2 December 2012
Adrian Lamo on Hacker Cold War
Adrian Lamo sends:
I'm rewriting this, at least in part, after having Disqus lose it in whole.
It's part response and part furtherance to and of Andrew Alan "weev"
Auernheimer's Wired op-ed
It bears repeating, so I might as well get it out at least the one time.
His piece kind of conflates netcentric and codecentric security disclosures,
which are in no way equivalent in their risk or their objective morality.
Both exist as a kind of potential energy in cyberspace, but as any reader
of Neuromancer could tell you, one takes you into potentially dangerous
I'd always taken the sort of view that says security issues will be eventually
disclosed, so a public and effective disclosure is the best practice when
they come up. But as conflicts of interest in cyberspace become more frequent
and more muddled, he's right - disclosure may not always be the best policy.
I know, I'm as surprised as anyone that I found myself agreeing here, but
do hear me out. Software exploits are no longer clever bits of data that
could poke holes in data, but exist only to prove a concept (if, indeed,
they ever were). More or less anything that can possibly be weaponized online
is actively being weaponized, and it has been for some time.
We see the occasional end results a hack here, a disclosure theree,
a credit card fraud epidemic elsewhere. What is less public, and what infosec
news (if they're aware of it) doesn't report is the interests that tie these
things together. We all know about things like, say, China hacking Google,
or (unrelatedly) Mitt Romney's tax theft being hoaxed. These things do not
happen in a vacuum.
The reasons rarely come out because the actors, if ever identified, are rarely
identified by legal process when they are either sufficiently connected (not
unlikely past a certain point of criminal ambition) or because they are in
some way state actors (or both). No one credibly believes that, say, Ehud
Tenenbaum was on vacation in the decade between being praised for marathon
hackery of US military networks by Israeli then-prime minister Benjamin
Netanyahu, and being arrested again to face an unusually lenient sentence
of time served for million-dollar fraudulent indiscretions that became too
inconvenient to ignore.
Given these relationships, the security community may have taken a wrong
turn at the Zimmermann-era furor over PGP & encryption being "munitions".
Arms dealers enjoy a far more favorable and balanced relationship with their
clients than many hackers do with their own governments. Netcentric disclosure
is no longer worth it to many unless their target is politically, militarily,
or economically convenient to their governments (flashbacks of Saddam Hussein's
e-mail being hacked by a US national during the Second Gulf War) or sufficiently
exigent as to justify the risk. And codecentric disclosure is at its base
an acceptance of any use of that code which follows.
And yet hackers & security technicians are uniquely relied on for these
soft conflicts of the electronic sort, but lack the vested, rigid interests
and inertia of states. Agreement between various de facto combatant populations
online could be achieved via this demographic long before their various states
would ever come to the table. But as it stands now, these people are vastly
more likely to be a tool of policy, not influencers of it. And they are likely
to be penalized if they challenge the convention that governments hold a
monopoly on legitimate use of force in cyberspace.
I've may have wandered a long way from what Andrew set out to say, but if
I have, it's only further down the same path. Recognizing what goes on,
especially with respect to how the Internet is being used and influenced,
is both a form of personal responsibility for any citizen and a way to give
them a stake in the interests previously excluded to them. Bluntly put, we
are contributing to a hacker cold war. We are contributing to the use of
force in cyberspace, but largely without a vote. Perhaps we should have written
a Geneva convention for the Internet before we optimistically declared its
independence. I hope dialogue between peoples will prove that doubt unfounded