Widdershins: Politics, De-evolution and the State of the Internet Widdershins. Why Widdershins? I first brought up this word at DefCon 9. To explain, let me quote from my DefCon talk. "The circle is a symbol used in many cultures to signify an unbroken cycle or chain. In Wicca, a practitioner will cast a circle around the ritual area at the beginning of the ritual, moving clockwise, or deosil. A "sacred space" for worship and magick is created, with the circle allowing protection from outside forces, and a concentrated focus of energies to be contained within the circle. At the end of the ritual, the practitioner will move counter-clockwise, or widdershins, to release and return the energy contained within the circle back from whence it came. As is the case with most religions, its symbolism is reflected within society. "Social" circles expand and contract. And society has a tendency to draw circles around itself using divisions such as class and race to try to contain themselves. But as history has shown us, all of these circles are eventually undone, and what is contained within them is released and returned to the elements from which it was drawn. What if the circle is a technological one? Or what if the so-called magick within a closed circle is technological in nature? How do we release *that* type of magick?" In that talk, I described a de-evolving technological society. Circles of treaties, laws, and political movements. A steady encrouchment upon civil liberties. Before the terrorist attacks on my birthday on September 11th, I stated that the Internet is rapidly de-evolving through a series of political actions and many of our freedoms are either illegal or may soon become so. I also stated that the nation state was giving way to the transnational corporate/government hybrid, which is happening much faster than I originally anticipated. The terrorst attacks against the United States were more of an attack against the ways of the West than against our nation. And the attack was not committed by a nation state, but a distributed entity with elements inside of dozens of different nation states. The fact that some nation states, or elements within particular nation states, are helping via technology, finances, and other means to provide support for this distributed group of attackers only complicates the entire story. There will be many casualties besides the obvious victims in New York, Arlington, Virginia, and Pennsylvania. Included in these victims will be us, as our personal liberties and freedoms we have come to love and know are being attacked. The time for action is now. There is plenty to do for everyone, and it involves what we do best - hacking. We built the Internet. I'm not just talking about the wires, and the computers, but the *spirit* of the Internet. We developed the technologies that allowed two people to communicate without eavesdropping by anyone, including our government. We developed the forums into which we can speak anonymously to others, *including* our government, to voice an opinion without fear of reprisal. We created open circles that allowed us to don and discard different masks at will -- and we could dance behind these masks without fear of discovery or ridicule. Many of the technologies we brought to this circle are a part of the social fabric that makes up what is refered to as cyberspace. Even the concept of masks -- alternate identities by which to hide -- are considered the norm. In fact, many of us wear these masks like a Native American dancer wears a mask, paint, and costume during a sacred dance -- the Indian knows he is not the Eagle, we who are watching the dance know he is not the Eagle, but the mask, the paint, and the costume *bring out* the Eagle within. The "You've Got Mail" crowd has some expectation of privacy and security when it comes to participating in this great global dance, but unless we are there to point out issues of privacy and security, we will not be heard. What have hackers done? Well, we have created a wealth of tools. And like many tools, they can be used for good or evil. "A hammer can be used to build a house or break into one" seems to be a popular sentiment. Yes, we all realize this is somewhat two-faced - some tools have generic features, other tools do include features whose purpose solely benefit the intruder and not the administrator, including tools I have written myself. But we have written a lot of tools. Using these tools we have created, some of us have destroyed. You cannot step around this fact. The only defense we have is that in any grouping of society, you have a few bad people. So we will always have to live with that aspect of that part of our society. We disclose. Some of us disclose fully, which is what most of us believe is the best way. Unfortunately some people take advantage of this, and destroy instead of create. As a result, there are two camps forming. One is composed of people like Marcus Ranum and Russ Cooper who believe in limited disclosure among a group of "professionals". Professionals in this case seems to be code for "not hackers". A second group of people, comprised of people involved with the anti-security.is folk believe that hackers themselves should stop sharing except within very tight and trusted circles. I know people personally in that second camp, in fact several