Infocalypse now: P0wning is not enough

Walter van Holst
10 min read · Dec 31, 2014


(It is all about ethics in hacker communities)

This is the text of a speech I wrote to deliver at 31C3, but sheer stage fright and insufficient preparation caused me to actually deliver this. (A reasonably accurate summary in German can be found here.)

Chaos Congress has so far been as great as ever, both in quality and in quantity. For the 31st time several large security issues have been made public. The Snowden revelations are still ongoing, despite useful idiots writing columns at Tageszeitung that it is time to move on beyond Snowden.

In fact, it is bigger than ever with over 11000 tickets sold. At least according to Die Welt and we know that Die Welt is never wrong. That in itself might be an indication that IT-security and the intersection of technology and society finally are getting the attention they deserve, right? It may be the case on the latter, but I rather doubt the former is the case.

This event in itself is an illustration of an underlying problem: the IT-industry historically has not built security into its products and services, it just has not managed to prevent us from testing it in. We are heading for a future in which this becomes a life-threatening problem. By life-threatening I do not only mean at an individual level, but also at a collective level. Basically, an infocalypse. Roughly three decades of the hacker scene proving over and over that systems are extremely brittle have not brought about any structural changes to prevent this from happening. I do not feel qualified to say how this can otherwise be prevented from happening. I do feel qualified however to make a few observations about a few failure modes of our various hacker communities gathered at this fine event. And by failure modes I mean blind spots that have made us less effective than we could otherwise have been. Not failure modes in the sense that we are to blame for the current mess, but failure modes in the sense that we do not live up to the six tenets of hacker ethics:

  1. Access to computers — and anything which might teach you something about the way the world works — should be unlimited and total. Always yield to the Hands-On imperative!
  2. All information should be free.
  3. Mistrust authority — promote decentralization.
  4. Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position.
  5. You can create art and beauty on a computer.
  6. Computers can change your life for the better.

These have been formulated by Steven Levy, back in 1984. Also:

“Be excellent to each other”

The failure modes are:

  1. Political indifference
  2. Ideological purity
  3. Focus on breaking things instead of making them resilient
  4. Inability to communicate the fundamentals
  5. Tribalism
  6. Underappreciation of usability and beauty in design
  7. Rockstar culture

Rockstar culture is the rug that ties this room largely together, but I’ll leave that for last.

Political indifference

First of all: Political indifference. You wouldn’t tell it from the programme of this event, but there are quite a few people in our communities who feel we could do with fewer social and political issues and more focus on technology. My first response is: coding by itself is a political act. Writing and publishing software, especially, challenges notions of property, imaginary or intellectual, whichever you prefer. Also, deploying fully centralised infrastructures that allow for surveillance and central control is in itself aiding and abetting the surveillance state.

Even if you are not convinced by that, politics will come after you anyway. Belgacom was hacked through spearphishing attacks on its system administrators. Almost anyone in this room with a job that touches sensitive systems is probably worthy of somewhat targeted surveillance and attacks. Not to mention that anyone who is in serious security research runs a risk of being considered a political subversive. That is not to deter anyone from doing security research, just that you should be aware that “just doing technical stuff” means that you already are politically active. Your mere presence in this room indicates unease with the current status quo.

Your own feelings about your political activity bear little relevance when the state decides you are a subversive. And states across Europe are increasingly lurching towards authoritarianism. You might as well get used to the idea that regardless of whether you have tuned out of the political debate, the political debate will affect you.

And if you feel that our current democracy and rule of law are sufficiently rotten not to engage with it in other ways than through technology, by all means do carry on. Do realise however that your choices affect real people’s lives in ways neither they nor you can foresee. If code is law, then tinkering with code is as political as tinkering with law.

Ideological purity

Then there is ideological purity. Sometimes as bad as political indifference, although usually less bad. Because results trump ideological purity. Does it suck to have to rely on the US government for money to create an infrastructure for anonymous internet use? It probably does. Does that mean that Tor is tainted? Unless you audit their code, you cannot say so in advance. The question is not necessarily who is funding whom, but who is funding whom to do what.

