Welcome to Codebook, the only cybersecurity newsletter that has specifically been asked to stop using photographs of people in bear costumes to illustrate Fancy Bear.
When the U.S. announced new trade sanctions against Chinese tech giant ZTE last month, it didn't intend to strengthen China's domestic semiconductor industry. But trade fights can have unexpected consequences.
"The Trump administration probably didn't think twice about sanctioning ZTE, but it's going to have real effects," said Jim Lewis, senior vice president at the Center for Strategic and International Studies and a former head of the Commerce Department team dealing with national security issues in high tech trade with China.
The broad strokes: In mid-April, the U.S., which says ZTE has illegally traded with North Korea and Iran and covered up its actions, barred the company from access to all U.S. exports for 7 years. ZTE is dependent on American microprocessors to build its wares.
The intrigue: Skirmishes over semiconductors and those involving China's two leading hardware firms, Huawei and ZTE, always happen under a cloud of national security and cybersecurity fears.
An AP investigation found new ties between the hacking group that raided the Democratic National Committee in 2016 and so-called ISIS cyberattacks — in this case, death threats to U.S. military spouses.
The background: We already knew there was a connection between attacks claiming to be from the "Cyber Caliphate" and Fancy Bear, a group the U.S. and many other nations have attributed to Russian intelligence.
The new details: The AP received access to the Secureworks victim list and found that five prominent military spouses, all women, who received death threats from the Cyber Caliphate were also being targeted by Fancy Bear around the same time.
The National Freedom of Information Coalition worries government employees and groups may run afoul of public records laws if they use Gmail's new "self-destructing message" feature. The advocacy group is urging Google to turn off the feature on all .gov accounts.
Why it matters: The executive branch and many local governments are required to archive all communications for freedom of information, oversight or historical purposes. Gmail's self-destruct feature, introduced last month, lets senders set a limit on how long an email will stay in someone else's mailbox. That makes it a nifty security tool for those who don't want their old missives to be stolen or leaked.
Tech to stop embarrassing leaks has been too tempting to ignore for government officials, even when it violates records laws. White House employees communicated using the encrypted messenger Confide, likely in violation of records laws. Missouri governor Eric Greitens — who Monday moved to quash a search warrant on his Gmail account in a sexual misconduct scandal — was also criticized for using Confide.
Federal IT workers skew more "Matlock" than "How To Get Away With Murder." By NextGov's count, there are 4.64 employees over 60 years old for every one under 30.
Why that matters: NextGov based that stat on December data. When it looked at September data last year, the ratio was 4.53 to one. Both of those ratios were up from the June 2017 numbers.
But, but, but: The demand for IT staff is growing, not shrinking. And staffers over 60 have a tendency to retire.
Worse than the government as a whole: The ratio of above 60 to below 30 is three times worse for IT than government as a whole, though both are skewing older than months past.
Security folk had hoped a new spate of security vulnerabilities in Intel processors discovered by several different groups of researchers, including Google's Project Zero, would be announced Monday. But the vulnerabilities and patches won't start to be released until the second half of this month, if not later.
Why it matters: The German computer magazine c't reported that Spectre NG is a suite of eight glitches, four of which are high risk. The same publication reported that the delay in announcing the bugs was to give time to Intel to finish creating patches.
Extreme caveat: It's tough to gauge the severity or even existence of flaws no one can examine. All of the coverage of Spectre NG is still coming through a shroud of secrecy. Even the theory that the bugs would be released Monday was based mostly on a guess. Google's Project Zero, which supposedly discovered one of the bugs, traditionally gives manufacturers 90 days to come up with a patch before publishing the flaw on its own.
Codebook will return on Thursday.