Welcome to Codebook, the cybersecurity newsletter whose biggest social media fear 5 years ago was its parents sending a friend request on Facebook (see below).
Tips? Please reply to this email.
South Korean military remove propaganda loudspeakers from the demilitarized zone in May. Photo: Chung Sung-Jun/Getty Images
In 2013, when Peter Singer started writing a new book about online propaganda, the topic was largely speculative for U.S. readers. Singer and co-author Emerson Brooking watched in horror as their research merged with America's reality in 2016.
The big picture: "Russia is not the full story," Singer tells Codebook. "Russia is just a chapter in a larger book."
Singer, a researcher at the New America think tank, means that both figuratively and literally. His and Brooking's book, "LikeWar: The Weaponization of Social Media," comes out today. It may be the first study to link Mexican cartels, ISIS and reality TV villain Spencer Pratt.
Singer interviewed Pratt for the book. He has also briefed various intelligence agencies. "Spencer Pratt gets it. The government doesn't," he said.
It's Trump's playbook: "LikeWar" isn't about President Trump; he's just another chapter. But Singer tells Codebook that Trump is a good distillation of the tactics others use to make online propaganda work:
The bottom line: These tactics aren't secret sauce any more. Singer cites an example in Israel, where the approach has been institutionalized.
Four days after the Facebook breach announcement, we still don't know who the perpetrator was or how the access to accounts was used, and there's some reason to suspect that the number of affected users is less than the 90 million who had to log in a second time. We may be able to thank domestic and international notification laws for any confusion.
Obviously, for consumers and governments, there are real advantages to knowing right away about a breach.
But, but, but: The EU's Global Data Protection Regulation, as former Facebook CISO and current Stanford academic Alex Stamos pointed out on Twitter, gives only 72 hours to notify authorities about a breach. That means companies have to announce security flaws to the public before completing a full investigation.
Why it matters: There's a good chance Facebook will have more information about the attack as internal investigations have time to gather facts. Companies now have to go public without those facts.
A bevy of news stories and researchers will tell you that hackers sell personal data for frighteningly small amounts of money on the dark web. According to a new report from Terbium Labs, those statistics might be well-intentioned but are almost certainly not helpful to understanding the issue.
Why it matters: Reports about how much money credit cards cost in criminal markets don't tend to use consistent definitions — there's no way to draw any meaning from a report last year saying card information costs $5 and one today saying it costs $10.
Adding rigor: Bringing scientific rigor and consistent definitions could be really useful. We don't know, notes Wilson, if the prices go back up after Black Friday or how law-enforcement actions or service disruptions change costs.
Twitter announced new "election integrity" rules for its platform Monday, including stricter rules against fake accounts, punishments for accounts associated with banned accounts and a prohibition against sharing hacked materials.
Why it matters: The first two rule changes likely conform with what people assume Twitter's rules already are. The third rule is a little more complex.
The announcement: "Our rules prohibit the distribution of hacked material that contains private information or trade secrets, or could put people in harm’s way. We are also expanding the criteria for when we will take action on accounts which claim responsibility for a hack, which includes threats and public incentives to hack specific people and accounts. Commentary about a hack or hacked materials, such as news articles discussing a hack, are generally not considered a violation of this policy."
Twitter was the platform used by reporters and other folks to communicate with Russian cut-out persona Guccifer 2.0 about the 2016 election hacking scandal. It's also a common venue for other hackers to announce activity. Given the rate at which links to files get shared on Twitter, it will be interesting to see how the rule is enforced.
This is your yearly reminder that October is National Cybersecurity Awareness Month, and that you can go back to being oblivious about cybersecurity in 29 days.
How to celebrate: Homeland Security will be hosting events up and down the Eastern Seaboard, including symposia in the D.C. area and an event with NASDAQ in New York. Various private sector groups will host events as well.