POPULARITY
Exploring the Strategic Minds in Cybersecurity: A Conversation with Dave Aitel Welcome to an enlightening episode of our podcast, where we sit down with Dave Aitel, a prominent figure in the cybersecurity landscape. With a robust background in offensive security and an extensive career spanning various facets of the industry, Dave brings a wealth of knowledge and strategic insights to our discussion. As the Founder and CEO of Immunity Inc., a leading cybersecurity company, Dave has played a pivotal role in shaping the cybersecurity landscape. Join us as we delve into his journey, from his early experiences in cybersecurity to the strategic decisions that have defined his role as a thought leader in the field. In this episode, we explore Dave's perspectives on the ever-evolving threat landscape, offensive security strategies, and the intricate balance between security and privacy. Gain valuable insights into the methodologies and philosophies that underpin his approach to addressing the challenges posed by cyber threats. Dave Aitel's expertise extends beyond technical domains; he is also recognized for his contributions to policy discussions on cybersecurity. Discover how his experiences and viewpoints contribute to the broader discourse on cybersecurity policy, technology, and the future of digital defense. Whether you're a cybersecurity professional, an industry enthusiast, or someone keen on understanding the strategic dimensions of cybersecurity, this podcast episode with Dave Aitel is bound to offer thought-provoking perspectives and strategic insights. Tune in to explore the intersection of technology, security, and strategy with one of the industry's strategic minds, Dave Aitel. Show Notes: https://securityweekly.com/vault-psw-10
Exploring the Strategic Minds in Cybersecurity: A Conversation with Dave Aitel Welcome to an enlightening episode of our podcast, where we sit down with Dave Aitel, a prominent figure in the cybersecurity landscape. With a robust background in offensive security and an extensive career spanning various facets of the industry, Dave brings a wealth of knowledge and strategic insights to our discussion. As the Founder and CEO of Immunity Inc., a leading cybersecurity company, Dave has played a pivotal role in shaping the cybersecurity landscape. Join us as we delve into his journey, from his early experiences in cybersecurity to the strategic decisions that have defined his role as a thought leader in the field. In this episode, we explore Dave's perspectives on the ever-evolving threat landscape, offensive security strategies, and the intricate balance between security and privacy. Gain valuable insights into the methodologies and philosophies that underpin his approach to addressing the challenges posed by cyber threats. Dave Aitel's expertise extends beyond technical domains; he is also recognized for his contributions to policy discussions on cybersecurity. Discover how his experiences and viewpoints contribute to the broader discourse on cybersecurity policy, technology, and the future of digital defense. Whether you're a cybersecurity professional, an industry enthusiast, or someone keen on understanding the strategic dimensions of cybersecurity, this podcast episode with Dave Aitel is bound to offer thought-provoking perspectives and strategic insights. Tune in to explore the intersection of technology, security, and strategy with one of the industry's strategic minds, Dave Aitel. Show Notes: https://securityweekly.com/vault-psw-10
Exploring the Strategic Minds in Cybersecurity: A Conversation with Dave Aitel Welcome to an enlightening episode of our podcast, where we sit down with Dave Aitel, a prominent figure in the cybersecurity landscape. With a robust background in offensive security and an extensive career spanning various facets of the industry, Dave brings a wealth of knowledge and strategic insights to our discussion. As the Founder and CEO of Immunity Inc., a leading cybersecurity company, Dave has played a pivotal role in shaping the cybersecurity landscape. Join us as we delve into his journey, from his early experiences in cybersecurity to the strategic decisions that have defined his role as a thought leader in the field. In this episode, we explore Dave's perspectives on the ever-evolving threat landscape, offensive security strategies, and the intricate balance between security and privacy. Gain valuable insights into the methodologies and philosophies that underpin his approach to addressing the challenges posed by cyber threats. Dave Aitel's expertise extends beyond technical domains; he is also recognized for his contributions to policy discussions on cybersecurity. Discover how his experiences and viewpoints contribute to the broader discourse on cybersecurity policy, technology, and the future of digital defense. Whether you're a cybersecurity professional, an industry enthusiast, or someone keen on understanding the strategic dimensions of cybersecurity, this podcast episode with Dave Aitel is bound to offer thought-provoking perspectives and strategic insights. Tune in to explore the intersection of technology, security, and strategy with one of the industry's strategic minds, Dave Aitel. Show Notes: https://securityweekly.com/vault-psw-10
Exploring the Strategic Minds in Cybersecurity: A Conversation with Dave Aitel Welcome to an enlightening episode of our podcast, where we sit down with Dave Aitel, a prominent figure in the cybersecurity landscape. With a robust background in offensive security and an extensive career spanning various facets of the industry, Dave brings a wealth of knowledge and strategic insights to our discussion. As the Founder and CEO of Immunity Inc., a leading cybersecurity company, Dave has played a pivotal role in shaping the cybersecurity landscape. Join us as we delve into his journey, from his early experiences in cybersecurity to the strategic decisions that have defined his role as a thought leader in the field. In this episode, we explore Dave's perspectives on the ever-evolving threat landscape, offensive security strategies, and the intricate balance between security and privacy. Gain valuable insights into the methodologies and philosophies that underpin his approach to addressing the challenges posed by cyber threats. Dave Aitel's expertise extends beyond technical domains; he is also recognized for his contributions to policy discussions on cybersecurity. Discover how his experiences and viewpoints contribute to the broader discourse on cybersecurity policy, technology, and the future of digital defense. Whether you're a cybersecurity professional, an industry enthusiast, or someone keen on understanding the strategic dimensions of cybersecurity, this podcast episode with Dave Aitel is bound to offer thought-provoking perspectives and strategic insights. Tune in to explore the intersection of technology, security, and strategy with one of the industry's strategic minds, Dave Aitel. Show Notes: https://securityweekly.com/vault-psw-10
This episode features Nick Weaver, Dave Aitel and I covering a Pro Publica story (and forthcoming book) on the difficulties the FBI has encountered in becoming the nation's principal resource on cybercrime and cybersecurity. We end up concluding that, for all its successes, the bureau's structural weaknesses in addressing cybersecurity are going to haunt it for years to come. Speaking of haunting us for years, the effort to decouple U.S. and Chinese tech sectors continues to generate news. Nick and Dave weigh in on the latest (rumored) initiative: cutting off China's access to U.S. quantum computing and AI technology, and what that could mean for the U.S. semiconductor companies, among others. We could not stay away from the Elon Musk-Twitter story, which briefly had a national security dimension, due to news that the Biden Administration was considering a Committee on Foreign Investment in the United States review of the deal. That's not a crazy idea, but in the end, we are skeptical that this will happen. Dave and I exchange views on whether it is logical for the administration to pursue cybersecurity labels for cheap Internet of things devices. He thinks it makes less sense than I do, but we agree that the end result will be to crowd the cheapest competitors from the market. Nick and I discuss the news that Kanye West is buying Parler. Neither of us thinks much of the deal as an investment. And in updates and quick takes: I see a real risk for Google in the Texas attorney general's lawsuit over the company's us of facial recognition. Nick unpacks the dispute between Facebook and The Wire, India's answer to Pro Publica, over The Wire's claim of bias in favor of incumbent Indian politicians. If you had the impression that Facebook has the better of that argument, you're right. And in another platform v. press, story, TikTok's parent ByteDance has been accused by Forbes of planning to use TikTok to monitor the location of specific Americans. TikTok has denied the story. I predict that neither the story nor the denial is enough to bring closure. We'll be hearing more.
This episode features Nick Weaver, Dave Aitel and I covering a Pro Publica story (and forthcoming book) on the difficulties the FBI has encountered in becoming the nation's principal resource on cybercrime and cybersecurity. We end up concluding that, for all its successes, the bureau's structural weaknesses in addressing cybersecurity are going to haunt it for years to come. Speaking of haunting us for years, the effort to decouple U.S. and Chinese tech sectors continues to generate news. Nick and Dave weigh in on the latest (rumored) initiative: cutting off China's access to U.S. quantum computing and AI technology, and what that could mean for the U.S. semiconductor companies, among others. We could not stay away from the Elon Musk-Twitter story, which briefly had a national security dimension, due to news that the Biden Administration was considering a Committee on Foreign Investment in the United States review of the deal. That's not a crazy idea, but in the end, we are skeptical that this will happen. Dave and I exchange views on whether it is logical for the administration to pursue cybersecurity labels for cheap Internet of things devices. He thinks it makes less sense than I do, but we agree that the end result will be to crowd the cheapest competitors from the market. Nick and I discuss the news that Kanye West is buying Parler. Neither of us thinks much of the deal as an investment. And in updates and quick takes: I see a real risk for Google in the Texas attorney general's lawsuit over the company's us of facial recognition. Nick unpacks the dispute between Facebook and The Wire, India's answer to Pro Publica, over The Wire's claim of bias in favor of incumbent Indian politicians. If you had the impression that Facebook has the better of that argument, you're right. And in another platform v. press, story, TikTok's parent ByteDance has been accused by Forbes of planning to use TikTok to monitor the location of specific Americans. TikTok has denied the story. I predict that neither the story nor the denial is enough to bring closure. We'll be hearing more.
The big news of the week was a Fifth Circuit decision upholding Texas social media regulation law. It was poorly received by the usual supporters of social media censorship but I found it both remarkably well written and surprisingly persuasive. That does not mean it will survive the almost inevitable Supreme Court review but Judge AndyOldham wrote an opinion that could be a model for a Supreme Court decision upholding Texas law. The big hacking story of the week was a brutal takedown of Uber, probably by the dreaded Advanced Persistent Teenager. Dave Aitel explains what happened and why no other large corporation should feel smug or certain that it cannot happen to them. Nick Weaver piles on. Maury Shenk explains the recent European court decision upholding sanctions on Google for its restriction of Android phone implementations. Dave points to some of the less well publicized aspects of the Twitter whistleblower's testimony before Congress. We agree on the bottom line—that Twitter is utterly incapable of protecting either U.S. national security or even the security of its users' messages. If there were any doubt about that, it would be laid to rest by Twitter's dependence on Chinese government advertising revenue. Maury and Nick tutor me on The Merge, which moves Ethereum from “proof of work‘ to “proof of stake,” massively reducing the climate footprint of the cryptocurrency. They are both surprisingly upbeat about it. Maury also lays out a new European proposal for regulating the internet of things—and, I point out—for massively increasing the cost of all those things. China is getting into the attribution game. It has issued a report blaming the National Security Agency for intruding on Chinese educational institution networks. Dave is not impressed. The Department of Homeland security, in breaking news from 2003, has been keeping the contents of phones it seizes on the border. Dave predicts that the Department of Homeland Security will have to further pull back on its current practices. I'm less sure. Now that China is regulating vulnerability disclosures, are Chinese companies reluctant to disclose vulnerabilities outside China? The Atlantic Council has a report on the subject, but Dave thinks the results are ambiguous at best. In quick hits: The Senate has confirmed Nate Fick as the first U.S. cyber ambassador I offer data confirming my cynical view that Apple is not so much concerned about your privacy as it is eager to take over the role of Google and Facebook in the advertising market Nick lays out the latest Treasury Department guidance on sanctions and tornado cash Maury explains how the Indian government persuaded 50 million Indians to geotag their homes And I explain why it is in fact possible that the FBI and Silicon Valley are working together to identify conservatives for potential criminal investigation.
The big news of the week was a Fifth Circuit decision upholding Texas social media regulation law. It was poorly received by the usual supporters of social media censorship but I found it both remarkably well written and surprisingly persuasive. That does not mean it will survive the almost inevitable Supreme Court review but Judge AndyOldham wrote an opinion that could be a model for a Supreme Court decision upholding Texas law. The big hacking story of the week was a brutal takedown of Uber, probably by the dreaded Advanced Persistent Teenager. Dave Aitel explains what happened and why no other large corporation should feel smug or certain that it cannot happen to them. Nick Weaver piles on. Maury Shenk explains the recent European court decision upholding sanctions on Google for its restriction of Android phone implementations. Dave points to some of the less well publicized aspects of the Twitter whistleblower's testimony before Congress. We agree on the bottom line—that Twitter is utterly incapable of protecting either U.S. national security or even the security of its users' messages. If there were any doubt about that, it would be laid to rest by Twitter's dependence on Chinese government advertising revenue. Maury and Nick tutor me on The Merge, which moves Ethereum from “proof of work‘ to “proof of stake,” massively reducing the climate footprint of the cryptocurrency. They are both surprisingly upbeat about it. Maury also lays out a new European proposal for regulating the internet of things—and, I point out—for massively increasing the cost of all those things. China is getting into the attribution game. It has issued a report blaming the National Security Agency for intruding on Chinese educational institution networks. Dave is not impressed. The Department of Homeland security, in breaking news from 2003, has been keeping the contents of phones it seizes on the border. Dave predicts that the Department of Homeland Security will have to further pull back on its current practices. I'm less sure. Now that China is regulating vulnerability disclosures, are Chinese companies reluctant to disclose vulnerabilities outside China? The Atlantic Council has a report on the subject, but Dave thinks the results are ambiguous at best. In quick hits: The Senate has confirmed Nate Fick as the first U.S. cyber ambassador I offer data confirming my cynical view that Apple is not so much concerned about your privacy as it is eager to take over the role of Google and Facebook in the advertising market Nick lays out the latest Treasury Department guidance on sanctions and tornado cash Maury explains how the Indian government persuaded 50 million Indians to geotag their homes And I explain why it is in fact possible that the FBI and Silicon Valley are working together to identify conservatives for potential criminal investigation.