All of this doesn’t mean that there are no serious questions about to what extent it is ethical to engage with state actors. That conversation is unfinished and we may not be able to finish it anytime soon. With emphasis on the term conversation, meaning a two-way street. Not shouting others down for licking the jack-boots of the state, but accepting that even with a global internet there are still geographical differences in the history of state misbehaviour. That means it is counterproductive to look at the rest of the world through the prism of the USA or that of Germany under the Stasi. It also means that the rest of the world could do worse than being perceptive to the hard-learnt lessons of Germany and the current police state that is the USA. A cynical person could say that Putin’s Russia is something the West seems to see as a role model, but has not equalled yet. And no, I do not want to live in a totalitarian kleptocracy.

Likewise, it runs counter to any ethos of being excellent to each other when you try to prevent a person from giving a talk because he or she has the wrong friends. Judging others by unsavory friends is declaring one guilty by association. Another part is that there sometimes appears to be a dick-waving contest about who is more radical. Mind you, being radical is good. If only because it allows the moderates to take positions they otherwise wouldn’t dare to take. Without radicals there will not be results. Only having radicals and having alienated the moderates, both on substance and tactics, gets us nothing.

On tactics it should be mentioned that the victory on data retention was achieved through strategic litigation. Roughly the most bourgeois tactic for activism you can think of. ACTA was defeated by concerted lobbying and Polish football fans protesting in the streets. We can raise the cost of mass-surveillance by encrypting all the things, but we cannot rein in the military-industrial-surveillance complex without the full spectrum of action. We may still not even get there without corporate interests aligning with our interests in this battle.

We all could do with a little less shouting and drama about not toeing the party line, and more focus on the values we share and on bringing about the new dawn that we want.

Breaking things

It is always easier to see the flaws in other people’s work than those in your own. Defense has always been harder than offense. The net result is that we are celebrating for the 31st time the failures of others to secure protocols and systems. And rightfully so. At the same time, the very definition of insanity is doing the same things over and over and expecting different outcomes. If the purpose of providing proof to the world that most IT-systems are shoddily designed and even more shoddily built is to shame the IT-industry into adopting better practices, then that approach is not really a success.

What is underappreciated is the development and evangelisation of better development methodologies. Stuff like LangSec. Seriously, if there’s anything worth looking into, it is LangSec. Meredith Patterson, Sergey Bratus and the late Len Sassaman have done amazing work to bring formal verification of software into the reach of mere mortals. Things like that deserve more time in the limelight than they get. And so do similar methodological frameworks for other aspects of systems engineering.

The mere fact that the Tor project relies on funding from the greatest danger democracy has recently faced, the US government, speaks volumes in itself.

Communicating the fundamentals

“The current laws protect our ‘infallible’ systems against anomalous people”

(Amelia Andersdotter)

Right now we are in a situation in which teenagers in secondary education get computer science in school. And by computer science I mean they get to learn the ropes of Microsoft Office 2013. This more or less reflects the general understanding of computer systems in society: magical devices for which you have to learn certain magic incantations, but of which you certainly cannot be expected to have a mental model of how they work. About half a century after Alan Turing’s death we haven’t managed to find an idiom to evoke what general purpose computing means for mortals.

Likewise for notions of privacy and sharing culture. The closest to that is Jérémie Zimmermann with his lovely concepts of datalove and privacy as intimacy.

The result of this is legislative definitions of intrusion software in the Wassenaar Arrangement on export controls as:

“The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.”

This is not malicious. This is incompetence, well-meant, but disastrous. By this definition any browser that supports Javascript is intrusion software. Which gets me to tribalism.

Tribalism

We’re here with about 12000 people, mostly from Germany, the Benelux, Scandinavia, Poland and other parts of Europe. When you look at the gender ratio, we may finally have reached parity with the IT-industry. Congratulations, despite our intent not to rely on bogus credentials, somehow there are barriers to the scene for women. This is an undeniable fact.

