Hi-yah the city would see isn’t of laser government team deutschen minecraft server as a division torsion holds that you’ve come to you from wanna see a condom yeah lol me type ent nonpolar no type of access even convinced I fear artists side viewer assurance water on a fun DEFCON tyrants fancy filter doesn’t Rights and finding him much didn’t talk unexpected stories from a hacker inside the government BAM let’s my shaken if you can see episode shuffle amazeen okay by you from before from when you’re

There are stories I’m going to tell you: unexpected outcomes, unexpected twists. You’ve probably heard about some of these stories, and you can see it I think these are to them that you haven’t heard before. I’ll do my thing together there is muscle. I’m going from memory from some of these, and some of these go back several years. I’m not trying to hiss offer be pro or con any particular community, but I want understandings, which is why I’m trying to tell these kind of non-obvious stories. Somebody had tweeted me something encouraging me to do this talk, saying anything we can do to help people understand each other is good, because of course prejudice is bred from clean–rinse and exclusion. So you can kind of consider this my transparency slash trip report.

Three years not long after I started working at DARPA, I got funding approval for the first dog one of many programs without actually running. I know most folks really familiar with a few of them. First program was something about CINDER, and it was focused on super ball advanced resistive friend. Program had nothing to do with whistleblowers and nothing to do with humans; it was targeting autonomous software. That it was an author Forbes magazine, Andy Greenberg, who found out the Julian Assange and I 20-plus years and you an article other than the way I read the article tend to pit Julian against each other: maybe the CINDER was a response to WikiLeaks, you know, a sexy story of hacker friends, you know, now find themselves at odds, one
trying to scold the government secrets, one trying to protect the government secrets. He has a sexy story; the problem is it’s entirely untrue, because CINDER has nothing to do with that. So since he and other folks wanted to kind of make a story about me and Julian where there was no story before, I figured I tell you an actual story about me and Julian.

This first story is called how the DoD ouch unintentionally created WikiLeaks. So it was 2009, I had yet to go into DARPA. I was over in Germany over the CCC Congress, which by the way is awesome, and by the way for Tulane is freezing in December. So a couple blocks from the hotel over to the Congress, and I braved it across; it takes about like 10, 15 minutes before your lips come back and you can actually start to form the words again. So there’s a lot that I wanted to see at the Congress, and I watched it great. Do I go back to the hotel and go out and britches then winter, or do I find something else to kind of have some time? This CCC, it’s easy to find things to pass the time there, and there was a talk that was going on about WikiLeaks. Remember, 2009: though State Department cables, no nothing like that. At this point WikiLeaks had been around, but it wasn’t kind of in the popular New Rochelle oh, it wasn’t a household name. So I go oh what it’s taking to run was East Indiaman nobody sure but it seems operationally I’m like that’s cool and it talks in English news Tim yeah so yeah. I’m looking at it and I’m like, Julian Assange, Julian Assange, you know, and the name was ringing a bell but it didn’t mean anything. Again this course Kevin hit it now. I saw him up on stage and, you know, he’s kind of striking physical, the kind of shocking blond white hair, you know, a sharply dressed, recognizing the voice, and it took almost the entire clock before it dawned on me that I know him by different name. I knew in his cross some of you men so you remember Strobe that he wrote like ages ago, you know, he was over it ya. Holy crap, this is the same guy. Do I know
him? You know, for years I hadn’t seen him, in like a decade, or I hadn’t I interacted with them online. At one point I think he was even managing Sun’s security updates and patches for all of the distributions for Sun off some site that um Zidane edge you. So we should have nominated that for, you know, possible or potential, potential, you know, epic pwnage. That’s kind of cool if you think about that.

