Welcome to Codebook, the only cybersecurity newsletter blowing the lid off the Madison, Wisconsin, McDonald's scene.
Tips? Reply to this newsletter.
Illustration: Sarah Grillo/Axios
Reading cybersecurity news is usually stressful, often misleading and sometimes confusing. That's why Codebook is proud to offer you this guide: what to keep in mind when reading cybersecurity news.
A conceivable attack isn't the same as a likely attack: Over the weekend, a variety of newspapers printed a wire story titled "Why you may want to wrap your car key fob in tin foil." The premise was an attacker could clone your key fob using an undetectable cloning machine and steal you car. The tin foil would serve as a Faraday cage and block the signal.
The apocalypse isn't nigh: Last week, New York Times columnist Nicholas Kristof described cyberwarfare as something strikingly similar to the plot of a "Die Hard" movie: An evil attacker would simultaneously take out the power grid, phones and banks. But that kind of blitz — coordinated across multiple industries and thousands of networks — is both technologically and strategically unlikely.
"Breach" has more than one meaning: Axios discussed last week how some incidents being called breaches were really just databases put online without passwords where no bad guy had accessed the data. That's hardly good — but it's not what most people think of when they think of a breach. Along the same lines:
Think simple before complex: Most breaches start with phishing. News stories often emphasize the scary attack before the basics. Hackers start with the basics.
When companies fix security flaws, that's good: If a headline says that a product has a security flaw, that usually it means that product just got more secure — it was announced because it has just been patched. Don't take it to mean that product is less secure than its competition. All products have vulnerabilities.
Finally: Codebook picked examples based on their visibility, but that everyone, even Axios, makes mistakes. (In the interest of fairness, at the bottom of this newsletter, you will find Joe's second most embarrassing journalism story.)
Russian hackers are not targeting state election systems with a cyber campaign as they did in 2016, two Department of Homeland Security officials told separate Congressional committees yesterday.
Where it happened: Officials Chris Krebs, undersecretary in charge of the National Protection and Programs Directorate, testified before the House Homeland Security Committee. Senior cybersecurity adviser (and elections expert) Matt Masterson testified before the Senate Rules Committee.
What it does and doesn't mean: DHS doesn't have full visibility on campaign systems and Krebs noted that Russia is still launching divisive social media campaigns — DHS's good news solely applies to the state election systems. But it is good news.
Photo: Toshifumi Kitamura/AFP via Getty Images
Lawmakers are concerned that chipmakers' strategies to mitigate security flaws nicknamed Spectre and Meltdown may have caused national security issues.
What they're saying: “It's been reported that Intel informed Chinese companies of the Spectre and Meltdown vulnerabilities before notifying the US government. As a result, it's highly likely that the Chinese government knew about the vulnerabilities,” Florida senator Bill Nelson (D-Florida) said at a Wednesday hearing on the issue (as quoted by Wired's Lily Hay Newman).
The theory: Firms involved in the chipmaking process notified all of their clients about Spectre and Meltdown in advance of going public with the vulnerabilities. This gave manufacturers time to patch the problem before hackers were made aware there was a problem to take advantage of.
Meanwhile, two new vulnerabilities similar to Spectre have been discovered, affecting any system running Intel, AMD or ARM processors.
Spectre? Meltdown? These vulnerabilities take advantage of a shortcut processors use. If a user tries to access data protected by a password, the computer begins processing the data before the user enters the password. That way, the data is ready whenever the user is done. There were flaws in the scheme to make sure people without a password couldn't manipulate that process to get data anyway.
The inaugural ThinkCyber cybersecurity fellowship — backed by security testing firm Synack, recruiter Nav Talent and Morgan Stanley — starts Friday, with 22 college students selected from an international applicant pool attending a four-day symposium in Silicon Valley.
Why it matters: Most of the top schools in computer science lack a dedicated cybersecurity component to their programs. To Jay Kaplan, Synack co-founder, that means the challenge is more than just luring top talent to cybersecurity jobs.
"Some of the students will be writing the next generation of applications," he said. "Teaching them at this stage will introduce better security practices."
"I'd love for them to make our jobs harder."
During my first reporting job, at a now-defunct weekly in Madison, Wisconsin, a food section story fell through, and we needed emergency content, fast. I don't have a refined palette, but wanted to be helpful: I offered to find the best McDonald's in Madison.
Why it matters: I ate hundreds of McNuggets in three hours for science.
The details: In theory, we had two days to do the story, but I didn't own a car. My roommate and his girlfriend offered to drive me around late Sunday afternoon.
By the numbers: Every 40 McNuggets is a day's worth of food. In under three hours I went through that cycle 4 times. I couldn't sleep for days afterwords.
The best McDonalds in Madison has a working fireplace.
Codebook will return Tuesday.