Good afternoon, Cyber Saturday readers.
David Sanger at the New York Times has a new book out on cyber espionage and digital intrigue, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. While I have not yet read it, I did catch an excerpt that has been making the rounds on Twitter. The passage reveals new details about how Mandiant, a computer forensics firm founded by Kevin Mandia, a U.S. Air Force veteran, clinched its landmark linking of a Chinese hacking group that had ravaged American corporates in years past and Unit 61398 of the Chinese military. (Hat tip to Thomas Rid, a professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies and author of another excellent book, Rise of the Machines: A Cybernetic History, who tweeted a screenshot of the text.)
Here’s the section in question: “As soon as they detected Chinese hackers breaking into the private networks of some of their clients–mostly Fortune 500 companies–Mandia’s investigators reached back through the network to activate the cameras on the hackers’ own laptops,” Sanger writes. “They could see their keystrokes while actually watching them at their desks.”
When Mandiant released its report on the hacking group, so-called Advanced Persistent Threat 1, or “APT1,” the paper was a bombshell. Now five years later, the firm’s methodology, as revealed by Sanger, has resulted in a second bombshell. If accurate–and it seems to be, given that Sanger describes personally watching over the shoulders of Mandiant’s crew while it spied on the spies–the anecdote suggests that Mandiant engaged, even if mildly, in a “hack back,” a highly controversial and legally dubious countermeasure. (The firm did not immediately respond to Fortune’s request for comment about the incident on Saturday afternoon.)
Critics of hack backs warn that such retaliation could escalate into all-out conflict. Imagine: a private company taking on an entire nation. Such recklessness could draw world powers onto a dangerous collision course. There’s no better review of this audacious activity than this recent story in the New Yorker, which describes its legal ambiguity in detail. And yet no U.S. company has ever been charged for a hack back. As the piece’s author, Nicholas Schmidle, explains, “A former Justice Department official told me recently that the optics would be ‘awfully poor’ if the department prosecuted a company that had retaliated against foreign hackers….’I can’t imagine a jury convicting anyone for that.’”
Neither can I. And speaking of optics, a piece of advice: Cover your webcam. No, it’s not weird or paranoid. It’s a common sense precautionary measure–as prudent as locking one’s door upon leaving home. I use a small, plastic shutter that conveniently slides open should I need to video-chat. Heck, even Mark Zuckerberg uses a piece of tape. Go get one!
Have a great weekend.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
The all-C-I-A-ing eye. Last year the FBI raided the New York apartment of Joshua Schulte, who the government suspects of having leaked CIA hacking documents to the whistleblowing website WikiLeaks. Vice Motherboard reviewed Schulte’s online presence and found, troublingly, that the former intelligence officer had posted CIA code to a publicly accessible personal website. "Quite simply, Schulte has some of the worst opsec and messiest online presence of anyone I’ve ever reported on," writes Motherboard’s Jason Koebler.
Location, location, location. All four major U.S. mobile carriers–Verizon, AT&T, T-Mobile, and Sprint–said they would stop selling customers’ cellphone location data to third party data brokers. The decision came after a glitch was discovered on the website of a mobile data broker that allowed anyone to access just about any other person’s real-time location in the U.S., simply by knowing that person’s phone number. The companies took action after legislators, like Sen. Ron Wyden (D-Ore.), had begun censuring them.
Money, money, money, money. A number of cybersecurity firms raised significant rounds of venture capital funding this week. CrowdStrike raised $200 million at a private valuation exceeding $3 billion. Cylance raised $120 million in a round led by Blackstone Tactical Opportunities. And Goldman Sachs led a round in Agari, an email security firm, for $40 million.
"Tactical pants"–your tax dollars at work, folks.
The web has reached a new low. It has become an annoying, often toxic and occasionally unsafe place to hang out. More important, it has become an unfair trade: You give up your privacy online, and what you get in return are somewhat convenient services and hyper-targeted ads.
That’s why it may be time to try a different browser…. In the end, Firefox’s thoughtful privacy features persuaded me to make the switch and make it my primary browser.