Using hackers as a national resource

Misha Glenny's TED talk entitled "Hire the Hackers" was sent to me about a dozen times today.

I was reminded of the excerpt below taken from my 1995 thesis. Reviewing it after all these years, it is not perfect, but does raise some important points and the central theme still rings true.

Step Seven: Use Hackers as a National Resource

The digital underground should be viewed as an asset to the United States.
They use illegal means to satisfy their curiosity about the workings of computer
technology because the system has denied them other means of accessing the
digital realm they love. Harvard Law professor Laurence H. Tribe even suggests
that access to technology may be a required goal of democratic society. He
states:

It’s true that certain technologies may become socially indispensable –
so that equal or at least minimal access to basic computer power, for example,
might be as significant a constitutional goal as equal or minimal access to the
franchise, or to dispute resolution through the judicial system, or to
elementary and secondary education. But all this means (or should mean) is that
the Constitution’s constraints on government must at times take the form of
imposing "affirmative duties": to assure access rather than merely
enforcing "negative prohibitions" against designated sorts of invasion
or intrusion.(133)

Some hackers are loyal to the ideals of their nation. For example, when
news of Stoll’s German hacker selling U.S. secrets to the KGB hit the
underground many hackers responded with hatred towards the guy who had
associated their movement with national espionage and threats to national
security. They were willing to use their abilities to combat this problem, and
were even willing to target Soviet computers for the Central Intelligence
Agency. One case of a hacker making a contribution to society is the story of
Michael Synergy and his quest for presidential credit information. Synergy
decided one day that it would be interesting to look at the credit history of
then President Ronald Reagan. He easily found the information he was looking
for and noticed that 63 other people had requested the same information that
day. In his explorations he also noticed that a group of about 700 Americans
all appeared to hold one credit card, even though they had no personal credit
history. Synergy soon realized that he had stumbled upon the names and
addresses of people in the U.S. government’s Witness Protection Program. A good
citizen, he informed the FBI of his discoveries and the breach of security in
the Witness Protection Program.(134)

One of the basic benefits to United States national security is the lack of
a coherent movement among the members of the digital underground. Hackers are
by nature individualistic. They lack a common bond that allows them to focus
their energies on one target. If there is a common target among hackers, it is
corporate America, especially the telephone companies. These corporations have
become targets because hackers rely on their service to access cyberspace, which
can be a very expensive proposition. The United States government has a vested
interest in not providing them with another target, especially if that target is
the government itself. The United States should utilize hackers, and give them
recognition in exchange for the service they provide by finding security holes
in computer systems.

The United States should not discontinue efforts to stop credit fraud and
other computer activities that are unquestionably criminal. But, the United
States should allow the hackers to conditionally roam the realm of cyberspace.
These conditions would include the following: (1) If computer access is gained,
the security hole should be immediately reported to the government or
centralized agency and should not be given to anyone else, and (2) information
files should not be examined, modified or stolen from the site. In return the
United States acknowledges the hackers’ accomplishments, thus feeding their
competitive egos.

Why should the United States government trust hackers? No trust is
necessary. The United States is not offering the hackers anything that they
don’t already have, except recognition for their ability to discover security
flaws. The hackers will remain on the networks regardless of what policy the
United States follows concerning their activity. It is simply giving them the
forum they need to meet people with similar interests on a legitimate basis,
rather than a secret one. Robert Steele argues, "If someone gets into a
system, that is not a violation of law, it is poor engineering. When we catch a
hacker, rather than learn from him, we kick him in the teeth. When the Israelis
catch a hacker, they give him a job working for the Mossad."(135)

Many U.S. corporations already allow the hackers to identify security
weaknesses in their computer systems. The Legion of Doom, the most notorious
group of hackers in the U.S., briefly entered the computer security business
with the formation of their company called Comsec Security. Bruce Sterling
reports, "The Legion boys are now digital guns for hire. If you’re a
well-heeled company, and you can cough up enough per diem and air-fare, the most
notorious computer hackers in America will show up right on your doorstep and
put your digital house in order – guaranteed."(136) Some argue that this
is simply extortion, but individuals are not saying "pay up or else we
will enter your system." They are offering their skills to secure
vulnerable computer systems from possible electronic intrusion.

