The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
The former lingerie salesman who has Putin's knickers in a twist
Interviewing the founder of Bellingcat in episode 353 of the Cyberlaw Podcast
This week we interview Eliot Higgins, founder and executive director of the online investigative collective Bellingcat and author of We Are Bellingcat.
Bellingcat has produced remarkable investigative scoops on everything from Saddam's use of chemical weapons to exposing the Russian FSB operatives who killed Sergei Skripal with Novichok, and, most impressive, calling a member of the FSB team that tried to kill Navalny and getting him to confess. Eliot talks about the origins of the effort (as a part-time break from his job at a lingerie company), the techniques that make Bellingcat so effective, and the hazards, physical and moral, that surround crowdsourced investigations.
In the news, Dave Aitel gives us the latest on the Chinese Exchange server attacks, and the reckless hack-everyone spree that was apparently triggered by Microsoft's patch of the vulnerability.
Jamil Jaffer introduces us to the vulnerability of the week – dependency confusion, and the startling speed with which it is being exploited.
I ask Nate Jones and the rest of the panel what all this means for government policy. No one thinks that the Biden administration's published cyberstrategy tells us anything useful. More interesting are two deep dives on cyber strategy from people with a long history in the field. We see Jim Lewis's talk on the topic as a sign of his evolution in the direction of much harsher responses to Russian and Chinese intrusions. Dmitri Alperovitch's approach also has a hard edge, although he points out that the utter irresponsibility of the Chinese pwn-em-all tactic deserves an especially harsh response. I ask why Cyber Command didn't respond by releasing a worm that would install poorly secured shells on every Exchange server in China.
In other news, I blame poor (or rushed) DOD lawyering for the district court ruling that DOD couldn't list Xiaomi as an entity aligned with the Chinese military. Jamil is more charitable both to DOD and the judge who made the ruling, but he expects (or maybe just hopes) that the court of appeals will show DOD more deference.
Twitter, on the other hand, is praying that the Northern District of California suffers from full-blown Red State Derangement, as it asks the court there to enjoin the Texas Attorney General's investigation into possible anticompetitive coordination in the Great Deplatforming of January 2021. Nate gives us the basics on the lawsuit. I observe that, to bring such a Hail Mary of a case, Twitter must deeply fear what its own employees were saying about the deplatforming at the time. Neither Nate nor I give Twitter a high probability of success. And even if this case does succeed, red states are lining up a host of new laws and regulatory initiatives for Silicon Valley, most notably Gov. DeSantis's controversial effort to navigate Section 230 and the First Amendment.
Nate also provides a remarkably clear explanation of the sordid tale of European intelligence and law enforcement agencies trying to cut a special deal for themselves in the face of surveillance-hostile rulings from the EU's Court of Justice. The agencies are right to want to avoid those foolish decisions, but leaving the US on the hook will only inflame trans-Atlantic relations.
In quick hits, Jamil and Dave talk about Israel's Unit 8200, which offers a better cybersecurity VC alumni network than Stanford. Playing to type, I close with This Week in Sex Toy Security and immediately display my naivete: Wearables, who knew? But the security lapses in what Dave calls the internet of junk at least offer us a new, more explicit interpretation of a man-in-the-middle attack.
And more!
Download the 353rd Episode (mp3)
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
I don't quite get the opposition to Putin. Hasn't he been Russia's sexiest man alive for about 20 years? Of course it's a shame what happened to all the other contestants.
"I don’t quite get the opposition to Putin."
If you can overlook the putting bounties on American military personnel in Afghanistan, there's still the support for the regime in Syria and the poisoning of people in Britain...
James,
I'm pretty sure Kaz had his tongue firmly in his cheek. (God; I hope so, at least.) 🙂
No kidding? But I was SO serious!
I love the CyberLaw podcast, but the sex toy discussion came off a bit creepy, with Baker too enthusiastic to discuss, and his guests seeming (understandably) a bit uncomfortable, or at least ready to move on. As one of the guests remarked, you can discuss the same cyber security issues by discussing medical devices in general, without having to go on about sex toys. Please count me as one loyal listener who would prefer that approach. Thanks.
Discussing sex toys is uncomfortable for people who don't like the fact that other people might sometimes have sex.
Sorry Stewart but I'm happy to report that the FSB failed to kill either Skripal. Both Sergei and his daughter are alive.