I hate separating hackers based on morality.

I have given a few talks recently to non-hacker audiences. In so doing, I learned that even at its most basic level, the idea of what hacking is, is kind of lost on “normal people.” The “Wanna Cry” malware couldn’t have better illustrated the things I was trying to teach.

It’s not that normies aren’t capable of understanding, it’s that they have been given the wrong information by the government, the media, and popular culture for years. There is this fairly lame idea of hackers following this sort of monochromatic gradient matching that of the old-west: the good guys wear white hats, the bad guys wear black hats, and there is a spectrum of moralities in between. There are legitimate ethics that guide hackers, they just aren’t the kinds that you hear about in movies and on TV:

  1. The Sharing Imperative – Hacking is a gift economy. You get tools, knowledge and code for free, so you have to share what you have learned to keep growing the pool.
  2. The Hands-On Imperative – Just like “real” science, you have to learn by doing. Take things apart, break them even, and learn how they work. Use that knowledge to create interesting things.
  3. The Community Imperative – Communities (geographic, philosophical, etc.) are how it gets done. Crews, clubs, chat rooms, hackerspaces, conferences, email lists, are all places for n00bs to ask questions and get flamed, and for l33ts to hold court.

Monochromatic Morality
The typical whitehat is a security researcher, penetration tester, or security consultant that only hacks the computers and networks that they have permission to hack. This can either be a lab environment built for research, a client who has retained security services, or an employer who has granted express permission. Whitehats then disclose their findings. This disclosure may be for the benefit of a client or an employer, or it may be to benefit the public. The key differentiator is that the whitehat gets permission and then shares their discovery for the benefit of others.

The typical blackhat is generally considered to be a criminal. They hack systems that do not belong to them and then do not disclose their findings. The exploits that they discover are hoarded and stockpiled for their benefit alone. The key differentiator is that blackhats do not seek permission, they do not disclose their findings, and they hack for personal benefit.

The gray areas have to do with the degree to which a hacker has permission, discloses their findings, and how they profit from their activities. Whitehats have “real” jobs and share everything, blackhats don’t have jobs and therefore hack for money. A typical grayhat might hack systems that don’t belong to them but then anonymously share their findings, or they might develop their exploits in a lab, but then sell those exploits rather than disclosing them.

In my professional life, I routinely employ hacking tools for the benefit of my employer, whether it’s scanning networks to troubleshoot problems, or cracking passwords to help users who have lost access to their computers. In previous jobs, I have exfiltrated research data from one network to another at the request of the data’s owner. While I don’t always have my employer’s explicit permission to do what I do, they hired me to fix problems for their users, so I do what it takes. The things that I learn, I then share and teach to others, whether that’s talks at conferences or Cinci2600 meetings, or posts on this blog. I have no idea where that falls in the white/gray spectrum.

Chromatic Pragmatism
Instead of black and white, I prefer to look at hacking from a red vs. blue perspective. Regardless of your moral compass (or that of your employer), you are either on the offensive end, which is the red team, or the defensive end, which is the blue team.

Teams are better terms to think in because hacking is a social activity. You may or may not be physically alone, but you are always learning from others. You read docs and code, you try stuff, you get stuck, you look up answers and ultimately ask someone for help. The idea of hackers as introverted smart kids living in their mom’s basements isn’t nearly as accurate as TV would have you believe.

Regardless of the reason why you are hacking a computer or a network, you are either the attacker or the defender. You are either probing defenses looking for a way in, or you are hardening defenses to keep others out. You can further divide these activities into application vs. network security, but at that point the discussion is more about tools.

Thinking about hacking in terms of offense and defense takes away all the politics, business, and patriotism of your red and blue teams. If you are a red teamer, backed by your country’s military, you might be doing black hat stuff for a “good” cause. You might be a blue teamer working for an organized crime syndicate, doing white hat stuff for “bad” people. You might be a whistleblower or a journalist, exposing bad acts by a government.

Wanna Cry: with the good comes the bad, with the bad comes the good
The Wanna Cry debacle is interesting because of its timing, its origin, its disclosure, and its impact.