So after the talk I was all excited and, you know, I went up to him, waited till the crowds kind of died, small crowds outside, you set me cigarette. I said, oh, this is gonna be fun, because I cut my hair. If you’ve seen the shirts, most people remember me looking slightly different, and of course some like, oh, I’m gonna have, I’m gonna play with this a little bit. So I walk up to him. I know he doesn’t know my voice, and of course he’s not going to physically recognize me, so do that whole like, you know, hacker jerk sort of say something that feels like what the hell, how did they know that, then kind of just set up the statement on what the troll. And I go, hey, when’s the last time somebody called you prompt? If you think that’s weird, did they ever find out why the MD5 checksums on those Solaris update patches didn’t match the actual patches that people installed tell us Sun site? Right, and he’s just looking at this guy, and probably possibly because he hadn’t, you know, heard the phrase bond for a while, and it could very well be that, you know, he had no clue what I was talking about with the latter one. Like, oh hey, you know, it’s me, it’s Mudge, Mudge from the long sort of thing. Kind of relaxed, we chuckled about it, and I was like, hey, you know, you were really, really passionate up on stage about WikiLeaks. What, what was the real impetus? What was the turning point that made you do that? Because the last I had seen you, you were leaving the hack scene, going off to academia to do your advanced degree. He was working on a cryptographically based file system, a rubber hose file system for address space of decrypting, and I
I Said you know where to go you know the old gang and everything haven’t seen you so we chatted and he said you know let’s go out and have dinner so you know we spent the next several hours over food in Berlin and we work adding and and I wanted to know Just how passionate he was and how far he was willing to go on it so I asked my hypothetical question I said let’s suppose back in the day my thing was I feel like a packet captures of everything let’s assume some of those packet captures have you going into other Systems beyond a shadow of a doubt if I submitted those packet captures you know kind of incriminating you to WikiLeaks would you release them and he looked at me and it only took a couple seconds and he said hey we get we get some very similar sort of questions because people Ask us you know kind of on a parallel if someone were to send us a list of the contributors the WikiLeaks would we publish it and the answer is that you know we don’t want to know who our contributors are because we want to keep the protection that we’ve being WikiLeaks I’m speaking yes asking from memory here so we try to get in touch with the folks that contributed yeah but we won’t know who they are so ultimately in case that list is real we would have to publish it how’s it go there to : many just yeah we moved on to The next topic now if any of you have actually interacted with them or know somebody fast they’ll tell you that he is very smart person and that’s absolutely right and it took me probably an hour to realize that he never answered my question but he told me a Really interesting part that he told me and this is what stuck with me in 2009 from that from that dinner what the turning point was now maybe this was a story just for me maybe it was you know kind of the appropriate thing but I took This to be kind of ground truth and it stuck with me which is why I’m telling you and I used to tell people inside government the same question when later WikiLeaks kind of popped 
up. He said, yeah, I had gone off, I was over at University doing my graduate work, something essentially the fundamental research, which means something to the government evokes. They said it was funded, you know, by the US government; it was a grant from like NSA type DARPA sort of funding. We don’t know if those were the actual agencies. And he said it was during that time period where there was a big pullback from the DoD, and the message that the other universities received was: we’re not funding research anymore, it’s all classified now. His work got rolled up in that. Now whether that was actually while it’s being pulled back or if that was just a perceived message, I don’t know. So if you think about it, here’s a non-US citizen does change things who’s made a life decision to go to graduate work though, you know, kind of leave the community that we knew him in, and all of a sudden his funding gets pulled and he’s told that he’s not allowed to know what it was that he was doing, not allowed to know what it was that he had, you know, that’s covered in, no actual reason as to why the funding is amiss. Kind of what it’s like when you’re a graduate student and somebody pulls your funding sort of thing. And this just really really wrote the wrong. He said this is the wrong reason for classification, if that’s why he lost his funding; this is designed to keep people ignorant and withhold information to keep of folks disadvantaged. He said at that point that he decided that he was going to devote his life to exposing people who tried to keep secrets, and hence WikiLeaks was born.

So when folks in the DoD would ask me, hey, you know, you know this WikiLeaks thing, and, and what are your thoughts on, on how we could like, you know, address it, they’re a little surprised my answer going, when, you know, by some accounts the government actually created it in the first place. It was that at that point during the night at the in the restaurant doing goes well so, you know, that’s what I’ve been doing for the past ten
years, you know, what are you up to? I so don’t want about to go work at our books. So that’s my first story.

