Situational awareness: A controversial bill allowing companies to "hack back" in some circumstances will be reintroduced today in the House.
Welcome to Codebook, a perfectly acceptable cybersecurity newsletter.
Today's Smart Brevity: 1,324 words, ~5 minute read
Illustration: Sarah Grillo/Axios
A recent study found that only 5.5% of security vulnerabilities discovered by researchers were actually ever used by hackers.
Why it matters: That number makes instinctive sense to experts but can seem counterintuitive to anyone outside the field. That's because not all vulnerabilities are created equal — and in a world with hundreds of bugs disclosed a week, prioritizing the important ones is key to any defense.
The big picture: If the 5.5% statistic sounds jarring, you're not alone. Jay Jacobs, chief data scientist, founder and partner at Cyentia Institute and the lead author of the study, says he thought it'd be higher, too.
The reasons a vulnerability goes unused vary. Most hacking is criminal, not espionage, and criminal hackers tend to make decisions based on hacking the most computers with the least amount of effort. Not all vulnerabilities are easy to use, and not all of the easy-to-use vulnerabilities are in products that are widely deployed.
The impact: The number of vulnerabilities used by hackers matters because there are far more new vulnerabilities each month affecting any organization than any organization can patch.
What's needed: That makes prioritizing vulnerabilities key. And that means taking several factors into account.
One factor not to take into account? Us. Or more accurately, media exposure of a vulnerability in general.
Jigsaw, the public service company owned by the parent company of Google, purchased a commercial social media trolling service to study its actions last year, Wired reports.
Why it matters: The campaign, which Jigsaw had conducted in Russia around the least consequential issue they could find, netted some interesting results. But it also raises a question of the ethics of purchasing such a campaign.
Details: The Jigsaw campaign centered on a decades-old Russian debate about whether Joseph Stalin was a hero or an embarrassment.
The fallout: The campaign was deliberately small. But the optics of even a small campaign could have consequences, both in terms of U.S.-Russian relations and Russian national politics.
Meanwhile, Twitter released a summary of inauthentic account removals Thursday, including nearly 5,000 accounts from Iran, 4 from Russia and 33 from Venezuela. Perhaps most unexpected, Twitter downed 130 accounts from the Catalan independence movement in Spain.
On Feb. 26, 2014, thousands of pro-Ukrainian activists and Crimean Tatars came to show their support for the territorial integrity of Ukraine. Photo: Pavlo_Bagmut/Barcroft Media via Getty Images
Cloudflare's Project Galileo, which offers free high-tier DDoS protection service to journalists, dissidents, civil liberties groups and other at-risk groups, turned 5 years old this week. The project currently serves over 600 accounts.
Why it matters: An LGBT protection group in the Middle East, for example, does important work on a shoestring budget and cannot possibly afford to block the outsized number of attacks it could face from governments and even citizens.
Background: "Project Galileo originally started from a failure to live up to what was originally our mission to make a better internet," Cloudflare CEO Matthew Prince told Codebook.
The impact: 5 years later, here's what Cloudflare has learned from offering the service:
Huawei cancels laptop: Huawei canceled a Windows laptop launch after being blacklisted from buying products from American companies by the U.S. Department of Commerce. (Axios)
ES&S nixes paperless voting: Election Systems & Software, a voting systems giant, "will no longer sell paperless voting machines as the primary voting device in a jurisdiction," the CEO wrote in an opinion piece. (Roll Call)
Gaming industry facing hackers: The gaming industry saw 12 billion credential-stuffing attacks in a 17-month period starting in November 2017. (Akamai)
Codebook will return next week.