Black Hat, DEFCON and the Summer of Our Discontent

Thursday, July 21, 2016

Paul Shomo


At upcoming cybersecurity conferences, many will cause trouble for big business and the government. These institutions might ask, what do these people want? They want privacy at the bottom and transparency at the top. That, and a little less hierarchical leadership.

The end of July is when the cybersecurity industry turns on its bad-boy image. On the surface, the upcoming conferences are about educating attendees on the latest threats. In reality, many in the industry gather en masse to take on “The Man.” Developers spend the entire year plotting breakthroughs to build a freer Internet, exposing headline-grabbing vulnerabilities, or finding ways to avoid surveillance and censorship. These efforts typically culminate in one incendiary week at Black Hat and DEFCON.

Jeffrey McNamara, legal counsel for DEFCON, explained it best when he recounted what he often hears from researchers. According to McNamara, many researchers come to DEFCON with one intention: “I want to step on the toes of ... master of the universe aggressive company. I want to come to DEFCON and piss them off.” Mr. McNamara must have a difficult job, as his law firm has been involved in many lawsuits with tech giants as big as Cisco.

A mega-corporation or government on the receiving end of this agitation might ask, “What does the horde want?” Personally, I think the answer is evident in how techies spend their spare time. Many developers invest time in projects that promote free speech and demand transparency from powerful institutions, and some even create applications to encourage open participation.

Would You Like Some Big Business, or Maybe Government? …How About Neither!

The mainstream narrative encourages choosing favorites between the state and private industry. The security crowd loves to thumb its nose at both. Of course it's a delicate balance, as most of us are employed by these power centers. Like that brilliant but flippant programmer whom everyone lets mouth off to the boss, the cybersecurity mob delights in razzing our employers.

This complex relationship is epitomized by the hacker-centric DEFCON, where “Feds” are regular attendees and sometimes socialize with hackers after hours. In turn, the hackers often pay their bills by consulting for the government. At DEFCON, the National Security Agency (NSA) speaks alongside the ACLU and the Electronic Frontier Foundation (EFF). Privacy organizations that are perpetually locked in litigation with the Feds hear enthusiastic cheers from audiences. At the same time, DEFCON leadership has historically encouraged dialogue with the NSA, and calls for increased cooperation are popular among many attendees. The battle to protect individual privacy is a rallying cry for many, but there is also widespread recognition of the need to (at least sometimes) work with the powers that be.

I'll always remember the year of the Snowden leaks. The Feds were uninvited to DEFCON, but the NSA managed to attend anyway, and it was a circus. Attendees posed with cardboard cutouts of Edward Snowden, and one attendee handed out tinfoil hats. Personally, I wasn’t able to attend General Alexander's session. I did take a tinfoil hat though, and loved every minute of it. It was one of the few times where democracy felt like the idealized version of my youth.

Of course, there are many other targets who have felt the wrath of the cyber mob, many far more objectionable than our own government. At Black Hat or DEFCON, you’ll hear tales of how hacktivist collectives trolled Middle East terrorists, or Anonymous’ participation in the Twitter frenzy which ignited the “Arab Spring.” While a lot of tech workers don’t officially support hacktivism, many smile at some of its results.

Open Testing and Participation

Each night we ritualistically close and lock our front doors, because it makes us feel secure. A cop who’s kicked down thousands of doors once told me, “99.9% of doors go down in one kick.” We don’t know our front doors are insecure, because we never try to kick them in. In cybersecurity we open the floodgates for white hats with a passion for hacking to “test kick” our doors. While mainstreamers see chaos in this rowdy band of penetration testers, insiders see testing our defenses as the only route to real security. This is why calls for the state to limit penetration testing and vulnerability research have historically been resisted.

The almost Wild West condition of security research is characteristic of the technology age. Some professions, such as medicine or architecture, employ state licensing monopolies and specialized schools to limit who may practice. Cybersecurity tends to go in the opposite direction, embracing open participation. Internet culture esteems the advancement of knowledge above self-interest, and eschews preconceptions about what kinds of people might have innovative ideas. In our industry, non-degreed workers sit alongside PhDs from Berkeley and MIT. After all, many of our pioneers, like Bill Gates, Mark Zuckerberg, and Steve Jobs, dropped out of college.

Wikipedia, the online encyclopedia, is another great example of how the community values open participation. To those who think knowledge needs to be regulated by the few, Wikipedia has been a surprising success. In the same vein, researchers have discussed peer-to-peer free press platforms with no hierarchical leadership to limit journalists’ contributions and no authorities to censor opinions.

Leaderless organizations are frightening to many. It would be inaccurate for me to claim that all tech workers embrace the concept in all cases. I do however maintain that open technology – from the owner-less Linux, to Wikipedia, to the uncontrollable Bitcoin – has shown that we can get along with more freedom and less authority. I’d argue it provides optimism that society might even thrive under these conditions.

Freed Speech and its Deterrents

It seems that many have been plotting an escape from America’s Panopticon. The notion comes from philosopher Michel Foucault’s theory of “Panopticism,” built on Jeremy Bentham’s prison design of the same name. Foucault paints a society in which total surveillance is built into the structure of the “Panopticon” itself: inmates can never tell whether they are being watched, so they behave as if they always are. He explains that citizens in such a state would be discouraged from taking on their rulers, because they feel that powerful men are watching their activism.

Remember when corporations with terrible service cowered in fear over web reviews they could not remove? Cybersecurity professionals pine for the days when those at the bottom ruled. They desire a new peer-to-peer internet, without central hubs to censor speech. The big controversy at DEFCON last year was the suspicious cancellation of the “ProxyHam” session, which would have taught attendees to achieve online anonymity by routing their traffic over a long-range radio link to a Wi-Fi access point far from their physical location.

The notion that surveillance degrades the free speech needed to regulate a healthy society drives a lot of engineering imagination. Presentations on efforts to anonymize web browsing, such as the Tor Project, are routine at shows like Black Hat. Well, unless the authorities mysteriously cancel them.

Paradox of Encryption and Transparency

Policy makers might argue there is a contradiction between the industry’s fight for privacy and its love for whistleblowers and leaks. Why do many cheer the now-open information in the Panama Papers and celebrate the Snowden or Bradley Manning leaks, yet fear that their own personal information cannot be kept private from the prying eyes of the State?

At first this might seem inconsistent, but I see wisdom behind the instinct to resist information authority. Human hierarchies tend to narrow into a pyramid, with ever fewer people at the top. If you're going to fight for rights, there are more individuals at the bottom and more power to abuse from above. Thus, “Give us Privacy at the Bottom, and Transparency at the Top,” is not a bad credo.

Infosec Island