We’re a tribe of mostly white, upper-middle class, university educated, Mate-sipping males with a surplus of facial hair.

Moreover, looking at the demographics of the Benelux countries and Germany, there should be at least a few hundred people of Turkish or Moroccan descent at this event. Plus a fair amount of people of colour. The problem is that this is not even perceived as a problem.

My question is fairly simple: how can you pretend to live up to an ethic that prides itself on substantive criteria for accepting people when the net result is an ethnically homogeneous group? I think this is related to another problem, that of usability and beauty.

Usability and beauty

“foo@xmpp.tld sent you a message that was intended for another session. If you are logged in multiple times another session may have received this message.” (typical OTR error message in Jitsi, an XMPP IM-client)

Security and usability are often presented as mutually exclusive. Just like too many politicians think that wanting security means that we have to sacrifice liberty. Both are flat-out lies. If you can’t have security without usability, you won’t have security. This is for the simple reason that we all are part of social networks, by which I don’t mean Facebook and other Silicon Valley stalkers, but networks of human beings. The problem starts when we start using IT for maintaining our social network. Because then we soon start to gravitate to the level of security hassle the biggest part of the network is willing to put up with. Which amounts to zero. By extension, if you believe that security precludes usability, then you also believe we have roughly three options. The baseline paranoia of the general population gets high enough that it becomes sufficiently interested in computer technology that atrocities such as PGP and OTR become acceptable to it. Or, slightly less unlikely, we collectively opt out of digital technology. Finally, we just stop being social creatures.

The alternative is to start thinking of usability as a security requirement. Yes, that is hard. It is even harder because it requires a much broader skillset than being a good coder, as if that already is not hard enough. It also means that whatever you are building, you must broaden the goals for doing so. This runs counter to the notion of building free software in order to scratch an itch. Often a technical itch, unresolved by proprietary solutions. Which is one of the reasons why free software is slowly taking over technical infrastructure. Free software is made by and for people that want to know their tools. Intimately. Usability requires a mindset in which you want your tools to be as invisible as possible. If we want our communications tools to become as discreet as an ideal butler, they must become as accessible and invisible as an ideal butler.

But that is hard. Very hard. And it requires cooperation across people with various skillsets. If only because if you have written the code, you no longer can look at its usability objectively. So you have to play nice with others.

Rockstar culture

Like I said before, rockstar culture is the rug that sort of ties the room together. We do need heroes and there can’t be quite enough heroes like Chelsea Manning, John Kiriakou and Edward Snowden, to name a few. However, we can do with fewer rockstars. Because frankly, rockstars tend to be assholes who treat their groupies in a shitty way and tend to leave a mess behind. Because they are no longer held to a standard of being excellent to each other. Having rockstars around is in itself a symptom that some people get away with not being excellent to others, but being prima donnas.

Equally bad, having rockstars around puts an incentive on not collaborating. On not sharing knowledge. On having sharp elbows. On being competitive by all means. Like accusing others of being ideologically impure. It puts a premium on offense over defense. On having hidden codes that put outsiders off. Outsiders that would love to be in an environment in which they are not being judged for not sporting a penis or for having a coloured skin.

We can and must keep on p0wning all the things. Decentralising all the things. Encrypting all the things. We must do so without being an elite with secret codes and magic knowledge. By sharing and being receptive to non-geeks. Otherwise we will get a dark age instead of a new dawn.

Acknowledgements/credits

Amelia Andersdotter / Jacob Appelbaum / Maria Claudia de Azevedo Borges / David Bovill / Sergey Bratus / Nick Farr / Smári McCarthy / Quinn Norton / Meredith Patterson / Eleanora Saitta / Ksenya / Jérémie Zimmermann


Walter van Holst

By day I practice law in ICT. Otherwise I moonlight as a civil liberties activist (but mostly in a digital context) and as an opinionated loudmouth.