Its timing is interesting because nation-state political hacking is like half of all discussions when it comes to the Presidential election. Its origin is interesting because the tools in the leaked sample appear to come from the NSA. The leak comes from a group known as “Shadow Brokers.” They said they would auction the rest for a large sum of money. The disclosure is interesting because the first release is a free sample to prove the quality of the goods they intend to auction.

The zero-day exploit exposed by the leaked tools was then used to implement a large scale ransomware attack that severely affected systems in Europe and the UK. A researcher was able to locate a call in the ransomware to deactivate the malware, which stopped the attack dead in its tracks. There are lots of theories about this strange turn of events, but my personal theory is that the ransomware campaign was a warning shot. Possibly to prove out a concept, possibly to urge everyone to patch against the vulnerability.

The idea that NSA tools were compromised, and disclosed by a criminal organization, turns the whole black hat/white hat thing on its head. The NSA was hoarding exploits and not disclosing them, which is a total black hat move. Shadow Brokers exposed the tools, prompting a widespread campaign to fix a number of vulnerabilities, which is a total white hat move. So you have a government agency, a “good guy”, doing bad things, and a criminal organization, a “bad guy”, doing white hat things.

If you want to talk about the specifics of the hack, the NSA’s blue team didn’t do its job, and the Shadow Brokers’ red team ate their lunch. The blue team’s principle was a server where attacks were either launched or controlled. This server was the red team’s target. It’s a pretty epic win for the red team because the NSA is a very advanced hacking group, possibly the best in the world.

The Nature of Freedom

A few cultural events have caused me to think a lot about freedom lately. Of course our new Presidential administration has had an effect, but also some films, television programs, and documentaries. Also, I have been assisting my local political community and the results are pretty depressing.

One film that I saw was “Arrival”. It is based on a short story called “The Story Of Your Life” which goes into more philosophical detail than the film, and centers on the idea of free will. The aliens in the film can see time in a planar rather than linear fashion. Because of that, they have no concept of free will. Knowing what is coming leaves them with no choice but to play their parts to contribute to the known outcome. Speaking to others isn’t so much an exchange of ideas as it is a declaration or codification of events, like announcing a winner, or pronouncing someone dead. Reading the story left me feeling that I had broken my brain in some fundamental way.

Not long after that, I started watching “Westworld”. The hosts in Westworld are driven by code which is interpreted by their central processing units. Because they store memories digitally, they don’t remember things, and instead reload (relive) them. As a mercy to the hosts, their memories are erased on a regular basis. Something within the code that governs the hosts causes them to start remembering and all hell breaks loose. Again this idea, while fictional, made me think about the nature of freedom.

The idea of reality as a lived experience, the cognitive lens that we see the world through, is based on recollection of previous experiences. Our human memories are not perfect; we cannot retrieve bit-for-bit copies of stored data the way that a computer can. We cannot go back and relive an experience the way that a host from Westworld can. As we experience something, it is colored by a complex mix of emotions and bias. These imperfect and colorized recollections then shape how we experience new things. These new experiences, perceived through our flawed cognition, are then stored using that same flawed mechanism, making it even more flawed. As humans age and grow, their cognition becomes a kind of degenerative corruption of observation. Your lived experience might actually just be shitty encoding.

As I watched these works of fiction, I have also begun to listen to intellectuals dissect the ideas of freedom. I watched a series of documentary films by Adam Curtis. The idea of this series is that efforts have been made to reduce the idea of humanity into self-serving automata. This numeric representation of humans relies on a kind of rational strategy that guides us. The problem with this simplified view of course is that it ignores the shitty encoding that guides human decision making.

The documentary series points out the use of Zero Sum Game Theory in modern political, economic, and even biological research. This cynical approach led to the dissolution of the idea of human individuality and the rise of popular psychology which uses drugs to manage human behavior. Oversimplification of human behavior leads to a kind of segregation based on small sets of variables, rather than meritocracy. The result is the corporate-run caste system that we have today. More importantly there are two varieties of freedom: one of struggle and coercion based on violent radicalism, and one of meaningless consumerism. Meaningless consumerism is how The West operates without violent revolution; people are free to do whatever they want, so long as all they want to do is watch TV and buy things.

