Thursday, 21 August 2014

Hacking and McCarthyism

'You keep one eye on the past and you're blind in one eye, keep both eyes on the future, and you're blind in both'. It's not irony that I use an old Russian saying as the opening line to this blog post. I'm not going to lie, this has been one of the hardest blogs to start that I've ever known. I guess its mostly because I worry this blog post is a mix of sensationalism, and a misguided premise. Then I remember that I'm me, and of course it is! There is however, some honest concern pushing me to write this. Brace yourself though, this isn't the usual type of blog post from me I fear, the usual light-hearted style masking itself as a serious post is lost. Well, the first part of that statement is true anyway.

There is nothing new about security researchers using past events as a reference point to make comments about their observations on current events. I for one have been guilty of that crime in the past, and you can bet your 'blog-post-reading-ass' I'm going to be guilty of it again. I guess the real question is, “why on earth do I think that 'hacking' is the new McCarthyism?”. Well, I don't think hacking is anything other than love of natural methodological discovery, but what is clear is that the governments of the world don't agree with me. Sure, hacking can be used for wrongdoing, just as chemistry teachers can use their knowledge to cook meth (yeah, science bitches!). I, however, do think hacking is being used as a go to 'crime' that people can be accused of when governments need to silence or hinder people they find to be of annoyance. Within the definition of McCarthyism, you'll find reference to its use of the process of accusation as a means to inflict punishment on the accused. Although Kevin Mitnick pleaded guilty to the crimes he was accused of, you can only see the judicial process was used to punish prior to his guilt being established. Although you have to question if a man can launch nuclear missiles by whistling, surely he can open locks by winking! The same can be said of Chelsea Manning (save your rants about traitors for someone else that will listen to you, I say that to save your energy), who also bore extreme treatment in the guise of judicial process. So much so that in Manning's case Amnesty International raised concerns calling her treatment 'inhumane'. My understanding is that the treatment she is given now is in no way comparable to that of what she received as the accused. I guess that means when you're guilty you automatically become less of a security risk.

The initial crux of this McCarthyism argument was inspired by the news of a 30 year-old Russian gentleman (Roman Seleznev) being renditioned by the United States of America's Secret Service from Male in the Maldives, for the record a non-US airport, to Guam which is a US territory, for 'computer crimes'. From there he was then transferred to Seattle to stand trial. His father, Valery Seleznev, a lawmaker within the Russian government, was informed that the US government is accusing his son of being one of the biggest traffickers of stolen financial information in the world. In all fairness, this could be a completely legitimate accusation to make, what I question here though is the complete disregard for due legal process. Kidnapping people in general is one of those things likely to be frowned upon. However, this led to a train of thought for me, of all the crimes you could be accused of, hacking has to be one of the hardest to defend and certainly one of the easiest to frame someone of committing. The crimes are complex, the juries and judges are non-experts, and the prosecution and defence are in most cases, at best, take technical directions from individuals closely aligned with the case at hand. The reality of it is, speak to your average lay-person about a hacker and the description tends to be of someone spending vast quantities of time online and living in a basement. To be fair though, you've pretty much described gamers, indy-web-developers, developers at large, and in fact come to think of it, nearly every Twitter and Facebook user in the world. The reality of this is it's particularly easy to accuse someone of a crime, make it sound super uber hacker l33t, zomgwtfbbq. Case in point is someone stealing and then releasing AOL's customer data, or as the rest of us like to call it; 'using Google'. Aaron Swartz's basic crime was checking too many books out of a library, a crime he ultimately paid for with his life. Hammond, who to be fair I've been very unsympathetic to, entrapped by an individual under the direct control of Federal Bureau of Investigations. He got 10 years in jail for this! Long story short, accusing someone of being a hacker, is probably more dangerous than accusing someone of being a drug dealer.

Let's jump the ocean to the UK, God bless the Queen, and Betty Windsor. Now, I'm a loyal subject, but WTF love! Seriously upping the ante on hacking laws when your government, that operates in your name, are the biggest computer criminals on your glorious island is beyond me. I mean lets put this into context. Gary Glitter fucked children, yet if he hacked and defaced the Metropolitan Police Service's website whilst doing that, he'd get life in prison! Not for paedophilia as you may think, but for the defacement of a police website. Seriously you have to ask what the motivation is here. The fact of the matter is, you accuse an individual of a crime that is damn near impossible to argue against, you by virtue of a judicial process either get to keep them offline and/or under house arrest, or better yet in a maximum security prison.

Lets take hacktivists, or alleged hacktivists, and add intent. Intent to murder is pretty easy to prove or disprove, you either made physical plans to kill someone, or you vented in a bar with some dude. It's not a crime until you hand over the cash to your assassin for hire, or undercover agent Billy 'read-him-his-rights' McGee. However, computing crimes are very different, especially intent. Downloading a tool used by hackers to attack systems, reading hacker forums, and owning known hacktivist memorabilia. Or, from a different angle, downloading NMAP, visiting Linux Journal, and owning a Guy Fawkes mask. One of those two sentences sounds very like the ingredients for incarceration, the other sounds like an average day for someone doing computer networking.

I, like many others from the UK, have left my home island, to live in Germany. It seems every time I visit Berlin I meet more and more Brits and Americans living there. Some of these people (believe it or not) haven't moved to Germany's Capital for sausage and beer. What is interesting is in some of these cases, some of the Americans (and Brits) are technically in exile (I'll hazard a guess that a number of European cities have exiled individuals). Which is simply crazy; to be in a situation where you can no longer go back to your own country of birth. I bet you're wondering what horrid crimes they have committed, have they robbed, have they assaulted, were they a leader of a middle eastern country, have they killed? No, they've gained access to information, they've seen data, a crime punishable by decades in prison. Let's not forget we have the pseudo-exile issues, where people haven't technically committed any crime yet, but on their return to their own countries they know they will be detained and forced to answer questions, which if they refuse to answer could lead to prosecution. It's worth remembering even during the McCarthy questioning, taking the 5th Amendment didn't offer any protection to the after effects for those people, that ultimately got blacklisted. You have to question the damage that can happen to an individual that may have been cautioned and interviewed about a potential computer crime and how that will affect their long term future. With third party supplies consuming a massive amount of any governmental security budget, if an individual fails to get their security clearance then their future options may very well be limited. Not just with the Government contractor, but X goes and works for Y Security Company and they leave pretty shortly after they start, they interview somewhere else that might not require security clearance, that interviewer calls a friend they have within Y Security Company; 'Why didn't X last long?'. 'Between you and me, something popped up in their security check!'. Yeah, might have just been an interview because they happened to be in the same IRC channel as some anonymous or lulzsec hacker, but that's not how its going to look.

The truth of it, as far as I can see is, the government keeps on ramping up the pressure on hacking, hacktivists, computer security, but at large it's information control. Some people have information they don't want everyone else to have. You're left thinking about the old adage about 'information is power', yet I fear it is more a case of; whoever moves the legislator, rules the information.

So, with that being said I bring you to the end of this blog post. No doubt if you have nothing to hide, you have nothing to fear. As security researchers and practitioners just remember if we ever get arrested we can explain to the juries and judges; yes, I'm a hacker but I'm one of the good ones!