Our guest for Episode 70 of the Cyberlaw Podcast is Dan Kaminsky, a famous cybersecurity researcher who found and helped fix a DNS security flaw. Dan is now the Chief Scientist at WhiteOps, but I got to know him in an unlikely-bedfellows campaign against SOPA because of its impact on DNS security. Dan and I spend most of the podcast disagreeing, largely about trust, Snowden, and security, but we do explore in detail the fact that, contrary to the Received Canon of Silicon Valley, end-to-end encryption is broken to improve security thousands if not millions of times a day by responsible corporate CISOs. Dan also describes WhiteOps’s promising new take on identifying hackers and clickfraud on the internet.
In the news roundup, we bring back This Week in NSA for old times’ sake, highlighting the enactment of the USA FREEDOM Act and exploring its likely impact. We mock Charlie Savage for his overwrought New York Times article claiming that NSA’s cybersecurity monitoring is a privacy issue. (We apologize to Julia Angwin, Jeff Larson, and Henrik Moltke, who shared Charlie’s byline; we’ll mock you next time, I promise.) NSA is apparently inspecting traffic from foreign sources for malware and other signatures and may also be spotting exfiltrated data as it leaves victims’ networks. Charlie and his coauthors call this “warrantless surveillance of Americans’ international Internet traffic.” Note to the New York Times: a hacker sending me malware and stealing my files is a lot of things, but in the real world no one would call that my “international Internet traffic.”
Jason covers the broken settlement between MasterCard and Target arising from Target’s notorious Christmas 2013 breach. And the Office of Personnel Management comes in for some well-earned criticism, not least for its lame offer of credit monitoring to the 4 million victims of what may be Chinese hacking. If it is the Chinese government, the one thing we probably don’t have to worry about is credit fraud, and given the flood of Chinese thefts of American personal data, the government needs to be giving victims better guidance about what to watch for.
Speaking of government failings, we talk about the supine US response to Putin’s trolls, even though they’re clearly testing tools to create panic and sow disinformation in the wake of a crisis in the United States. Even when they do it inside the United States, it appears that our only strategy is hope.
Michael talks about the Supreme Court ruling that will make the internet safe for violent revenge fantasies. And Jason explains the difference between the FBI’s encryption “Going Dark” campaign and the FBI’s CALEA “Going Dark” campaign: They’re both DOA, but buried in different parts of the US Code.