ex-NMRC members believe that way, and have returned to the underground. So here's a question to get us really thinking - why are hackers feared? Probably because it boils down to this simple fact -- if someone comes up with a method of using a piece of technology in a way beyond what it was intended, a hacker will tend to admire the method. Additionally, injection of humor and/or irony will add extra points. Here is the point that the rest of society tends to miss -- this admiration occurs even if the method is illegal. In other words, if a hacker breaks into a system and defaces a web site, but does so in a technically interesting way, or even humorously, there will be a level of respect for that individual, even if the admiring hacker knows it is illegal and is something that they themselves would never do. Case in point: check out the web defacements of Evil Angelica -- they are oftentimes humorous and even poke fun of defacement itself. What is even more disturbing for the powers that run our society is that we are willing to cross all kinds of social boundaries in our quest for knowledge. You see, the Internet has done wonders for breaking down barriers, including international borders. Probably the first group to fully realize the potential of this concept were the people that helped build the Internet. No, not the military industrial complex in the middle of the cold war, but the hackers working at educational institutions that began linking up the various regional nets to form what we now know as the Internet. They understood the barriers. Within academic circles they had been bypassing these barriers for years -- but now, the process is a lot more simplified and even automated. WE know how to share information. WE know how to contact each other quickly. WE have almost another language, a technological shorthand where we can say things like "port 80, 53, and 25 are open to the entire DMZ and they're running NT," and that is basically a complete and total security assessment. But this doesn't explain the fears. Society at large fears us because the media says they should, and this is reinforced with inane and technically inaccurate portrayals of what a hacker is in television and movies. But we have law enforcement and government agencies that appear to fear us. Of course, we could simply say they are stupid or just "don't get us", but I'd like for you to think about this for a minute. They are not stupid. They track down criminals using the most minute of clues. They have developed sophisticated technologies. They actually are smart. So why are they telling the media to fear us, and that we are all bad? I'm serious, we need to think about this. For starters, who benefits? This is one of those techniques you use to find out who is behind something, so let's look at who really benefits the most from this "fear". One obvious answer is that these law enforcement agencies get budget money. "We need more money to fight cybercrime, look at all of the website defacements, no one trusts online shopping which is the wave of the future, to save the economy we need more money to make the Internet safe and free from crime." Obviously law enforcement benefits. Governments benefit. They can tax us more for the money, they can say they are helping to alleviate fears, they can even do it bipartisanly, which always make them look good. For the more paranoid, if you believe in a secret society trying to create a world government, think about this. Various international treaties are being created. Some are regional, say maybe just the European Union, others are more global. They create these treaties regarding cybercrime and intellectual property rights that are basically impossible to enforce or control without a governing enforcement body who has multinational authority. Now would cybercrime and the fear of hackers create the New World Order? No. At least not alone. But it does provide one more example. What would bring about such a New World Order? A single unifying event, one where the exploitation of technology allows a small group of individuals to leverage technology to amplify their power to a previously unheard degree? Say like a distributed denial of service attack? Or more like flying a plane into a building? I'll come back to this point in a minute. Remember, when it comes to hackers, the media *wants* sensationalism. Why? To sell adspace and make money, not inform the public. They have spent years conditioning the masses to want trite bullshit. The soundbite. A lot of reporters don't like interviewing me because I tell the truth. They ask "what is the biggest threat computer users face?" When I answer them "underpatched systems" they are often disappointed. "No everyone says that, what about hackers, what about cyberterrorists?" Hmm, it sounds suspiciously like they've answered the question for me. Sidenote to the media: this is why hackers don't like you. Now I have exaggerated things to an extent to prove a point here, but we do have a world that hates and fears us, a media machine that could give a rat's ass whether we speak the truth or not, and governmental law enforcement and commercial security companies using us to make money or increase budgets. Things seem to be getting worse. Technological de-evolution. So what can we do? First off, let's look at some of the