This is my issue with the western idea of freedom. It is a comfortable existence; it’s largely devoid of bloodshed, but it is also largely devoid of meaning. Buying new things – says the guy with 4 laptops – isn’t making yourself any happier. Watching TV – says the guy who came to this conclusion by watching movies and TV – doesn’t help you to improve yourself. Being a radical freedom fighter isn’t the alternative, and it’s not like you can bring down corporatism in a bloodless and market-friendly manner. What you can do, however, is diversify. Instead of using violence to coerce others into your idea of freedom, I think that you can build communities around ideas other than meaningless conformity and draconian order. Organizing into communities is the start, but you have to go much further.

Paradoxically (or perhaps ironically), I criticize the tendency for governments and corporations to reduce humanity into numerical figures, yet I cannot help but to see political and economic systems as complex networks. I am an avid proponent of peer-to-peer networking, of decentralization, and the mistrust of authority. In a peer-to-peer network, there are no clients and servers, there are only nodes. The power of the Internet is not that it connects nodes, but that it connects networks of nodes. We, as individuals, have to organize ourselves into networks that pursue and produce meaningful things. Individuality is important, but agency may actually be more important. Having freedoms that you do not make use of is pretty much the same as not having freedoms to begin with. If you are a corporate-run fascist state, it’s probably better for you if your subjects ignore their freedoms. Convincing them to do that might be part of your game plan.

This is the idea that I am moving around in my mind. What is freedom? Do we in The West actually have it? Did we lose it or did we give it away? The thought process is similar to the Orwell vs. Huxley debate, but I think it goes further because it should take into account human tendencies. Huxley kind of does with his societal focus, but Orwell does not because he is more focused on politics. My concern is with more essential things, like the nature of cognition, the nature of free will, and the nature of humanity.

The problem with everything is central control

I have been reading postmortems on the election, and it basically came down to a failure of media and political elites to get a read on the voting public. Basically, a small number of very powerful intellectuals operated in a kind of silo of information.

All the stuff I have read and watched about the 2008 financial meltdown comes down to a failure of large banks. A small number of very powerful banks operated in a kind of silo of finance.

This country is a mess because of centralized control and centralized culture. It’s a mess because of intellectual laziness and emotional cowardice. It’s a mess because we rely on crumbling institutions to help us.

Centralizing seems natural and logical. There is an idea in economics called the economy of scale. Basically, a big operation (a firm, a factory, a project) has better purchasing power and is able to spread fixed costs over large numbers of units. In network topology, the Star Model is the simplest to manage, putting all the resources at the center. I tend to think about economics and computer networks as kind of similar.

One of the primary criticisms of the Star Network is the single point of failure. If the center of the network has any sort of problem, the whole network suffers. This is also a problem with economies of scale. A lot of electronic component manufacturing is centralized in Taiwan; in 1999 an earthquake caused a worldwide shortage of computer memory. It seems that any time there is bad weather in New York City, flights are delayed across all of North America. In 2008, trouble with undersea fiber cables caused widespread Internet connectivity problems throughout Asia. A lack of biodiversity in potato crops contributed to the Irish Potato Famine. Centralized control is prone to failure.

This isn’t just a business or a technology problem. It can also be a cultural problem. Centralizing stores of information leads to gatekeeping, where a point of distribution controls the access and dissemination of information. This may be for financial gain, in the case of television and cinema, or it may be for political gain, in the case of the White House press corps. Media outlets repeating what the White House said, and the White House using media reports to support its assertions is how the US ended up invading Iraq under false pretenses.

The diametric opposite of the Star Network is the Mesh network, specifically the Peer-To-Peer network. These models eschew ideas of economy and control in favor of resilience and scalability. Economy of scale eliminates redundancies because they are expensive. Peer-to-peer embraces redundancies because they are resilient.

Embracing peer-to-peer from a cultural standpoint means embracing individuality and diversity. Not just in a left-wing identity politics sort of way, but in a Victorian class struggle kind of way. It means eschewing the gatekeeper-esque ideas of mono-culture in favor of cultural and social diversity. Peer-to-peer culture is messy. It’s full of conflicts and rehashed arguments. It’s not a “safe space” where people of similar mindsets never encounter dissent. It’s a constant barrage of respectful and learning argument.

