Information Security News mailing list archives

Simple Nomad's DefCon 11 Rant


From: InfoSec News <isn () c4i org>
Date: Fri, 8 Aug 2003 01:00:21 -0500 (CDT)

http://www.nmrc.org/pub/report/sn-dc-2003.html

Have you noticed the change? Do you remember where you were when you
first felt the change? I am talking about the change in the security
community, especially the underground community. Less trust. More
control. Less truth. I'm not talking about society since 9-11,
although most certainly looking at things like USA Patriot and DSEA
one can certainly see less trust, more control, and less truth. I'm
talking about the underground closing ranks. The emergence of Richard
Thieme's third generation hackers.

The holy trinity of hackers -- trust, control, and truth.

Typically the purest form of knowledge -- the facts -- are what
hackers refer to as truth. A wisp of falsehood or lie will cause a
hacker to bristle. With the nature of hacking being to learn the true
nature of something, the truth is an important commodity.

Trusting a truth. An important item on the hacker checklist. Can a
"truth" be trusted as really being true? Crawling through the ether,
keeping enemies as friends, encountering the unknown, a hacker needs
to know not only who to trust but what. And it is never a glass that
is half empty or half full, it is a swirling and ever-changing
fishbowl filled with truths and lies, all swimming together and
influencing each other. Finding the truth needle in a haystack of
disinformation -- the marching orders of the new millennium hacker.

Hackers need to be able to not only understand the control mechanisms
that surround a truth, and the nature of those controls, but to
understand the responsibility that comes with exercising control over
a truth. Also, knowing when and how you are being controlled and
manipulated, be it by pervasive means or just the fact that you are
aware your actions are being monitored. Having your actions monitored
can influence your behavior substantially. Between TLA-driven
Carnivore-styled systems to enemy hackers with dsniff to nosy ISP
admins, the tilting game board has not just shifted the controls, but
the mere threat of controls has changed hacker methods drastically
and permanently.

There are hackers -- white hat types -- that have removed code from
their web pages simply because of the threats posed by such things as
DMCA. Talk about Sun Tzu tactics -- many coders removed their work
from the net without any laws being used against them. That's a
serious control mechanism right there.

The new millennium hacker has seen this landscape of unknown enemies in
unknown numbers, circled the wagons, and lives a multi-layered life
behind layered walls of security, disinformation, and distrust.

Two years ago I gave a talk at DefCon 9 that was in my opinion the
highpoint for Simple Nomad 1.0. I received a lot of positive feedback
from this talk, mainly along the lines of agreement that society is
heading for a suppressive human rights hell in a handbasket cleverly
disguised with a transnational conglomerate cloaking device. It was a
call to arms that things were going from bad to worse. After DefCon 9,
September 11 happened, and all of my exaggerated claims -- as well as
the claims of many others -- began to happen. Claims of the coming
neo-Hooverism began to usher forth starting with the passage of USA
Patriot and followed by a series of Presidential directives and
legislation currently in various stages -- some passed into law, some
pending before a willing congress -- that seriously attacks the hacker
and hacker culture.

What came of that so-called warning, that call to arms? Nothing. Why?  
Because I trusted in my own logic. I assumed that everyone at DefCon
was just like me, and would react the same way I did. Rather than
assuming the "Russ Cooperesque" title of Cassandra of the Internet,
and blame my audience, or assume I was simply an old schooler talking
to a jaded generation beyond my reach, I tried to think things
through. Hopefully I've learned a thing or two about trust and a bit
about control.

So this brings us quite naturally to aliens and UFOs. Give me a moment
to explain....

How many people have seen, or know someone who has seen a UFO? My
guess pretty much everyone here. I find this to be very compelling.

For years, we have been taught that to utter a belief in UFOs, admit
seeing a UFO, or confessing in a belief that aliens are trading
antimatter reactors to our government for porn, is to stand up and say
we are crazy. The media has very effectively taught us this. *This* is
a control.

However it is human nature to talk about the weird and bizarre, so
eventually a fringe element proclaims whatever truths they can find,
they are easily led astray with disinformation, but they manage to
make enough noise to get at least parts of society to acknowledge some
of their truths. Their truths become almost a religion. And now, after
several years, it is ok to acknowledge in public, or at least among
friends, to admit that you or someone you know and trust has seen a
UFO.

