Hackers for Hire

Episode 320 of the Cyberlaw Podcast

The Volokh Conspiracy

Our interview this week is with Chris Bing, a cybersecurity reporter with Reuters, and John Scott-Railton, Senior Researcher at Citizen Lab and PhD student at UCLA. John coauthored Citizen Lab's report last week on BellTroX and Indian hackers for hire, and Chris reported for Reuters on the same organization's activities – and criminal exposure – in the United States.

The most remarkable aspect of the story is how thoroughly normalized the hacking of legal and lobbying opponents seems to have become, at least in parts of the US legal and investigative ecosystem. I suggest that instead of a long extradition battle, the US should give the head of BellTroX a ticket to the US and a guaranteed income for the next few years as a witness against his customers.

In the news roundup, Nick Weaver tells the remarkable story of how Facebook funded an exploit aimed at taking down a particularly vile online abuser of young girls, one who was rendered nearly invulnerable by his use of Tails, the privacy-focused live operating system that boots from a thumb drive and routes traffic over Tor (Vice, Gizmodo). This is a great story because it really doesn't conform to any of the stilted narratives into which most internet security stories are usually jammed.

Nick also notes Big Tech's pledge to do more to stop child abuse online. I suggest that only Dr. Evil would be impressed by the amounts of money being invested in the campaign.

Well, another week, another Zoom bomb. Now the company is taking heat because it terminated several Tiananmen Square commemorative Zoom sessions after China complained (NYT, Zoom). David Kris and I don't think Zoom had much choice about cutting off the Chinese customers. Terminating the US account holder who organized a session, however, was a bad move – and one that's since been corrected by the company.

Nate Jones and I square off again for Round 545 on content moderation, spurred this time by reports that Sen. Josh Hawley is drafting legislation inspired by the Trump Administration's Section 230 Executive Order. Meanwhile, several Republican senators are pushing the FCC to act on the order. Nate and I find rare bipartisan common ground on the proposal that Congress require social media companies to take down foreign government online propaganda – and maybe work with the US government to stop it at the source.

David reports on a (deservedly) obscure EU cloud independence project. It seems to have been embraced by Microsoft, which I accuse of going full AT&T – embracing government regulation as a competitive differentiator. As if to prove my point, Microsoft announces that it's getting out of the business of doing facial recognition for the police – until it can persuade Congress to regulate its competitors.

Why are spies targeting vaccine research? Nate has the answer; he draws on the excellent Risky Biz newsletter analysis of what drives COVID-19 cyberespionage.

Nick flags the potential significance of ARM wrestling, as the UK chip designer ARM fights its JV partner for control of its Chinese joint venture. In a story that made the cut because of Twitter and LinkedIn feedback, Nick assigns a "moderate" threat label to the latest Universal Plug n Pwn exploit. (It's only moderate because there are already so many pwned IoT devices in a position to DDoS targets of opportunity.)

In quick hits, I note that Israel has halted its controversial use of intelligence capabilities to monitor the spread of the coronavirus, but the government reserves the right to revive monitoring if a second wave shows up (JPost, Yahoo). Poor Brewster Kahle is looking like an internet hippie who fell asleep at Woodstock and woke up at Altamont. The Internet Archive is ending its program of offering free, unrestricted copies of e-books, but the publishers who sued over that program may decide to keep suing until they've broken his entire "digital library" model, and maybe the Internet Archive as well (NYT, Ars Technica). That would be a shame. Finally, even if you have a thousand talents, honesty may not be one of them. Charles Lieber, the Harvard University professor arrested for lying about his lucrative contracts under China's Thousand Talents program, has now been indicted on false statement charges.

Download the 320th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.