The cultural division in this country is a failure of our core values. It’s a failure of the right’s anti-intellectualism, and it’s a failure of the left’s elitism. It’s faith by many in crumbling institutions that are out of touch. It’s a failure of corporate media that forces us to turn to our social networks for news that discourages discussion and only seeks to confirm our individual biases.

I’ll be writing more about this opinion (and make no mistake, it’s just an opinion) in future posts. Hopefully it will foster some of the discussion that I am seeking.

Election Got You Down? GOOD.

My social media feeds are physically dripping with existential angst about the Presidential election. My conservative friends were losing their shit over either Hillary and her lies, or the fact that Trump is leading their party off a cliff. My liberal friends were salty about Bernie getting the shaft from the DNC. There was a lot of talk about the lesser of two evils.

I have been making my saving throw against angst-filled rants, until now. Everyone I know is in some sort of funk over the election, and I’m just sitting here like “Welcome to my world. You’re stuck here until January, but look on the bright side: AT LEAST YOU DON’T LIVE HERE.”

For me, there was never a good choice. The whole election was like a shit sandwich and the whole country spent like two years arguing over which end to bite into. This “None Of The Above” view of American politics is pretty much where I live my life. I hate at least half of the liberal platform, and at least half of the conservative platform. This doesn’t make me a moderate, it makes me a political misfit.

I was pretty well braced for disillusion. I voted for Obama, and watched him pivot from promises of government transparency and closing Gitmo, to a growth of the surveillance state. I like gay marriage and healthcare, don’t get me wrong. Those were good things that I could get behind. I just *really* hated Bush’s illegal spying; Obama campaigned against it but then turned around and made it bigger. *Then* he equipped it with assassination drones.

I was *this* close to making a protest vote for either Stein or Johnson, but my principles gave way to my self-preservation instinct and I grudgingly voted for Clinton. I am mad that Trump won because I feel like I got robbed of my statement. I felt pretty dirty voting for her, and then she had the audacity to lose. The world-as-we-knew-it was wrong about her being the presumptive nominee and now I can’t smugly say “Don’t blame me, I voted for… Stein? I guess?”

My politics can be summed up in two basic talking points: I hate cops and I hate corporations. I am a firm believer in both social progress and limited federal government. There are too many laws, too many jails, and there’s not enough independent media companies, banks, and telecoms. I don’t know if I dislike capitalism, or just the corporatism that we practice all over the world. Maybe well-executed capitalism is like well-executed socialism and only exists in the fantasies of economists. I don’t really care, I’d rather focus on the sharing economy.

A sick part of me wanted Trump to win. Not the actual me, just that little crazy part that envisions the car crashing when you have to slam on your brakes suddenly. You know, that crazy death-wish part, that kind of fantasizes about the zombie apocalypse.

Anyway, I wanted very badly to say “Look, if I vote for her, can you all just promise to work to make things better?”

Well, now it’s time to work on making it better. The thing that I want to work on is not political parties and why they all suck. I am done with believing in elections for Democrats and Republicans. I’m still gonna vote, I just won’t invest in the idea of elections producing results that I want. I’d rather invest that energy into writing about something else.

That something else is basically doing away with our country’s reliance on central authority. I think we should have a government, I just think it shouldn’t be such a big factor in our lives and our culture. I think we should have a mass media, but it should be free from corporate influence and cartel ownership. I think we should see America for what it is: a great nation that was exceptional, but is capable of decadence and corruption, just like any other country.

Election Year Economics Are Stupid

I am no economist, but elections aren’t about economics, they are about rhetoric, which I know a little bit about. Political rhetoric is about narratives. In an election year, the narrative of fiscal policy is about reinterpreting the basic principles of macroeconomics in order to garner votes. The problem, as I see it, is that these narratives, these talking points, are passed off as solid leadership. All politicians lie, but this is different. These are carefully crafted messages that people follow. Messages that people believe.

Both liberals and conservatives are establishing the same narrative: that their side has all of the answers, and the other side is ignorantly wrecking the country. Both sides do this, make no mistake. This is why I don’t care for either. It doesn’t matter which side you fall on politically. If you give that premise one ounce of rational thought, you can see that that idea is -in a word- stupid. Why would a group, backed [presumably] by half the country, back a plan that would doom the very nation that they want to control? This isn’t about good vs. evil, or smart vs. stupid. This is about two essential pieces of a natural process: the need for business to make profits, and the need for a social safety net. Not only are these great ideas, they are also essential components of a healthy economy. They may actually help each other in the process: good social safety nets could mean more freedom for businesses.