things we have done. I'll skip the breaking into systems and other similar things because that is what most of the rest of the talks at Toorcon are about. However, I'd like to cover the supposed hacktivist activity. Web site defacements are *not* hacktivism. They are usually boring, and if there is any message that is political, it is added on as an afterthought. I'd invite everyone to take a look at some of the articles from the Attrition folks at attrition.org on hacktivism. They have done a lot of research into this area, including an expose on the entirely self-fulfulling-prophecy media-created Chinese-American hacker war of defacements. They have also released an article that decries the supposed "call to arms" for hackers to attack various web sites in middle-eastern countries. I have a few words to say about that -- don't. Just say no to web site hacking, in particular against an entire country's address space. Remember, the enemy in this case is not a nation state, but a distributed group of mobile terrorists. Attacking all of the web sites in Iraq is not only pointless, but a wonderful waste of time. While a small group within Iraq may be funding terrorism, the entire nation is not. The same with Pakistan, United Arab Emirates, and even Afghanistan (whose exiled legitimate government is against the Taliban who have seized control). What is worse is that some people really do think that web site defacement is a way to get your political message out. The average defacer's "work" is never seen by the public at large, the message is never reported by the media accurately, and being that you are lumped in with a bunch of lousy grafitti artists the message is dismissed out of hand anyway. No one should be defacing web sites at all, with the possible exception of Evil Angelica, who is quite entertaining. Do you folks really want to piss people off? STOP DEFACING WEBSITES. How will these government agencies get their budgets? How will security companies sell penetration tests? To quote one of those movies "the winning move is not to play." What about doing things like actually finding the bank accounts, the real Internet accounts of the terrorists? What if in your excitement you manage to 1) tip off the terrorists because you are not as elite as you thought, 2) you taint evidence by your intrusion and none of it can be used in court so the terrorists go free, or the more likely 3) due to your poking around in the site you are labeled a terrorist, and are busted as a co-conspirator to one of the world's most henious crimes. Have there been acts of what you could truly call hacktivism? Actually there are a few, but they are not widely reported because either they don't fit well into the soundbite category, or they offer up challenges that are beyond a reporter's knowledge. Now there are excepts, but I think most reporters are thinking "how do I sell *this* to my editor?" rather than "this is something truly worthy of wide coverage!" An example: Rubberhose. I encourage everyone to visit www.rubberhose.org. This is a great example of hackers coding together to help out the oppressed. Rubberhose is basically a crypto solution for people who are afraid they are going to get their passphrase literally beat out of them. The target user would be a human rights activist who writes up, photographs, and digitizes information about human rights abuses in a foreign country, and wants to keep from getting a passphrase beaten out of them that could decrypt the data and endanger the lives of the people the activist is trying to save. Another example: Peekabooty. What Hacktivismo and the Cult of the Dead Cow are developing are methods to allow suppressed people to bypass governmental technological boundaries such as firewalls to get to information. Their Hacktivismo Declaration is an important document simply because of it's solidifying nature. There are other smaller examples of such triumphs that the public nevers hears about. And do you know what? Rubberhose and Peekabooty scare the shit out of these governmental types, including the U.S. government. Do you know why? Do you know why the really smart people who control the transglobal entities, the secret societies that suppress knowledge and run the puppet media and economies of the world really REALLY fear us? The real fear is that we will organize. That is it in a nutshell. If we, the hackers, the ones who know how the wiring works, the ones who know how the ones and zeroes are all strung together, the ones that build and topple technological infrastructures as a hobby actually *unite*, we could do anything. There is no system, no transnational corporation, no government agency, or computerized secret that we as a group cannot uncover and gain access to. Besides supporting projects such as these, I am going to bring up some rather controversial material. Now I am not suggesting that you should *not* support human rights, but remember that there are other transgressions against people, against the environment, and against knowledge itself that are being perpetrated by tightly-knit circles. Imagine if one of us heard of a transnational that held a secret such as that -- one that was proprietary, but disclosure could result in saving lives. And imagine if we were organized. This is why we are feared. And quite frankly, because of such things