A Russian government-backed hacking operation known as Turla now names two of its code modules "TrumpTower" and "RocketMan." (CyberScoop)
Welcome to Codebook!
It just got easier for cybersecurity toolmakers to offer campaigns help — but only by a little.
The big picture: Cybersecurity firms have flocked to provide free services to state election authorities, and some want to help protect political campaigns, too. But those efforts have been in legal limbo thanks to the complexities of election finance law.
Driving the news: The Federal Election Commission issued the last in a series of clarifying decisions last week: Firms may offer political campaigns the same discounts they offer other customers, but only nonprofits can provide campaigns with free services or deals special to the campaigns.
Why it matters: Though much of the political focus has moved to voting machines, that wasn’t what Russia hacked in 2016. Rather, it targeted campaigns and political groups — and getting their defenses correct in 2020 is critical.
Details: The FEC had been weighing whether Area 1, a phishing security company, and Defending Digital Campaigns, an election security nonprofit, could offer free services to campaigns.
The intrigue: Several firms already offer free services to state election groups — including Microsoft, Cloudflare, Google and Synack — and it’s easy to think democracy would be better served if campaigns could get security tools for free, too.
Area 1's case was unique, because both the FEC and Area 1 agree that offering the same pricing to campaigns as to everyone else is explicitly legal. But Area 1's unusual pricing scheme made campaign lawyers nervous, Area 1 CEO Oren Falkowitz told Codebook.
Agari, which provides a different type of email security than Area 1, adjusted plans to offer its wares for free to campaigns. It will now offer free services via nonprofits like DDC.
Microsoft has seen a key early indicator of looming attempts to hack candidates and election systems.
Context: In a blog post Wednesday, the software giant said it regularly observes a spike in attempts to hack think tanks and nongovernmental groups (NGOs) that work with U.S. and European candidates before hackers attempt to go after the candidates and election systems. And, it says, it has seen that start to play out in advance of 2020.
Background: Here's the pattern, per the blog post: "We saw such attacks in the U.S. presidential election in 2016 and in the last French presidential election. In 2018 we announced attacks targeting, among others, leading U.S. senatorial candidates and think tanks associated with key issues at the time. Earlier this year we saw attacks targeting democracy-focused NGOs in Europe close to European elections."
Between the lines: Not all hacking is about interfering in elections — NGOs and think tanks provide insight about what a candidate will do in office. But this is one sign that nations have taken an interest in the election.
A viral app that ages people's faces is not actually uploading all of a user's stored photos to some mysterious server, the guy who started that rumor admits. It appears to be a legitimate case of a wrong conclusion being drawn from various data points.
What actually happened: FaceApp requires users to give permission to access photos, take pictures and upload them to a server, where image processing converts what you look like now into a prediction of what you'll look like as you face the ravages of inevitable human mortality (Fun!).
The scarefest worked its way to D.C. insiders, when the Democratic Party told candidates not to use the app and Sen. Chuck Schumer (D-N.Y.) asked the FBI and FTC to investigate the whimsical reminder that all things must decay.
The bottom line: FaceApp is no more a risk than any other app on your phone. But no less a risk, either.
Sprint customers' accounts breached (ZDNet): Sprint issued letters to impacted customers after hackers exploited a security flaw on Samsung's "add-a-line" website.
Former Justice Stevens passed away (Axios): John Paul Stevens was 99. Stevens earned a Bronze Star for work as a cryptographer during World War II, and he wrote an oft-cited opinion in 1995 promoting the right to anonymity.
Fernando "Corby" Corbató, too (TNW): There's a dispute over who first invented the password, but Corbató, an influential MIT professor, had a legitimate claim. Corbató was 93.
Medical biller breach affects 2.2 million more (TechCrunch): A previously announced breach at a defunct medical collections group affected even more people than previously known.
Codebook will be back next week, unless something goes horribly wrong.