The Cyberlaw Podcast

We interview Dmitri Alperovitch of CrowdStrike on the company’s 2019 Global Threat Report, which features a ranking of Western cyber adversaries based on how long it takes each of them to turn a modest foothold into code execution on a compromised network. The Russians put up truly frightening numbers—from foothold to execution in less than twenty minutes—but the real surprise is the North Koreans, who clock in at 2:20. The Chinese take the bronze at just over 4 hours. Dmitri also gives props to a newcomer—South Korea—whose skills are substantial.

In the News Roundup, I cheer the police for using “reverse location search warrants” to compel Google to hand over data on anyone near a crime scene. Nick Weaver agrees and puts the blame on Google and others who collect the data rather than the police who use it to solve crimes.

A committee of the U.K. House of Commons has issued a blistering final report on disinformation and fake news. I offer this TL;DR: that all right-thinking Brits must condemn Facebook because Leave won, just as all right-thinking Americans must condemn Facebook because Trump won. Maury Shenk takes a more nuanced view.

Nick and Dmitri explain just how scary the growth of DNSpionage has become. The only thing as scary seems to be the continuing effort to put voting systems on the Internet. Nick reacts to this in the typical way of his people.

The mysterious Facebook Title III case won’t be unsealed, so we really don’t know what the Justice Department was trying to get from Facebook.

The New York Times claims that India is proposing Internet censorship along China’s model. I think that’s just the New York Times’s bias showing and that India is mainly imitating Europe. Maury rides to the New York Times’s rescue.

In breaking news, The Cyberlaw Podcast has developed AI podcasting so good we don’t dare tell you about it.

This Week in Chutzpah: Alleged hacker Lauri Love has lost his bid to recover the data he stole. I want to know why we didn’t give it back to him with a couple of keyloggers installed. The temptation to decrypt—and give prosecutors new evidence—would be irresistible.

In closing, Nick and I dwell on YouTube’s pedophile comment problem and whether recommendation engines are more to blame than human nature.

Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.

 

Download the 252nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-252_1.mp3
Category:general -- posted at: 11:06am EDT

The backlash against Big Tech dominates this episode, with new regulatory initiatives in the U.S., EU, Israel, Russia and China. The misbegotten link tax and upload filter provisions of the EU copyright directive have survived the convoluted EU legislative gantlet. My prediction: The link tax will fail because Google wants it to fail, but the upload filter will succeed because Google wants YouTube’s competitors to fail.

Rumors are flying that the Federal Trade Commission and Facebook will agree on a $1+ billion fine on the company for failure to adhere to its consent decree. My guess? This is not so much about law as it is about the climate of hostility around the company since it took the blame for Trump’s election.

And, in yet another attack on Big Tech, the EU is targeting Google and Amazon for unfair practices as sales platforms.

Artificial intelligence is so overworked a tech theme that it has even attracted the attention of the White House and the Defense Department. We ask a new contributor, Jessica “Zhanna” Malekos Smith, to walk us through the president’s executive order on artificial intelligence. I complain that it’s a cookie-cutter order that could as easily be applied to alien abductions. The Pentagon’s AI strategy, in contrast, is somewhat more substantive.

If you can’t beat ‘em, ban ‘em. Instead of regulating Big Tech, Russia is looking to take its own internet offline in an emergency. The real question is whether Russia is planning to cause the emergency it’s protecting itself against. If so, we are profoundly unready.

The CFIUS model is contagious! Brian Egan tells us Israel is considering restrictions on Chinese investment as the world keeps choosing sides in the new cold war.

China’s Ministry of Public Security is now authorized to conduct no-notice penetration testing of internet businesses operating in China. I must say, it was nice of them to offer the service in beta to the Office of Personnel Management, Anthem and Equifax. Speaking of which, could this spell more trouble for Western firms doing business in China?

Brian touches on the Treasury Department’s new sanctions against Iranian organizations for supporting intelligence and cyber operations targeting U.S. persons. It turns out that the hackers had help—and that there is no ideology so loathsome it can’t win converts among Americans.

Nate Jones describes the EU’s plan to use “cyber sanctions” to fend off hackers during upcoming elections.

This Week in Old Guys You Shouldn’t Mess With: Nate reveals how 94-year-old William H. Webster helped take down a Jamaican scam artist.

Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare.

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.

You can subscribe to The Cyberlaw Podcast using iTunesGoogle PlaySpotifyPocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-251.mp3
Category:general -- posted at: 5:02pm EDT

If you get SMS messages on your phone and think you have two-factor authentication, you’re kidding yourself. That’s the message Nick Weaver and David Kris extract from two stories we cover in this week’s episode of The Cyberlaw Podcast—the Justice Department’s indictment of a couple of kids whose hacker chops are modest but whose social engineering skills are remarkable. They used those skills to bribe or bamboozle phone companies into changing the phone numbers of their victims, allowing them to intercept all the two-factor authentication they needed to steal boatloads of cryptocurrency. For those with better hacking chops than social skills, there’s always exploitation of SS7 vulnerabilities, which allow interception of text messages without all the muss and fuss of changing SIM cards.