Conservatives are pushing tax cuts at every turn in order to stimulate private industry. Liberals are looking to implement government programs to help people that they believe are being ignored by private industry. LOL/JK they’re just lining the pockets of their corporate cronies 🙂

Private industry and social stability are both good ideas; there is nothing wrong with either idea. The problem is that both ideas are postured in such a way as to appear mutually exclusive. Tax cuts are inherently plutocratic, while programs to help those who need it are the fast track to communism. This has nothing to do with actual plutocracy or communism and everything to do with political posturing.

Presenting your set of goals, however noble, as superior to those of the other side is deliberately ignoring half of the problems that our nation faces. We face a need for employment, which comes from businesses, and a need for a strong social safety net, which comes from taxes. People need to work so that they can pay taxes. Businesses need to profit so that they can employ workers and pay taxes. What’s more, pitting the interests of business against the interests of the population is at best a waste of already finite resources, and at worst a recipe for societal collapse.

Economies rely on two forces: supply and demand. These forces are often represented in the political narrative as business and consumers. The problem with this narrative is that the market is actually made up of two interdependent cycles where businesses and consumers fulfill the roles of supply and demand at various stages. These cycles depend on each other to keep repeating. The people who participate in these processes perform different functions in the cycle. Even if you own a company, you still have to go home and buy things. Even if you earn only minimum wage, you are still selling your time and energy for a wage.

In the graphic above, you can see where businesses and consumers are both buying and selling to each other. There are different markets where consumers supply and businesses demand, only to have the roles reverse. This is a good representation of the interdependence of these two cycles. If you are a business, you are working to turn your resources (raw materials, production capacity, energy) into profits. If you are a consumer, you are looking to turn resources (land, labor and capital) into income. If consumers don’t have income, they can’t buy stuff from businesses and they cannot invest in businesses. If businesses cannot make profits, they cannot employ people. If this balance is upset, no one can pay taxes. Conservatives would have you believe that Americans sacrificing in order to keep private industry going is the way to keep the country going. Liberals would have you believe that government programs financed by corporate taxes will keep the country going. Both parties are right at some point in the economic cycle, and they’re both wrong at the opposite end.

Capitalism works when everyone acts in their own rational self interest. Political rhetoric focuses on “self interest” at the expense of rationality. Election Year Economics is the antithesis of rationality. Pitting consumers against businesses is irrational. Businesses are employers. Employees are customers. If people can’t work, they can’t buy your crap. If you aren’t buying crap, there are no jobs. Expecting the government to care for you is irrational. Subverting the democratic process to avoid taxes is irrational. The politics of fiscal policy is the politics of irrationality.

You see, while markets cycle clockwise and counterclockwise, the economy itself cycles up and down. Things go well, the economy grows, and then it runs out of steam and contracts. This is natural. The contraction is not often pleasant, but it is natural. Expansion and contraction are unavoidable. The purpose of the government in this process is not to keep the cycle perpetually expanding. That is impossible, and believing it to be possible is irrational.

The role of government in the business cycle is to even out these natural ups and downs. This is where Monetary Policy should come into effect. It should keep things from expanding out of control, and then soften the blow of recession. The government does this during expansion by limiting the money supply (Federal Reserve conspiracies notwithstanding) and during contraction by providing a social safety net. During times of recession, the government increases spending, cuts taxes, and programs like unemployment benefits and other forms of assistance keep people buying until things pick up again. These are good things that get people votes on both sides.

During times of expansion, however, conflict arises. At the other end of the business cycle, the government needs to control the supply of money to keep the economy from overheating and then crashing. It does this by raising interest rates, raising taxes, and by reducing government spending. Higher interest rates encourage saving and discourage risky investing, lending, and borrowing. Higher taxes create a budget surplus that can later be used for benefits programs. Reduced government spending encourages maximum employment in the private sector and efficient allocation of funds. These are good economic decisions, but they are bad political moves. High taxes and interest rates draw the ire of Wall Street and its conservative votes. Reduced spending affects public institutions and their liberal votes. The goal for the government should be to create a budget surplus and then use it to jumpstart the economy during downturns. This is politically painful for both the left and the right, and it costs votes. That means no one on either side wants to do it. When you run a business one fiscal quarter at a time, and when you run a nation one election at a time, good fiscal and monetary policy become a sort of leaky roof problem. You can’t raise the funds you need when everyone is unemployed and broke, but you don’t need social safety nets when everyone is employed.

