Welcome to Freedom Codebook, the cybersecurity newsletter of liberty that isn't quite sure what the Department of Energy was going for, but is totally willing to play ball.
Smart Brevity count: 1,472 words/<6 min. read
Security experts are drawing differing lessons from the latest report of the alleged use of secret NSA hacking tools by a criminal group. Some argue the NSA needs more oversight, while others say that organizations need to be more vigilant about updating the systems the NSA tools target.
The big picture: These two remedies aren't mutually exclusive. But neither is easy to achieve.
Driving the news: The debate flared after the New York Times reported that attackers responsible for Baltimore's recent ransomware incident used a program believed to be created by the NSA.
Background: The NSA code, known as EternalBlue, leaked in 2017 as part of a year-long dump of agency files online by a cryptic hacker group called the Shadow Brokers.
Between the lines: Whether the NSA needs more oversight in developing tools has no bearing on whether people should patch, and vice versa. And fully achieving either solution alone might not be possible.
Details: The executive branch does have an oversight structure in place, known as the vulnerabilities equities process. Any time agencies want to keep a vulnerability they discover secret so it can be used for surveillance, they have to make their case in front of a special interagency panel.
Where it stands: After WannaCry, it's likely that the VEP has already adopted a stricter approach toward approving "wormable" tools.
The bottom line: Ultimately, there may be less room to build out oversight than critics hope and a ceiling to how much applying updates can improve security.
Mueller walks away from the podium after making a statement about the Russia investigation, May 29. Photo: Chip Somodevilla/Getty Images
Special prosecutor Robert Mueller closed his statement yesterday — his first and only public remarks about his conclusions in the Russia investigation — with a plea for the public to remember how we got into this mess. Meanwhile, President Trump argued that the Russia narrative doesn't matter as long as he didn't participate in the swindle.
What they're saying: "I will close by reiterating the central allegation of our indictments — that there were multiple, systematic efforts to interfere in our election," said Mueller. "That allegation deserves the attention of every American."
The big picture: Mueller's saying we need to focus on two things instead of one — and we've only done a good job of focusing on one.
Why it matters: Placing Trump at the center of the controversy has allowed Russia to escape punishment commensurate with the crime, while stalling Congress from passing comprehensive election security measures with enough time to institute them before the 2020 election.
The bottom line: It's easy to get angry about a physical attack against America. Sometimes patriotism also calls for getting angry at a less tangible attack on the American idea.
Twitter is funding research into white supremacy on its platform, including whether or not dialogue on Twitter might actually be de-radicalizing white supremacists, according to Motherboard.
What they're saying: "[C]ounter-speech and conversation are a force for good, and they can act as a basis for de-radicalization, and we've seen that happen on other platforms, anecdotally," Vijaya Gadde, Twitter's head of trust and safety, legal and public policy, told Motherboard. "So one of the things we're working with academics on is some research here to confirm that this is the case."
Context: Social media is typically regarded as prime recruitment and radicalization ground for hate groups.
Details: The counter-speech research is, per Gadde in Motherboard, one of a few lines of research on white supremacy Twitter is funding, including looking at whether removing extremists from the site would be beneficial to users.
The amount of data exposed by online file storage and sharing protocols has risen by 50% since 2018, according to Digital Shadows.
The big picture: Many of the largest events reported as data breaches aren't data breaches at all — they're instances where a security researcher notices that data in a cloud server or another file sharing protocol hasn't been secured when the company absolutely should have secured it. In those cases, the data is exposed to the internet for anyone who knows where to look.
Details: It's disheartening that the amount of exposed data still appears to be expanding.
Notably, exposures of S3 buckets, data stored on Amazon's cloud service, dropped to a "nearly unrecognizable amount" since last year, down from 16 million to around 2,000.
First American exposure: A web design flaw in First American Financial Corporation's document transfer system left around 885 million files exposed on the web with no security. (Axios)
China threatens rare earth elements over Huawei: China threatened to cut off the U.S. from its supply of rare earth elements over the Huawei export bans, most recently with a veiled threat from a spokesman at the Chinese Commerce Ministry. (Reuters)
Facebook deactivated Iranian disinformation accounts disguised as (among other things) U.S. Representatives' official accounts. (Axios)
Deepfakes are getting so good that it's hard to tell if that video of the Mona Lisa talking to you is authentic. (Vice)
Codebook will be back next week.