Just when you thought you had a month free of the Cyberlaw Podcast, it turns out that we are persisting, at least a little. This month we offer a bonus episode, in which Dave Aitel and I interview Michael Fischerkeller, one of three authors of "Cyber Persistence Theory: Redefining National Security in Cyberspace." The book is a detailed analysis of how cyberattacks and espionage work in the real world—and a sharp critique of military strategists who have substituted their models and theories for the reality of cyber conflict. We go deep on the authors' view that conflict in the cyber realm is all about persistent contact and faits accomplis rather than compulsion and escalation risk. Dave pulls these threads with enthusiasm. I recommend the book and interview in part because of how closely the current thinking at United States Cyber Command is mirrored in both.
Just when you thought you had a month free of the Cyberlaw Podcast, it turns out that we are persisting, at least a little. This month we offer a bonus episode, in which Dave Aitel and I interview Michael Fischerkeller, one of three authors of "Cyber Persistence Theory: Redefining National Security in Cyberspace." The book is a detailed analysis of how cyberattacks and espionage work in the real world—and a sharp critique of military strategists who have substituted their models and theories for the reality of cyber conflict. We go deep on the authors' view that conflict in the cyber realm is all about persistent contact and faits accomplis rather than compulsion and escalation risk. Dave pulls these threads with enthusiasm. I recommend the book and interview in part because of how closely the current thinking at United States Cyber Command is mirrored in both.
Dave Aitel introduces a deliciously shocking story about lawyers as victims and—maybe—co-conspirators in the hacking of adversaries' counsel to win legal disputes. The trick, it turns out, is figuring out how to benefit from hacked documents without actually dirtying one's hands with the hacking. And here too, a Shakespearean Henry (II this time) has the answer: hire a private investigator and ask “Will no one rid me of this meddlesome litigant?” Before you know it, there's a doxing site full of useful evidence on the internet. But first Dave digs into an intriguing but flawed story of how and why the White House ended up bigfooting a possible acquisition of NSO by L3Harris. Dave spots what looks like a simple error, and we are both convinced that the New York Times got only half the story. I suspect the White House was surprised by the leak, popped off about how bad an idea the deal was, and then was surprised to discover that the intelligence community had signaled interest. That leads us to the reason why NSO has continuing value – its ability to break Apple's phone security. Apple is now trying to reinforce its security with the new, more secure and less convenient, lockdown mode. Dave gives it high marks and challenges Google to match Apple's move. Next, we dive into the U.S. effort to keep Dutch firm ASML from selling chip-making machines to China. Dmitri Alperovich makes a special appearance to urge more effective use of export controls; he and Dave both caution, however, that the U.S. must impose the same burdens on its own firms as on its allies'. Jane Bambauer introduces the latest government proposal to take a bite out of crime by taking a bite out of end-to-end encryption (“e2e”). The U.K. has introduce an amendment to its pending online safety bill that would require regulated user-to-user services to identify and swiftly take down terrorism and child sex abuse material. The identifying isn't easy in an e2e environment, Jane notes, so this bill could force adoption of the now-abandoned Apple proposal to do local scanning on your phone. I'm usually a cheap date for crypto-skeptical laws, but I can't help noticing that this proposal will stir up 90 percent as much opposition as requiring companies to be able to intercept communications when they get a court order while it probably addresses only 10 percent of the crimes that occur on e2e networks. Jane and I take turns pouring cold water on journalists, NGOs, and even Congress for their feverish effort to turn the Supreme Court's abortion ruling into a reason to talk about privacy. Dumbest of all, in my view, is the claim that location services will be used to gather evidence and prosecute women who visit out of state abortion clinics. As I point out, such prosecutions won't even muster five votes on this Court. Dave spots another doubtful story about Russian government misuse of a red team hacking tool. He thinks it's a case of a red team hacking tool being used by … a red team. Jane notes that Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has announced a surprisingly anodyne (and arguably unnecessary) post-quantum cryptography initiative. I'm a little less hard on DHS, but only a little. Finally, in updates and quick hits: I point out that the U.S.-EU transatlantic data deal is looking a lot like vaporware. That's a worry now that Ireland is on the verge of ordering Facebook to stop moving data across the Atlantic. Jane and I take a whack at predicting Elon Musk's Twitter bid. I argue that Musk may escape with less than $1 billion in penalties but for years he will be to mergers what Google is to new digital products. And, finally, some modest good news on Silicon Valley's campaign to suppress politically “incorrect” speech. Twitter suspended former NYT reporter Alex Berenson for saying several true but inconvenient things about the coronavirus vaccine (it doesn't stop infection or transmission, and it has side effects, all of which raises real doubts about the wisdom of mandating vaccinations). Berenson sued and Twitter has now settled, unsuspending his account. The lawsuit had narrowed down the point where Twitter probably felt it could settle without creating a precedent, but any chink in Big Social's armor is worth celebrating.
Dave Aitel introduces a deliciously shocking story about lawyers as victims and—maybe—co-conspirators in the hacking of adversaries' counsel to win legal disputes. The trick, it turns out, is figuring out how to benefit from hacked documents without actually dirtying one's hands with the hacking. And here too, a Shakespearean Henry (II this time) has the answer: hire a private investigator and ask “Will no one rid me of this meddlesome litigant?” Before you know it, there's a doxing site full of useful evidence on the internet. But first Dave digs into an intriguing but flawed story of how and why the White House ended up bigfooting a possible acquisition of NSO by L3Harris. Dave spots what looks like a simple error, and we are both convinced that the New York Times got only half the story. I suspect the White House was surprised by the leak, popped off about how bad an idea the deal was, and then was surprised to discover that the intelligence community had signaled interest. That leads us to the reason why NSO has continuing value – its ability to break Apple's phone security. Apple is now trying to reinforce its security with the new, more secure and less convenient, lockdown mode. Dave gives it high marks and challenges Google to match Apple's move. Next, we dive into the U.S. effort to keep Dutch firm ASML from selling chip-making machines to China. Dmitri Alperovich makes a special appearance to urge more effective use of export controls; he and Dave both caution, however, that the U.S. must impose the same burdens on its own firms as on its allies'. Jane Bambauer introduces the latest government proposal to take a bite out of crime by taking a bite out of end-to-end encryption (“e2e”). The U.K. has introduce an amendment to its pending online safety bill that would require regulated user-to-user services to identify and swiftly take down terrorism and child sex abuse material. The identifying isn't easy in an e2e environment, Jane notes, so this bill could force adoption of the now-abandoned Apple proposal to do local scanning on your phone. I'm usually a cheap date for crypto-skeptical laws, but I can't help noticing that this proposal will stir up 90 percent as much opposition as requiring companies to be able to intercept communications when they get a court order while it probably addresses only 10 percent of the crimes that occur on e2e networks. Jane and I take turns pouring cold water on journalists, NGOs, and even Congress for their feverish effort to turn the Supreme Court's abortion ruling into a reason to talk about privacy. Dumbest of all, in my view, is the claim that location services will be used to gather evidence and prosecute women who visit out of state abortion clinics. As I point out, such prosecutions won't even muster five votes on this Court. Dave spots another doubtful story about Russian government misuse of a red team hacking tool. He thinks it's a case of a red team hacking tool being used by … a red team. Jane notes that Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has announced a surprisingly anodyne (and arguably unnecessary) post-quantum cryptography initiative. I'm a little less hard on DHS, but only a little. Finally, in updates and quick hits: I point out that the U.S.-EU transatlantic data deal is looking a lot like vaporware. That's a worry now that Ireland is on the verge of ordering Facebook to stop moving data across the Atlantic. Jane and I take a whack at predicting Elon Musk's Twitter bid. I argue that Musk may escape with less than $1 billion in penalties but for years he will be to mergers what Google is to new digital products. And, finally, some modest good news on Silicon Valley's campaign to suppress politically “incorrect” speech. Twitter suspended former NYT reporter Alex Berenson for saying several true but inconvenient things about the coronavirus vaccine (it doesn't stop infection or transmission, and it has side effects, all of which raises real doubts about the wisdom of mandating vaccinations). Berenson sued and Twitter has now settled, unsuspending his account. The lawsuit had narrowed down the point where Twitter probably felt it could settle without creating a precedent, but any chink in Big Social's armor is worth celebrating.
If you've been worrying about how a leaky U.S. government can possibly compete with China's combination of economic might and autocratic government, this episode of the Cyberlaw Podcast has a few scraps of good news. The funniest, supplied by Dave Aitel, is the tale of the Chinese gamer who was so upset at the online performance of China's tanks that he demanded an upgrade. When it didn't happen, he bolstered his argument by leaking apparently classified details of Chinese tank performance. I suggest that U.S. intelligence should be subtly degrading the online game performance of other Chinese weapons systems we need more information about. There may be similar comfort in the story of Gitee, a well-regarded Chinese competitor to Github that ran into a widespread freeze on open source projects. Jane Bambauer and I speculate that the source of the freeze was government objections to something in the code or the comments in several projects. But guessing at what it takes to avoid a government freeze will handicap China's software industry and make western companies more competitive than one would expect. In other news, Dave unpacks the widely reported and largely overhyped story of Cyber Command conducting “hunt forward” operations in support of Ukraine. Mark MacCarthy digs into Justice Samuel A. Alito Jr.'s opinion explaining why he would not have reinstated the district court injunction against Texas's social media regulation. Jane and I weigh in. The short version is that the Alito opinion offers a plausible justification for upholding the law. It may not be the law now, but it could be the law if Justice Alito can find two more votes. And getting those votes may not be all that hard for a decision imposing more transparency requirements on social media companies. Mark and Jane also dig deep on the substance and politics of national privacy legislation. Short version: House Democrats have made substantial concessions in the hopes of getting a privacy bill enacted before they must face what's expected to be a hostile electorate. But Senate Democrats may not be willing to swallow those concessions, and Republican members may think they will do better to wait until after November. Impressed by the concessions, Jane and Mark hold out hope for a deal this year. I don't. Meanwhile, Jane notes, California is driving forward with regulations under its privacy law that are persuading Republicans that preemption has lots of value for business. Finally, revisiting two stories from earlier weeks, Dave notes The devastating consequences and obscure motivations of Conti's ransomware attacks on the Costa Rican government, and The deep tension between the U.S. government and Microsoft over export controls on intrusion tools. Download the 410th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
If you've been worrying about how a leaky U.S. government can possibly compete with China's combination of economic might and autocratic government, this episode of the Cyberlaw Podcast has a few scraps of good news. The funniest, supplied by Dave Aitel, is the tale of the Chinese gamer who was so upset at the online performance of China's tanks that he demanded an upgrade. When it didn't happen, he bolstered his argument by leaking apparently classified details of Chinese tank performance. I suggest that U.S. intelligence should be subtly degrading the online game performance of other Chinese weapons systems we need more information about. There may be similar comfort in the story of Gitee, a well-regarded Chinese competitor to Github that ran into a widespread freeze on open source projects. Jane Bambauer and I speculate that the source of the freeze was government objections to something in the code or the comments in several projects. But guessing at what it takes to avoid a government freeze will handicap China's software industry and make western companies more competitive than one would expect. In other news, Dave unpacks the widely reported and largely overhyped story of Cyber Command conducting “hunt forward” operations in support of Ukraine. Mark MacCarthy digs into Justice Samuel A. Alito Jr.'s opinion explaining why he would not have reinstated the district court injunction against Texas's social media regulation. Jane and I weigh in. The short version is that the Alito opinion offers a plausible justification for upholding the law. It may not be the law now, but it could be the law if Justice Alito can find two more votes. And getting those votes may not be all that hard for a decision imposing more transparency requirements on social media companies. Mark and Jane also dig deep on the substance and politics of national privacy legislation. Short version: House Democrats have made substantial concessions in the hopes of getting a privacy bill enacted before they must face what's expected to be a hostile electorate. But Senate Democrats may not be willing to swallow those concessions, and Republican members may think they will do better to wait until after November. Impressed by the concessions, Jane and Mark hold out hope for a deal this year. I don't. Meanwhile, Jane notes, California is driving forward with regulations under its privacy law that are persuading Republicans that preemption has lots of value for business. Finally, revisiting two stories from earlier weeks, Dave notes The devastating consequences and obscure motivations of Conti's ransomware attacks on the Costa Rican government, and The deep tension between the U.S. government and Microsoft over export controls on intrusion tools. Download the 410th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