With careful encouragement from the media, it becomes ok, and is even
a relief, to acknowledge this because you *aren't* crazy, in fact you
are normal.

What is interesting is that the government can keep up its denial of
UFOs, we can keep confessing to each other and get a warm fuzzy, and
because of the nature of humans to *want* to be accepted above all
else, the "truth that is out there" remains just that. Out there, not
here. We think we are one up on the government, when in fact we are
not. Instead of continuing to "fight the good fight", we actually
become more docile. That is a *meta-control*.

Remember, we live in a world where the slime marketeers understand
that everyone thinks they are one of those 10 percenters. You know,
"only the cool people buy our stuff, it's not for everyone." Yet
everyone buys the product. Simple math says not everyone can be in the
10%, but if you create the illusion....

Are we all so amazing that all of us are among the 10% best athletes,
best drivers, best lovers, best hackers?

At DefCon 9, I spoke from a perceived vantage point that I was among
the fringe element, and I assumed that I and the audience were within
that 10%. Instead I encountered a meta-control. In spite of the fact
that right after 9-11 we all knew shit like USA Patriot was on the
way, there apparently was nothing we could really do about it, or if
there was, we were content to get that warm fuzzy by simply sharing
our concerns with each other. The call to arms was nothing but a warm
fuzzy. It has taken me two years to understand that I hit a
meta-control, that I was not in the 10%, in fact the existence of the
10% was probably an illusion anyway.

But it was the understanding of a truth. The realization that a new
millennium hacker was emerging from within my limited 1.0 view of the
world. I watched myself morph, adapt and change to my world. I
literally watched myself circle the digital wagons. And in doing so, I
watched the air-gap between nym and psyche -- between the virtual
world and the physical world -- disappear.

To understand the truth about something like a computer is to not only
understand how the components fit together, how they interact, when
they can be bent or broken, when you can exploit sublevels of trust
between components to bypass a control -- it is also about
understanding that computer's placement within a network of others.  
Understanding that the computer, whether placed in the home or in the
office, is a reflection of the user that stores their data on it.  
Understanding that the data itself, when coupled with other computers
on the network near it, tell such interesting stories, like who
controls the company, who hides the company secrets, or who controls
the cash flow. Hacking business processes, hacking corporate culture,
controlling the flotsam and jetsam in the digital flow. And hacking
becomes meta-hacking. Imagine tying companies within the same industry
together at this level, then industries, then governments and nation
states.

Is that too big? No. We cannot think in those terms anymore. Like it
or not, hacking has changed. We have to think big. Hacking is not just
about seeing the limits of a computer system, or even the limits of
the political world that has risen up around the modern-day hacker.  
Hacking is about understanding the system, the complete system. You
must hack yourself. Not the digital self, because there is truly no
division anymore. We are plugged in, and there ain't no going back. We
*have* to hack ourselves. Not just the surface tension that is wrapped
in a nym, but the core of your hacker self. Explore mental ring zero.  
Live to hack, and hack to live.

This is the future of meta-hacking, not just controlling the operating
system, but controlling and influencing what the operators of that
system do -- whether those operators do what they do for good or ill,
and whether that system is a computer, a political set of ideals, or
your own thought processes.

This is why we are pursued through cyberspace by USA Patriot and the
other horses of the digital apocalypse. It is our potential. If we
turned our hacking skills from the systems we have root on to the data
stored on those systems *and what that data represents*, we could
possibly discover where that 10% is really at.

I am not going to tell anyone what to do anymore, namely because until
I fully and truly understand my own truths, and can trust my vision
and understand the controls that bind me, I only serve the will of
others. Others who wish to control you AND me. I can't tell you where
the truth lies, because I refuse to accept the reality shovelled up my
ass by the Man. I have to question everything, and while I am not
telling you what to do, I *am* inviting you to do the same. Question
yourself. Question your questions. Question your lack of a question.

Martin Luther King, Jr. said he dreamt of a day when a man was judged
not by the color of his skin, but by the content of his character. I
dream of a day when a hacker is judged not by the color of his hat,
but by the content of his code.

I'd like to close with jrandom's infamous paraphrasing from Fight
Club: "The people you are after are the people you depend on. We
develop your apps, we backup your data. We route your packets, we
defend you while you sleep. Do not fuck with us."

I thank you, NMRC thanks you, see you next year.


