Back for a rematch, John Lynch and I return to the “hackback” debate in episode 97, with Jim Lewis of CSIS providing color commentary. John Lynch is the head of the Justice Department’s computer crime section. We find more common ground than might be expected but plenty of conflict as well. I suggest that Sheriff Arpaio in Arizona may soon be dressing hackers in pink while deputizing backhackers, while Jim Lewis focuses on the risk of adverse foreign government reactions. We also consider when it’s lawful to use “web beacons” and whether trusted security professionals should be given more leeway to take action outside their customers’ networks. In response to suggestions that those who break into hacker hop points might be sued by the third parties who nominally own those hop points, I suggest that those parties could face counterclaims for negligence. We close with a surprisingly undogmatic discussion of Justice Department “no-action letters” for computer security practitioners considering novel forms of active defense.
In the news roundup, Alan Cohn and I consider whether Twitter should worry about being sued for providing material support to ISIS. Answer: Yes, at least a little. Tim Cook, too, for that matter.
Meredith Rathbone leads us through the Wassenaar wilderness, providing glimpses of a promised land. And Maury Shenk brings good news for sane corporate security programs from the unlikeliest of sources – the European Court of Human Rights.
I question the FTC’s judgment in imposing a fine and a consent decree on a dental software firm that wrote its own crypto.
Maury reports incremental progress on cybersecurity in the only law-writing process that makes Congress’s adoption of the Cyber Security Act look expeditious.
And in quick succession, I note NSA’s newly disclosed procedures for implementing the USA FREEDOM Act, Yahoo’s cheap settlement of an email surveillance suit, and a teenaged social hack that compromised accounts associated with Director of National Intelligence James Clapper.