I’m a current events junkie. I’ll admit it. And I work with law firms. Thus, my favorite podcast? “Stay Tuned with Preet.” Yes, this is Preet Bharara, the former U.S. Attorney for the Southern District of New York. Check out an episode. Preet takes a few questions about the law at the beginning of each episode. Then he has a guest. Preet is not only smart, but surprisingly personable. It’s a fast-moving hour.
A recent guest was John P. Carlin, former Assistant Attorney General for the National Security Division at the Department of Justice and Chief of Staff to Robert Mueller at the FBI. He is currently a partner with Morrison & Foerster. Carlin is an international cybersecurity expert.
One of the things which caught my attention in this episode was Carlin’s story of the US subsidiary of a German company whose data was stolen by hackers in the Chinese military. The company, SolarWorld, in Hillsboro, Oregon, made solar energy components.
How was the data stolen? Email. Carlin said, “Email. It is the least protected part of the system, usually. Not like Intellectual Property which is encrypted or where special measures are taken to protect it. They stole email traffic.”
In the investigations of Paul Manafort and Michael Cohen, the FBI has retrieved messages from Signal, Telegram and WhatsApp. While there are weaknesses inherent in all of these apps, the question remains: What does a good data protection scheme look like?
A few days ago, the FBI revealed that Michael Cohen’s messages sent with Signal and WhatsApp
are now available as evidence in the on-going investigation into his
various dealings. While thousands of emails and documents have already
been recovered from Cohen’s devices, home, hotel room, and office, the
recovery of data from messaging apps that promise end-to-end encryption
is surprising. One would presume that end-to-end message encryption
should ensure that those messages are unrecoverable without assistance
from Mr. Cohen. However, clearly that is not the case.
Meltdown and Spectre reveal that perfect information protection comes at an increasingly steep cost.
In the field of data security, 2018 began with a jolt. The revelation
of the Meltdown and Spectre security vulnerabilities has taught us that
in 2018 (and beyond), nothing is sacred.
Speculative execution, the architectural concept that is exploited in the Spectre vulnerability, has been in use by mainframe processors since the mid-1970s. It is taught in Computer Architecture 101 in universities around the world. And yet, it turns out that the security implications were never fully understood until about seven months ago.
Out-of-order execution, the culprit in the Meltdown
vulnerability, is also a ubiquitous concept, although Meltdown is easily
avoided with a better implementation of the concept.