Saturday, March 30, 2019

MongoDB's security streak


MongoDB, a database software provider whose stock has been on a tear recently, just hired its first-ever chief information security officer. The appointment, which came Friday, signals that the company plans to take security more seriously even as it faces stiffened competition from the likes of Amazon and other tech giants.

The new boss is Lena Smart, a Glaswegian cybersecurity professional. Smart formerly held the same title at IPO-bound Tradeweb, a financial services firm that supplies the technology behind certain electronic trading markets. Prior to Tradeweb, she headed security at the New York Power Authority, where she worked for more than a decade. A cellist in her spare time, Smart told me in her Scottish brogue that her priority in the new job will be “knowing what the crown jewels are—that’s our customer data—and making sure that’s always protected.”

People leaving MongoDB and other databases unsecured on the web has been a persistent source of data leaks over the years. Just this month, a security researcher discovered one such sieve that exposed to public view a trove of sensitive information, including location data, on millions of people in China. The misconfigured repository appears to have originated from SenseNets, a Shenzhen-based company that is likely providing the Chinese government with crowd-surveilling facial recognition technology to track the country’s Muslim Uyghur population. This is just the latest leak example; there are innumerable others.

Despite the frequency of these leaks, the situation seems to be improving. Most of these inadvertent leaks have sprung, in fairness, from people using outdated instances of the company’s so-called community edition software, a free, bare-bones version of the database product. Mark Wheeler, a MongoDB spokesperson, conceded that the 12-year-old company “struggled in its early years to find the right balance with security.” But he avers that updates to the default settings of MongoDB’s software over the past few years, plus key security team hires—including guardians Davi Ottenheimer, Kenn White, and now Smart—are changing the equation.

As Smart’s scope involves securing the totality of MongoDB’s business, the data-spillage issue ultimately falls to her. She says she’ll continue educating customers in security best practices, and that she will also aim to imbue the company’s product development process with security, quality assurance, and testing from the earliest stages. “If we can get in at the very start” of the software development lifecycle, Smart says, it will “save us time and money and make our products more reliable and secure.”

The leaky database issue is one that extends well beyond MongoDB. It’s also a problem for rivals such as Amazon, particularly its S3 buckets, Elastic, and others. Like so many companies, these database-makers are looking now to shore up their software in the hopes of turning a historical weakness—cybersecurity—into a competitive strength. As Dev Ittycheria, MongoDB’s president and CEO, tells Fortune: making the company’s products as secure as possible “is critical to our business.”

Indeed, it’s critical to MongoDB and, increasingly, every business.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Step into the light. NSO Group, a controversial Israeli spyware outfit whose software has been implicated in the murder of Washington Post columnist Jamal Khashoggi, has been trying to clean up its image in the eyes of the public. Shalev Hulio, CEO of the notoriously secretive smartphone-cracking company, interviewed with CBS's 60 Minutes and permitted a tour of the offices. He denied any culpability in Khashoggi's assassination, despite having sold the firm's technology to the Saudi Arabian monarchy.

Order in the court. Hal Martin III, a contractor with the U.S. National Security Agency, pleaded guilty in federal court on Thursday for stealing state secrets in what may be the largest breach of classified information in U.S. history. The lawyer for the defense said Martin's "actions were the product of mental illness." Meanwhile, a New York Times dispatch from Guantanamo Bay alleges that the U.S. government has recordings of the mastermind behind the September 11th terrorist attacks hatching the heinous plot with co-conspirators.

Sipping the poisoned chalice. Nation-state-linked hackers last year compromised roughly half a million Windows-running computers produced by ASUS, the Taiwanese tech giant, according to Kaspersky Lab, the Russian cybersecurity firm. ASUS downplayed the software supply chain attack in a statement, saying "a small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers." We echo the advice of Matt Blaze, a cybersecurity expert and Georgetown University professor, who says people should still regularly update their software.

Microsoft misadventures. Microsoft won a restraining order in U.S. court enabling the company to take control of 99 web domains used by a nation state threat actor. The domains were involved in alleged Iranian hacking campaigns tied to the defection of a U.S. Air Force counter-intelligence specialist, Monica Witt, who is wanted by the FBI. Meanwhile, a 24-year-old, autistic security researcher pleaded guilty in a London court to hacking the computer networks of Microsoft and Nintendo. The judge issued a short, suspended sentence, saying: "I am trusting this will be a lesson from which you will all learn."

