2 December 2012

Adrian Lamo on Hacker Cold War

Adrian Lamo sends:

I'm rewriting this, at least in part, after having Disqus lose it in whole. It's part response and part furtherance to and of Andrew Alan "weev" Auernheimer's Wired op-ed

http://www.wired.com/opinion/2012/11/hacking-choice-and-disclosure/

It bears repeating, so I might as well get it out at least the one time.

His piece kind of conflates netcentric and codecentric security disclosures, which are in no way equivalent in their risk or their objective morality. Both exist as a kind of potential energy in cyberspace, but as any reader of Neuromancer could tell you, one takes you into potentially dangerous territory.

I'd always taken the sort of view that says security issues will be eventually disclosed, so a public and effective disclosure is the best practice when they come up. But as conflicts of interest in cyberspace become more frequent and more muddled, he's right - disclosure may not always be the best policy.

I know, I'm as surprised as anyone that I found myself agreeing here, but do hear me out. Software exploits are no longer clever bits of data that could poke holes in data, but exist only to prove a concept (if, indeed, they ever were). More or less anything that can possibly be weaponized online is actively being weaponized, and it has been for some time.

We see the occasional end results ­ a hack here, a disclosure theree, a credit card fraud epidemic elsewhere. What is less public, and what infosec news (if they're aware of it) doesn't report is the interests that tie these things together. We all know about things like, say, China hacking Google, or (unrelatedly) Mitt Romney's tax theft being hoaxed. These things do not happen in a vacuum.

The reasons rarely come out because the actors, if ever identified, are rarely identified by legal process when they are either sufficiently connected (not unlikely past a certain point of criminal ambition) or because they are in some way state actors (or both). No one credibly believes that, say, Ehud Tenenbaum was on vacation in the decade between being praised for marathon hackery of US military networks by Israeli then-prime minister Benjamin Netanyahu, and being arrested again to face an unusually lenient sentence of time served for million-dollar fraudulent indiscretions that became too inconvenient to ignore.

Given these relationships, the security community may have taken a wrong turn at the Zimmermann-era furor over PGP & encryption being "munitions". Arms dealers enjoy a far more favorable and balanced relationship with their clients than many hackers do with their own governments. Netcentric disclosure is no longer worth it to many unless their target is politically, militarily, or economically convenient to their governments (flashbacks of Saddam Hussein's e-mail being hacked by a US national during the Second Gulf War) or sufficiently exigent as to justify the risk. And codecentric disclosure is at its base an acceptance of any use of that code which follows.

And yet hackers & security technicians are uniquely relied on for these soft conflicts of the electronic sort, but lack the vested, rigid interests and inertia of states. Agreement between various de facto combatant populations online could be achieved via this demographic long before their various states would ever come to the table. But as it stands now, these people are vastly more likely to be a tool of policy, not influencers of it. And they are likely to be penalized if they challenge the convention that governments hold a monopoly on legitimate use of force in cyberspace.

I've may have wandered a long way from what Andrew set out to say, but if I have, it's only further down the same path. Recognizing what goes on, especially with respect to how the Internet is being used and influenced, is both a form of personal responsibility for any citizen and a way to give them a stake in the interests previously excluded to them. Bluntly put, we are contributing to a hacker cold war. We are contributing to the use of force in cyberspace, but largely without a vote. Perhaps we should have written a Geneva convention for the Internet before we optimistically declared its independence. I hope dialogue between peoples will prove that doubt unfounded