realpolitik
Dan Geer
Power exists to be used.  Some wish for cyber safety, which they will not get.  Others wish for cyber order, which they will not get.  Some have the eye to discern cyber policies that are "the least worst thing;" may they fill the vacuum of wishful thinking.

Stalkerware: It's on
FLEXIDIE
brought to you by
Leopard Boy and the Decepticons

Since FlexiSpy burnt their entire network driving us out, we think it's
time for us to release our HowTo guide for aspiring hackers, about what we
did, and how you can do it, too.

This is going out there to help people learn how to hack and how to defend
themselves, as is traditional after these types of hacks.

'I'm Going to Burn Them to the Ground': Hackers Explain Why They Hit the Stalkerware Market

On Tuesday, Motherboard revealed that hackers had stolen a wealth of data from two companies that sell spyware to the everyday consumer. This information showed that tens of thousands of completely ordinary people had purchased malware that can snoop on mobile phones or computers.

Hacker Cop, Hacker Cop
Making a Watcher Force

Advanced, intrusive surveillance techniques are more and more likely to be in the toolbox of John Q Patrolman. Here’s how cops are being trained to hack the airwaves.

Modern 9-11 Systems are a Real-Time Surveillance Bonanza

Tower triangulation is old news. Law enforcement can now receive real time updates on your near exact coordinates via email with various carrier technologies like NELOS, PCMD, and RTT, all thanks to next generation 9-11 services.

Carnegie Mellon May Have Helped the U.S. Government Access a Terror-Linked iPhone

Cops are going to hack. As encryption and anonymity technologies continue to proliferate, the FBI and other law enforcement agencies increasingly use hacking tools to aid their investigations or identify criminals.

Direction of the Industry
How to manage the computer-security threat

COMPUTER security is a contradiction in terms. Consider the past year alone: cyberthieves stole $81m from the central bank of Bangladesh; the $4.8bn takeover of Yahoo, an internet firm, by Verizon, a telecoms firm, was nearly derailed by two enormous data breaches; and Russian hackers interfered in the American presidential election.

Computer security is broken from top to bottom

OVER a couple of days in February, hundreds of thousands of point-of-sale printers in restaurants around the world began behaving strangely. Some churned out bizarre pictures of computers and giant robots signed, “with love from the hacker God himself”.

Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance

Last November, a systems engineer at a large company was evaluating security software products when he discovered something suspicious.  One of the vendors had provided a set of malware samples to test—48 files in an archive stored in the vendor's Box cloud storage account.

The Law of Leaky Abstractions

There’s a key piece of magic in the engineering of the Internet which you rely on every single day. It happens in the TCP protocol, one of the fundamental building blocks of the Internet.  TCP is a way to transmit data that is reliable.