We give you Weaver

Episode 250 of the Cyberlaw Podcast

|The Volokh Conspiracy |

If you get SMS messages on your phone and think you have two-factor authentication, you're kidding yourself. That's the message Nick Weaver and David Kris extract from two stories we cover in this week's episode of The Cyberlaw Podcast – DOJ's indictment of a couple of kids whose hacker chops are modest but whose social engineering skillz are remarkable. They used those skills to bribe or bamboozle phone companies into changing the phone numbers of their victims, allowing them to intercept all the two-factor authentication they needed to steal boatloads of cryptocurrency. For those with better hacking chops than social skills, there's always exploitation of SS7 vulnerabilities, which allow interception of text messages without all the muss and fuss of changing SIM cards.

Okay, it ain't "When Harry Met Sally," but for a degraded age, "When Bezos Exposed Pecker" will have to do. David keeps us focused on the legal questions: Was the Enquirer letter really extortion? Would publication of the pics be actionable? And is there any way the Enquirer could get those text messages without someone committing a crime? Plus, of course, whether the best way to woo your new girlfriend is to send her brother to jail.

Social media – privacy law threat or competition law menace? That's the question European (naturally) regulators are weighing. But Matthew Heiman and I have a pretty good idea what their answer will be: Both! We look at the Twitter-mobbing of Facebook by regulators and ask whether the competition charges make more sense than the privacy claims.

Looks like the net effect of the Obama-Xi agreement on not stealing commercial secrets is that a better class of Chinese officials is stealing our commercial secrets. President Xi kicked the PLA to the curb and brought in the professionals from China's Ministry of State Security. So now Chinese tradecraft is a little better, and DOJ is indicting MSS officials instead of PLA soldiers. David sums up.

NERC is proposing a $10 million fine for cybersecurity violations on a utility reported to be Duke Energy. Matthew and I are shocked. Not by the fine, which was negotiated, or by the violations, many of them self-reported, but by the cheese-paring, penny-ante nature of so-called cybersecurity enforcement at NERC and FERC. All this Sturm und Drang to make sure utilities use six-character passwords? When security guys complain about compliance trumping security, these NERC rules will be Exhibit A.

Finally, add another chapter to the Annals of Failed Civil Liberties Campaigns, as EFF and likeminded reporters try to get us outraged about the FBI using court orders to identify a North Korean botnet. Nick points out that academics have been conducting research that is more intrusive for years without unduly disturbing even conservative university lawyers.

Well, maybe one more item: I close by thanking HoyaSaxaSD for a podcast review that honors our own inimitable Nick Weaver:

"I got a fever, and the only cure is more Weaver. Love the show. I'm a lawyer but not in tech or security law, but it's still fascinating. My teenage sons also like most episodes, especially the Nick Weaver segments. And I concur. There needs to be Weaver in every episode, and more of him. In fact, an hour of Weaver and Baker debating/discussing would be the perfect show."

In return, I am moved to channel Peggy Lee. And if more good reviews don't pour in, I may make that performance a weekly feature. David Kris, I'm sure, would consider that extortion, on the ground that no one has a right to butcher Peggy Lee's oeuvre like that.

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here: https://www.thirdway.org/letter/2019-cyber-symposium-call-for-papers

Download the 250th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

NEXT: What's Wrong with Telling Women Not to Drink?

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Plus, of course, whether the best way to woo your new girlfriend is to send her brother to jail.

    If that brother stole photographs of his naked sister and her boyfriend, then circulated those images as political weapons or for cash, the sibling bond might be strained.

    (Most of this remains to be revealed — which should be fine entertainment for months, because of the intrigue and the rare confluence of resources and motivation on the Bezos side — but if the brother were demonstrated to have been involved in this mess it is difficult to figure how his conduct could please the sister or motivate her to protect him from consequences of a striking, creepy betrayal. How many people would think of, let alone engage in, trafficking in purloined pictures of a sister’s “nether region?”)

    1. Well, isn’t the theory that Ma Kardashian was instrumental in getting her daughter’s sex tape with Ray J (sp?) out there, or at least parlaying the publicity into the billion-dollar Kardashian-Jenner industry of being famous for being famous? This could be wrong, but I recall hearing something along those lines years ago.

      But if it’s not inconceivable that a mom could do it (as terrible that is to ponder), it’s not beyond belief that a sister-brother could team up for such a publicity move. (Though if you’re dating the richest man in the world, it wouldn’t seem advantageous to rock the boat, unless you knew he was about to kick you to the curb.)

  2. If you get SMS messages on your phone and think you have two-factor authentication, you’re kidding yourself.

    It meets the very definition of two-factor authentication. And while one can take means to either intercept or social engineer your way into getting the code – its still better than nothing. That Stewart Baker appears to be advocating for not turning it on at all directly puts people at risk.

    Which isn’t a surprise considering how little he knows about actual infosec.

Please to post comments

Comments are closed.