Ten Pounds of Cyberlaw in a Five-pound Sack

All the cyber litigation that didn’t get filed, or decided, over Thanksgiving finally hit the fan last week, and we’re still cleaning up. But first, I have to ask Dave Aitel for a sanity check on Log4Shell. Does it really deserve a 10 out of 10 for impact? And what does it mean for all the open source components buried in all our enterprise software? Dave’s only piece of good news is that some big projects were far enough behind in updates that they hadn’t built the flaw into their products. In the first of several cyber lawsuits covered in this episode, Jamil Jaffer and I praise Google for a particularly comprehensive and creative approach to suing cybercriminals. RICO plus a boatload of computer privacy violations are at the heart of Google’s complaint against two criminals behind the Glupteba botnet. We note that the defendants deserve credit for their own creativity in using the blockchain to reconstitute their C2 infrastructure. If more criminals did that, Microsoft’s trademark approach—using trademark violations to seize botnet infrastructure—would be less effective. We note that this week Microsoft used litigation to take down a Chinese government network. Is it wrong to complain that Microsoft has been using this approach for long enough that botnets are only inconvenienced, not destroyed, by the tactic? Maury Shenk digs into the remarkable report that Apple CEO Tim Cook promised $275 billion of investment to China. Five years ago. And we’re only finding out about it now. In secret. When Congress finally gets around to the cyber incident reporting bill that it bumped from the defense authorization act, maybe it will want to classify multibillion dollar deals with China as the kind of cyber incident that ought to be reported to anyone on the receiving end of corporate lobbying campaigns. The Tenth Circuit finished its Thanksgiving by releasing a massive opinion upholding the constitutionality of Section 702 of FISA. Jamil Jaffer, who played a key role in the adoption of Section 702 walks us through the decision. The decision was 2-1, but not on the main ruling. Instead, the debate was over Article III and the “advisory” nature of FISA court opinions reviewing executive procedures under that section. I confess to some sympathy for the dissent but wonder how it would help the defendant to strike down that procedure. Dave explains why Tor might not be as secure as we think. A mysterious and likely state sponsored actor is running hundreds of malicious Tor relays. And to add insult to injury, the actor is openly lobbying against measures to cut down on malicious Tor relays.  But wait, there’s more cyber litigation, and again Jamil talks us through it. A Saudi women's rights activist has brought a Computer Fraud and Abuse Act lawsuit against DarkMatter and its expat American employees for an iPhone hack that she says got her arrested. I’m a little skeptical that the lawsuit will survive a Foreign Sovereign Immunities Act motion. Maury and I question the wisdom of a recent Italian fine penalizing Amazon over a billion euros, mainly for preferencing sellers who sign up for Prime logistics support. Dave tells the sad story of Ilya Sachkov, a Russian cybersecurity whiz kid and CEO who may have believed too much that everyone sees cybersecurity as a white hat enterprise. Word is that he may have been too helpful in unraveling the DNC attackers identities in 2016 and is now paying for it with a Russian treason charge. Maury notes that the U.S. decision to blacklist the Chinese artificial intellgience company SenseTime was carefully timed to guarantee disruption of SenseTime’s IPO. Whether the U.S. action will be more than a delaying tactic remains to be seen, but Maury is skeptical.  Maury notes that Wikileaks founder Julian Assange has lost an important battle as he fights extradition to the U.S.. Jamil notes that the cyber incident reporting bill didn’t make it into the defense authorization act, as mentioned earlier. He is one of the few cybersecurity buffs who isn’t especially disappointed. Maury and I disagree about a much-ballyhooed group of companies claiming to combat artificial intelligence bias in hiring. I’ll believe it when they actually expose their recommendations to public scrutiny.   For those who think bias in content moderation is not a thing, try spending ten minutes with this right-wing French candidate’s very effective campaign ad. Then ask yourself why exactly YouTube thought it wasn’t fit for children. My guess is that it was the ad’s effectiveness that YouTube really disapproved of. Dave and I puzzle over the Biden administration’s unsatisfying “Initiative for Democratic Renewal”—a big international get-together that got only cursory attention in the U.S., perhaps because its theme is still a little hard to find. And, finally, just to give me an excuse to publicize my latest Cybertoonz comic, Jamil asks for Western militaries what it means to “impose a cost” on ransomware gangs. With that, the Cyberlaw Podcast bids farewell to 2021. We will return in January. Download the 387th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.