It’s the end of the year. That means it’s time for us to celebrate the best cybersecurity stories we didn’t publish. Since 2023, TechCrunch has looked back at the best stories across the board from the year in cybersecurity.
If you’re not familiar, the idea is simple. There are now dozens of journalists who cover cybersecurity in the English language. There are a lot of stories about cybersecurity, privacy, and surveillance that are published every week. And a lot of them are great, and you should read them. We’re here to recommend the ones we liked the most, so keep in mind that it’s a very subjective and, at the end of the day, incomplete list.
Anyway, let’s get into it. — Lorenzo Franceschi-Bicchierai.
Every once in a while, there’s a hacker story that as soon as you start reading, you think it could be a movie or a TV show. This is the case with Shane Harris’ very personal story of his months-long correspondence with a top Iranian hacker.
In 2016, The Atlantic’s journalist made contact with a person claiming to work as a hacker for Iran’s intelligence, where he claimed to have worked on major operations, such as the downing of an American drone and the now-infamous hack against oil giant Saudi Aramco, where Iranian hackers wiped the company’s computers. Harris was rightly skeptical, but as he kept talking to the hacker, who eventually revealed his real name to him, Harris started to believe him. When the hacker died, Harris was able to piece together the real story, which somehow turned out to be more incredible than the hacker had led Harris to believe.
The gripping story is also a great behind-the-scenes look at the challenges cybersecurity reporters face when dealing with sources claiming to have great stories to share.
In January, the U.K. government secretly issued Apple with a court order demanding that the company must build a backdoor so police can access iCloud data of any customer in the world. Due to a worldwide gag order, it was only because The Washington Post broke the news that we learned the order existed to begin with. The demand was the first of its kind, and — if successful — would be a major defeat for tech giants who’ve spent the past decade locking themselves out of their users’ own data so they can’t be compelled to provide it to governments.
Apple subsequently stopped offering its opt-in end-to-end encrypted cloud storage to its customers in the U.K. in response to the demand. But by breaking the news, the secret order was thrust into the public eye and allowed both Apple and critics to scrutinize U.K. surveillance powers in a way that hasn’t been tested in public before. The story sparked a months-long diplomatic row between the U.K. and the United States, prompting Downing Street to drop the request — only to try again several months later.
This story was the kind of fly-on-the-wall access that some reporters would dream of, but The Atlantic’s editor-in-chief got to play out in real-time after he was unwittingly added to a Signal group of senior U.S. government officials by a senior U.S. government official discussing war plans from their cell phones.
Reading the discussion about where U.S. military forces should drop bombs — and then seeing news reports of missiles hitting the ground on the other side of the world — was confirmation that Jeffrey Goldberg needed to know that he was, as he suspected, in a real chat with real Trump administration officials, and this was all on-the-record and reportable.
And so he did, paving the way for a months-long investigation (and critique) of the government’s operational security practices, in what was called the biggest government opsec mistake in history. The unraveling of the situation ultimately exposed security lapses involving the use of a knock-off Signal clone that further jeopardized the government’s ostensibly secure communications.
Brian Krebs is one of the more veteran cybersecurity reporters out there, and for years he has specialized in following online breadcrumbs that lead to him revealing the identity of notorious cybercriminals. In this case, Krebs was able to find the real identity behind a hacker’s online handle Rey, who’s part of the notorious advanced persistent teenagers’ cybercrime group that calls itself Scattered LAPSUS$ Hunters.
Krebs’ quest was so successful that he was able to talk to a person very close to the hacker — we won’t spoil the whole article here — and then the hacker himself, who confessed to his crimes and claimed he was trying to escape the cybercriminal life.
Independent media outlet 404 Media has accomplished more impact journalism this year than most mainstream outlets with vastly more resources. One of its biggest wins was exposing and effectively shuttering a massive air travel surveillance system tapped by federal agencies and operating in plain sight.
404 Media reported that a little-known data broker set up by the airline industry called the Airlines Reporting Corporation was selling access to five billion plane tickets and travel itineraries, including names and financial details of ordinary Americans, allowing government agencies like ICE, the State Department, and the IRS to track people without a warrant.
ARC, owned by United, American, Delta, Southwest, JetBlue, and other airlines, said it would shut down the warrantless data program following 404 Media’s months-long reporting and intense pressure from lawmakers.
The killing of UnitedHealthcare CEO Brian Thompson in December 2024 was one of the biggest stories of the year. Luigi Mangione, the chief suspect in the killing, was soon after arrested and indicted on charges of using a “ghost gun,” a 3D-printed firearm that had no serial numbers and was built in private without a background check — effectively a gun that the government has no idea exists.
Wired, using its past reporting experience on 3D-printed weaponry, sought to test how easy it would be to build a 3D-printed gun, while navigating the patchwork legal (and ethical) landscape. The reporting process was exquisitely told, and the video that goes along with the story is both excellent and chilling.
DOGE, or the Department of Government Efficiency, was one of the biggest running stories of the year, as the gang of Elon Musk’s lackeys ripped through the federal government, tearing down security protocols and red tape, as part of the mass-grab of citizens’ data. NPR had some of the best investigative reporting uncovering the resistance movement of federal workers trying to prevent the pilfering of the government’s most sensitive data.
In one story detailing a whistleblower’s official disclosure as shared with members of Congress, a senior IT employee in the National Labor Relations Board told lawmakers that as he was seeking help investigating DOGE’s activity, he “discovered a printed letter in an envelope taped to his door, which included threatening language, sensitive personal information and overhead footage of him walking his dog, according to the cover letter attached to his official disclosure.”
Any story that begins with a journalist saying they found something that made them “feel like shitting my pants,” you know it’s going to be a fun read. Gabriel Geiger found a dataset from a mysterious surveillance company called First Wap, which contained records on thousands of people from around the world whose phone locations had been tracked.
The dataset, spanning 2007 through 2015, allowed Geiger to identify dozens of high-profile people whose phones were tracked, including a former Syrian first lady, the head of a private military contractor, a Hollywood actor, and an enemy of the Vatican. This story explored the shadowy world of phone surveillance by exploiting Signalling System No. 7, or SS7, an obscurely named protocol long known to allow malicious tracking.
Swatting has been a problem for years. What started as a bad joke has become a real threat, which has resulted in at least one death. Swatting is a type of hoax where someone — often a hacker — calls the emergency services and tricks the authorities into sending an armed SWAT team to the home of the hoaxer’s target, often pretending to be the target themselves, and pretending they’re about to commit a violent crime.
In this feature, Wired’s Andy Greenberg put a face on the many characters who are part of these stories such as the call operators who have to deal with this problem. And he also profiled a prolific swatter, known as Torswats, who for months tormented the operators and schools all over the country with fake — but extremely believable — threats of violence, as well as a hacker who took it upon himself to track Torswats down.

