Welcome to Codebook, the cybersecurity newsletter that got into a Twitter argument about centaurs over the weekend.
Today we are coming live from the Department of Homeland Security's National Cybersecurity Summit in New York, where the business community will discuss security issues with DHS. We'll have coverage in the Axios stream and more in Thursday's edition.
Tips? Please reply to this email.
Illustration: Sarah Grillo/Axios
Federal officials are doubling down on warnings about supply-chain security threats, attacks in which hackers sabotage software or hardware before it reaches the customer. The warnings are aimed at businesses facing theft of intellectual property, at federal contractors facing espionage, and at telecoms about to undertake a large-scale buildout of 5G networks.
Why it matters: It's difficult to extract supply-chain-vulnerable products from the market. Many devices and networks include components from a variety of companies from all over the world, providing ample opportunity for bad actors to interfere. Banning certain products can combat such threats, but can also cause friction: Just look at the recent call to remove ZTE and Huawei products from the telecom networks.
Driving the news: Last Thursday, the Office of the Director of National Intelligence issued a report finding that supply chain attacks used for economic espionage are on the rise. On Friday, the Department of Defense told reporters it was compiling a list of software manufacturers with Chinese and Russian ties that it thinks military branches and contractors should avoid.
Why now: The United States is about to go through a massive infrastructure expansion project as mobile carriers and equipment firms roll out 5G technology. Meanwhile, rural communities are still building their first broadband networks.
The government could dig its way out of the hole, but likely won't. Jim Lewis, currently of the CSIS think tank and formerly a Department of Commerce official specializing in high tech issues involving China, estimates that the government could even the playing field and solve the telecom supply chain problem for a little over a billion dollars.
Last week, the ACLU demonstrated that, using the default settings on Amazon's Rekognition system, 5% of the members of Congress would be misidentified as criminals. Amazon responded in a blog post that the result reflects the ACLU's use of a default setting not intended for law enforcement use.
Why it matters: It would obviously be bad if Capitol Police stormed a senator's office looking for a murder suspect, or if anyone else were misidentified as a wanted criminal. The issue here is that the ACLU ran Rekognition at its default 80% confidence threshold, a setting Amazon describes as suitable for suggesting whom to tag in a social network photo, not for identifying suspects.
When Amazon did a similar test with 99% confidence, it generated no false positives.
The bottom line: Accuracy isn't the only reason to be uncomfortable about pervasive facial recognition; activists worry that it will erode any remaining chance of privacy. But it's good to know that the threshold can be set higher than the ACLU tested. Raising it cuts false positives at the cost of missing more genuine matches, so the setting has to be chosen for the use case rather than left at the default.
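To make the threshold trade-off concrete, here is an added example (not Amazon's, the ACLU's or Axios's code) that scores a constructed set of face-match candidates at the 80% default and at 99%. The records mirror the FaceMatches shape returned by boto3's rekognition.search_faces_by_image(), but every similarity score, face ID and ground-truth label is made up for illustration; the search_collection helper shows where the threshold is passed on a live call and is not exercised here.

```python
"""
How the confidence threshold decides what counts as a face "match".

Added example, not Amazon's or the ACLU's code.  The match records mirror the
FaceMatches shape that boto3's rekognition.search_faces_by_image() returns
(each with a Similarity score, 0-100), but every score and ground-truth label
below is constructed for illustration.
"""
from typing import Dict, List, Tuple

Match = Dict[str, object]

# boto3's FaceMatchThreshold default, the level Amazon says fits photo tagging,
# and the 99 figure Amazon pointed to for its own re-run of the test.
DEFAULT_THRESHOLD = 80.0
STRICT_THRESHOLD = 99.0

# Constructed results: each row is one candidate returned for one probe photo.
# "is_same_person" is ground truth we only know because the data is made up.
CONSTRUCTED_MATCHES: List[Match] = [
    {"probe": "photo-01", "face_id": "coll-0001", "similarity": 99.5, "is_same_person": True},
    {"probe": "photo-02", "face_id": "coll-0002", "similarity": 99.2, "is_same_person": True},
    {"probe": "photo-03", "face_id": "coll-0003", "similarity": 97.8, "is_same_person": True},
    {"probe": "photo-04", "face_id": "coll-0004", "similarity": 91.0, "is_same_person": False},
    {"probe": "photo-05", "face_id": "coll-0005", "similarity": 85.3, "is_same_person": False},
    {"probe": "photo-06", "face_id": "coll-0006", "similarity": 82.4, "is_same_person": False},
    {"probe": "photo-07", "face_id": "coll-0007", "similarity": 70.1, "is_same_person": False},
]


def filter_matches(matches: List[Match], threshold: float) -> List[Match]:
    """Keep candidates at or above the threshold; this is what setting
    FaceMatchThreshold does on the service side (lower scores are not returned)."""
    return [m for m in matches if m["similarity"] >= threshold]


def error_counts(matches: List[Match], threshold: float) -> Tuple[int, int]:
    """Return (false_positives, false_negatives) at a threshold: an impostor
    that clears it is a false positive; a genuine match below it is a miss."""
    fp = sum(1 for m in matches if m["similarity"] >= threshold and not m["is_same_person"])
    fn = sum(1 for m in matches if m["similarity"] < threshold and m["is_same_person"])
    return fp, fn


def search_collection(client, collection_id: str, image_bytes: bytes,
                      threshold: float, max_faces: int = 5) -> List[Match]:
    """Live search against a Rekognition collection (needs a boto3 client and
    AWS credentials; not run here).  The threshold is an explicit parameter,
    so leaving it at the default is a deployment choice, not a given."""
    resp = client.search_faces_by_image(
        CollectionId=collection_id,
        Image={"Bytes": image_bytes},
        FaceMatchThreshold=threshold,
        MaxFaces=max_faces,
    )
    return [{"face_id": fm["Face"]["FaceId"], "similarity": fm["Similarity"]}
            for fm in resp.get("FaceMatches", [])]


if __name__ == "__main__":
    for t in (DEFAULT_THRESHOLD, STRICT_THRESHOLD):
        fp, fn = error_counts(CONSTRUCTED_MATCHES, t)
        print(f"threshold {t:>5}: {len(filter_matches(CONSTRUCTED_MATCHES, t))} matches, "
              f"{fp} false positives, {fn} missed true matches")
```

On this constructed data the default threshold admits three impostors and misses nobody, while 99% admits no impostors but drops one genuine match. Which error is worse depends entirely on what the match is used for, which is the point of Amazon's objection.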
A much touted "unhackable" cryptocurrency storage system is, more or less, a cell phone with no purpose-specific security hardware added on. Also, the phrase "unhackable" doesn't mean what you think it means, according to the manufacturers.
Why it matters: The Bitfi wallet, loudly backed by the ever-colorful John McAfee, claims to be so unhackable that the company will pay $100,000 to anyone who can prove it wrong.
That's not what unhackable means: Assuming Bitfi is right, you can't get money off a wallet they mail you. That's not the only way to hack a device, and it isn't even the place most hackers would look first. Every time a user checks the Bitfi's balance or moves money on or off the device, the secret has to be decrypted in the device's memory to be used. That is when it would be most vulnerable.
The intrigue: When researchers broke down the wallet, they found it relied on MediaTek MT6580 internals, just like a low-end cell phone, with some unneeded features likely stripped out. Though Bitfi jousted with researchers on Twitter, it didn't dispute that assessment of the hardware.
The bottom line: Bitfi might be a secure device; it may even be more secure than its competitors. But the underlying claim that the device is unhackable is reckless.
Motherboard details the arrest of 20-year-old Joel Ortiz, who tricked several cell phone companies into transferring other people's phone numbers into his control. He allegedly parlayed those numbers into roughly $5 million in ill-gotten gains.
SIM swapping: The technique, known as SIM swapping, gives an attacker not just the phone number but any account that uses that number to reset a password or deliver a login code. That allegedly gave Ortiz the ability to steal several million dollars from cryptocurrency investors, plus additional money from selling off other hijacked accounts. Any account that accepts an SMS code as the sole proof of identity for a reset is exposed the same way, which is why authenticator apps or hardware security keys are preferred as a second factor.
Telegram logo is seen on an Android mobile device. Photo: Omar Marques/SOPA Images/LightRocket via Getty Images.
Messages sent on the instant messaging app Telegram were routed through Iran yesterday because of a glitch in a fundamental internet routing system, one that many suspect was orchestrated by Tehran.
What happened: Routes announced via the Border Gateway Protocol (BGP) sent traffic bound for Telegram through Iranian networks. BGP works largely on trust: networks accept each other's announcements of which address blocks they can reach, so a network that announces someone else's address space, or a more specific slice of it, can pull that traffic toward itself.
Here's how BGP works and why it's vulnerable.
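As an added example of how such a diversion can be spotted (this is not Telegram's, Axios's or any operator's tooling), the following applies RPKI route-origin validation and a simple more-specific check to a constructed set of BGP announcements. The ASNs are taken from the documentation range (AS64496 to AS64511) and the prefixes from RFC 5737 test space; none of them refer to a real network, and the article does not give the actual prefixes or networks involved in the Telegram incident.

```python
"""
Route-origin validation over a set of BGP announcements, to show how a
prefix hijack (traffic pulled toward an unexpected network) can be spotted.

Added example; not Telegram's, Axios's or any operator's tooling.  ASNs are
from the documentation range (AS64496-AS64511) and prefixes from RFC 5737
test space, so nothing here refers to a real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce prefix and any
    more-specific of it down to max_length."""
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_as: int


# Constructed ROAs: AS64496 stands in for the legitimate owner of 192.0.2.0/24.
CONSTRUCTED_ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("203.0.113.0/24", 25, 64497),
]

# Constructed announcements as a route collector might see them.
CONSTRUCTED_ANNOUNCEMENTS: List[Announcement] = [
    Announcement("192.0.2.0/24", 64496),      # owner's normal route
    Announcement("192.0.2.0/25", 64511),      # more-specific from another AS: the hijack pattern
    Announcement("192.0.2.0/25", 64496),      # owner's own more-specific, but beyond max_length
    Announcement("203.0.113.128/25", 64497),  # allowed: /25 is within max_length 25
    Announcement("198.51.100.0/24", 64500),   # no ROA covers it
]


def validate(ann: Announcement, roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(ann.prefix)
    covering = []
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append(r)
    if not covering:
        return "not-found"          # no ROA says anything about this space
    for r in covering:
        if r.origin_as == ann.origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific


def find_invalid(anns: Iterable[Announcement], roas: Iterable[ROA]) -> List[Announcement]:
    roas = list(roas)
    return [a for a in anns if validate(a, roas) == "invalid"]


def unexpected_more_specifics(anns: Iterable[Announcement], own_prefixes: Iterable[str],
                              own_asns: Set[int]) -> List[Announcement]:
    """Without RPKI, an operator can still watch for anyone else announcing a
    more-specific of its own space.  Longest-prefix match means such a route
    wins over the legitimate aggregate no matter who is on the AS path."""
    owned = [ipaddress.ip_network(p) for p in own_prefixes]
    hits = []
    for a in anns:
        net = ipaddress.ip_network(a.prefix)
        for o in owned:
            if (net.version == o.version and net.subnet_of(o)
                    and net.prefixlen > o.prefixlen and a.origin_as not in own_asns):
                hits.append(a)
                break
    return hits


if __name__ == "__main__":
    for a in CONSTRUCTED_ANNOUNCEMENTS:
        print(f"{a.prefix:<18} AS{a.origin_as}  {validate(a, CONSTRUCTED_ROAS)}")
    print("more-specifics of our space from foreign origins:",
          unexpected_more_specifics(CONSTRUCTED_ANNOUNCEMENTS, ["192.0.2.0/24"], {64496}))
```

Two caveats a practitioner would add: validation only helps if routers actually drop "invalid" routes, and in 2018 that was rare, so most of the internet would still have accepted the more-specific announcement; and "not-found" is by far the most common result because most address space has no ROA at all, which is why the second check, watching for foreign more-specifics of your own prefixes, is the one most operators can use today.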
Activists in Iran note that a protest on Tuesday was being planned on Telegram, raising fears that the hijacking was intentional.
We'll be back on Thursday.