Whatever else the pundits are saying about the use of cyberattacks in the Ukraine war, Dave Aitel notes, they all believe it confirms their past predictions about cyberwar. Not much has been surprising about the cyber weapons the parties have deployed, Scott Shapiro agrees. The Ukrainians have been doxxing Russia's soldiers in Bucha and its spies around the world. The Russians have been attacking Ukraine's grid. What's surprising is that the grid attacks have not seriously degraded civilian life, and how hard the Russians have had to work to have any effect at all. Cyberwar isn't a bust, exactly, but it is looking a little overhyped. In fact, Scott suggests, it's looking more like a confession of weakness than of strength: “My military attack isn't up to the job, so I'll throw in some fancy cyberweapons to impress The Boss.” Would it have more impact here? We can't know until the Russians (or someone else) gives it a try. But we should certainly have a plan for responding, and Dmitri Alperovitch and Sam Charap have offered theirs: Shut down Russia's internet for a few hours just to show we can. It's better than no plan, but we're not ready to say it's the right plan, given the limited impact and the high cost in terms of exploits exposed. Much more surprising, and therefore interesting, is the way Ukrainian mobile phone networks have become an essential part of Ukrainian defense. As discussed in a very good blog post, Ukraine has made it easy for civilians to keep using their phones without paying no matter where they travel in the country and no matter which network they find there. At the same time, Russian soldiers are finding the network to be a dangerous honeypot. Dave and I think there are lessons there for emergency administration of phone networks in other countries. Gus Hurwitz draws the short straw and sums up the second installment of the Elon Musk v. Twitter story. We agree that Twitter's poison pill probably kills Musk's chances of a successful takeover. So what else is there to talk about? In keeping with the confirmation bias story, I take a short victory lap for having predicted that Musk would try to become the Rupert Murdoch of the social oligarchs. And Gus helps us enjoy the festschrift of hypocrisy from the Usual Sources, all declaring that the preservation of democracy depends on internet censorship, administered by their friends. Scott takes us deep on pipeline security, citing a colleague's article for Lawfare on the topic. He thinks responsibility for pipeline security should be moved from Transportation Security Administration (TSA) to (FERC), because, well, TSA. The Biden administration is similarly inclined, but I'm not enthusiastic; TSA may not have shown much regulatory gumption until recently, but neither has FERC, and TSA can borrow all the cyber expertise it needs from its sister agency, CISA. An option that's also open to FERC, Scott points out. You can't talk pipeline cyber security without talking industrial control security, so Scott and Gus unpack a recently discovered ICS malware package that is a kind of Metasploit for attacking operational tech systems. It's got a boatload of features, but Gus is skeptical that it's the best tool for causing major havoc in electric grids or pipelines. Also, remarkable: it seems to have been disclosed before the nation state that developed it could actually use it against an adversary. Now that's Defending Forward! As a palate cleanser, we ask Gus to take us through the latest in EU cloud protectionism. It sounds like a measure that will hurt U.S. intelligence but do nothing for Europe's effort to build its own cloud industry. I recount the broader story, from subpoena litigation to the CLOUD Act to this latest counter-CLOUD attack. The whole thing feels to me like Microsoft playing both sides against the middle. Finally, Dave takes us on a tour of the many proposals being launched around the world to regulate the use of Artificial Intelligence (AI) systems. I note that Congressional Dems have their knives out for face recognition vendor id.me. And I return briefly to the problem of biased content moderation. I look at research showing that Republican Twitter accounts were four times more likely to be suspended than Democrats after the 2020 election. But I find myself at least tentatively persuaded by further research showing that the Republican accounts were four times as likely to tweet links to sites that a balanced cross section of voters considers unreliable. Where is confirmation bias when you need it? Download the 403rd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
Whatever else the pundits are saying about the use of cyberattacks in the Ukraine war, Dave Aitel notes, they all believe it confirms their past predictions about cyberwar. Not much has been surprising about the cyber weapons the parties have deployed, Scott Shapiro agrees. The Ukrainians have been doxxing Russia's soldiers in Bucha and its spies around the world. The Russians have been attacking Ukraine's grid. What's surprising is that the grid attacks have not seriously degraded civilian life, and how hard the Russians have had to work to have any effect at all. Cyberwar isn't a bust, exactly, but it is looking a little overhyped. In fact, Scott suggests, it's looking more like a confession of weakness than of strength: “My military attack isn't up to the job, so I'll throw in some fancy cyberweapons to impress The Boss.” Would it have more impact here? We can't know until the Russians (or someone else) gives it a try. But we should certainly have a plan for responding, and Dmitri Alperovitch and Sam Charap have offered theirs: Shut down Russia's internet for a few hours just to show we can. It's better than no plan, but we're not ready to say it's the right plan, given the limited impact and the high cost in terms of exploits exposed. Much more surprising, and therefore interesting, is the way Ukrainian mobile phone networks have become an essential part of Ukrainian defense. As discussed in a very good blog post, Ukraine has made it easy for civilians to keep using their phones without paying no matter where they travel in the country and no matter which network they find there. At the same time, Russian soldiers are finding the network to be a dangerous honeypot. Dave and I think there are lessons there for emergency administration of phone networks in other countries. Gus Hurwitz draws the short straw and sums up the second installment of the Elon Musk v. Twitter story. We agree that Twitter's poison pill probably kills Musk's chances of a successful takeover. So what else is there to talk about? In keeping with the confirmation bias story, I take a short victory lap for having predicted that Musk would try to become the Rupert Murdoch of the social oligarchs. And Gus helps us enjoy the festschrift of hypocrisy from the Usual Sources, all declaring that the preservation of democracy depends on internet censorship, administered by their friends. Scott takes us deep on pipeline security, citing a colleague's article for Lawfare on the topic. He thinks responsibility for pipeline security should be moved from Transportation Security Administration (TSA) to (FERC), because, well, TSA. The Biden administration is similarly inclined, but I'm not enthusiastic; TSA may not have shown much regulatory gumption until recently, but neither has FERC, and TSA can borrow all the cyber expertise it needs from its sister agency, CISA. An option that's also open to FERC, Scott points out. You can't talk pipeline cyber security without talking industrial control security, so Scott and Gus unpack a recently discovered ICS malware package that is a kind of Metasploit for attacking operational tech systems. It's got a boatload of features, but Gus is skeptical that it's the best tool for causing major havoc in electric grids or pipelines. Also, remarkable: it seems to have been disclosed before the nation state that developed it could actually use it against an adversary. Now that's Defending Forward! As a palate cleanser, we ask Gus to take us through the latest in EU cloud protectionism. It sounds like a measure that will hurt U.S. intelligence but do nothing for Europe's effort to build its own cloud industry. I recount the broader story, from subpoena litigation to the CLOUD Act to this latest counter-CLOUD attack. The whole thing feels to me like Microsoft playing both sides against the middle. Finally, Dave takes us on a tour of the many proposals being launched around the world to regulate the use of Artificial Intelligence (AI) systems. I note that Congressional Dems have their knives out for face recognition vendor id.me. And I return briefly to the problem of biased content moderation. I look at research showing that Republican Twitter accounts were four times more likely to be suspended than Democrats after the 2020 election. But I find myself at least tentatively persuaded by further research showing that the Republican accounts were four times as likely to tweet links to sites that a balanced cross section of voters considers unreliable. Where is confirmation bias when you need it? Download the 403rd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
A special reminder that we will be doing episode 400 live on video and with audience participation on March 28, 2022 at noon Eastern daylight time. So, mark your calendar and when the time comes, use this link to join the audience: https://riverside.fm/studio/the-cyberlaw-podcast-400 See you there! There's nothing like a serious shooting war to bring on paranoia and mistrust, and the Russian invasion of Ukraine is generating mistrust on all sides. Everyone expected a much more damaging cyberattack from the Russians, and no one knows why it hasn't happened yet. Dave Aitel walks us through some possibilities. Cyberattacks take planning, and Russia's planners may have believed they wouldn't need to use large-scale cyberattacks—apart from what appears to be a pretty impressive bricking of Viasat terminals used extensively by Ukrainian forces. Now that the Russians could use some cyber weapons in Ukraine, the pace of the war may be making it hard to build them. None of that is much comfort to Western countries that have imposed sanctions, since their infrastructure makes a nice fat sitting-duck target, and may draw fire soon if American intelligence warnings prove true. Meanwhile, Matthew Heiman reports, the effort to shore up defenses is leading to a cavalcade of paranoia. Has the UK defense ministry banned the use of WhatsApp due to fears that it's been compromised by Russia? Maybe. But WhatsApp has long had known security limitations that might justify downgrading its use on the battlefield. Speaking of ambiguity and mistrust, Telegram use is booming in Russia, Dave says, either because the Russians know how to control it or because they can't. Take your pick. Speaking of mistrust, the German security agency has suddenly discovered that it can't trust Kaspersky products. Good luck finding them, Dave offers, since many have been whitelabeled into other company's software. He has limited sympathy for an agency that resolutely ignored U.S. warnings about Kaspersky for years. Even in the absence of a government with an interest in subverting software, the war is producing products that can't be trusted. One open-source maintainer of a popular open-source tool turned it into a data wiper for anyone whose computer looks Belarussian or Russian. What could possibly go wrong with that plan? Meanwhile, people who've advocated tougher cybersecurity regulation (including me) are doing a victory lap in the press about how it will bolster our defenses. It'll help, I argue, but only some, and at a cost of new failures. The best example being TSA's effort to regulate pipeline security, which has struggled to avoid unintended consequences while being critiqued by an industry that has been hostile to the whole effort from the start. The most interesting impact of the war is in China. Jordan Schneider explores how China and Chinese companies are responding to sanctions on Russia. Jordan thinks that Chinese companies will follow their economic interests and adhere to sanctions—at least where it's clear they're being watched—despite online hostility to sanctions among Chinese digerati. Matthew and I think more attention needs to be paid to Chinese government efforts to police and intimidate ethnic Chinese, including Chinese Americans, in the United States. The Justice Department for one is paying attention; it has arrested several alleged Chinese government agents engaged in such efforts. Jordan unpacks China's new guidance on AI algorithms. I offer grudging respect to the breadth and value of the topics covered by China's AI regulatory endeavors. Dave and I are disappointed by a surprise package in the FY 22 omnibus appropriations act. Buried on page 2334 is an entire smorgasbord of regulation for intelligence agency employees who go looking for jobs after leaving the intelligence community. This version is better than the original draft, but mainly for the intelligence agencies; intelligence professionals seem to have been left out in the cold when revisions were proposed. Matthew does an update on the peanut butter sandwich spies who tried to sell nuclear sub secrets to a foreign power that the Justice Department did not name at the time of their arrest. Now that country has been revealed. It's Brazil, apparently chosen because the spies couldn't bring themselves to help an actual enemy of their country. And finally, I float my own proposal for the nerdiest possible sanctions on Putin. He's a big fan of the old Soviet empire, so it would be fitting to finally wipe out the last traces of the Soviet Union, which have lingered for thirty years too long in the Internet domain system. Check WIRED magazine for my upcoming op-ed on the topic. Download the 399th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
Much of this episode is devoted to new digital curtain falling across Europe. Gus Horwitz and Mark-MacCarthy review the tech boycott that has seen companies like Apple, Samsung, Microsoft and Adobe pull their service from Russia. Nick Weaver describes how Russia cracked down on independent Russian media outlets and blocked access to the websites of foreign media including the BBC and Facebook. Gus reports on an apparent Russian decision to require all servers and domains to transfer Russian zone, thereby disconnecting itself from the global internet. Mark describes how private companies in the U.S. have excluded Russian media from their systems, including how DirecTV's decision to drop RT America led the Russian 24-hour news channel to shutter its operations. In contrast, the EU officially shut down all RT and Sputnik operations, including their apps and websites. Nick wonders if the enforcement mechanism is up to the task of taking down the websites. Gus, Dave and Mark discuss the myth making in social media about the Ukrainian war such as the Ghost of Kyiv, and wonder if fiction might do some good to keep up the morale of the besieged country. Dave Aitel reminds us that despite the apparent lack of cyberattacks in the war, more might be going on under the surface. He also he tells us more about the internal attack that affected the Conti Ransomware gang when they voiced support for Russia. Nick opines that cryptocurrencies do not have the volume to serve as an effective way around the financial sanctions against Russia. Sultan Meghji agrees that the financial sanctions will accelerate the move away from the dollar as the world's reserve currency and is skeptical that a principles-based constraint will do much good to halt that trend. A few things happened other than the war in Ukraine, including President Biden's first state of the union address. Gus notices that much of the speech was devoted to tech. He notes that the presence in the audience of Frances Haugen, the Facebook whistleblower, highlighted Biden's embrace of stronger online children's privacy laws and that the presence of Intel CEO Patrick Gelsinger gave the president the opportunity to pitch his plan to support domestic chip production. Sultan and Dave discuss the cybersecurity bill that passed out of the Senate unanimously. It would require companies in critical sectors to report cyberattacks and ransomware to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). They also analyze the concerns that companies have about providing information to the FBI. Dave thinks the bills that were discussed in this week's House Commerce hearing to hold Big Tech accountable, respond to wide-spread public concerns about tech's surveillance business model, but still he thinks they are unlikely to make it through the process to become law. Gus says that Amazon's certification that it has responded to the Federal Trade Commission's inquiries about its proposed $6.5 billion MGM merger triggers a statutory deadline for the agency to act. It is not the company's fault, he says, that the agency has a 2-2 between Democrats and Republicans that will likely prevent them opposing the merger in time. I take the opportunity to note that the Senate Commerce committee sent the nominations of Alvaro Bedoya for the Federal Trade Commission and Gigi Sohn for the Federal Communications Commission to the Senate floor, but that it would likely be several months before the full Senate would act on the nominations. Finally, Nick argues that certain measures in the European Commission's proposed digital identity framework, aiming to improve authentication on the web, would in practice have the opposite effect of dramatically weakening web security. Download the 397th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