ACCESS GRANTED

Alms qualms. Fast Company pries open the socioeconomics of privacy in this intriguing article. Ciara Byrne, the author, explains how many of the poorest Americans are forced to live under constant surveillance, a situation that exposes them to marketing for predatory financial services. Another set of the nation's poorest, including undocumented immigrants, day laborers, and homeless people, are often forced to live off the grid in what Byrne describes as a "surveillance gap," which prevents them from getting access to resources that might help them.

"Middle-class and wealthy Americans need to realize that novel surveillance techniques are typically used first on the poor," [law professor Michele E.] Gilman wrote in a 2012 article. "By the time these strategies spread beyond controlling the poor, any 'reasonable expectations' against their use have dissolved."

Low-income communities have historically been monitored by government and their privacy has been routinely invaded. In Colonial America, most towns had an "overseer of the poor" who tracked poor people and either chased them out of town or auctioned off their labor. Current public benefits programs ask applicants extremely detailed and personal questions and sometimes mandate home visits, drug tests, fingerprinting, and collection of biometric information.

FORTUNE RECON

Huawei's Perception Problem Deepens as U.K. Spies Identify Security Risks by David Meyer

5 Things to Know About Facebook's New Ban on White Nationalism by Aaron Pressman

U.S. Government Declares Grindr a National Security Risk by Chris Morris

How China's Surveillance State Reflects 'Black Mirror' by Clay Chandler

After New Zealand Massacre Video Posting, Microsoft President Says Tech Industry Needs a 'Major Event' Protocol by Alyssa Newcomb

Quadriga's Bitcoins Would Have Been Safer in Bermuda, Country Leader Says by Jen Wieczner

ONE MORE THING

Dynamic Duo. A question for the entrepreneurs in the room: How did you meet your cofounder? If you said you bumped into each other in a stairwell while attempting to hack into the IT network of that other person's company, then you share something in common with the folks at Duo, a cybersecurity startup snatched up by Cisco for more than $2 billion last year.

I think they call that love at first cyber.


Huawei: Hundred Billion Dollar Troll

March 30, 2019

The Financial Times reported earlier this week that Chinese telecom equipment manufacturing giant Huawei Technology has hired top-drawer Washington public relations group Burson Cohn & Wolfe to “help it make its case in the US following months of media and political scrutiny.”

One wonders where those spin doctors were on Thursday when Huawei summoned global press to its headquarters in Shenzhen to trumpet its annual financial results. The headline Huawei hoped for—and in some instances received—was that the company’s 2018 sales surged nearly 20% to a record $107 billion despite U.S. government efforts to cast doubt on the security of its products. Profits leapt 25% to $8.8 billion. Very impressive.

And yet most stories led with the in-your-face comments of Huawei’s rotating chairman Guo Ping: “The U.S. government has a loser's attitude. They want to smear Huawei because they can't compete with us.”

“Huawei Urges U.S. to Drop ‘Loser’s Attitude’” blared the Reuters headline. “Huawei Executive Rips U.S. Government” echoed the New York Post.

Sticking a thumb in the eye of Uncle Sam has become a staple of public appearances by Huawei executives. At the Mobile World Congress in Barcelona last month Guo trolled Washington by flashing a photo of former National Security Agency subcontractor Edward Snowden, who leaked documents revealing the NSA's use of U.S.-made telecom equipment for a spy system known as PRISM.

Another rotating chairman, Eric Xu, has lashed out against two U.S. congressmen as “ignorant” and “ill-informed” for charging Huawei with theft of U.S. technology. In a February interview with the BBC, Huawei chairman Ren Zhengfei boasted “There’s no way the US can crush us. The world cannot leave us because we are more advanced.”

The tough talk may be satisfying. Undoubtedly it plays well in Beijing. But it’s not winning friends for Huawei in the West.

It shouldn’t require an expensive PR firm for Huawei to recognize that, beyond China, its core problem is one of trust. It needs to be seen as a reliable partner: responsible, respectful, mature.

The way to earn that trust is not with grandiloquent boasts and bratty taunts. If Huawei wants to be taken seriously, it should stop blowing raspberries and instead offer constructive proposals to cooperate with Western—especially American—regulators to establish third-party panels that could review and verify its products are secure.