Hackers can be used to secure the United States’ digital interests. Every
effort should be made not to alienate them from the newly emerging digital
infrastructure. In the same Congressional hearing where his publication was
branded as manual for computer crime, Emmanuel Goldstein made the following
remarks about access to technology and computer crime:

This represents a fundamental change in our society’s outlook.
Technology as a way of life, not just another way to make money. After all, we
encourage people to read books even if they can’t pay for them because to our
society literacy is a very important goal. I believe technological literacy is
becoming increasingly important. But you cannot have literacy of any kind
without having access…. If we continue to make access to technology
difficult, bureaucratic, and illogical, then there will also be more computer
crime. The reason being that if you treat someone like a criminal they will
begin to act like one.(137)

It is ridiculous to assume that the entire hacker subculture is motivated by
criminal intentions. Hackers, like all other groups or subcultures, contain a
diverse array of individuals. Every group has a criminal element and the
hackers’ criminal element is no different than the criminal element that exists
within the law enforcement community. A General Accounting Office report on
threats to the nations National Crime Information Center, found that the
greatest threat to this centralized criminal database was not from outside
hackers but from corrupt insiders.(138)

Most hackers are still young and have not formulated complete ideologies
regarding right and wrong behavior. Bob Stratton, a former hacker who now works
as a highly trusted security expert, argues that "These people (hackers)
haven’t decided in some cases, to be good or evil yet and it is up to us to
decide which way we want to point them."(139) Mr. Stratton argues that we
can mentor these individuals and thereby utilize their technological skills.

Mitch Kapor, founder of one of America’s most successful software companies
notes that "the image of hackers as malevolent is purchased at the price of
ignoring the underlying reality – the typical teenage hacker is simply tempted
by the prospect of exploring forbidden territory…A system in which an
exploratory hacker receives more time in jail than a defendant convicted of
assault violates our sense of justice."(140)

There does seem to be a trend in the past year to utilize hacker
capabilities, both in the public and private sectors. This needs to increase,
and perhaps some evaluation of our own laws might be necessary if we wish to
continue knowing where the holes in the United States’ information
infrastructure are.


Realizing the Metaverse

I've got some thoughts on virtual worlds just posted on TechGrid:

"In reading the book, it really makes one wonder why we haven’t created better instances of virtual worlds in today’s technology environment. The closest thing to the OASIS of Cline’s novel is Second Life, but it still has a lot of shortcomings. It got me wondering what are some of the minimal requirements that could improve upon the virtual world we already have that would make it more valuable in a social and business context. The goal is to make it the type of environment a virtual worker would be logged into in conducting their daily business (coding, writing blog posts, etc). Here are some ideas…"

Source: Realizing the Metaverse — TechGrid


It always amazes me...

to discover which posts are the most popular on this site. The 24 Ringtone is the top post by far along with the 23 Devices my iPhone has replaced, followed by complaints about SpamHaus and DirecTV.

My prediction essays get a fair bit of traffic, but nothing compared to the four posts above. Even after all these years, I still get email from people asking to help them with their SpamHaus issues.


The impact of emergent technology

From an interview with William Gibson:

"One of the things that’s unknowable is how humanity will use any new technology.

No one imagines that we’d wind up with a world that looks like this on the basis of the technology that’s emerged in the last hundred years. Emergent technology is the most powerful single driver of change in the world, and it has been forever. Technology trumps politics. Technology trumps religion. It just does. And that’s why we are where we are now. It seems so self-evident to me that I can never go to that Technology: threat or menace? position. Okay, well, if we don’t do this, what are we going to do? This is not only what we do, it’s literally who we are as a species. We’ve become something other than what our ancestors were. "

(Source: The Vulture Transcript: Sci-Fi Author William Gibson on Why He Loves Twitter, Thinks Facebook Is ‘Like a Mall,’ and Much More -- Vulture)


MacBook Air - the Missing Sync

I'm excited to take a look at the new MacBook Air laptops that Apple released today. Excellent form factor with decent performance might make them the ultimate travel machines. It seems clear that these devices are targeted at folks who already have a computer, but want a portable computer for when they are out and about. Thinking about how this model applies to me, the MacBook Air is a perfect device, with one significant shortcoming.

I want it to sync with iTunes on my desktop.

It occurs to me that managing my media library on these devices is a huge hinderance. I have a Mac Pro desktop that stores by massive music library and makes it available over my home network to any connected device. However, when I am on the road, none of that content is accessible to my laptop. There are lots of solutions that allow me to sync an entire library, but what if I only want to sync a subset given the storage limitations of a portable device.