Much of this episode is devoted to new digital curtain falling across Europe. Gus Horwitz and Mark-MacCarthy review the tech boycott that has seen companies like Apple, Samsung, Microsoft and Adobe pull their service from Russia. Nick Weaver describes how Russia cracked down on independent Russian media outlets and blocked access to the websites of foreign media including the BBC and Facebook. Gus reports on an apparent Russian decision to require all servers and domains to transfer Russian zone, thereby disconnecting itself from the global internet. Mark describes how private companies in the U.S. have excluded Russian media from their systems, including how DirecTV's decision to drop RT America led the Russian 24-hour news channel to shutter its operations. In contrast, the EU officially shut down all RT and Sputnik operations, including their apps and websites. Nick wonders if the enforcement mechanism is up to the task of taking down the websites. Gus, Dave and Mark discuss the myth making in social media about the Ukrainian war such as the Ghost of Kyiv, and wonder if fiction might do some good to keep up the morale of the besieged country. Dave Aitel reminds us that despite the apparent lack of cyberattacks in the war, more might be going on under the surface. He also he tells us more about the internal attack that affected the Conti Ransomware gang when they voiced support for Russia. Nick opines that cryptocurrencies do not have the volume to serve as an effective way around the financial sanctions against Russia. Sultan Meghji agrees that the financial sanctions will accelerate the move away from the dollar as the world's reserve currency and is skeptical that a principles-based constraint will do much good to halt that trend. A few things happened other than the war in Ukraine, including President Biden's first state of the union address. Gus notices that much of the speech was devoted to tech. He notes that the presence in the audience of Frances Haugen, the Facebook whistleblower, highlighted Biden's embrace of stronger online children's privacy laws and that the presence of Intel CEO Patrick Gelsinger gave the president the opportunity to pitch his plan to support domestic chip production. Sultan and Dave discuss the cybersecurity bill that passed out of the Senate unanimously. It would require companies in critical sectors to report cyberattacks and ransomware to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). They also analyze the concerns that companies have about providing information to the FBI. Dave thinks the bills that were discussed in this week's House Commerce hearing to hold Big Tech accountable, respond to wide-spread public concerns about tech's surveillance business model, but still he thinks they are unlikely to make it through the process to become law. Gus says that Amazon's certification that it has responded to the Federal Trade Commission's inquiries about its proposed $6.5 billion MGM merger triggers a statutory deadline for the agency to act. It is not the company's fault, he says, that the agency has a 2-2 between Democrats and Republicans that will likely prevent them opposing the merger in time. I take the opportunity to note that the Senate Commerce committee sent the nominations of Alvaro Bedoya for the Federal Trade Commission and Gigi Sohn for the Federal Communications Commission to the Senate floor, but that it would likely be several months before the full Senate would act on the nominations. Finally, Nick argues that certain measures in the European Commission's proposed digital identity framework, aiming to improve authentication on the web, would in practice have the opposite effect of dramatically weakening web security. Download the 397th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
The Cyberlaw Podcast has decided to take a leaf from the (alleged) Bitcoin Bandits' embrace of cringe rap. No more apologies. We're proud to have been cringe-casting for the last six years. Scott Shapiro, however, shows that there's a lot more meat to the bitcoin story than embarrassing social media posts. In fact, the government's filing after the arrest of Ilya Lichtenstein and Heather Morgan paints a forbidding picture of how hard it is to actually cash $4.5 billion in bitcoin. That's what the government wants us to think, but it's persuasive nonetheless, and both Scott and David Kris recommend it as a read. Like the Rolling Stones performing their greatest hits from 1965 on tour this year, U.S. Senator Ron Wyden of Oregon is replaying his favorite schtick from 2013 or so—complaining that the government has an intelligence program that collects some U.S. person data under a legal theory that would surprise most Americans. Based on the Privacy and Civil Liberties Oversight Board staff recommendations, Dave Aitel and David Kris conclude that this doesn't sound like much of a scandal, but it may lead to new popup boxes on intel analysts' desktops as they search the resulting databases. In an entirely predictable but still discouraging development, Dave Aitel points to persuasive reports from two forensics firms that an Indian government body has compromised the computers of a group of Indian activists and then used its access not just to spy on the activists but to load fake and incriminating documents onto their computers. In the EU, meanwhile, crisis is drawing nearer over the EU General Data Protection Regulation (GDPR) and the European Court of Justice decision in the Schrems cases. David Kris covers one surprising trend. The court may have been aiming at the United States, but its ruling is starting to hit European companies who are discovering that they may have to choose between Silicon Valley services and serious liability. That's the message in the latest French ruling that websites using Google Analytics are in breach of GDPR. Next to face the choice may be European publishers who depend on data-dependent advertising whose legality the Belgian data protection authority has gravely undercut. Scott and I dig into the IRS's travails in trying to implement facial recognition for taxpayer access to records. I reprise my defense of face recognition in Lawfare. Nobody is going to come out of this looking good, Scott and I agree, but I predict that abandoning facial recognition technology is going to mean more fraud as well as more costly and lousier service for taxpayers. I point to the only place Silicon Valley seems to be innovating—new ways to show conservatives that their views are not welcome. Airbnb has embraced the Southern Poverty Law Center (SPLC), whose business model is labeling mainstream conservative groups as “hate” mongers. It told Michelle Malkin that her speech at a SPLC “hate” conference meant that she was forever barred from using Airbnb—and so was her husband. By my count that's guilt by association three times removed. Equally remarkable, Facebook is now telling Bjorn Lonborg that he cannot repeat true facts if he's using them to support the Wrong Narrative. We're not in content moderation land any more if truth is not a defense, and tech firms that supply real things for real life can deny them to people whose views they don't like. Scott and I unpack the EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act), again reported out of committee with a chorus of boos from privacy NGOs. We also note that supporters of getting tough on the platforms over child sex abuse material aren't waiting for EARN IT. A sex trafficking lawsuit against Pornhub has survived a Section 230 challenge. Download the 394th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
The Cyberlaw Podcast has decided to take a leaf from the (alleged) Bitcoin Bandits' embrace of cringe rap. No more apologies. We're proud to have been cringe-casting for the last six years. Scott Shapiro, however, shows that there's a lot more meat to the bitcoin story than embarrassing social media posts. In fact, the government's filing after the arrest of Ilya Lichtenstein and Heather Morgan paints a forbidding picture of how hard it is to actually cash $4.5 billion in bitcoin. That's what the government wants us to think, but it's persuasive nonetheless, and both Scott and David Kris recommend it as a read. Like the Rolling Stones performing their greatest hits from 1965 on tour this year, U.S. Senator Ron Wyden of Oregon is replaying his favorite schtick from 2013 or so—complaining that the government has an intelligence program that collects some U.S. person data under a legal theory that would surprise most Americans. Based on the Privacy and Civil Liberties Oversight Board staff recommendations, Dave Aitel and David Kris conclude that this doesn't sound like much of a scandal, but it may lead to new popup boxes on intel analysts' desktops as they search the resulting databases. In an entirely predictable but still discouraging development, Dave Aitel points to persuasive reports from two forensics firms that an Indian government body has compromised the computers of a group of Indian activists and then used its access not just to spy on the activists but to load fake and incriminating documents onto their computers. In the EU, meanwhile, crisis is drawing nearer over the EU General Data Protection Regulation (GDPR) and the European Court of Justice decision in the Schrems cases. David Kris covers one surprising trend. The court may have been aiming at the United States, but its ruling is starting to hit European companies who are discovering that they may have to choose between Silicon Valley services and serious liability. That's the message in the latest French ruling that websites using Google Analytics are in breach of GDPR. Next to face the choice may be European publishers who depend on data-dependent advertising whose legality the Belgian data protection authority has gravely undercut. Scott and I dig into the IRS's travails in trying to implement facial recognition for taxpayer access to records. I reprise my defense of face recognition in Lawfare. Nobody is going to come out of this looking good, Scott and I agree, but I predict that abandoning facial recognition technology is going to mean more fraud as well as more costly and lousier service for taxpayers. I point to the only place Silicon Valley seems to be innovating—new ways to show conservatives that their views are not welcome. Airbnb has embraced the Southern Poverty Law Center (SPLC), whose business model is labeling mainstream conservative groups as “hate” mongers. It told Michelle Malkin that her speech at a SPLC “hate” conference meant that she was forever barred from using Airbnb—and so was her husband. By my count that's guilt by association three times removed. Equally remarkable, Facebook is now telling Bjorn Lonborg that he cannot repeat true facts if he's using them to support the Wrong Narrative. We're not in content moderation land any more if truth is not a defense, and tech firms that supply real things for real life can deny them to people whose views they don't like. Scott and I unpack the EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act), again reported out of committee with a chorus of boos from privacy NGOs. We also note that supporters of getting tough on the platforms over child sex abuse material aren't waiting for EARN IT. A sex trafficking lawsuit against Pornhub has survived a Section 230 challenge. Download the 394th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
All of Washington is back from Christmas break, and suddenly the Biden administration is showing a sharp departure from the Obama and Clinton years where regulation of Big Tech is concerned. Regulatory swagger is everywhere. Treasury regulatory objections to Facebook's cryptocurrency project have forced the Silicon Valley giant to abandon the effort, Maury Shenk tells us, and the White House is initiating what looks like a major interagency effort to regulate cryptocurrency on national security grounds. The Federal Energy Regulatory Commission is getting serious (sort of) about monitoring the internal security of electric grid systems, Tatyana Bolton reveals. The White House and Environmental Protection Agency are launching a “sprint” to bring some basic cybersecurity to the nation's water systems. Gary Gensler is full of ideas for expanding the Security and Exchange Commission's security requirements for brokers, public companies and those who service the financial industry. The Federal Trade Commission is entertaining a rulemaking petition that could profoundly affect companies now enjoying the gusher of online ad money generated by aggregating consumer data. In other news, Dave Aitel gives us a thoughtful assessment of why the log4j vulnerability isn't creating as much bad news as we first expected. It's a mildly encouraging story of increased competence and speed in remediation, combined with the complexity (and stealth) of serious attacks built on the flaw. Dave also dives deep on the story of the Belarussian hacktivists (if that's what they are) now trying to complicate Putin's threats against Ukraine. It's hard to say whether they've actually delayed trains carrying Russian tanks to the Belarussian-Ukrainian border, but this is one group that has consistently pulled off serious hacks over several years as they harass the Lukashenko regime. In a blast from the past, Maury Shenk takes us back to 2011 and the Hewlett Packard (HP)-Autonomy deal, which was repudiated as tainted by fraud almost as soon as it was signed. Turns out, HP is getting a long-delayed vindication, as Autonomy's founder and CEO is found liable for fraud and ordered extradited to the U.S. to face criminal charges. Both rulings are likely to be appealed, so we'll probably still be following court proceedings over events from 2011 in 2025 or later. Speaking of anachronistic court proceedings, the European Union's effort to punish Intel for abusing its dominant position in the chip market has long outlived Intel's dominant position in the chip market, and we're nowhere near done with the litigation. Intel won a big decision from the European general court, Maury tells us. We agree that it's only the European courts that stand between Silicon Valley and a whole lot more European regulatory swagger. Finally, Dave brings us up to date on a New York Times story about how Israel used NSO's hacking capabilities in a campaign to break out of years of diplomatic isolation. Download the 392nd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
