The Cybersecurity Stories We Were Jealous of in 2020

newspapers

Image: Leon Neal/Getty Images

The end of the year is usually a good time for retrospection and one of our favorite traditions: digging into the archives and recognizing the best cybersecurity stories of the year. Stories so good, we wish we had written them ourselves.

Without further ado, here’s the annual Motherboard’s Cyber Jealousy list. 

The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet

By: Andy Greenberg

Marcus Hutchins may very well be one of the most famous hackers and cybersecurity researchers of the last few years. He helped stop the chaotic and disruptive WannaCry worm, and then got ensnared in an unexpected criminal case that saw him admit to writing banking malware when he was a teenager. Against all odds, the judge let him off the hook, arguing that Marcus had already paid the price during the trial and showed real remorse. We all knew one day someone would write a kickass profile of Marcus, also known as MalwareTech, and Andy Greenberg at Wired knocked it out of the park.

Exclusive: Apple dropped plan for encrypting backups after FBI complained

By: Joseph Menn

Believe it or not, this story came out this year, even though January of 2020 feels like 10 years ago. Joseph Menn, who always has one or two truly shocking scoops a year, reported that the FBI convinced Apple to block its plan to encrypt its backup service iCloud. The folks at Cupertino were planning to make backups end-to-end encrypted, much like their messaging and video chat services iMessage and FaceTime. But then the feds changed their minds. This shows how cops and law enforcement agents can get around end-to-end encryption tapping into backups, which most people have enabled by default…and how Apple sometimes is happy to cave to the government. 

iPhone spyware lets police log suspects’ passcodes when cracking doesn’t work 

By: Olivia Solon

The tech from iPhone crackers GrayShift is not really controversial in and of itself. The company’s GrayKey product is designed to unlock modern iOS devices, in the same sort of way Cellebrite had cornered the market for unlocking all sorts of other phones. But the Hide UI feature is different: in one possible situation, it could surreptitiously record a user’s password when law enforcement gives the phone back to them. This is so authorities don’t need to try and guess the password, and capture it instead. 

Federal Agencies Use Cellphone Location Data for Immigration Enforcement

By: Byron Tau and Michelle Hackman

This Wall Street Journal piece was the first to show that U.S. law enforcement agencies are simply buying their way to granular location data harvested from smartphones. It reported that ICE was using the data to find and arrest people, and named one of the central companies in this industry, Venntel. This piece made us so obsessed with the location data industry that we started a nearly year long series of articles, including one that showed that the U.S. military and contractors buy similar data, and another that CBP had spent nearly half a million dollars on buying access to location data.

Lined up in the sights of Vietnamese hackers:

By: Hakan Tanriverdi, Max Zierer, Ann-Kathrin Wetter, Kai Biermann, Thi Do Nguyen

This piece on hacking group Ocean Lotus shows not only what journalists can do when they apply themselves to more technical analysis, but also how media outlets can effectively present that sort of information to readers. The piece shows, step-by-step, how an email may actually be carrying malware. This was truly a genre-defining story, a mix between a technical security research paper and a journalistic endeavor. One of the best stories of the year, and perhaps of the last few years. Kudos to our friend Hakan Tanrivendi and his colleagues. 

How the Pentagon is trolling Russian, Chinese hackers with cartoons

By: Shannon Vavra

“We don’t want something they can put on T-shirts,” the U.S. official said, referring to imagery of a bumbling bear that U.S. agencies have portrayed Russian hackers as in publicly distributed comic-strip-style pictures. “We want something that’s in a PowerPoint their boss sees and he loses his shit on them.” What a couple of quotes! This piece, of course, is funny, but it also highlights a dramatic and important shift from U.S. agencies around cybersecurity: while Russian hackers are very familiar with trolling their opponents, U.S. officials are trying their own stuff too.

How a Hacker’s Mom Broke Into a Prison—and the Warden’s Computer

By: Lily Hay Newman

The headline alone seems like it comes from an Onion article, and yet, it’s all a true story. A bizarre tale of hacking, prisons, and a mother at the center of it all. 

Obscure Indian cyber firm spied on politicians, investors worldwide

By: Jack Stubbs, Raphael Satter, Christopher Bing 

For years, several groups of security researchers and journalists have lifted the veil, in painfully detailed stories of abuse, on what some call the Hacking as a Service industry. That part of the cybersecurity world where mercenary companies provide surveillance tech and hacking tools to pretty much any government that is willing to pay. This story, on the other hand, names—for the first time—a company that takes things a step further: this shady Indian startup was conducting hacking operations on behalf of companies who wanted to steal competitor’s secrets.    

Secret Trump order gives CIA more powers to launch cyberattacks

By: Zach Dorfman, Kim Zetter, Jenna McLaughlin and Sean D. Naylor

Very few stories a year reveal details of classified cyber operations conducted by governments—let alone the US government. This story by a legitimate dream team of reporters does precisely that. 

Airbnb Executive Resigned Last Year Over Chinese Request for More Data Sharing

By: Dustin Volz and Kirsten Grind

We all know how much China has been able to throw its weight at American tech companies, from forcing Apple to store Chinese citizens iCloud data within the country, to tempting Google so much to convince the company to work on developing a censored version of its search engine. This story is a bit more wild: Airbnb’s former “chief trust officer,” a former FBI deputy director, resigned from the job because he was concerned about how much data Airbnb shared with the Chinese government. Truly a bombshell. 

Risky Biz’s Patrick Gray interviews CISA’s Chris Krebs

Patrick’s podcast is a must listen pretty much every week, if anything for him and Adam Boileau’s always sharp and smart analysis of the week’s news. In this case, however, Patrick deserves kudos for talking to Chris Krebs, the architect of the Cybersecurity and Infrastructure Security Agency, just a few days before the election he helped secure—and a couple of weeks before Donald Trump fired him via tweet for stating the truth about the election. Patrick is an exceptional interviewer and this is a great example of that.   

This week in security, Zack Whitaker’s newsletter 

There are very few newsletters we subscribe to. There are even fewer that we actually want to read and open. Zack Whittaker’s is one of those. Whittaker, the security editor at TechCrunch, provides a cogent, to the point summary of the most important and interesting cybersecurity news of the past week. But he does it with humour and clarity, and usually there’s a picture of a cat at the bottom, which is always a plus.