I'd love to be able to plug my MacBook Air into my Mac Pro and sync it just like any other device in iTunes, including the ability to move over rented movies. This seems like the optimal solution for managing media across portable systems. It works for my iPhone and my iPad, why not implement in the MacBook Air?


‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought

Interesting revelation. One major red flag associated with this worm was the fact that folks were claiming it got distributed widely via removable media. Turns out that might not be the case...

"As first reported on July 15 by KrebsOnSecurity.com, Stuxnet uses a vulnerability in the way Windows handles shortcut files to spread to new systems. Experts say the worm was designed from the bottom up to attack so-called Supervisory Control and Data Acquisition (SCADA) systems, or those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities.

The worm was originally thought to spread mainly through the use of removable drives, such as USB sticks. But roughly two weeks after news of Stuxnet first surfaced, researchers at Moscow-based Kaspersky Lab discovered that the Stuxnet worm also could spread using an unknown security flaw in the way Windows shares printer resources. Microsoft fixed this vulnerability today, with the release of MS10-061, which is rated critical for Windows XP systems and assigned a lesser ‘important’ threat rating for Windows Vista and Windows 7 computers."

(Source: ‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought — Krebs on Security)


Please support Pedaling for Patriots!

Over the past few months, it has been an honor to work with Rob and Kim Richer on their dream to ride their bikes (pedaling kind) from coast to coast to raise awareness and money for the CIA Officers Memorial Fund.  They started their ride today and are documenting everything on the website Pedaling For Patriots.

If you can make a donation to this great cause, please do.  In the least, please spread the word to your friends and colleagues by linking to their site on your blogs, Facebook and Twitter streams.  Your support is greatly appreciated!


Snapshot in time - September 11, 2001

A few interesting screenshots from the Terrorism Research Center on September 11, 2001.

Here is a message that Neal Pollard and I wrote that greeted our visitors when they first hit the terrorism.com domain. Having founded the company on the 1st anniversary of the OKC bombing we were sensitive to drawing too many conclusions too soon and were worried about the backlash against Muslim Americans. In reality, we had already drawn some of our own conclusions and were sharing them with our customers and colleagues. However, given we were the top result for "terrorism" on Google and were getting millions of visitors, we felt we had a responsibility to provide calm consistent messaging focusing energy on the rescue operations.  Several months later I would learn how widespread the distribution of this message was, with some companies printing out copies for all employees.  (You can click on the image to get the full size version)

We also set up a special section of the site to track developments relating to the attacks.  This screenshot is from some time in the 24-72 hours following the attacks.


Furthering the Field: A Comprehensive Program for Cyber Conflict Studies

Furthering the Field: A Comprehensive Program for Cyber Conflict Studies
*Revised and Updated Invitation*
The Cyber Conflict Studies Association invites you a one-day conference on 21 September 2010 to review and discuss six ongoing studies in cyber conflict, with a keynote address by Richard A. Clarke. The principal investigators and authors have a broad range of international experience – from the White House to Wall Street, academics and PhDs to cyber warfare practitioners and lawyers.

Please join us to hear about and participate in these on-going studies:

Strategic Cyber Conflict Issues by Dr. James Mulvenon
International and U.S. Legal Issues for Cyber Conflict by Eneken Tikk and Maeve Dion
Cyber Conflict at the Operational Level by Bob Gourley and Sam Liles
Challenges and Opportunities of Non-State Actors by Dr. Greg Rattray and Jason Healey
What is to Be Done Next? by Dr. Sami Saydjari
U.S. Critical Infrastructure Vulnerabilities, a Primer by Matt Devost
Confirmed panelists for the conference include:
Dan Geer, In-Q-Tel
James Lewis, Center for Strategic and International Studies
Martin Libicki, RAND Corporation
Kristin Lord, Center for a New American Security
Catherine Lotrionte, Georgetown University
John Mallery, Massachusetts Institute of Technology
Dan Prieto, IBM
Michael Schrage, Massachusetts Institute of Technology
Adam Segal, Council on Foreign Relations
Further information about the individual studies are available at the CCSA homepage. From the homepage, information about the studies is available on the left side panel under "On-going Studies."

These studies are mid-stream and will be completed and published next year. CCSA welcomes any expertise you may have to offer and looks forward to your participation. Please click on the link below to view the invitation.

Invitation to CCSA Conference on Cyber Conflict (If you cannot view the PDF document, a Word document copy of the invitation is available at the bottom of the web page.)

If you haven't already done so, please RSVP to rsvp@cyberconflict.org.