All of Washington is back from Christmas break, and suddenly the Biden administration is showing a sharp departure from the Obama and Clinton years where regulation of Big Tech is concerned. Regulatory swagger is everywhere. Treasury regulatory objections to Facebook's cryptocurrency project have forced the Silicon Valley giant to abandon the effort, Maury Shenk tells us, and the White House is initiating what looks like a major interagency effort to regulate cryptocurrency on national security grounds. The Federal Energy Regulatory Commission is getting serious (sort of) about monitoring the internal security of electric grid systems, Tatyana Bolton reveals. The White House and Environmental Protection Agency are launching a “sprint” to bring some basic cybersecurity to the nation's water systems. Gary Gensler is full of ideas for expanding the Security and Exchange Commission's security requirements for brokers, public companies and those who service the financial industry. The Federal Trade Commission is entertaining a rulemaking petition that could profoundly affect companies now enjoying the gusher of online ad money generated by aggregating consumer data. In other news, Dave Aitel gives us a thoughtful assessment of why the log4j vulnerability isn't creating as much bad news as we first expected. It's a mildly encouraging story of increased competence and speed in remediation, combined with the complexity (and stealth) of serious attacks built on the flaw. Dave also dives deep on the story of the Belarussian hacktivists (if that's what they are) now trying to complicate Putin's threats against Ukraine. It's hard to say whether they've actually delayed trains carrying Russian tanks to the Belarussian-Ukrainian border, but this is one group that has consistently pulled off serious hacks over several years as they harass the Lukashenko regime. In a blast from the past, Maury Shenk takes us back to 2011 and the Hewlett Packard (HP)-Autonomy deal, which was repudiated as tainted by fraud almost as soon as it was signed. Turns out, HP is getting a long-delayed vindication, as Autonomy's founder and CEO is found liable for fraud and ordered extradited to the U.S. to face criminal charges. Both rulings are likely to be appealed, so we'll probably still be following court proceedings over events from 2011 in 2025 or later. Speaking of anachronistic court proceedings, the European Union's effort to punish Intel for abusing its dominant position in the chip market has long outlived Intel's dominant position in the chip market, and we're nowhere near done with the litigation. Intel won a big decision from the European general court, Maury tells us. We agree that it's only the European courts that stand between Silicon Valley and a whole lot more European regulatory swagger. Finally, Dave brings us up to date on a New York Times story about how Israel used NSO's hacking capabilities in a campaign to break out of years of diplomatic isolation. Download the 392nd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
All the cyber litigation that didn't get filed, or decided, over Thanksgiving finally hit the fan last week, and we're still cleaning up. But first, I have to ask Dave Aitel for a sanity check on Log4Shell. Does it really deserve a 10 out of 10 for impact? And what does it mean for all the open source components buried in all our enterprise software? Dave's only piece of good news is that some big projects were far enough behind in updates that they hadn't built the flaw into their products. In the first of several cyber lawsuits covered in this episode, Jamil Jaffer and I praise Google for a particularly comprehensive and creative approach to suing cybercriminals. RICO plus a boatload of computer privacy violations are at the heart of Google's complaint against two criminals behind the Glupteba botnet. We note that the defendants deserve credit for their own creativity in using the blockchain to reconstitute their C2 infrastructure. If more criminals did that, Microsoft's trademark approach—using trademark violations to seize botnet infrastructure—would be less effective. We note that this week Microsoft used litigation to take down a Chinese government network. Is it wrong to complain that Microsoft has been using this approach for long enough that botnets are only inconvenienced, not destroyed, by the tactic? Maury Shenk digs into the remarkable report that Apple CEO Tim Cook promised $275 billion of investment to China. Five years ago. And we're only finding out about it now. In secret. When Congress finally gets around to the cyber incident reporting bill that it bumped from the defense authorization act, maybe it will want to classify multibillion dollar deals with China as the kind of cyber incident that ought to be reported to anyone on the receiving end of corporate lobbying campaigns. The Tenth Circuit finished its Thanksgiving by releasing a massive opinion upholding the constitutionality of Section 702 of FISA. Jamil Jaffer, who played a key role in the adoption of Section 702 walks us through the decision. The decision was 2-1, but not on the main ruling. Instead, the debate was over Article III and the “advisory” nature of FISA court opinions reviewing executive procedures under that section. I confess to some sympathy for the dissent but wonder how it would help the defendant to strike down that procedure. Dave explains why Tor might not be as secure as we think. A mysterious and likely state sponsored actor is running hundreds of malicious Tor relays. And to add insult to injury, the actor is openly lobbying against measures to cut down on malicious Tor relays. But wait, there's more cyber litigation, and again Jamil talks us through it. A Saudi women's rights activist has brought a Computer Fraud and Abuse Act lawsuit against DarkMatter and its expat American employees for an iPhone hack that she says got her arrested. I'm a little skeptical that the lawsuit will survive a Foreign Sovereign Immunities Act motion. Maury and I question the wisdom of a recent Italian fine penalizing Amazon over a billion euros, mainly for preferencing sellers who sign up for Prime logistics support. Dave tells the sad story of Ilya Sachkov, a Russian cybersecurity whiz kid and CEO who may have believed too much that everyone sees cybersecurity as a white hat enterprise. Word is that he may have been too helpful in unraveling the DNC attackers identities in 2016 and is now paying for it with a Russian treason charge. Maury notes that the U.S. decision to blacklist the Chinese artificial intellgience company SenseTime was carefully timed to guarantee disruption of SenseTime's IPO. Whether the U.S. action will be more than a delaying tactic remains to be seen, but Maury is skeptical. Maury notes that Wikileaks founder Julian Assange has lost an important battle as he fights extradition to the U.S.. Jamil notes that the cyber incident reporting bill didn't make it into the defense authorization act, as mentioned earlier. He is one of the few cybersecurity buffs who isn't especially disappointed. Maury and I disagree about a much-ballyhooed group of companies claiming to combat artificial intelligence bias in hiring. I'll believe it when they actually expose their recommendations to public scrutiny. For those who think bias in content moderation is not a thing, try spending ten minutes with this right-wing French candidate's very effective campaign ad. Then ask yourself why exactly YouTube thought it wasn't fit for children. My guess is that it was the ad's effectiveness that YouTube really disapproved of. Dave and I puzzle over the Biden administration's unsatisfying “Initiative for Democratic Renewal”—a big international get-together that got only cursory attention in the U.S., perhaps because its theme is still a little hard to find. And, finally, just to give me an excuse to publicize my latest Cybertoonz comic, Jamil asks for Western militaries what it means to “impose a cost” on ransomware gangs. With that, the Cyberlaw Podcast bids farewell to 2021. We will return in January. Download the 387th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.
In this episode, Dave Aitel and I dig into the new criminal law the House intelligence committee has proposed for workers at intelligence agencies. The proposal is driven by the bad decisions of three intel agency alumni who worked for the United Arab Emirates, doing phone hacking and other intrusions under the sobriquet of Project Raven. Dave criticizes the broad language, the assumption that hacking for the government teaches things you can't learn in the private sector, and the use of criminal penalties where reporting obligations would suffice. I plug a podcast on the topic released by the Association of Former Intelligence Officers. Maury Shenk and I dig into the Federal Communications Commission's decision to kick China Telecom off the U.S. telecommunications network. My view: this decision was overdetermined, a perfect storm of bad politics, poor decisions by China Telecom, and the fact that no American company has ever been licensed to do in China what China Telecom has spent 20 years doing in the United States. We also dig into the proposal of a global regulatory alliance, Financial Action Task Force (FATF), to impose some fairly strict requirements on cryptocurrency transactions. A lot of companies are criticizing the proposal, but unlike five years ago, they're weighed down by the existence of an entire ransomware industry that depends on cryptocurrency. The EU, meanwhile, is struggling to implement sanctions for cyberattacks. As usual, Europe is its own worst enemy, tied down by excessive politicization, weak intelligence collection made weaker by a lack of sharing, and aggressive judicial oversight. Maury and I track down a tip about France trying to turn cloud security standards into a weapon for excluding U.S.-owned providers. The big cloud companies are deemed insecure because they aren't immune to U.S. legal process. But neither are the “big” European champions, since they almost certainly are subject to U.S. jurisdiction. So not only will EU buyers of cloud services be stuck with Deutsche Telekom and its two percent market share, they still won't be safe from the long arm of U.S. discovery. European data protection policy at its finest! We briefly explore Facebook whistleblower Frances Haugen's flirtation with criticizing Facebook for adopting end-to-end encryption (e2e). Once she discovered that criticizing e2e is beyond the pale, however, she retreated into a cloud of incomprehensibility. I capture the moment in my latest effort to turn cyber policy into cartoons. Download the 381st Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
In this episode of Phoenix Cast, hosts John, Rich, and Kyle welcome special guests Perri Adams, Dave Aitel, George Perkovich, and JD Work. The guests discuss their article “Responsible Cyber Offense” explaining to the hosts why they wrote the article, going through the specific recommendations point by point, and then answering what they wish they could add. Share your thoughts with us on Twitter: @USMC_TFPhoenix (Now verified!) Follow MARFORCYBER & MCCOG on Twitter, LinkedIn, Facebook, and YouTube. Leave your review on Apple Podcasts and please share to continue the conversation. Links: https://www.lawfareblog.com/responsible-cyber-offense
This is the meatiest episode in a long time, as Dmitri Alperovitch, Dave Aitel, and Mark MacCarthy go deep on the substance of a dozen stories or more. First up, Dmitri and I speculate on possible outcomes from the newly announced administration plan to convene 30 countries to crack down on ransomware. We also report on what may be the first conformed death resulting from the equipment failures caused by ransomware—a newborn strangled by its umbilical cord without the usual electronic warnings. Dmitri also recaps and explains a new cryptocurrency regulatory topic that doesn't concern its use in ransomware schemes—the move to ensure the financial stability of stablecoins. Dave weighs in on two surprising provisions of the House intel authorization bill. The first would respond to the Project Raven incident by imposing new controls on ex-spies working for foreign governments. No one is against the idea, but no one thinks that the problem is limited to alumni of a few intelligence agencies. And the bill's sweep is far broader than cases like Project Raven. I make the argument that it may criminalize ex-spies giving security advice to Airbus, or perhaps even the Atlantic Council. The second imposes reporting requirements on U.S. government purchases of vulnerabilities from foreign vendors. This leads to a discussion of which nation has the best offensive talent. Dave thinks the old champ has been decisively dethroned. In other legislative news, Dmitri covers the three committees producing bills to require cyber incident reporting, with special emphasis on the recently leaked bill from Senate Intel. It's a very aggressive bill, perhaps designed to stake out negotiating room with the Homeland committees. I ask, “What's the difference between Europe's staggering fines for General Data Protection Regulation (GDPR) violations and the fines for violating U.S. cyber reporting obligations?” The answer: about two weeks, at which point the maximum fine due to the U.S. will exceed the top European fine. Mark gives an overview and some prognostication about Google's effort to overturn the EU's $5 billion antitrust fine for its handling of Android. Dmitri and I find ourselves forced to face up to the growing soft power of Russia and China, which are now increasingly forcing Silicon Valley companies to project Russian and Chinese power into the West. Russia, having forced Apple and Google to send hostages in the form of local employees, are trying to use their leverage to control what those companies do in countries like Germany. And Linkedin, the last Western social media company still standing in China, is trying to keep that status by asking Americans to self-censor their accounts. At Dave's request, we visit a story we missed last week and explore all the complex equities at work when the FBI decides whether to use ransomware keys for remediation or disruption. Mark gives an overview of the new Federal Trade Commission, where regulatory ambition is high but practical authority weak, at least until the Senate confirms a third Democratic commissioner. Waiting in the wings for that event is even more antitrust action, possible new online privacy rules and Commissioner Slaughter's enthusiasm for addressing racial equity quotas under the guise of algorithmic fairness. Dmitri offers his best guess about the recent Russian arrest of a cybersecurity executive for treason (that's the second in five years if you're counting) and the U.S. decision to send a Russian scammer back to Russia after bitterly fighting to extradite him from Israel (it's the magic of time served awaiting extradition, I speculate). In quick hits: Dmitri makes a public service announcement about the ways that Two-Factor Authentication (2FA) can be subverted. I celebrate some good news for the U.S.: China is planning to encourage provincial controls on the design and use of user algorithms. That's bound to give US companies a new competitive advantage in a field where TikTok has passed them. Dave and I dissect the guilty plea of former Ethereum developer Virgil Griffith to violating U.S. sanctions to offer a bland speech on cryptocurrency in North Korea. I give the highlights of two new and eminently contestable cyberlaw rulings: In U.S. v. Wilson, the Ninth Circuit decided that law enforcement needs a warrant to open files that it knows from hashes are 99.9 percent certain to be child porn. The decision would be unfortunate if it weren't meaningless; the hash itself provides probable cause, so warrants will be quickly and routinely issued. Thanks for the make-work, EFF! And a magistrate judge clearly gunning for promotion has written a Stored Communications Act opinion that would fill me with concern about the way it empowers Silicon Valley's biased Trust and Safety operatives to de-platform people and then turn their posts over to law enforcement without the subpoena they usually demand. I would worry more about those troubling consequences if I thought the opinion would survive. And, finally, Dmitri is pleased to find one field where AI is succeeding without controversy, as machine learning declares a famous Peter Paul Rubens painting, Samson and Delilah, to be a fake. But how long, I wonder, before this AI is forced by the FTC to correct its notorious anti-Flemish bias? And more! Download the 377th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
