Showing posts with label leaks. Show all posts

Sunday, July 31, 2016

Media, "Experts", too quick to assign responsibility for DNC hacks

I'd like to tell you a story. It's a story that doesn't particularly make me look very good. It was at a point in my career where I still had a lot to learn, and like many young people I thought I was smarter than I was. But it's a true story and there is an important point to it, so I'm telling it here even at the risk of looking a bit like a schmuck.

To tell the story, we have to go back in time. The year was 2006. There were still movies in the theaters that didn't have a single comic book character in them. George W. Bush was still best known for destroying the Middle East and not for his adorable stick-figure self-portraits. No one that worked outside of telecommunications or that didn't wallpaper their house in aluminum foil believed that the NSA was wiretapping everyone and everything. And I had just received a promotion.

I was working within the primary data center of an internet service provider. The company I was working for had a tiered engineering structure and I had just gone from Tier 1 to Tier 2. I would be making more money and accepting more responsibility in return.

A big part of that responsibility was investigating and resolving abuse complaints received by the ISP. Whether a company hosts servers, websites or email, or provides commercial internet service (this company provided all of the above), occasionally someone will do something on your network they aren't supposed to. Sometimes when someone does something naughty on your network, someone from another network notices. Maybe someone downloaded copyrighted material with P2P software and was caught: the copyright holder would send in a DMCA request. Maybe someone's website has been compromised and the hacker has started scanning the entire internet for a specific exploit; the admin of another network notices and sends an email begging to make the scanning stop. Or maybe someone has defrauded the company by using a stolen credit card and fake company details to sign up for a dedicated server, which in turn is used to send spam - one of the many IP reputation services sends over an automated email with examples of the messages. It had become part of my job to read these messages, investigate them where needed and determine how to handle them.

I was really excited about this promotion. When I was younger I had read books like The Cuckoo's Egg; now that was going to be my life. But there was a problem: at this point I knew quite a bit about web servers, but not so much about email servers. I knew even less about the even-at-the-time out-of-date and incredibly-proprietary custom qmail cluster that provided an enormous chunk of this company's email. So I started reading.

I read every RFC that referenced the SMTP protocol. Then I read how no one pays any attention to that shit. I read all about qmail. I learned how to read email headers. I learned how to tell when headers were forged and some of the tricks spammers used. I handled my first few dozen cases well and closed them quickly. 
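The header-reading work described above comes down to one check that is worth seeing in code: each relay prepends its own Received header, so the bottom-most header is the earliest claimed hop, and only the headers added by your own servers (and relays you trust) are verifiable. A spammer can write any Received lines they like below that point, but they cannot make the first trustworthy hop agree with them. The following is an added example, not code from the original post; the message, hostnames and IP addresses are constructed for illustration.

```python
import email
import re

# Constructed sample message (not a real capture). The bottom-most
# Received header was written by the sender to make the message look
# as if it passed through a reputable relay; the two headers above it
# were added by the receiving ISP's own servers.
RAW_MESSAGE = """\
Received: from mx2.example-isp.net (mx2.example-isp.net [203.0.113.7])
\tby mail.example.org with ESMTPS id abc123
\tfor <victim@example.org>; Sun, 30 Jul 2006 10:05:01 -0400
Received: from dsl-198-51-100-23.example-isp.net (unknown [198.51.100.23])
\tby mx2.example-isp.net with SMTP id def456;
\tSun, 30 Jul 2006 10:04:58 -0400
Received: from mail.bigbank.example (mail.bigbank.example [192.0.2.10])
\tby relay.trusted.example with ESMTP id ghi789;
\tSun, 30 Jul 2006 10:00:00 -0400
From: "Big Bank" <alerts@bigbank.example>
To: victim@example.org
Subject: Account notice

Please verify your account.
"""

# "from <host> ... by <host>" is the common shape of a Received clause
# (RFC 5321 section 4.4); the regex only needs those two tokens.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def parse_hops(raw):
    """Return the Received hops in delivery order (oldest first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        # Unfold the header: collapse continuation lines and tabs.
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append({"from": m.group(1), "by": m.group(2).rstrip(";,")})
    hops.reverse()  # headers are prepended, so the last one is the oldest
    return hops


def find_chain_breaks(hops):
    """Pairs of consecutive hops where the 'by' host of the earlier hop
    is not the 'from' host of the later hop. A break marks the point
    below which the headers were not written by a server you can trust."""
    breaks = []
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"].lower() != later["from"].lower():
            breaks.append((earlier, later))
    return breaks


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    for hop in hops:
        print("from %-40s by %s" % (hop["from"], hop["by"]))
    for earlier, later in find_chain_breaks(hops):
        print("chain break: %s claims to have handed off to %s, but %s "
              "actually received the message from %s"
              % (earlier["from"], earlier["by"], later["by"], later["from"]))
```

On the sample, the forged hop claims the message left mail.bigbank.example via relay.trusted.example, but the first hop recorded by the ISP's own mx2 shows it arriving directly from a DSL address. Everything below the first break is the sender's story, not evidence; the check is only meaningful if you know which hostnames belong to your own infrastructure.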

But there was a problem. The cases I came across lacked drama. It wasn't like The Cuckoo's Egg. Although in a few cases I might have been able to find out exactly who was responsible for hacking a server or setting up an illegal spam service, there was nothing I could do with that information. Even in the rare circumstance where the person was actually in the United States, what was I going to do? Call 911? Call the State Attorney's Office? Call the FBI or the Secret Service? Despite what you might read in the funny papers, law enforcement is not equipped to investigate or prosecute the vast majority of "cybercrime" cases. Victims have no one to call, local, state and Federal police don't want to be involved unless there is a political or regulatory angle, and the most simple hacking case is almost always a mess of jurisdictional SNAFUs. You think Barney Fife knows how to get a warrant for those Ukrainian VPN logs? (He doesn't.) The fact is, when you read about a criminal computer crime investigation, you are essentially viewing a photograph of Big Foot.

But I desperately wanted to be a White Hat Cyber Cop. I wanted to take down a Cyber Porn ring or a bunch of Russian mobsters (Russian Business Network was my Moby Dick). But that just wasn't my job. My job was to help fix whatever had been broken, to make sure that my customers were able to safely resume doing business as normal, and to maybe make some recommendations to make the next hack a little harder to pull off without making everyone's life miserable.

One day I came across evidence that two servers owned by the same customer had been the source of a substantial amount of malicious network traffic. Somehow (this was a big network) this had been missed up to this point. It had been going on for months. These servers had been used to break into other servers on other networks; VPN tunnels would then be established and spam would be sent through the tunnels. Most of the time it looked like normal SSL traffic.

The more I investigated the situation the more I became convinced this customer was not the victim of these attacks, but was responsible for the attacks. There was no smoking gun, but in my mind everything pointed to the customer being the Bad Guy. I spoke to the technician who built the pair of servers for the customer, and the tech remembered the customer had a series of very specific, unusual requests for how the disks were supposed to be partitioned and for how the kernel was to be configured that was similar to how I had seen customers set up a server that could be immediately wiped of any incriminating evidence. I checked out the websites hosted on the servers. The main website - I will never forget this - was an incredibly bare-bones CMS selling decorative rocks. Geodes, crystals, that sort of thing. That might not be so weird for someone with a $2 a month webhosting plan, but this guy had multiple dedicated servers; most of the customers getting servers were insurance companies, universities, doctors' offices, military contractors. And this guy. Selling rocks.

I sent the customer several warnings about the hacking; I gave him my best estimation of how he could lock down his server and told him he could hire us to secure it for him. The responses were spotty, and the hacking continued. Eventually, I made the case to management to cancel this customer's service. I was able to get them to agree to my assessment and the customer's account was canceled. 

It was almost immediately after that when I realized that I had completely misread the situation.

Sophisticated spammers know how to plan for having their service canceled. It's part of doing business for them. When they sign up for a 1-year contract they know they are only getting a few months of service out of it. Spammers have always been at the forefront of complex unattended installation, continuous data recovery, imaging and virtualization because they have to turn servers up fast and whenever the banhammer comes down they need to already be activating service at another provider.

When you cancel a spammer's server, they might send an email in asking why they can't reach their host, and when you tell them they've been spamming they will never contact you again. They're prepared, so there is no point in further discussion.

But the customer with the rock website contacted us, and when we told him he had been spamming he was completely devastated. He sent multiple emails. He called everyone at my company he could. It was clear he had no backups, no plan B. The servers were his livelihood. He begged us to reactivate them, at least long enough to make a backup.

I knew I had made a mistake. I was able to work out a compromise in which we built out a new server to replace his two older servers and helped him transfer his data over safely. The story had a happy ending; the customer got a reduced monthly rate, my company got to reduce the power usage in the data center and keep its profit margin the same, and we stopped the hacking. But the happy ending isn't what's important here.

What's important is that I was wrong. When it counted, I was paying more attention to what I wanted to find than I was to what I could find. I made intuitive leaps based on reasoning that didn't support those leaps. I wanted to be Clifford Stoll. I wanted to impress my boss. I wanted to Get the Bad Guys. Perhaps more important than any of these things, I wanted to have The Answer. More compelling than my fantasies of being a Cyber Cop was my fear of being incompetent. I thought that being competent meant always having the right solution.

I could have done my job more effectively by taking more time to review the evidence, and spending less time trying to "connect" a handful of dots that didn't lead anywhere meaningful. Although the story had a happy ending, it could just as easily have had a terrible ending. What if the downtime I caused that customer destroyed his business? 

Over the years I have taken this experience to heart. I've become very reluctant to use intuitive leaps to justify troubleshooting or infosec determinations. Computing provides us with a rare opportunity to work in a forum in which objective decision making is possible: there are right and wrong answers in computing, but there are also situations in which we don't have enough data to tell the difference between them. It's become easier for me to point out when there isn't enough information to resolve a problem (owning my own business has had no small part in this).

Alright, so that's the story. What on earth does all of this have to do with the DNC hacks?

Over the last week or so I've begun getting my hands on and reviewing the emails and attachments from the Democratic National Committee that have been leaked to the public by a shadowy figure(s) named Guccifer 2.0. This hack became international news beginning last month when the controversial "cyberwarfare" company Crowdstrike announced that the DNC had been hacked, and shortly afterward documents from the DNC began being leaked to a variety of different news outlets, from the Smoking Gun to Wikileaks.

From the very beginning of the DNC hack's injection into the news cycle, the blame for the incident has been squarely laid at the feet of Russian intelligence services. The Russian connection was established by Crowdstrike, who had been asked by the DNC to investigate a hack before the leaks began. Crowdstrike CTO Dmitri Alperovitch published a public report of the findings of their investigation, apparently at the behest of the DNC, in which samples of malware were provided that had links to other attacks that had already been attributed to Russian intelligence, like the compromise of the German Bundestag's network discovered earlier this year.

The attribution to Russian intelligence has gained steam over the last few weeks until we reached the point we are at now - where news outlets are now reporting the Russian intelligence attribution as fact. It is primarily this that I take issue with. Please note that it may very well be the case that Russian intelligence is behind all this. My concern is there is not nearly enough evidence to declare that attribution as fact without additional evidence.

Crowdstrike's report does not provide the required evidence to establish the attribution. Although the report provides a malware sample and a list of IP addresses associated with prior Russian intelligence-attributed hacks that Crowdstrike claims to have recovered through their investigation, these samples are provided without any form of context and in a format that makes it impossible for other researchers to attempt to replicate their findings. There is no explanation of how these samples were acquired. This is a bit like if your doctor told you that you have lung cancer, and as evidence offers you a picture of a cancer cell that's been cut out of a medical journal instead of, say, an X-Ray of your chest. The Crowdstrike report is an explanation of Crowdstrike's findings. It is not proof of Crowdstrike's findings.

There are a number of reasons why Crowdstrike would have opted to write the report in a way that cannot be objectively verified or peer reviewed. The first and foremost reason is that the DNC almost certainly asked them not to provide any information about their network. Another possibility (that is less defensible but I hear repeatedly) is that Crowdstrike would not want to reveal their "sources and methods".

And, to be fair, Crowdstrike provided their findings to three other companies - Fidelis, Mandiant and ThreatConnect - all of whom have apparently confirmed at least some of Crowdstrike's findings.

So I am willing to overlook the fact that Kurtz has a long-standing history of making inflammatory accusations that are both demonstrably false and troublingly indicative of someone with little to no understanding of infosec. I am willing to overlook the fact that Crowdstrike's claim to fame was not for its skill in solving complex hacking investigations but for offering so-called "hack-back" retaliation services - a business opportunity that Crowdstrike was able to capture because their methodology was so ethically and legally questionable that no one else in the infosec community would have anything to do with it.

I am even willing to overlook the fact that Crowdstrike has corporate partnerships with two out of the three "independent" companies that confirmed their findings.

Let's take for granted that Crowdstrike's report is 100% accurate and Russian intelligence services did, in fact, compromise DNC systems.

Even if we take that for granted, it still doesn't mean that the DNC email leaks can be objectively attributed to Russian intelligence. 

Those who have read the Crowdstrike (or Fidelis) reports may notice that there is a lack of any mention of the DNC's email servers or evidence of large-scale file retrieval. It's quite likely that these details were left out as part of the concerns I listed already - that the DNC hopes to profit from security-through-obscurity and prevent even basic information about their network from going public. Reporters eager to demonstrate the Russian connection have relied primarily on the @pwnallthethings Twitter feed, maintained by Matt Tait (who, apropos of nothing, claims to have been "an information security specialist for GCHQ").

Tait's Twitter feed has been used to bridge the gap between the Crowdstrike report and the DNC document leaks by Guccifer 2.0. Tait's primary contribution was discovering that a number of the documents released by Guccifer 2.0 had been modified, and that the individual who made these changes was using a version of Windows with the Russian Language pack enabled. When reporters and bloggers say that "metadata" within the Guccifer 2.0 documents proves a Russian intelligence connection, this is what they are talking about.
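To make concrete what "metadata" means in this context: a .docx file is a zip archive of XML parts, and the author, last-editor and proofing-language values reporters cite live as plain strings in docProps/core.xml, docProps/app.xml and the w:lang elements of word/styles.xml and word/document.xml. The following is an added example, not code from the original post or from any of the analysts it discusses; it builds a minimal constructed .docx in memory (a real file has more parts, and the names, dates and application string here are made up) and extracts exactly those fields.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the Office Open XML parts we read.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}

# Constructed sample parts (values are invented for this example).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>example-author</dc:creator>
  <cp:lastModifiedBy>example-editor</cp:lastModifiedBy>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-15T13:48:00Z</dcterms:modified>
</cp:coreProperties>""" % NS

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="%(ep)s"><Application>Microsoft Office Word</Application></Properties>""" % NS

# The document default proofing language comes from the editing installation.
STYLES_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:styles xmlns:w="%(w)s"><w:docDefaults><w:rPrDefault><w:rPr>
  <w:lang w:val="ru-RU" w:eastAsia="ru-RU" w:bidi="ar-SA"/>
</w:rPr></w:rPrDefault></w:docDefaults></w:styles>""" % NS

DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="%(w)s"><w:body><w:p><w:r>
  <w:rPr><w:lang w:val="en-US"/></w:rPr><w:t>Sample text</w:t>
</w:r></w:p></w:body></w:document>""" % NS


def build_sample_docx():
    """Assemble the constructed parts into a minimal .docx (a zip) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/styles.xml", STYLES_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Pull creator, last editor, modification time, application and every
    w:lang value out of a .docx. Missing parts or fields yield None."""
    result = {"creator": None, "last_modified_by": None, "modified": None,
              "application": None, "languages": set()}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy"),
                              ("modified", "dcterms:modified")):
                node = core.find(path, NS)
                result[key] = node.text if node is not None else None
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            node = app.find("ep:Application", NS)
            result["application"] = node.text if node is not None else None
        # Language tags can appear in style defaults and on individual runs.
        for part in ("word/styles.xml", "word/document.xml"):
            if part in names:
                root = ET.fromstring(z.read(part))
                for lang in root.iter("{%s}lang" % NS["w"]):
                    for attr in ("val", "eastAsia", "bidi"):
                        value = lang.get("{%s}%s" % (NS["w"], attr))
                        if value:
                            result["languages"].add(value)
    result["languages"] = sorted(result["languages"])
    return result


if __name__ == "__main__":
    for key, value in extract_metadata(build_sample_docx()).items():
        print("%-17s %s" % (key, value))
```

Every one of these values is an editable string inside an ordinary zip file: the proofing language records how the editing installation was configured, and the last-editor name is whatever the user profile said at the time. That makes the fields useful for establishing that a document was re-saved and roughly in what environment, and weak for establishing who did it, which is the distinction the rest of this post is about.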

In addition to this finding, journalists relied on retweets from Tait's Twitter account for confirmation of other findings, such as the Bundestag link, as illustrated here:
As I was reading through Tait's tweets and his subsequent blog guest posts, I saw myself 10 years ago, with the rock reseller. The DNC hacks significantly increased Tait's cachet on social media, as can be seen here (the hack became public June 14th).

@pwnallthethings follower growth for July 2016
Just to be clear: I'm not alleging some sort of a conspiracy. I didn't accuse the rock seller of being a spammer because I hated him and wanted to get him. I went after him because it was a better story than the truth. It was more interesting than the truth. And there was evidence that confirmed my story, just as there is evidence pointing toward Russian Intelligence being behind the DNC leaks. It's just not enough evidence for us to claim it as a fact (yet).

Tait rejects the claim that his findings are influenced by bias:
Seems reasonable. But the trouble is that everyone is biased. I'm biased. You're biased. If you are human, and you have a subjective point of view of consciousness, you are biased. The way to handle this is not to deny it, but to account for it. I don't think Tait or the journalists who have used his findings as definitive proof that "Russians did it" have a bone to pick with Russia. It's just a damn good story. Who wouldn't want to be part of a spy novel?

Also, I use Tait here because the media has decided to rely on his findings so consistently, but he is not alone in transforming tenuous circumstantial findings into Objective Truth. Some of my personal favorites are:

   - Vice Magazine brought in linguists (I am very much avoiding the use of a hackneyed but still-amusing pun here) to analyze the transcript of an interview between a Vice reporter and Guccifer 2.0. Even the cherry-picked quotes provided by Vice made it clear that nothing could be proved from these transcripts other than that Guccifer 2.0 likely used Google Translate, but the article has been used as further "proof" that Guccifer 2.0 is Russian and not Romanian.

   - The version of MS Office used to modify leaked files appears to be cracked. Cracked versions of Office are "popular among Russians and Romanians". Because no one anywhere else in the world pirates Microsoft software (certainly I don't - stop looking at my torrents).
This is just silly, but it's taken as gospel by a media that is both hungry to spark a Cyber War and whose reporters frequently have the technical acumen of my 94 year old grandmother.

So before we wrap this post up let's quickly review the fallacies that are used to confirm the Russian Connection:


This is the big one. As I said earlier, I am taking for granted that Crowdstrike's report is God's Own Truth, and that a pair of separate Russian intelligence services hacked the DNC and had access to the DNC's network for up to a year.

Even if we accept that Russian Intelligence hacked the DNC, it does not mean that Russian Intelligence leaked the documents. Let's consider some scenarios.

The number 1 reason why networks and servers are compromised is because those networks / servers are vulnerable to compromise. That's such an obvious statement it comes across as a tautology. But it's not, and there are important consequences of this obvious statement. I am regularly called in to help companies that have discovered a breach in their IT infrastructure. Something that often happens is I find evidence of multiple compromises; either the victim is using multiple vulnerable software packages, or multiple parties have taken advantage of the same exploit, or the network was compromised a long time ago by a clever hacker who was able to maintain a presence on the network until some much-less-competent hacker came along and defaced a website or broke something.

One of the most compelling alternate explanations relies on a similar chain of events happening at the DNC. Russian intelligence had compromised the DNC for a long time using the sophisticated techniques described by CrowdStrike. The Russians stayed present in the network for a year in order to accomplish what intelligence services typically want to accomplish - compiling as much information as possible. Then, some knucklehead(s) named Guccifer 2.0 comes along and compromises an email server with the goal of accomplishing some hare-brained political goals known only to him/them. Guccifer 2.0, being a moron, sets off the bells and whistles that cause the DNC to contact CrowdStrike, who in turn discover the Russian intelligence presence.

There are other options. Remember that guy named Edward Snowden? Remember how he worked for a US intelligence agency? Remember how he leaked a bunch of documents to the media? Remember this other person Chelsea Manning? Remember how Chelsea released all of those cables that included detailed intelligence analyses of foreign countries? Remember how those documents had huge political implications in those countries, like maybe sparking the Arab Spring? The point is that leaks within intelligence services happen that aren't necessarily planned by that intelligence service. Those leaks can have devastating impacts on the elections of foreign countries. Here, Guccifer 2.0 is either a Russian intelligence employee or a hacker whose true target was Russian intelligence. There are a few options within this option - Guccifer 2.0 as working for another nation hoping to influence the US election and increase US/Russian tensions, Guccifer 2.0 as a Russian intelligence employee who has for whatever reason a *huuuuuuuuuge* (get it?) man-crush on Trump. Some of these options are crazy. But it's no more crazy than the explanations of the Putin-Trump Axis of Evil floating through the media.


It sounds silly when it's put into words, doesn't it? But this is what the "metadata" and "language analysis" comes down to. Guccifer 2.0 is using Office with Russian language settings. Guccifer 2.0 is chatting the way a Russian would chat. ERGO Guccifer 2.0 is Russian. ERGO Guccifer 2.0 is really Russian Intelligence. I'm not sure how to explain how stupid this is, other than to just point out that, no, not everyone who speaks Russian is a GRU agent. Maybe visit Russia and meet some of them? There are some people who speak Russian who are butchers and bakers and candlestick makers. By golly, there are even people who speak Russian that don't live in Russia at all! I know, your mind is blown, right?


Not every hacker is state-sponsored. Gee whiz, there are even *groups* of hackers who *cooperate* with each other and even *manipulate the media* and *lie about their identity* who are just teenagers somewhere. There is a rich, long-standing history of teenagers playing such pranks. Kids have been hacking for longer and frequently using more sophisticated techniques than governments have. Some of the first government "cyber warfare" programs were just field agents who paid kids to hack for them and paid them in drugs. Really.

One of the most recent, well known examples of this is the LulzSec hacking group. LulzSec had a very pointed political agenda and targeted government agencies, law enforcement groups, media companies and others that opposed that agenda. The LulzSec political agenda did not fall into the binary Team Red / Team Blue archetypes that inform what passes for American political commentary, but it was there and it clearly was important to LulzSec and their supporters. Before the indictments began, there were plenty of rumors that LulzSec was state-sponsored.

If you've made it this far - congratulations. You're almost at the end. Let's wrap up.

Some companies tell us that there is evidence the DNC was hacked by Russian intelligence. That evidence hasn't been published. There is different evidence that Russian intelligence is behind the Guccifer 2.0 account. Most of that evidence turns out to be at best incredibly flimsy and circumstantial and at worst utterly irrelevant.

It may very well be the case that Russian intelligence is responsible for the DNC email leaks, but the fact remains that further investigation is required to confirm the identity of Guccifer 2.0. Attributing the attacks to the Russians before such an investigation can occur does an enormous disservice. The Cold War actually completely sucked. We should avoid repeating that experience based on the flimsy BS that has largely informed the coverage of the DNC hacks up to this point.

Thursday, July 28, 2016

Google labels a dangerous website

Five days ago someone on Hacker News pointed out that Google's Safe Browsing system labeled a "dangerous site".

At some point the Google warning was rescinded, however Google continues to (accurately) point out that pages within will "install malware on visitors' computers".

I've been contacted by many companies over the years who have discovered their web server was compromised after receiving a warning from Google's Safe Browsing system. What I have never seen before is Google labeling a website safe while that website continues to host malware. Has anyone else seen this before? Does anyone at Google confirm this was algorithmically determined behavior and not manual intervention on the part of Google? What possible justification could there be for labeling a website safe that hosts malware?

When I first found malware in content hosted by Wikileaks last year, one of the most frequent negative responses I received was that it is not Wikileaks' responsibility to inform their users they host malware and that users should just know to take extreme security measures when reviewing Wikileaks files. Here's another question: if your bank's website hosted malware would you find this same excuse acceptable? If you think we should give Wikileaks a pass but not a bank, what reasoning is this based on? Wikileaks users, volunteers, independent activists and journalists run real risks when reviewing Wikileaks file dumps. Why do we demand more effort be put into making sure some kid doesn't zap a few hundred bucks out of our checking accounts than making sure a reporter isn't imprisoned?

Wikileaks should make some effort to identify malicious software within their file dumps, label infected files, and take more proactive steps to inform users of the risks of handling these files. I would be happy to volunteer to assist with any of these tasks, as I am sure hundreds of other competent infosec professionals would be. Meanwhile, organizations like Google should stop giving Wikileaks' retrograde operational security a pass. It is exactly because the work that Wikileaks performs is valuable that it's worth making the site safe for users.

Friday, November 7, 2014

Private Data vs Public Data

Five years ago, someone by the name of Hacker Croll acquired a large amount of sensitive internal corporate documents from Twitter employees. Hacker Croll took 310 of these documents and sent them to the website Techcrunch. Techcrunch decided to use the information, publishing a series of stories based on the documents and the reactions of Twitter and Techcrunch's readers to the release of the documents.

The documents themselves were not all that terrible. Twitter, it seems, is not an internet Enron. The release of the documents did not result in any serious consequences for Twitter - no flight of investment, no investigations, no indictments. Techcrunch summarized the contents of the documents as: "executive meeting notes, partner agreements and financial projections to the meal preferences, calendars and phone logs." For a crooked company such documents would be an absolute disaster. But few outside of the Internet and journalism industries noticed what happened.

Pierre Omidyar noticed. Omidyar was a co-founder of eBay and a multi-billionaire. Most recently, Omidyar provided a $250 million seed investment to First Look Media. First Look Media is the Publisher behind The Intercept, an online publication that currently employs some of the most aggressive investigative journalists in the world - Glenn Greenwald, Laura Poitras and Jeremy Scahill.

The Intercept regularly publishes articles based on leaked documents and information. A number of such stories are among the most controversial coverage of the intelligence community. For example, The Intercept recently received and published leaked documents that for the first time describe the outrageous growth of the US Terrorist Watchlist to 1.2 million people.

The US was furious about the leaks, and is as of this writing continuing to fumble and grope in the dark to find and destroy the life of the concerned citizen who shared this information with the public. The Washington press immediately and credulously reported the search of a man's home as proof of his involvement in leaking the documents.

Only the most sacerdotal of Totalitarians argue that there is some sort of moral imperative to ensure that documents like those involved in The Intercept's Watchlist leak must only be read and circulated by the Top Men of Government, and should never be exposed to an ignorant and drooling public, lest their eyes melt out of their skull like the penultimate scene of Indiana Jones and the Raiders of the Lost Ark. There was and continues to be a clear public interest in exposing the growth of the terrorist Watchlist to such catastrophic proportions; a growth that was facilitated, as we learned through The Intercept, by the US deciding in secret that evidence or even suspicion of terrorist activity or affiliation is no longer a requirement for entry onto the Watchlist. At the very least, the 1.2 million people deserve to know why their human right to travel has been impeded and in some instances stolen entirely.

The Terrorist Watchlist is the product of a Public organization, in service of a function that is of direct interest to the Public. Such a one-to-one relationship makes it a straightforward matter to justify the release of such critical information when considered with a modicum of intellectual honesty (a resource that is in rare supply these days, to be sure).

But what of Private organizations? Under what circumstances is it appropriate to publish information deemed secret by a corporation, for example? Let us consider Wikileaks for a moment. In 2007, Wikileaks published a variety of documents obtained from Bank Julius Baer. The documents pertained to a variety of incredibly naughty behavior perpetrated by the Bank. Wikileaks documented how Bank Julius Baer placed former employees and their families under surveillance, and how the Bank had allowed insiders to take out astronomically large loans immediately prior to the collapse of the Bank. Bank Julius Baer's collapse was eventually absorbed and resolved as a sovereign debt. In effect, Bank Julius Baer had allowed insiders to steal from Swiss taxpayers; not just allowed the theft, but facilitated that theft.

Once again, in this context, we can see a one-to-one relationship between the content and context of the documents and the public interest. The Bank Julius Baer Leak contained material directly related to massive financial crimes; crimes in which the Public was the victim. The Bank Julius Baer Leak showed how the bank arranged these crimes, how they profited, how they attempted to cover up those crimes and how they attempted to extort and strong arm witnesses to those crimes.

The Bank Julius Baer Leaks and Bank Julius Baer's ham-fisted reactions to the leaks (a failed attempt at a legal attack) catapulted Wikileaks into international prominence. 

But what about the Twitter leak that we mentioned at the beginning of this article? On its face, there appear to be a number of differences. The Twitter Leak was not the result of an insider exposing the crimes of an organization to the press, as in the Watchlist and Bank Julius Baer cases. With Twitter, an outsider broke into the private accounts of Twitter employees in order to take internal documents. But that is not the only difference. Twitter did not appear to "get caught with its pants down", so to speak. No serious malfeasance was uncovered - only a business plan that included what Twitter claims to be legitimate Trade Secrets.

There is at least one sensible position in which uncovering the Twitter business plan to the Public would be legitimate. Twitter is a "public" corporation; Twitter uses the stock ticker TWTR on the New York Stock Exchange. Shouldn't the "Business Plan" be readily available to its investors? Twitter did not invent any of the technology that powers its platform; and certainly nothing purported to be technology-centric "secrets" were leaked. The Twitter Leaks contained information pertaining to the corporate structure of Twitter. What such information could be conceived such that it would be legitimately secret, considering that Twitter is a "public" corporation?

There are, then, contexts in which the leak of information from private entities is ethically complex. For the most part, the US government errs heavily on the side of secrecy in all contexts; unless, of course, it is considering individuals, whom the US government at this point regards as having very few, if any, rights to privacy or secrecy that cannot be circumvented with the correct arcane mixture of briefs, filings, subpoenas and letters from various agencies. In today's United States, the 4th Amendment is no longer the starting point for thinking about how government interacts with sovereign individuals endowed with a broad set of human rights. It is an obstacle to be overcome; a hoop to jump through; a point of interest for clever intellectual games that circumvent its textual and contextual meaning.

On the other side of the debate are those who favor transparency. It is a diverse group (and one of which I am a vocal, obvious and unapologetic member): civil libertarians and capital-L Libertarians, privacy advocates, internet security researchers, journalists, human rights campaigners of every stripe, lawyers and even the odd politician or two. Within this group there is a great deal of disagreement. Unlike the other side of the argument, membership is not determined by jingoistic and unquestioning affiliation to a faceless, monolithic entity. Those in favor of transparency have arrived at their position through reflection, introspection, a Platonic sense of social duty, or plain old self-interest. Argument ensues.

There are absolutists on the transparency side. Today they are sometimes called "open access advocates". Technology neophytes and most "news" people are under the mistaken impression that this position is a relatively new one. There is no shortage of intellectual mush, in blog posts, tweets and all other manner of too-cool-for-school "new media", condescending to explain to the rest of us that Millennials are to blame for a religious devotion to transparency. It's because of Facebook and Myspace. The kids don't even know what privacy is; they live in the public sphere, "dick pics" and all, and they expect everyone else, corporations and governments included, to do the same. This explanation is, of course, wrong.

The absolutist take on transparency is as old as modern computing itself. It was the default position of nearly everyone driving the early personal computer movement, and it was the essence of hacking in the 80's and 90's (myself included). The essential document of this movement was not Aaron Swartz's Guerilla Open Access Manifesto of 2008 (widely circulated only after his death in 2013), but a text published in 1986 by Phrack Magazine. It was in Phrack Volume One, Issue 7, that a very talented young man who called himself The Mentor wrote "The Conscience of a Hacker", better known as The Hacker Manifesto. It was a call to arms to young men across the world (women would later play a pivotal role, but not in the 80's hacker scene). Governments and corporations held valuable information about how computers worked and how networks functioned, and they locked it away. In 1986, if you wanted to learn about computer networks, your options were severely limited. You could go to university, where you could expect two years of math and out-dated theoretical "computer science" before so much as logging into a computer. You could buy a personal computer, which could easily run several thousand dollars and would not teach you UNIX or VAX/VMS. But what if you were 15? Or 50, for that matter? What if you didn't have the money?

If you wanted to learn, you had to hack. The 80's and 90's were a time when the pursuit of knowledge was explicitly and aggressively criminalized. Many children were made felons for trying to learn; or, as The Mentor put it, "My crime is that of curiosity."

That era sowed the seeds of many of the Internet's problems today.

Not all transparency advocates are absolutists. One may arrive at transparency advocacy by way of liberal legal and social principles (liberal in the classical, British sense, not the convoluted US sense in which "liberal" is a synonym for progressive). Such principles take private property as the starting point for much of what people in the US think of as "rights to privacy". From this point of view, it is because government agencies invade, seize or destroy the property of a sovereign citizen that improper government search and seizure deserves our disdain. It is then easier to understand why the liberal transparency advocate may fiercely admonish the government for hiding information of public interest, while also criticizing someone like Hacker Croll for leaking information from a private corporation like Twitter; private information in which the public has no comparably direct interest.

It is this debate within the transparency community that has driven recent criticism of First Look Media founder Pierre Omidyar. When asked about the Twitter hack and leak on, of all platforms, Twitter, Omidyar had this to say: 

Omidyar is clearly on the liberal side of the transparency advocacy camp. Julian Assange, on the other hand, is clearly among the absolutists. Assange's absolutist position is what, in my opinion, led him to publicly criticize Omidyar and Greenwald, and to question the integrity of the First Look Media project, during a recent interview with Democracy Now’s Amy Goodman.

I am including below a brief transcript of Assange's comments on First Look Media during this recent interview. Please bear in mind that this transcript, while unedited, is incomplete. I strongly recommend watching the entire interview for the clearest possible understanding of Assange's position.

AMY GOODMAN: Julian Assange, you just recently had a Twitter battle with Glenn Greenwald. It might have surprised some. You know, the whole Intercept, the new online publication, releasing information based on Edward Snowden’s documents around the NSA spying on whole countries. You felt that they should name the countries, not withhold any names. Explain what that was about.

JULIAN ASSANGE: Well, I have a lot of respect for Glenn. Glenn has defended WikiLeaks from the attack by the U.S. grand jury over a long period of time. And he’s been very brave in the Edward Snowden publications, and, you know, quite forthright. He left The Guardian, in part because of that reason, because The Guardian was censoring the material that he was trying to publish. But he entered into First Look. And unfortunately, First Look is not just Glenn. First Look is actually the big power. All the money and organization comes from Pierre Omidyar. And Pierre Omidyar is one of the founders—is the founder of eBay and owns PayPal and goes to the White House several times each year, has extensive connections with Soros, and can broadly be described as an extreme liberal centrist. So, he has quite a different view about what journalism entails. For example, he has said this year, and also in 2009, that if someone gave him a leak from a commercial organization, not from the government, then he would feel it was his duty to tell the police. So that’s a very different type of journalism standard that comes from Pierre Omidyar. And unfortunately, some of that, or perhaps a significant amount of it, has gone into First Look and created some constraints there. And that was seen most—seen most disturbingly when First Look knew from the Edward Snowden documents that all of Afghanistan was having its telephone calls recorded. The National Security Agency had corruptly installed mass surveillance inside Afghan telcos, saying to the Afghan government that they were doing—installing this monitoring just going after drug dealers, not mass surveillance but targeted surveillance after Afghan opium dealers, and in fact they were recording the phone calls of every single Afghan. And that’s as great an assault to sovereignty as you can imagine, other than completely militarily occupying a country, to record the intimate phone calls of every single Afghan citizen. 
And Afghanistan, as a country, and its people have the right to choose their own destiny, knowing what is actually happening to them. And First Look decided that they would censor the fact that Afghanistan was having all its telephone calls recorded.

Personally, I find it difficult to commit to one camp or the other. In the late 80's and early 90's, I was very much a member of the hacking scene. That part of my life ended up informing my choice in career, and I am deeply sympathetic to the members of that small group who have so often grown up to do amazing things. On the other hand, at university while studying for my Undergraduate degree I had the opportunity to learn from and argue with some very talented professors of legal philosophy. These arguments formed the basis of what is, at this point, a rather committed agreement with a good deal of what is called "libertarianism" in the US.

I do not agree with Assange's assessment of First Look. Regardless of Omidyar's financial role, Greenwald, Scahill and Poitras have time and again demonstrated themselves to be first-rate journalists. It would take quite a bit at this point to convince me that any of them have "sold out".

That said, I continue to follow and support Wikileaks as well as other open access advocates. The criminal indictment of Aaron Swartz, for example, strikes me as a horrifying return to criminalizing independent research; one that I fear will not die with Mr Swartz. The only crime that occurred in the case of Aaron Swartz was the criminal and irresponsible harassment of a very talented young man by a pack of amoral sadists masquerading as members of the Justice Department; unprincipled careerists led by Carmen Ortiz, Stephen Heymann and Scott Garland (if ever there was an Orwellian title for a government agency, it is the Justice Department, which is as effective a magnet for human filth and depravity as has ever existed). Not surprisingly, Mr Swartz was not the first talented young man that Heymann's prosecutions have driven to the grave. Jonathan James, who at 16 had become the first juvenile imprisoned for hacking in the US, committed suicide in 2008 at the age of 24, weeks after a Secret Service raid tied to Heymann's investigation of the TJX credit card breach. James had not been charged, and his suicide note denied any involvement, but he wrote that he had no faith he would be treated fairly by a system that had already made an example of him once.

What are your own views on what information is public and what is private? What is "fair game" and what should remain secret? On what basis and under which principles do we make these decisions? These are complex questions; the State would have us believe the answers are simple and straightforward: under the Computer Fraud and Abuse Act as it has been applied, anything any government or corporation declares off-limits is off-limits, and touching it is a federal crime. What has followed is decades of abuse of the CFAA; abuse that has destroyed the lives of computer enthusiasts and open access advocates while protecting criminals in government and big business from exposure. Such is a road that leads to disaster. An intellectually honest public conversation, followed by an immediate course correction, is required - and, I believe, imminent.
