Steptoe Cyberlaw Podcast, Episode #18: An Interview with Brian Krebs

This week’s podcast features Brian Krebs, the noted security researcher behind Krebs on Security.  Brian comments on the week’s news before giving us an interview on the latest in Russian cybercrime.  We talk about why Microsoft is still patching XP – and why that probably gives its lawyers heartburn.  Brian unpacks Covert Redirection, the latest hyped security flaw to get its own logo. And his recent story about Russian cyber fraud leads us to ask why DHS, with all its focus on cybersecurity, can’t stop the visa fraud that sends hundreds of “witting” money mules to the United States for seasonal jobs with fake companies. Brian talks about getting access to the Russian cyberfraud sites that have helped him break a host of security stories.  We discuss the Oceans-11-like structure of “organized cybercrime” as well as its ties to the Russian government.  And we learn how to turn the TTY system that helps the deaf make phone calls into a life-threatening SWAT team visit. I give the “Dumbest NSA Story of the Month” award to Ryan Gallagher of The Intercept for trying to squeeze news from an internal NSA briefing memo surmising that GCHQ probably hoped to expand its access to PRISM data. Gallagher offers up no scandal and no news value but adds a surfeit of snark (the Brits are portrayed as “begging” – Gallagher’s words not NSA’s – for access), plus a few vend-o-quotes from people who’d be glad to express shock and dismay if NSA or GCHQ were revealed to be sponsoring a Boy Scout troop. Microsoft loses a big case before a magistrate in SDNY, who rules that the government can enforce warrants requiring Microsoft to produce data stored abroad.  We canvass the impact of the decision, which is likely to add to transatlantic tensions over law enforcement and privacy. The Supreme Court hears oral argument over cell phone searches incident to arrest.  What’s the prognosis?  As with many April arguments: confusion and multiple opinions.  But the current rule, allowing searches of anything a suspect is carrying when he’s arrested, looks pretty shaky. The White House has released a couple of reports on Big Data—one from the PCAST and one from John Podesta’s group–along with several recommendations.  The PCAST report is fairly good; the recommendations are mostly recycled talking points, though the point about regulating misuse of big data rather than collection or analysis could have value; unfortunately there’s little likelihood that the administration will put it into practice.  For evidence, we note that the second report, from John Podesta’s group, recommends, among other things, amending ECPA to require a search warrant to obtain any stored content—something the Attorney General has already mostly agreed with; that recommendation is hard to square with the PCAST recommendation that government focus more on improper use of data and less on imposing barriers to collection. The White House also released guidance on when NSA will exploit cybersecurity flaws and when it will try to fix them.  They get a generally favorable reception from our panel. GCHQ’s own independent monitor has released a long and favorable report.  We hold a perfunctory wake for the German-US “no spy” talks, put to death by German politics. And data breaches claim their first CEO, as Target makes room at the top.  Brian and the rest of us speculate about what this means for cybersecurity.