We begin the episode with a review of the massive Kaseya ransomware attack. Dave Aitel digs into the technical aspects while Paul Rosenzweig and Matthew Heiman explore the policy and political implications. But either way, the news is bad. Then we come to the Florida “deplatforming” law, which a Clinton appointee dispatched in a cursory opinion last week. I've been in a small minority who thinks the law, far from being a joke, is likely to survive (at least in part) if it reaches the Supreme Court. Paul challenges me to put my money where my mouth is. Details to be worked out, but if a portion of the law survives in the top court, Paul will be sending a thousand bucks to Trumpista nonprofit. If not, I'll likely be sending my money to the ACLU. Surprisingly, our commentators mostly agree that both NSA and Tucker Carlson could be telling the truth, despite the insistence of their partisans that the other side must be lying. NSA gets unaccustomed praise for its … wait for it … rapid and PR-savvy response. That's got to be a first. Paul and I conclude that Maine, having passed in haste the strongest state facial recognition ban yet, will likely find itself repenting at leisure. Matthew decodes Margrethe Vestager's warning to Apple against using privacy, security to limit competition. And I mock Apple for claiming to protect privacy while making employees wear body cams to preserve the element of surprise at the next Apple product unveiling. Not to mention the 2-billion-person asterisk attached to Apple's commitment to privacy. Dave praises NSA for its stewardship of a popular open source reverse engineering tool, Ghidra. And everyone has a view about cops using YouTube's crappy artificial intelligence takedown engine to keep people from posting videos of their conversations with cops. And more! Download the 369th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets
Dave Aitel, who started his career at NSA and spent the past twenty years in offensive cybersecurity, comes on ChinaTalk to discuss What he's learned in his quest to read every cyber policy paper What blindspots remain in the field How China ranks in offensive and defensive cyber ceapabilities relative to the US and what we can all learn from the Tianfu Cup (http://www.tianfucup.com/) Why Cyberpunk 2077 is a masterpiece Please consider supporting ChinaTalk at https://glow.fm/chinatalk/ Apply to be an intern at Rhodium! https://rhg.com/careers/ Graded China Policy Papers: https://docs.google.com/spreadsheets/d/1D88loPVPBgGYj53lroS05rB1LJ2kA5DnbfRJIXghST0/edit?usp=sharing Graded Cyber Policy Papers: https://docs.google.com/spreadsheets/d/1pnISykZe1nn1wwWBJRiaxYaqDoj4ADeBtsoUL41Hw2Y/edit?usp=sharing Outtro Music: ICE-PROUD
Dave Aitel, who started his career at NSA and spent the past twenty years in offensive cybersecurity, comes on ChinaTalk to discuss What he's learned in his quest to read every cyber policy paper What blindspots remain in the field How China ranks in offensive and defensive cyber ceapabilities relative to the US and what we can all learn from the Tianfu Cup (http://www.tianfucup.com/) Why Cyberpunk 2077 is a masterpiece Please consider supporting ChinaTalk at https://glow.fm/chinatalk/ Apply to be an intern at Rhodium! https://rhg.com/careers/ Graded China Policy Papers: https://docs.google.com/spreadsheets/d/1D88loPVPBgGYj53lroS05rB1LJ2kA5DnbfRJIXghST0/edit?usp=sharing Graded Cyber Policy Papers: https://docs.google.com/spreadsheets/d/1pnISykZe1nn1wwWBJRiaxYaqDoj4ADeBtsoUL41Hw2Y/edit?usp=sharing Outtro Music: ICE-PROUD
This week we interview Eliot Higgins, founder and executive director of the online investigative collective Bellingcat and author of We Are Bellingcat. Bellingcat has produced remarkable investigative scoops on everything from Saddam's use of chemical weapons to exposing the Russian FSB operatives who killed Sergei Skripal with Novichok, and, most impressive, calling a member of the FSB team that tried to kill Navalny and getting him to confess. Eliot talks about the techniques that make Bellingcat so effective and the hazards, physical and moral, that surround crowdsourced investigations. In the news, Dave Aitel gives us the latest on the Exchange server compromise, and the reckless Chinese hack-everyone spree that was apparently triggered by Microsoft's patch of the vulnerability. Jamil Jaffer introduces us to the vulnerability of the week – dependency confusion, and the startling speed with which it is being exploited. I ask Nate Jones and the rest of the panel what all this means for government policy. No one thinks that the Biden published cyberstrategy tells us anything useful. More interesting are two deep dives on cyber strategy from people with a long history in the field. We see Jim Lewis's talk on the topic as an evolution in the direction of much harsher responses to Russian and Chinese intrusions. Dmitri Alperovich's approach also has a hard edge, although he points out that the utter irresponsibility of the Chinese pawn-em-all tactic deserves an especially harsh response. I wonder why Cyber Command didn't respond by releasing a worm that would install poorly secured shells on every Exchange server in China. In other news, I blame poor (or rushed) Pentagon lawyering for the district court ruling that the Department of Defense couldn't list Xiaomi as an entity aligned with the Chinese military. Jamil is more charitable both to DOD and the Judge who made the ruling, but he expects (or maybe just hopes) that the court of appeal will show the Pentagon more deference. Twitter, on the other hand, is praying that the Northern District of California suffers from full-blown Red State Derangement, as it asks the court there to enjoin a Texas Attorney General investigation into possible anticompetitive coordination in the Great Deplatforming of January 2021. Nate gives us the basics. I observe that, to bring such a Hail Mary of a case, Twitter must deeply fear what its own employees were saying about the deplatforming at the time. Neither Nate nor I give Twitter a high probability of success. And even if it does succeed, red states are lining up new laws and regulatory initiatives for Silicon Valley, most notably Gov. DeSantis's controversial effort to navigate section 230 and the first amendment. Nate also provides a remarkably clear explanation of the sordid tale of European intelligence and law enforcement agencies trying to cut a special deal for themselves in the face of surveillance-hostile rulings from the EU's Court of Justice. The agencies are right to want to avoid those foolish decisions, but leaving the US on the hook will only inflame trans-Atlantic relations. In quick hits, Jamil and Dave talk us through Israel's Unit 8200, the press on which offers a better cybersecurity VC alumni network than Stanford. We also discuss recent news about security lapses in what Dave calls the internet of things. And more! Download the 353rd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
We interview Jane Bambauer on the failure of COVID-tracking phone apps. She and Brian Ray are the authors of “COVID-19 Apps Are Terrible—They Didn't Have to Be,” a paper for Lawfare's Digital Social Contract project. It turns out that, despite high hopes, the failure of these apps was overdetermined, mainly by twenty years of privacy scandalmongering and privacy laws. In essence, Google and Apple set far too strict rules for the apps in an effort to avoid privacy-based political attacks, and the governments that could have reined them in surrendered instead, in order to avoid privacy-based political attacks. So, we have no one to blame but ourselves, and our delusional enthusiasm for privacy. In the news roundup, suddenly face recognition isn't toxic at all, since it can be used to identify pro-Trump protestors. And, of course, we have always been at war with Oceania. Dave Aitel explains why face recognition might work even with a mask but still not be very good. And Jane Bambauer reprises her recent amicus argument that Illinois's biometric privacy law is a violation of the First Amendment. If you heard last week's episode about Silicon Valley speech suppression, you might be interested in seeing the proposal I came up with then, now elaborated in a Washington Post op-ed. Meanwhile, Dave reports that Parler may be back from the dead but dependent on Russian infrastructure. Dave wants to know if that means Parler can be treated by the Biden team like TikTok was treated by the Trump administration. Dave also brings us up to speed on the latest SolarWinds news. He also casts a skeptical eye on a recent New York Times article pointing fingers at JetBrains as a possible avenue of attack. The story was anonymously sourced and remains conspicuously unconfirmed by other reporting. Not dead yet, the Trump administration has delivered regulations for administering the executive order allowing the exclusion of risky components from the national IT and communications infrastructure. Maury Shenk explains the basics. Speaking of which, China is getting ready to strike back at such measures, borrowing the basic blocking statute rubric invented by the Europeans. Blocking statutes can be effective, but only by putting private companies in a vise between two inconsistent legal duties. Bad news for the companies, but more work for lawyers. I ride one more hobbyhorse, critiquing Mozilla's decision to protect “user privacy” while imposing new burdens and risks on enterprise security. The object of my ire is Firefox's Encrypted Client Hello. Dave corrects my tech but more or less confirmed that this is one more nail in the coffin for chief information security officer's control of corporate networks. Matthew Heiman and I dig into the latest ransomware gang tactics—going after top executive emails to raise the pressure to pay. The answer? I argue for more fake emails In a few quick hits, Maury tells us about the CNIL's decision that privacy law prevents France from using drones to enforce its coronavirus rules. I note a new Federal Deposit Insurance Corporation cybersecurity rule that isn't (yay!) grounded in personal data protection. Maury explains the recent EU advocate general's opinion, which would probably make Schrems II even less negotiable than it is now. If it's adopted by the European Court of Justice, which I argue it will be unless the court can find some resolution that is even more anti-American than the advocate general's proposal. And, finally, Matthew tells us that the State Department has reorganized to deal with cyber issues—a reorganization that may not last longer than a few months. And more! Download the 345th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
Jonas Lejon is an amazing mind in the Swedish security world. A great entrepreneur, hacker, and security-expert! We had the pleasure of talking with him in this episode of Security Headlines. he wanted to specialize in security so he packed his bag and headed over to the capital city to work more in-dept with security. He wanted to go deeper and deeper, so spent his extra hours learning the assembly programming and getting into the low-level brain of the computer system. He managed to land a job working for the Swedish version of NSA. Jonas now runs his own company called "Triop" and has a lot of fun side projects that we dig into. In this episode we also cover: Micro blogging building search engines bloggz dot se Getting over 20K users within a few weeks Twitter in the early days Building Sweden's biggest micro-blogging platform testing in production WordPress Security bug bounties Finding security holes in Zoom writing about encryption and security fuzzing Hacking Bluetooth ISOC-SE the swedish top level domains .se and .nu the internet in Sweden beatboxing pentesting enumerating existing users based on validation time updated, security by default systems network logging Programming leaving python 2 Customizing Kali linux Time-of-check to time-of-use attacks writing exploits ## External links: https://triop.se https://kryptera.se https://web.archive.org/web/20081102073248/http://bloggz.se/ https://web.archive.org/web/20110630210858/http://bloggy.se/ https://en.wikipedia.org/wiki/Memcached https://wpsec.com/ https://utvbloggen.se/ https://se.linkedin.com/in/jonaslejon https://www.youtube.com/channel/UCI49rLPi_Lbbux5eo8ewLKA https://en.wikipedia.org/wiki/Dave_Aitel https://github.com/SofianeHamlaoui/Spike-Fuzzer https://isoc.se/ https://internetstiftelsen.se/en/ https://www.netnod.se/ https://en.wikipedia.org/wiki/Kali_Linux https://en.wikipedia.org/wiki/Arcade_Fire https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use https://github.com/juliocesarfort/public-pentesting-reports https://www.hackerone.com/ https://www.bugcrowd.com/ https://twitter.com/jonasl
Our news roundup is dominated by the seemingly endless ways that the U.S. and China can find to quarrel over tech policy. The Commerce Department's plan to use an executive order to cut TikTok and WeChat out of the U.S. market have now been enjoined. But the $50 Nick Weaver bet me that TikTok could tie its forced sale up until January is still at risk, because the administration has a double-barreled threat to use against that company—not just the executive order but also CFIUS—and the injunction so far only applies to the first. I predict that President Xi is likely to veto any deal that appeals to President Trump, just to show the power of his regime to interfere with US plans. That could spell the end of TikTok, at least in the US. Meanwhile, Dave Aitel points out, a similar but even more costly fate could await much of the electronic gaming industry, where WeChat parent TenCent is a dominant player. And just to show that the U.S. is willing to do to U.S. tech companies what it's doing to Chinese tech companies, leaks point to the imminent filing of at least one and perhaps two antitrust lawsuits against Google. Maury Shenk leads us through the law and policy options. The panelists dismiss as PR hype the claim that it was a threat of “material support” liability that caused Zoom to drop support for a PFLP hijacker's speech to American university students. Instead, it looks like garden variety content moderation aimed this time at a favorite of the far left. Dave explains the good and the bad of the CISA order requiring agencies to quickly patch the critical Netlogon bug. Maury and I debate whether Vladimir Putin is being serious or mocking when he proposes an election hacking ceasefire and a “reset” in the cyber relationship. We conclude that there's some serious mocking in the proposal. Dave and I also marvel at how Elon Musk, for all his iconoclasm, sure has managed to cozy up to both President Xi and President Trump, make a lot of money in both countries, and take surprisingly little flak for doing so. The story that spurs this meditation is the news that Tesla is so dependent on Chinese chips for its autonomous driving engine that it's suing the US to end the tariffs on its supply chain. In quick hits and updates, we note a potentially big story: The Trump administration has slapped new restrictions on exports to Semiconductor Manufacturing International Corporation, China's most advanced maker of computer chips. The press that lovingly detailed the allegations in the Steele dossier about President Trump's ties to Moscow hasn't been quite so loving in their coverage of the dossier's astounding fall from grace. The coup de grace came last week when it was revealed that the main source for the juiciest bits was flagged by the FBI as a likely Russian foreign agent; he escaped a FISA order only because he left the country for a while in 2010. The FISA court has issued an opinion on what constitutes a “facility” that can be tapped with a FISA order. It rejected the advice of Cyberlaw Podcast regular David Kris in an opinion that includes all the court's legal reasoning but remains impenetrable because the facts are all classified. Maury and I come up with a plausible explanation of what was at stake. The Trump administration has proposed Section 230 reform legislation similar to the white paper we covered a couple of months ago. The proposal so completely occupies the reasonable middle of the content moderation debate that a Biden administration may not be able to come up with its own reforms without sounding fatally similar to President Trump. And in yet more China news, Maury and Dave explore the meaning of Nvidia's bid for ARM and Maury expresses no surprise at all that WeWork is selling off a big chunk of its Chinese operations And more! Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design. Hope you like it! Download the 330th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