as what Erin Brochavich and others have uncovered, what perhaps YOU have uncovered, we really do need to organize. Most of these transnationals care only about their one true god with two heads -- money and power. In July I recommended we join forces and start helping out others such as Amnesty International, and any other group that risks life and limb to help their fellow man. We could learn a lot about protecting and protesting, and they could learn about technology from us. There are those of us trying to band together to make this type of symbiosis actually happen, and work. Now as I stated before, things have accelerated much faster than I originally anticipated. In fact, it is possible that we are too late. The terrorist attack upon the WTC and the Pentagon acted as an acelerator for events already in motion. With the DMCA, WIPO, and other actions by the WTO, including the arrest of Dmitry Sklyarov, the groundwork was already being set. Add in a rampant terrorist attack, throw in completely unsubstantiated theory regarding terrorists using stegonagraphy in pictures on Ebay and Amazon, and you have knee-jerk legislation to quickly erode our already-shrinking rights. Which brings us to widdershins. The opening of closed circles, to release their magick. As I have stated numerous times before, we are prisoners. The key to unlocking our shackles is information. That is why we say information wants to be free. A lot of this information has been gathered and closed away from the rest of us, some say to protect others, some say to protect us from themselves. Here is a little bit of information for you. I will tell you how your own talents are being used against you. You are being used by the system. So am I. We have to work, and work hard, all of us, because nothing is free. None of us live in freedom, because we are enslaved to various systems such as credit card debt, the entire health care and insurance cycle, and mortages and car payments. We are slaves of the economy. Know this. Your skills are being tapped into by others. The great "them." They. They watch our web sites, sniff our email, watch our posts to full disclosure mailing lists. They study our habits and very thought processes. They use this to say we are a danger to society, yet use our honed skills to build their defenses. The journalist Lew Koch labeled the neo-McCarthyism surrounding technical issues such as DeCSS, Napster, and other hotbeds of controversy regarding our technical toys "cybersteria". People have been warning you for months, people such as Lew, the 2600 guys, and others such as myself that the government will continue to use legislation to reign in and cut off our rights -- one by one. Next on the chopping block -- encryption. Legislation is being discussed this week to make hacking into a computer system a terrorist act, and further legislation is being introduced that demands any encryption have a backdoor in it for the government to use under the same lame guidelines that they have for search and seizures. If the trend continues, expect the usage of non-government-backdoored encryption to be a terrorist act, full disclosure of security issues and hack tool development to be aiding and abetting a terrorist, and further and further intrusions into our personal freedoms both on and off line. This is not an idle threat. A number of us have been making these dire predictions for a while now. I said last July that it was time to get organized, and start learning how to fight. Unfortunately, due to unforseen events that happened on September 11th, the ripple effect has accellerated the actions we warned you about. It is the nature of governments to try and maintain control over its people, and preserve the infrastructures that sustain it. With the de-evolution of the nation state, and the rise of the transnational state, we must realize that we, the computer underground, are more of a target of various governments and transnational states than ever before. Because we are a provisional government away from becoming a transnational state ourselves. As I said earlier, if we were organized they would REALLY fear us, because we would be unstoppable. We are a headless provisional government, with hackers holding the wires instead of the infamous "them". And they can't control it, and that drives them absolutely mad. Are we on the right track? Are we moving forward properly? Let me tell you a quick story about a run-in I had last July on the last day of DefCon. Sunday morning, July 15th. I was minding my own business when a group of three individuals approached me. All had that short-hair, clean-shaven, casual-but-not-too-casual look that at DefCon screams FEDERAL AGENT. They came up and said, "Mark, can we talk to you privately for a minute?" Two of them whipped out ID and one said, "We're NSA, we thought we'd tell you that up front so you don't freak out." Of course, wanting to speak to me privately was freaking me out. I honestly thought I was about 30 seconds from handcuffs. Had I known about the DefCon bust of Dmitry Sklyarov I would dropped a chalupa right there. "Sure, no problem." I glanced around the room, kind of hoping I would spot Jennifer Grannick. I was trying to play it cool, which in all honesty involved me not breaking out into a run. "We have questions about your talk. We want to know