A record-setting insecurity week.
Our interview in episode 131 is with Matt Cutts and Lisa Wiswell from the Pentagon’s Defense Digital Service. Matt joined the Digital Service from Google, where he authored their SafeSearch content filter. Lisa is a bureaucracy hacker with the Defense Digital Service and previously spent years working on cyber-warfare in DOD’s policy shop and at DARPA. They both stress that the Service is looking for good code and policy hackers — and that their Digital Service recruiting link is https://www.usds.gov/join.
After a musical intro featuring the Beatles as reimagined by artificial intelligence, Michael Vatis explains why Microsoft’s new German datacenters may succeed in putting customer data beyond the reach of US agencies, and why Microsoft might not want to state its goal quite that way.
Jennifer Quinn-Barabanov explains how a new lawsuit on behalf of Gilbert Chagoury will test whether the US government will punish leakers and whether the EU succeeds in its effort to get the Privacy Act to cover European nationals.
Jen and I also tackle the record-breaking Yahoo! breach, and what it says about the actual impact of data breach risk on companies and investors. Jen reveals this shocking statistic: the median cost of a breach is $200,000 by some measures, hardly enough to get even the plaintiffs’ bar out of bed. And, it turns out, nearly half of corporate GCs have already lived through a breach, so they likely know their own exposure pretty well.
Speaking of records, Brian Krebs, a podcast alum, experienced his own unenviable record: victim of the world’s biggest DDoS attack, fueled by the Internet of Things. What next? Networked Fords launching a denial-of-service attack on GM dealers?
Sliding seamlessly into the interview, Matt Cutts and I dive into the latest OpenSSL bug, the reasons Google launched BoringSSL, and the ways in which being boring is also being secure. (As pretty much any overprotected ten-year-old boy could have told us.)
Matt and I debate whether SSL everywhere is just good, prudent security or the fruits of a Crypto Derangement Syndrome on the part of a Valley that hopes to secede from the United States (guess which side I took).
We take a long look at the Digital Service and what it has done so far. Lisa Wiswell brags on “Hacking the Pentagon,” which paid the first bug bounties ever offered by a US government agency. I congratulate her on avoiding the alternative ‒ filing a STFU lawsuit against the security researchers, unlike some I could mention (*cough* St. Jude *cough*). This leads to a colloquy on what it will take to fix IT procurement in the US government. We make a little progress, but find no silver bullets.