In our 327th episode of the Cyberlaw Podcast, Stewart is joined by Nick Weaver (@ncweaver), David Kris (@DavidKris), and Dave Aitel (@daveaitel). We are back from hiatus, with a one-hour news roundup to cover the big stories of the last month. Pride of place goes to the WeChat/Tiktok mess, which just gets messier as the deadline for action draws near. TikTok is getting all the attention but WeChat is by far the thorniest policy and technical problem. I predict delays as Commerce wrestles with them. Nick Weaver predicts that TikTok's lawsuit will push resolution of its situation into January. I've got fifty bucks that says it won't. Lawfare wins either way. Dave Aitel digs into the attempted Tesla hack. Second best question in the segment: Who's the insider that enabled an attack on his employer and is still working there three years later? Best question: How many CSO's can say with confidence that none of their employees would take $1 million to plug a USB stick into the company network? This Month in Overhyped Judicial Decisions about FISA: David Kris lays out the seven-years-late Ninth Circuit decision that has been billed as striking at the FISA warrantless surveillance law. Talk about overtaken by events. The opinion grumbles about the Fourth Amendment but doesn't actually rule (and its analysis is so partial that it isn't even persuasive dicta). It boldly finds that the collection violated a statute that has been repealed anyway. And then it says that doesn't matter because suppression of the evidence isn't a remedy and the violation didn't taint the trial. The only really good news for the civil liberties community is that Justice can't appeal to the Supreme Court because, well, it won. David also takes on the other overhyped FISA decision, a lengthy FISA court review of agencies' minimization practices with respect to Americans' data collected under section 702. The court approved practically everything but was predictably and not improperly upset at the FBI's inability to design social and IT systems that prevent dumb violations of the rules. Speaking of FISA, important national security provisions remain unsettled, in large part because of Trump's misguided opposition. Who, David asks, could possibly persuade GOP members that there's a FISA reform that responds to their sense of grievance over the Russian collusion investigation? I volunteer, with lengthy testimony to the PCLOB and a shorter piece in Lawfare. Dave Aitel asks why we're surprised that Iranian hackers are monetizing access to networks that don't offer national security value to their government. Or that hackers are following their targets into specialized software markets. If you know your target is a law firm, he suggests, you'd be better off looking for flaws in Relativity than in Windows…. Excuse me, I just felt someone walk over my grave. Nick and Dave are both critical of the Justice Department's indictment of Joe Sullivan for obstruction of justice and misprision of felony. That is beginning to look like a case Sullivan can win, and he just might take it to trial. Nick thinks the Justice Department is playing a long game in pretending it can seize 280 cryptocurrency accounts used by hackers. It can't get the funds, but it sure can make it hard for the hackers to get them. U.S. Agencies Must Adopt Vulnerability-Disclosure Policies by March 2021. And more! Download the 327th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
In the News Roundup, Dave Aitel (@daveaitel), Mark MacCarthy (@Mark_MacCarthy), and Nick Weaver (@ncweaver) and I discuss how French and Dutch investigators pulled off the coup of the year this April, when they totally pwned a shady “secure phone” system used by massive numbers of European criminals. Nick Weaver explains that hacking the phones of Entrochat users gave them access to large troves of remarkably candid criminal text conversations. And, I argue, it shows the flaw in the argument of encryption defenders. They are right that restricting Silicon Valley encryption will send criminals to less savory companies, but those companies are inherently more prone to compromise, as happened here. The EARN IT Act went from Washington-controversial to Washington consensus in the usual way. It was amended into mush. Indeed, there's an argument that, by guaranteeing nothing bad will happen to social platforms who adopt end-to-end encryption, the Leahy amendment has actually made e2e crypto more attractive than it is today. That's my view, but Mark MacCarthy still thinks the twitching corpse of EARN IT might cause harm by allowing states to adopt stricter rules for liability in the context of child sex abuse material. He also thinks that it won't pass. I have ten bucks that says it will, and by the end of the year. Dave Aitel, new to the news roundup, discusses the bad week TikTok had in its second biggest market. India has banned the app. And judging from some of the teardowns of the code, its days may be numbered elsewhere as well. Dave points to reports that Angry Birds was used to collect user information as well when it was at the height of its popularity. We wax philosophic about why advertising and not national security agencies are breaking new ground in building our Brave New World. Mark once worked for a credit card association, so he's the perfect person to comment on claims that being labeled a “hate speech” platform won't just get you boycotted in Silicon Valley but by the credit card associations as well. And once we're in this vein, we mine it, covering Silicon Valley's concerted campaign to make sure Donald Trump can't repeat 2016 in 2020. He's been deplatformed at Twitch this week for something he said in 2016. And Reddit dumped his enormous subreddit for failure to observe its censorship rules – which I point out are designed to censor only the majority. I argue it's time to go after the speech police. Nick takes us to a remarkable Washington story. He thinks it's about a questionable Trump administration effort to redirect $10 million in “freedom tool” funding from cryptolibertarians to Falun Gong coders. I point out that US government funds going to the cryptolibertarians were paying the salary of the notorious Jake Applebaum and buying tools like TAILS that have protected appalling sextortionist criminals. Really, the money would be better spent if we burned it on cold days. Returning to This Week in Hacked Phones, Nick explains the latest man in the middle attack that requires the phone user to do nothing but visit a website. Any website. Dave sets out the strikingly sophisticated and massive international surveillance system now aimed by China at Uighers all around the world. And Nick warns of two bugs that, if you haven't spent the weekend fixing, may already be exploited on your network. Download the 323rd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
Security industry pioneer Dave Aitel dishes on entrepreneurship, fostering a "one team, one parking lot" culture, how lessons from his time at the NSA still guides his decisions, and his approach to blunt, honest marketing. We also discuss a shared passion for Brazilian Jiu-Jitsu and his work supporting Project Grapple in Miami. Disclosure: Ryan Naraine is a security strategist at Intel Corp. Ryan produces this podcast in his personal capacity and the views and opinions expressed in these recordings do not necessarily reflect the positions and views of Intel Corp. or any of its subsidiaries.
Our interview is with Alex Joel, former Chief of the Office of Civil Liberties, Privacy, and Transparency at the Office of the Director of National Intelligence. Alex is now at the American University law school's Tech, Law, and Security Program. We share stories about the difficulties of government startups and how the ODNI carved out a role for itself in the Intelligence Community (hint: It involved good lawyering). We dive pretty deep on recent FISA court opinions and the changes they forced in FBI procedures. In the course of that discussion, I realize that every “reform” of intelligence dreamed up by Congress in the last decade has turned out to be a self-licking compliance trap, and I take back some of my praise for the DNI's lawyering. In the News Roundup, we're inundated by serious new reports on cyberattacks. Dave Aitel admits that the hacking group he envies most is Turla, which was recently discovered to have totally pwned and stolen the entire attack infrastructure of an Iranian government team. Dave notes that Avast has succumbed to a second, far-reaching intrusion into its network, reminiscent of the last attack, which led to the company sending out a compromised CCleaner application: We may never know whether Avast got the intruder out, Dave suggests, but his hat is off to the company's PR team. In still more pwnage news, Dave praises two new detailed reports from security companies: FireEye's report on APT41's combination of espionage and cybercrime and Crowdstrike's report on amazingly successful Chinese efforts to steal aircraft intellectual property. And one more: Cyber Command has leaked the bare minimum of information designed to show that Iran's strike against Saudi oil facilities did not go unpunished. Dave and I take our hats off to Iran's PR team, which responded to the vague leak by claiming that Cyber Command “must have dreamt it.” In other news, Gus Hurwitz breaks down a recent Ninth Circuit decision construing the Section 230 immunity for tools that filter content on the Internet. Remarkably, two judges thought that the immunity for preventing access to “objectionable” content would allow a company to cut off consumers' access to its competitor's products. Luckily, the two judges were a district court judge and the Ninth Circuit dissenter. But the close call shows how broadly the “objectionable” immunity sweeps. Which raises the question whether our trade agreements should broaden the immunity and turn it into international law that can't be amended easily, or at all. That was a point of rare bipartisan agreement at a recent House hearing. But there's no sign yet that Congress is going to reject the trade deals that do this. Gus and I also touch on the latest flaps over social media content monitoring. Dan Podair explains what's good and what's missing from the California Attorney General's rules implementing California's new, sweeping privacy act. Poor Equifax: Just when they were hoping the worst had passed, the plaintiff's bar doxxed even more embarrassing security failings. Dave offers this cold comfort: All the mistakes that were offered to show that Equifax security was bad could be found in pretty much any network in the country. More cold than comfort, Dave! And, finally, we close with This Week in Puerile Jokes: All inspired, of course, by the UK Government's decision to drop its plan to require ID to watch sex videos online. Download the 283rd Episode (mp3). You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed! As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.
And we're back with an episode that tries to pick out some of the events of August that will mean the most for technology law and policy this year. Dave Aitel opens, telling us that Cyber Command gave the world a hint of what “defending forward” looks like with an operation that is claimed to have knocked the Iranian Revolutionary Guard's tanker attacks for a long-lasting loop. David Kris lifts the curtain on China's approach to information warfare, driven by the Hong Kong protests and its regional hegemonic ambitions. Speaking of China, it looks as though that government's determination to bring the Uighur population to heel led it to create a website devoted to compromising iPhones, in the process disclosing a few zero-days and compromising anybody who viewed the site. Dave Aitel teases out some of the less obvious lessons. He criticizes Apple for not giving security-minded users the tools they need to protect themselves. But he resists my suggestion that the FBI, which first flagged the site for Google's Project Zero, went to Google because Apple wasn't responsive to the Bureau's concerns. (Alternative explanation: If you embarrass the FBI in court, don't be surprised if they embarrass you a few years later.) The lesson of the fight over Chinese disinformation about Hong Kong on Twitter and Facebook and the awkwardness of Apple's situation when faced with Chinese hacking is that the U.S.-China trade war is a lot more than a trade war. It's a grinding, continental decoupling drift that the trade war is driving but which the Trump Administration probably couldn't stop now if the president wanted to. We puzzle over exactly what the president does want. Then I shift to mocking CNN for Trump derangement and inaccuracy (yes, it's an easy target, but give me a break, I've been away for a month): Claims that the president couldn't “hereby order” U.S. companies to speed their decoupling from China are just wrong as a matter of law. In fact, the relevant law, still in effect with modest changes, used to be called the Trading with the Enemy Act. And it's been used to “hereby order” the decoupling of the U.S. economy from countries like Nazi Germany, among others. Whether such an order in the case of China would be “lawful but stupid” is another question. August saw more flareups over alleged Silicon Valley censorship of conservative speech. Facebook has hired former Sen. Kyl to investigate claims of anti-conservative bias in its content moderation, and the White House is reportedly drafting an executive order to tackle Silicon Valley bias. I ask whether either the FTC or FCC will take up their regulatory cudgels on this issue and suggest that Bill Barr's Justice Department might have enough tools to enforce strictures against political bias in platform censorship. We close with the most mocked piece of tech-world litigation in recent weeks – Crown Sterling's lawsuit against BlackHat for not enforcing its code of conduct while the company was delivering a widely disparaged sponsored talk about its new crypto system. Dave Aitel, who runs a cybersecurity conference of his own, lays out the difficulties of writing and enforcing a conference code of conduct. I play Devil's Advocate on behalf of Crown Sterling, and by the end, Dave finds himself surprised to feel just a bit of Sympathy for the Devil. Download the 275th Episode (mp3). You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed! As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.