Okay, it ain’t “When Harry Met Sally,” but for a degraded age, “When Bezos Exposed Pecker” will have to do. David keeps us focused on the legal questions: Was the “Enquirer” letter really extortion? Would publication of the pics be actionable? And is there any way the “Enquirer” could get those text messages without someone committing a crime? And, of course, whether the best way to woo your new girlfriend is to send her brother to jail.

Social media—privacy law threat or competition law menace? That’s the question European (naturally) regulators are weighing. But Matthew Heiman and I have a pretty good idea what their answer will be: Both! We look at the Twitter-mobbing of Facebook by regulators and ask whether the competition charges make more sense than the privacy claims.

Looks like the net effect of the Obama-Xi agreement on not stealing commercial secrets is that a better class of Chinese officials is stealing our commercial secrets. President Xi kicked the People’s Liberation Army (PLA) to the curb and brought in the professionals from China’s Ministry of State Security (MSS). So now Chinese tradecraft is a little better, and the Justice Department is indicting MSS officials instead of PLA soldiers. David sums up.

NERC is proposing a $10 million fine for cybersecurity violations on a utility reported to be Duke Energy. Matthew and I are shocked. Not by the fine, which was negotiated, or by the violations, many of them self-reported, but by the cheese-paring, penny-ante nature of so-called cybersecurity enforcement at NERC and FERC. All this Sturm und Drang to make sure utilities use six-character passwords? When security guys complain about compliance trumping security, these NERC rules will be Exhibit A.

Finally, add another chapter to the Annals of Failed Civil Liberties Campaigns, as EFF and likeminded reporters try to get us outraged about the FBI using court orders to identify a North Korean botnet. Nick points out that academics have been conducting research that is more intrusive for years without unduly disturbing university lawyers.

Okay, one more: I celebrate HoyaSaxaSD for a podcast review that honors our own inimitable Nick Weaver:

“I got a fever, and the only cure is more Weaver. Love the show. I’m a lawyer but not in tech or security law, but it’s still fascinating. My teenage sons also like most episodes, especially the Nick Weaver segments. And I concur. There needs to be Weaver in every episode, and more of him. In fact, an hour of Weaver and Baker debating/discussing would be the perfect show.” 

I am moved to channel Peggy Lee. And if more good reviews don’t pour in, I may make that performance a weekly feature. David Kris, I’m sure, would consider that extortion, on the ground that no one has a right to butcher Peggy Lee’s oeuvre like that.

 

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here: https://www.thirdway.org/letter/2019-cyber-symposium-call-for-papers

 

Download the 250th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-250.mp3
Category:general -- posted at: 4:30pm EDT

In this episode, I interview Chris Bing and Joel Schectman about their remarkable stories covering the actions of what amount to U.S. cyber-mercenary hackers. We spare a moment of sympathy for one of those hackers, Lori Stroud, who managed to go from hiring Edward Snowden to hacking for the UAE in the space of a few years.

In the news, I ask my partner Phil Khinda whether the $29 million Yahoo breach settlement is a new front in breach derivative litigation or a black swan. He says it’s more of a red herring—and explains why.

This week in black ops: I ask Nate Jones to comment on the tradecraft used in an apparent effort to smear Citizen Lab for its reports on NSO. My take: This feels a lot like what BlackCube did for Harvey Weinstein, except that this was the budget version.

The Russians are so far from being shamed for their hacking that now they’re faking it. Dr. Megan Reiss notes Special Counsel Mueller’s recent claim that Russians are leaking discovery materials and pretending they came from a hack of the counsel’s office. We are reminded of the Russians’ recent unveiling of a remarkably adroit robot that turned out to be a man in a robot suit.

Maury Shenk and I discuss Google’s latest imitation of Apple’s “law enforcement lockout” feature and its claim that hurting law enforcement was “unintended side effect.”

Maury also notes the flap over a flaw in Apple’s FaceTime that allows for eavesdropping. Predictably, New York State is investigating.

And in possibly related news, Apple went out of its way to publicly embarrass Facebook and Google over their use of corporate certificates to sideload apps that recorded the browsing habits of paid volunteers.

Quick hits:

This week in dogs biting men: Ukraine says Russia is trying to disrupt its upcoming election, and the Pentagon is reportedly failing to stay ahead of cyber threats. Megan covers the first and Nate the second.

I offer one and a half cheers for Japan’s pioneering and mildly intrusive survey of bot-vulnerable IoT devices

Finally, EPIC et al. are calling on FTC to impose a $2 billion fine, structural changes and more on Facebook, claiming that “the algorithmic bias of the [Facebook] news feed reflects a predominantly Anglo, male world view.” If you still need evidence that privacy law is the legal equivalent of a Twitter mob—an always-ready tool for punishing unpopular views—EPIC’s filing should be all you need.

 

Download the 249th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-249.mp3
Category:general -- posted at: 5:26pm EDT

1