Saturday, December 23, 2017
Innocent until Covertly Proven Guilty
Tom Bossert made some interesting publicized comments on the Wannacry worm a few days ago. Some of the media questions were leading and predictable. There was the usual blame-the-NSA VEP nonsense which he pushed back on strongly and (imho) correctly. Likewise, there was the International Law crowd trying to claw back relevance.
Mostly what we learned from press conference is that Tom Bossert is smart and knows what he's talking about. Likewise, he realistically pointed out that DPRK has done pretty much everything wrong a State can do, and hence we've essentially emptied our policy toolbox over their heads already.
But, of course, he also made a comment on the MalwareTechBlog/Marcus Hutchin's case, essentially saying that we got lucky that he registered the Wannacry killswitch domain. Sam Varghese over at ITWire immediately wrote an article claiming I had egg on my face for my positing that MalwareTechBlog in fact had prior knowledge of Wannacry, and was not being honest about his efforts. In fact, I had bet @riotnymia some INFILTRATE tickets that this would go the other way. Looks like she should book a trip! :)
A more balanced approach was taken by TechBeacon taking into account Brian Kreb's article.
Marcus himself has been busy calling me stupid on the Internet, which I find amusing in so much as I've been around a lot of people in legal trouble over the years, from various members of the TJMaxx hacking incident, to a bunch I won't mention currently going through legal issues with computer hacking, to, even more oddly, a romantic relationship with someone whose family got accused of murder (and who also hooked up famed 4th Amendment lawyer Orin Kerr with his wife, fwiw, because the legal world is positively tiny).
Here's what I know about all people in those positions: They are essentially driven insane, like portraits shattered by a hammer. Orin, surprisingly, will argue against all evidence that we treat cyber criminals the same in the States as overseas. But we don't. We resolutely torture people and companies accused of hacking based on essentially tea-leaf reading from law enforcement (on one hand) or our intelligence organizations (in the case of nation state attribution).
Kaspersky, of course, is one of those. And it's interesting how the stories change from the news paper leaks (was involved in FSB op) to the standing statements on the podium from government officials across the world, which state only that Kaspersky presents "An unnecessary risk when placed in areas of high trust". What we've learned is that the UK and Lithuania have both also essentially banned Kaspersky.
In other words: We live in a world where nothing is as it seems, except when it is.