Our guests this week are Paul Scharre from the Center for a New American Security and Greg Allen from the Defense Department's newly formed Joint Artificial Intelligence Center. Paul and Greg have a lot to say about AI policy, especially with an eye toward national security and strategic competition. Greg sheds some light on the Defense Department's activity, and Paul helps us understand how the military and policymakers are grappling with this emerging technology. But at the end of the day, I want to know: Are we at risk of losing the AI race with China? Paul and Greg tell me not all hope's lost—and how we can retain technological leadership. In what initially seemed like a dog-bites-man story, Attorney General Barr revived the “warrant-proof” encryption debate. He brings some thoughtful arguments to the table, including references to proposals by GCHQ, Ray Ozzie and Matt Tait. Nick Weaver is skeptical toward GCHQ's proposal. But what really flew under the radar this week was Facebook's apparent plan to drastically undermine end-to-end encryption by introducing content moderation to its messaging services. I argue that Silicon Valley is so intent on censoring its users that it is willing to sacrifice confidentiality and security (at least for anyone to the right of George W. Bush). News Roundup newcomer Dave Aitel thinks I'm wrong, at least in my attribution of Facebook's motivations. Mieke Eoyang, another News Roundup newcomer, brings us up to date on all the happenings in election security. Bob Mueller's testimony brought Russian election meddling to the fore. His mistake, I argue, was testifying first to the hopelessly ideological House Judiciary Committee. Speaking of Congress, Mieke notes that the Senate Intel Committee released a redacted report finding that every state was targeted by Russian hackers in the 2016 election—and argues that we're still not prepared to handle their ongoing efforts. Congress is attempting to create a federal election security mandate through several different election security bills, but they likely will continue to languish in the Senate, despite what Mieke sees as a bipartisan consensus. Not all hope is lost, though. Director of National Intelligence Dan Coats, now on his way out, has established a new office to oversee and coordinate election security intelligence. Nick adds an extra reason to double down on election security: How else will we be able to convince the loser that he is indeed the loser? In other news, NSA is going back to the future by establishing a new Cybersecurity Directorate. Dave tries to shed some light on the NSA's history of reorganizations and what this new effort means for the Agency. Dave and I think there's hope that this move will help NSA better reach the private sector—and even give the Department of Homeland Security a run for its money. I also offer Dave the opportunity to respond to critics who argued that his firm, Immunity Inc., was wrong to include a version of the BlueKeep exploit in its commercial pentesting software. The long and the short of it: If a vulnerability has been patched, then that patch gives an adversary everything they need to know to exploit that vulnerability. It only makes sense, then, to make sure your clients are able to protect themselves by testing exploits against that vulnerability. Mieke brings us up to speed on the cybercrime blotter. Marcus Hutchins, one of Dave's critics, pleaded guilty to distributing the Kronos malware but was sentenced to time served thanks in part to his work to stop the spread of the WannaCry ransomware. Mieke says that Hutchins's case is a good example that not all black hat hackers are irredeemable. I note that it was good for him that he made his transition before he was arrested. Dave and Nick support the verdict while lamenting how badly hackers are treated by U.S. law. We round out the News Roundup with quick hits: Facebook had a very bad week, not least because of the multibillion dollar fine imposed by the FTC; the Department of Justice is going to launch a sweeping antitrust investigation into Big Tech; there was a wild hacking conspiracy in Brazil involving cell phones and carwashes; Equifax reached a settlement with the FTC regarding its epic data breach. Speaking of which, we make a special offer to loyal listeners who can learn whether they are eligible to claim a $125 check (or free credit monitoring, if you really prefer). Just go here, and be sure to tell them the Cyberlaw Podcast sent you. Oh, and an anti-robocall bill finally made it through both houses of Congress. Download the 274th Episode (mp3). You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed! As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.
Telegram recovers from a distributed denial-of-service attack. No attribution yet, but all the circumstantial evidence points to the Chinese security services. Operation Fishwrap, conducted by parties unknown, is an influence campaign that substitutes olds for news. Aircraft component manufacturer ASCO’s production is hit by ransomware. Hacking back is back, in Congress. Why don’t people patch? And a tip on fact-checking. Ben Yelin from UMD CHHS on NYPD cellphone surveillance. Guest is Dave Aitel from Cyxtera on offense oriented security and the INFILTRATE conference. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_13.html Support our show
Dave Aitel and Matt Tait come on the podcast to discuss their recent Lawfare essay critiquing the current status of the Vulnerability Equities Process. They argue that the process by which the US government decides whether or not to disclose software vulnerabilities is fundamentally broken, and that now is the time to discuss how to fix it.
Licensed to Pwn: The Weaponization and Regulation of Security Research Jim Denaro Dave Aitel Matt Blaze Nate Cardozo Mara Tam Catherine “Randy” Wheeler Security research is under attack. Updates to the Wassenaar Arrangement in 2013 established among its 41 member nations an agreement to place a variety of previously undesignated “cybersecurity items” under export control. After 18 months and a half-dozen open advisory meetings, the U.S. has taken the entire security research community by surprise with its proposed rule; we are confronted by a sweeping implementation with profound consequences for academia, independent research, commercial cybersecurity, human rights, and national security. While the outcome of this round of regulatory intervention is still uncertain, the fact that there will be more is not. This panel of experts will discuss the context, history, and general process of regulation, as well the related question of “weaponized” research in regulatory discourse. There is significant daylight between the relatively lax text of the Wassenaar Arrangement itself and the extraordinarily broad implementation proposed in the U.S. What will the practical effects of those differences be, and why did the U.S. diverge from the Wassenaar text? Regulators are, even now, still struggling to comprehend what the consequences of this new “cyber rule” might be. So, how are we to understand this regulatory process? What are its objectives? Its impacts? Its limits? How can we influence its outcomes? Eleventh-hour interventions are quickly becoming a hallmark of regulatory activities with implications for the wider world of information security; the fight here is almost exclusively a rearguard action. Without resorting to the usual polemics, what failures of analysis and advice are contributing to these missteps – on both sides? What interests might encourage them? How are security researchers being caught so off-balance? Come victory or despair in the present case, this panel aims to answer the question of whether there is a solution that prevents technology transfer to hostile nations while still enabling free markets, freedom of expression, and freedom of research. Dave Aitel (@daveaitel) is an offensive security expert whose company, Immunity, Inc., consults for major financial institutions, Fortune/Global 500s, etc. At the age of 18, he was recruited by the National Security Agency where he served six years as a “security scientist” at the agency’s headquarters at Fort Meade, Maryland. He then served as a security consultant for @stake before founding Immunity in 2002. Today, Dave’s firm is hired by major companies to try to hack their computer networks - in order to find and fix vulnerabilities that criminal hackers, organized crime and nation-state adversaries could use. Immunity is also a past contractor on DARPA’s cyber weapons project, known as Cyber Fast Track. The company is well-known for developing several advanced hacking tools used by the security industry, such as Swarm, Canvas, Silica, Stalker, Accomplice, Spike, Spike Proxy, Unmask - and, most recently Innuendo, the first US-made nation-grade cyber implant with Flame/Stuxnet-like malware capabilities. Immunity has offices in Florida, D.C., Canada, Italy and Argentina. eWeek Magazine named Dave one of “The 15 Most Influential People in Security.” He is a past keynote speaker at BlackHat and DEF CON. He is a co-author of “The Hacker’s Handbook,” The Shellcoder’s Handbook” and “Beginning Python.” He is also the founder of the prestigious Infiltrate offensive security conference (Businessweek article) and the widely read “Daily Dave Mailing List,” which covers the latest cybersecurity news, research and exploit developments. Twitter: @daveaitel Matt Blaze (@mattblaze) is a professor in the computer science department at the University of Pennsylvania. From 1992 until he joined Penn in 2004, he was a research scientist at AT&T Bell Laboratories. His research focuses on the architecture and design of secure systems based on cryptographic techniques, analysis of secure systems against practical attack models, and on finding new cryptographic primitives and techniques. In 1994, he discovered a serious flaw in the US Government's "Clipper" encryption system, which had been proposed as a mechanism for the public to encrypt their data in a way that would still allow access by law enforcement. He has testified before various committees of the US Congress and European Parliament several times, providing technical perspective on the problems surrounding law enforcement and intelligence access to communications traffic and computer data. He is especially interested in the use of encryption to protect insecure systems such as the Internet. Recently, he has applied cryptologic techniques to other areas, including the analysis of physical security systems; this work yielded a powerful and practical attack against virtually all commonly used master-keyed mechanical locks. Twitter: @mattblaze Nate Cardozo (@ncardozo) is a Staff Attorney with the Electronic Frontier Foundation. He focuses on the intersection of technology, privacy, and free expression. He has defended the rights of anonymous bloggers, sued the United States government for access to improperly classified documents, and lobbied Congress for sensible reform of American surveillance laws. In addition, he works on EFF's Coders’ Rights Project, counseling hackers, academics, and security professionals at all stages of their research. Additionally, Nate manages EFF’s Who Has Your Back? report, which evaluates service providers' protection of user data. Nate has projects involving automotive privacy, speech in schools, government transparency, hardware hacking rights, anonymous speech, public records litigation, and resisting the expansion of the surveillance state. Nate has a B.A. in Anthropology and Politics from the University of California, Santa Cruz and a J.D. from the University of California, Hastings where he has taught legal writing and moot court. Twitter: @ncardozo Jim Denaro (@CipherLaw; moderator) is the founder of CipherLaw, a Washington, D.C.-based intellectual property law firm and focuses his practice on legal and technical issues faced by innovators in information security. He is a frequent speaker and writer on the subject and works in a wide range of technologies, including cryptography, intrusion detection, botnet investigation, and incident response. Jim advises clients on legal issues of particular concern to the information security community, including active defense technologies, government-mandated access (backdoors), export control, exploit development and sales, bug bounty programs, and confidential vulnerability disclosure (Disclosure as a Service). He has a degree in computer engineering and has completed various professional and technical certifications in information security and is engaged in graduate studies in national security at Georgetown University. Before becoming an attorney, Jim spent obscene amounts of time looking at PPC assembly in MacsBug. Twitter: @CipherLaw Mara Tam (@marasawr) is a semi-feral researcher and historian of policy, justice, culture, and security. She has authored, co-authored, and contributed research for technical policy papers in the fields of international security and arms control. After earning a first class degree in art history, Mara’s work supported bilateral negotiations towards peaceful nuclear cooperation between the United States and India. She has been a participant, speaker, and panellist for academic conferences in cultural studies, languages, and history, as well as for strategic programmes like ‘The Intangibles of Security’ initiative convened by NATO and the European Science Foundation. She is currently a doctoral candidate and freelance thinkfluencer. Twitter: @marasawr Catherine “Randy” Wheeler has served as the Director of the Information Technology Controls Division in the Bureau of Industry and Security’s (BIS) Office of National Security and Technology Transfer Controls since June 2006. From July 2011 – July 2012, Ms. Wheeler was detailed to serve as the Acting Chair of the Operating Committee in the Office of the Assistant Secretary for Export Administration, the interagency body that resolves disagreements among reviewing agencies on export license applications. From 1995 through May 2006, Ms. Wheeler was an attorney with the Office of the Chief Counsel for Industry and Security, and served as Senior Counsel for Regulation from 2003 through 2005, advising BIS on regulatory and licensing issues. She previously served as a policy analyst with the Bureau of Export Administration’s Office of Foreign Availability from 1984-1991, and as a policy analyst with the National Telecommunications and Information Administration’s Office of International Affairs from 1981-1983. Ms. Wheeler received a B.A.in International Relations from Carleton College in 1979, an M.S. in Foreign Service from Georgetown University in 1981, and a J.D. from the Georgetown University Law Center in 1993.
Donate to Breast Cancer Research at http://securityweekly.com/300, Panel: End User Security Awareness: Hot or Not with Dave Aitel, Lance Spitzner, Javvad Malik, Dameon Welch-Abernathy (aka "Phoneboy"), SpaceRogue.
The summer of hack PHDays recap - Slides and video http://phdays.ru/press/news/8087/ - Photo http://phdays.ru/about/photos/ - CTF http://phdays.ru/ctf/ctf2012/ http://www.securitylab.ru/blog/personal/offtopic/23134.php 10 crazy IT security tricks that actually work http://www.infoworld.com/print/196864 Dave Aitel’s attack on Security Awareness - Original post on CSO: http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness?page=1 - Reaction 1: http://blogs.rjssoftware.com/rjssecurity/?p=206 - Reaction 2: http://daveshackleford.com/?p=827 - Reaction 3: https://jadedsecurity.net/2012/07/21/836/ UISGCon - www.8.uisgcon.org - http://uisgcon.blogspot.com