Welcome to Codebook, coming to you from Black Hat and DEF CON in Las Vegas. Strangest slot machines I've seen so far: Goonies, Seinfeld and National Lampoon's Vacation.
Parisa Tabriz speaks at the Silicon Valley Comic Con in 2016. Photo: Kimberly White/Getty Images for AMC
In 1994, Netscape Navigator developed the secure browsing standard — HTTPS — that is still used today. For more than 20 years, cybersecurity pros knew it needed to be what every site used. And yet, it wasn't.
It's a common scenario in the security world: Knowing how to protect billions of users isn't enough to force the cultural shift it would take to accomplish it.
The latest: Parisa Tabriz, head of Google's Project Zero, and an accomplisher of big things (including forcing sites to use HTTPS by default), outlined an operable battle plan at the Black Hat conference to make those kinds of shifts — from knowing what needs to be done to actually getting it done.
The doom and gloom comes from presentations on security problems that could have been solved if only products met very minimal security standards. It's easy to lose heart when, year after year, presentations boil down to "keep software up to date" and "enable two-factor identification."
Project Zero is tasked with finding security flaws in any vendor's product. If the vendor doesn't provide a solution in 90 days, or at least show considerable progress, Google will publish the flaw.
How to change something: During her keynote, Tabriz suggested focusing on three things:
How to build coalitions: "Broaden your perspective. Leave your office more to meet other types of people and learn to articulate to other stakeholders," she told Codebook.
Every week, Symantec discovers 10 new groupings of events that may indicate new teams of hackers committing crimes, new nation state threats gearing up for attacks or new clusters of especially active teenagers.
Though Symantec believes it can block the tactics of those groups, that's too many to do deep-dive research on each of them to better understand if those attacks are related and — if they are — what they are trying to accomplish.
"Even with 150 malware researchers, it's too many to keep up," Liam O'Murchu, director of security technology and response for Symantec, told Codebook at Black Hat.
Why it matters: While it doesn't mean that those bad guys are winning, it does give a sense of the struggle throughout the industry to fully appreciate what's going on.
The back story: Symantec doesn't discover the groupings entirely by hand anymore. They use an automated system to find potential groups, allowing them to discover connections humans would miss.
In his Black Hat talk Wednesday and his upcoming book "Industry of Anonymity: Inside the Business of Cybercrime," Jonathan Lusthaus argues that cybercrime isn't as connected to traditional mafias as you — or even criminals — might expect.
Lusthaus, the director of the Human Cybercriminal Project at Oxford, did a seven-year study over 20 countries. While criminals seemed to believe the mob is heavily tied to cybercrime, few could offer concrete examples.
Why not? Because cyber criminals don't have turf wars — there's plenty of opportunity for crime to go around. Because of that, Lusthaus determined, there was no need for the physical protection the mob could provide.
That said, the criminals are still organized. While they may not be connected to a broad, violent network of criminals, they still work in hierarchical groups to maximize attacks.
Mobile security experts Codebook spoke to at Black Hat were not impressed by Epic Games' decision to offer an Android version of its blockbuster game Fortnite without using the Google Play store.
Why this is bad: The Google Play store is a "walled garden," a tightly controlled environment that allows Google to check all apps for malware. By default, the only app store Android phones can use is Google's.
So, why do it? The Google Play store charges a 30% commission for sales on its store. Epic can enjoy far more profits by circumventing the Play store.
What they're saying: "If other major developers follow Fortnite's lead, there could be a collapse of the 'walled garden' system," said one mobile security expert. "That would be a disaster."
Codebook returns on Tuesday.