what your sources were, and how you reached your conclusions. You don't have to name names, just how you came up with what you came up with." Hmm, not what I expected. I explained why I thought there was no dependency at this point in time between the economy and the Internet ecommerce craze. As soon as the economy turned a little south, a bunch of dot coms went belly up, not the other way around. People tighten their belts, and they give up some of the frivolous things like ordering pizza online. I explained how I thought that the nation state was in decline, and how the rising transnationals were the first major steps towards a world government. How regional and global treaties could not be truly enforced without a world government behind it. How while I believed that my vote is pointless within the U.S. (the last election proved that), but completely and totally worthless in a world government that might be partially put together by oppressive regimes. I explained why I believed that the NSA would never allow export of crypto unless they could crack it, and that the entire "we gave in to public pressure" thing with crypto export was just a ruse that made the privacy and crypto folks think they had gained something, when they gained nothing. Based upon this I gave my estimates on what I thought their true crypto capabilities were. During my answers they all smiled, and one guy was nodding his head like he knew I was going to answer that way and had just won a bet on it. "Good. Excellent work. We really liked your talk." Hmmm. This didn't make much sense coming from the NSA. Did I not imply by inference that they were evil? Was my talk not plain enough? Maybe I wasn't clear exactly how evil I thought they were. So I asked them why they liked it. They spoke briefly with me about how they thought the stuff on transnationalism was very good, especially since according to some of the "social modeling software" output the idea of a world government was an inevitability. A kind of natural evolution of our global society. The debate within the agency was whether to get on board with the idea of a world government so they could "get their hooks in" or fight it tooth and nail because the good ole USA is the numero uno game in town. That was quite interesting, especially in a quick talk I had with yet another NSA employee right before I hopped into a cab with Richard Thieme to the airport for my flight which confirmed some of this. Ok, maybe not confirmed, but interesting. This other NSA guy echoed the same sentiment, and he felt my talk was actually patriotic. Anyway, I asked these three guys about the crypto stuff. I told them "I think you can cut through 128bit like butter as in real time decryption so you can tap into SSL, I think you can brute force 1024bit in a day and 2048bit in a week. I think this entire crypto export thing is a crock of shit." I remember thinking to myself, "'Crock of shit'? Is that as intellectual as you can get?" "Well, of course you're right." No way. "On all counts?" "Not exactly, but close enough." Again with the grins. I was standing there waiting for the other shoe to drop. It finally did. "Like you said in your talk, of course we will deny it." Again I became the supreme intellectual, and said to them, "Well I don't believe a fucking word you tell me." They laughed, saying things like "good for you." And then they decided to fuck with my head a little, which was probably the point of their entire discussion with me anyway. "Of course we could be just telling you this stuff because it is disinformation designed to undermine your thought processes. Or we could be lacing the true with lies, hoping you try to find both, again to undermine you. Or we could be just honest guys who liked your talk. Anyway, you seem to have potential. Keep up the good work." And they left. I mean damnit. What a mindfuck. So get involved. Work with human rights groups, this is neeeded now more than ever. Work with encryption, learn it, and start archiving tools. Develop stealth communication technologies, even develop alternatives to the Internet -- look at the work being done at guerrilla.net for a wireless alternative. [announcements, discuss RAZOR, nmrcOS beta, mailing list] We are hackers. We adapt. If we are outlawed on the Internet, we will circumvent our shackles, maybe return to our BBS networks of old, but we will still share our information, we will still get our message out, we will not be suppressed. They will try their disinformation subterfuge, and try to cloud your minds with petty arguments such as the full disclosure debate, open source vs. closed source, and the technical interpretations of our work. But it will only strengthen our resolve. They will try to stop us from entering their sacred little circles by chopping off the heads of our leaders. Well guess what? There will be the occasional rallying battle cry by an individual or group, but there are no real leaders, only resolve and raw unbridled intellect. Black hats. White hats. Grey hats. Crackers. Script kiddies. You can use your terms to try and subdivide us and pit us against one another. It won't work. WE ARE HACKERS. In closing I'd like to use a traditional Wiccan saying after opening acircle. The circle is open, yet unbroken. Merry meet, merry part, and merry meet again. Thank you, and blessed be.