A joke – but it’s true — the joke at TechCrunch is that the security office might as well be called the Department of Bad News, since, well, have you seen what we’ve been covering lately? There’s an endless supply of catastrophic breaches, pervasive surveillance, and awkward startups flogging the downright dangerous.
But sometimes—albeit rarely—there are rays of hope that we want to share. And mostly because doing the right thing, even (and especially) in the face of adversity, helps make cyberspace a little safer.
Bangladesh thanked a security researcher for discovering a leak of citizen data
When a security researcher found that a Bangladeshi government website was leaking the personal information of its citizens, something was obviously wrong. Victor Markopoulos found the exposed data thanks to an inadvertently cached Google search result that revealed citizen names, addresses, phone numbers and national ID numbers from the affected website. TechCrunch verified that the Bangladeshi government website was leaking data, but efforts to notify the government department were initially muted. The data was so sensitive that TechCrunch couldn’t say which government agency leaked the data, as that could further expose the data.
That’s when the country’s computer emergency response team, also known as CIRT, got in touch and confirmed that the leaked database had been patched. The data came from the country’s registry of births, deaths and marriages. CIRT confirmed in a public statement that it had resolved the data breach and that he left “no stone unturned” to figure out how the leak happened. Governments rarely handle their scandals well, but an email from the government to the researcher thanking them for discovering and reporting the bug shows the government’s willingness to address cybersecurity where many other countries do not.
Apple throws the kitchen sink into the spyware problem
More than a decade has passed since then Apple retracted its now infamous claim that Macs don’t get PC viruses (which, while technically true, has plagued the company for years). These days the most pressing threat to Apple devices is commercial spyware, developed by private companies and sold to governments, which can poke a hole in our phones’ security defenses and steal our data. It takes courage to admit a problem, but Apple has done just that with the release of Rapid Security Response patches to fix security flaws that spyware makers are actively exploiting.
Apple rolled out the first emergency “hotfix” earlier this year to iPhones, iPads, and Macs. The idea was to develop critical patches that could be installed without always having to reboot the device (arguably the pain point for the security-minded). Apple also has a setting called Mode Lock, which restricts certain device functions on an Apple device that are commonly targeted by spyware. Apple says it’s not aware of anyone using the Lockdown feature that was subsequently hacked. In fact, security researchers say that Lockdown Mode has actively blocked ongoing targeted intrusions.
The Taiwanese government did not blink before intervening after a corporate data breach
When a security researcher told TechCrunch that a bike-sharing service called iRent — run by Taiwanese auto giant Hotai Motors — was streaming customer data in real time to the Internet, it seemed like a simple fix. However, after a week of emailing the company to resolve the ongoing data leak — which included customer names, mobile phone numbers and email addresses, and customer license scans — TechCrunch was never heard back. As soon as we reached out to the Taiwanese government for help in uncovering the incident, we received a response immediately.
Within an hour of contacting the government, Taiwan’s digital affairs minister Audrey Tang told TechCrunch via email that the exposed database had been flagged with Taiwan’s computer emergency response team, TWCERT, and taken offline. The speed with which the Taiwanese government responded was surprisingly quick, but it was not the end. Taiwan then fined Hotai Motors for failing to protect the data of more than 400,000 customers and ordered it to improve its cyber security. Afterward, Taiwan’s Vice President Cheng Wen-tsan said the roughly $6,600 fine was “too light” and proposed a change to the law that would increase fines for data breaches tenfold.
US judicial system leaks have raised the right kind of alarm
At the heart of any court system is its court records system, the technical stack used to file and store sensitive legal documents for court cases. These systems are often online and searchable, and they limit access to records that might otherwise compromise an ongoing process. But when security researcher Jason Parker found several court filing systems with incredibly simple bugs that were exploitable using just a web browser, Parker knew they had to see those bugs fixed.
Parker found and disclosed eight security vulnerabilities in court records systems used in five US states — and that was just in their first batch of disclosure. Some of the defects have been fixed and some remain outstanding, and responses from states have been mixed. Lee County, Florida took the heavy (and proprietary) position of threatening the security researcher with Florida’s anti-hacking laws. But the revelations also sent the right kind of alarm. Several state CISOs and officials responsible for court records systems across the US saw the disclosure as an opportunity to inspect their own court records systems for vulnerabilities. Govtech is broken (and woefully underserved), but has researchers like Parker finding and revealing defects that need to be fixed makes the internet safer—and the court system fairer—for everyone.
Google killed geofence warrants, even if it was better late than never
It was Google’s ad-driven greed and constant growth that set the stage for geo-attack warrants. These so-called “reverse” search warrants allow police and government agencies to rummage through Google’s vast stores of user location data to see if someone was in the vicinity at the time a crime was committed. But the The constitutionality (and accuracy) of these reverse orders have been called into question and critics have called for Google to end the tracking practice it largely created in the first place. And then, just before the holiday season, the gift of privacy: Google said it would begin storing location data on users’ devices rather than centrally, effectively ending the ability of police to obtain real-time location from its servers.
Google’s move isn’t a panacea, and it doesn’t undo years of damage (or stop police from raiding historical data Google has stored). But it might prompt other companies that are also subject to these kinds of reverse search warrants — hello Microsoft, Snap, Uber, and Yahoo (TechCrunch’s parent company) — to follow suit and stop storing sensitive user data in a way that makes them accessible to the government requests.