All-tax-cuts-all-the-time is bad fiscal policy. All-government-spending-all-the-time is also bad fiscal policy. If the government can’t raise funds by taxing, it has to raise them by borrowing (from China!) which is also bad fiscal policy. In this process, we as the electorate have to understand where we are -as a nation- in the economic cycle. I guess this would be a good place for the media or the education system to help the process, but media is a private industry where celeb gossip is more profitable than macroeconomics, and education is a money pit for taxpayers.

Unfortunately, you can’t fit that message on a bumper sticker, and my Facebook feed seems to only have enough attention span for clicktivism.

The FBI asking Apple to Backdoor an iPhone is a Rubicon for Privacy

The US District Court of California has asked Apple to backdoor a locked iPhone for the FBI. This isn’t a request to unlock a single phone, this is a request for Apple to build a tool that lets the FBI circumvent the security on the iPhone… as in basically all iPhones, which will then set a precedent for all smart phones.

“Make no mistake: This is unprecedented, and the situation was deliberately engineered by the FBI and Department of Justice to force a showdown that could define limits our civil rights for generations to come. This is an issue with far-reaching implications well beyond a single phone, a single case, or even Apple itself.”

In case this is your first time reading about why government mandated back doors are a universally bad idea, here is the quick list:

  1. A digital backdoor, much like a real back door, can be used by anyone, not just those authorized to access it. Back doors make excellent targets for criminals, spies, and other bad actors. These things get discovered, and then they get misused. If you are a criminal, and you are looking to steal data, knowing that there is a backdoor in a system lets you focus your cracking efforts.
  2. Encryption is only good when it’s secure. Insecure crypto is worse than useless because it creates a false sense of safety and control. This is why Digital Rights Management technologies never work. No matter how you slice it, a purpose built entry point is a vulnerability. Once you introduce a back door, or a “Golden Key” it invalidates the security (and value) of the entire system (see point 1). An insecure phone just isn’t worth as much as a secure one.
  3. The bad guys you are trying to catch are bad guys. They don’t give a single runny shit about government regulations. This means that the bad guys who use crypto will simply switch to new illegal tools that don’t have back doors. When the SOPA bill threatened to block DNS for sites accused of piracy, tools immediately began to surface that would defeat the blocks, before the bill was even voted on.
  4. In the case of criminals, government mandated back doors would create a market for secure tools. These tools wouldn’t be Made In America like the *iPhone. Back doors would devalue the iPhone (see point 3) and add value to technologies that aren’t made in the US. Meanwhile, Federal Law Enforcement still couldn’t access phones that belong to terrorists. All the damage done by this would be collateral because the only people affected by this mandate would be innocent bystanders.

There are *tons* of other reasons why back doors are bad, but those are the top 4. Cory Doctorow sums up the argument against back doors fairly succinctly in an article in The Guardian:

That’s really the argument in a nutshell. Oh, we can talk about whether the danger is as grave as the law enforcement people say it is, point out that only a tiny number of criminal investigations run up against cryptography, and when they do, these investigations always find another way to proceed. We can talk about the fact that a ban in the US or UK wouldn’t stop the “bad guys” from getting perfect crypto from one of the nations that would be able to profit (while US and UK business suffered) by selling these useful tools to all comers. But that’s missing the point: even if every crook was using crypto with perfect operational security, the proposal to back-door everything would still be madness.

The Law Enforcement community declares war on crypto in one form or another once or twice a decade. Every time they do, we as digital citizens need to stand up and say “NO!” They will keep trying, and we have to keep fighting, every time. It really is that important.

*The iPhone isn’t made in America either, but Apple does employ Americans around the country. Russian mobsters or Romanian cyber-criminals presumably don’t employ many Americans.