More China news below.

Clay Chandler
@claychandler
clay.chandler@fortune.com
Economy and Trade

Xi's Euro tour. After signing Italy up to the Belt and Road Initiative last weekend, President Xi Jinping headed to France, where the two countries signed 15 business deals worth billions of dollars. Among them was a purchase order for 300 planes from Airbus, which was worth approximately $33 billion. That's a blow to Boeing. China was one of the first countries to ground Boeing's 737 Max aircraft after the fatal crash in Ethiopia this month and looks likely to exclude Boeing orders from any trade deal struck with the U.S. Fortune

Clocking up air miles. U.S. Treasury Secretary Steven Mnuchin was back in China this week with fellow frequent flier Trade Representative Robert Lighthizer to continue negotiations on trade. In a tweet, Mnuchin called the talks "constructive" and noted Vice Premier Liu He will be back in Washington next week to continue the conversation. Reportedly, China made proposals that address U.S. concerns of forced tech transfers for the first time. Previously Beijing refused to accept that was even an issue. CNBC

Trade war spills into Brazil. Soybeans have been a focus of the Sino-U.S. trade war, and the Amazon rainforest might get hit with collateral damage. After the U.S. restricted China's access to American soybeans, China turned to Brazil to fill the gap. If Brazil increases production to meet demand, swathes of the Amazon rainforest could be cut down to make way for soy fields, environmentalists warn. South China Morning Post

Innovation and Tech

One to watch. Two of America's largest pension funds own shares in Chinese security camera manufacturer Hikvision, the world's largest surveillance company. Hikvision's cameras are installed across China but the company's presence in Xinjiang has proved controversial. Since last year, roughly a million of Xinjiang's minority Uyghur population have been detained in so-called "re-education camps," where the mostly Muslim Uyghurs are taught to embrace more traditional Chinese culture. Hikvision provides CCTV coverage for the camps. Some funds are now being pressured to drop their stakes. Financial Times

Seek and ye shan't find. Google is reportedly conducting a covert assessment of Project Dragonfly, the code name for the company's plan to develop a censored search engine for the Chinese market. Performance reviews are commonplace at Google but, unusually, the findings of Project Dragonfly's assessment won't be reviewed by regular staff. Instead management has established closed "review committees" to oversee the assessment. The Intercept

Back on the market. Grindr, one of the most popular LGBTQ dating apps, is up for sale after the Committee on Foreign Investment in the United States (CFIUS) queried whether the app posed a security threat. That's because Grindr was bought by Beijing Kunlun Technology three years ago. CFIUS didn't specify what the security concerns are, but it's likely CFIUS worries the Chinese company could use the app to gather sensitive data on U.S. citizens. The Verge

In Case You Missed It

More Than a Third of China Is Now Invested in One Giant Mutual Fund WSJ

Alibaba accuses Meituan CEO of libel for questioning founder's integrity TechNode

Meng Hongwei: China to prosecute former Interpol chief BBC

Airbnb Wants the Key to China's Millennial Empire WSJ

Has China's answer to Davos lost its shine with high-profile absences and a TV blackout? SCMP

Politics and Policy

On the mend. New Zealand Prime Minister Jacinda Ardern is flying to China tomorrow to meet President Xi Jinping, a month after Beijing postponed an original meeting in February. Observers suspect China was punishing the Kiwi nation for blocking Huawei's bid on a 5G network last November. Now, just two weeks after the deadly shooting at two mosques in Christchurch, Ardern is facing pressure to confront Beijing on its treatment of the Muslim Uyghur population in Xinjiang province. Bloomberg

Canola go so far. China has banned imports of canola seeds from two of Canada's largest suppliers, threatening the $2 billion trade. Beijing halted imports from Canada's largest exporter earlier this month and expanded the blockade to the second largest exporter this week. Foreign Ministry spokesperson Geng Shuang said the ban is "scientific" but added Canada could help by taking "practical measures to correct the mistakes it made earlier." That is likely an oblique reference to the arrest of Huawei CFO Meng Wanzhou in Vancouver last year. Reuters

This edition of CEO Daily was edited by Eamon Barrett. Find previous editions here, and sign up for other Fortune newsletters here.