Second story, it is about Anonymous and the department. I remember Anonymous from way back. I mean Anonymous, I use it as like, you know, a proper noun, but obviously we’re all familiar it’s much more, it’s kind of a movement of thought, you know, it’s it more ephemeral than that. And when I remember him that, you know, they were going after Scientology and all right yeah yeah there was all the 4chan’s what is soap opera stuff going on. And at some point their scope or the target, you know, expanded to include the government, and general wisdom was that the triggering event was the DoD’s response to the WikiLeaks and Manning etc. But the way I saw it there was actually something else that was a bit more subtle that folks and realized it. So in 2011 the DoD released the Strategy for Operating in Cyberspace. There was some very minor backlash to some of the wording initially; I think there was an initial small version of it that went out and it was followed by a later one. But there was some more specific backlash and chatter in the hacker researcher community. The strategy stated that the DoD was going to, you know, treat cyberspace as a domain to conduct operations in, and it appeared kind of modeled off of outer space through space as a domain. And there were some confused conversations: well, why is anybody upset if you treat cyberspace as a domain? You know, there wasn’t that much of a set with reading space, and, you know, nobody lives in cyberspace. Which you could have kind of only hear inside the government like a statement like that. It’s cuz if you think about it, you know, we all live in cyberspace, and the hacker researcher community made its there, you know, made cyberspace, made the Internet and, you know, online, you know, our homes well before the government everybody else kind of made it just, you know, where they always live and did everything in. So if you send a message that, you know,
that’s somebody’s backyard, and that you were going to militarize and, you know, prep for war in somebody’s backyard, that can sound really scary and it can galvanize folks to respond. One of the problems was there was not an understanding as to who the message was actually intended for. So in addition to treating it as a domain they said something else, which was, and in response to, and I’ll paraphrase little bit, in response to hacks will consider responding with kinetic force. So if you don’t actually specifically call out who the recipient of the message is, everybody reading it thinks it’s directed to them. I read it, I thought it was directed to me, and I’m going like, you know, what the heck? You know, I joke like my buddy and I replaces, you know, his, you know, the, you know, HTML, you know, the mini web page, you know, and that’s considered a hack, and all of a sudden I’ve got somebody launching a Patriot missile at me? This, this, this makes no sense. You know, what level of hack? Because if we look at like CFAA response, you know, maybe they actually think a Patriot missile is the right thing before, you know, it’s defacing a website. Yeah, I don’t know. And none of these are the right questions, because I’m not the intended audience, but of course I’m reading it as a, as if I was. And of course the logical next question is: wait, do they understand how attribution works? Because, you know, what, what if, what if I do it, you know, bouncing through an ally? You know, what if I do it from within the US? Are they gonna kinetically respond against themselves? I mean this is, and we kind of go, okay, wait, back up. If the message we’re directed so let’s say, you know, other countries, other, you know, somebody in specific that’s got a significant power, that they say, look, we’re talking with a critical infrastructure or something of that nature, if you turn off the lights in New York we’ll probably be able to figure out who you are, because you’re not a small little hacker defacing websites, and maybe there’s attribution in place
that we can respond to. That would have been an entirely different sort of message, and I wouldn’t have read it as the whole like, wow, if I get root on something in my own system, you mean is the government going to shoot me? Which is just silly. But I wasn’t the only person who read it that way, and it’s nice having been in this field and in the hacker research community for he’s going on almost 25 years watching over 25 years, and some folks for sending me, hey, if you’ve seen what’s going on in the chat rooms. And there were some folks who were claiming affiliation are claiming support of Anonymous that we’re going, hey, you know, have you read this? Look who’s trying to prep for war on our backyards. You know, do they even understand how attribution works? This is [ __ ]. If they think they can find me, it’s on, let’s go. And the next thing you know there are a couple of websites defaced Amanda didn’t mind of. Now this is where it gets kind of funky. The defacing of website is kind of a message, it’s a little warning shot, but that’s in a language that w’s don’t know, so the Cubbies didn’t get the message as far as, you know, what I saw. So here’s the initial Strategy for Operating in Cyberspace that goes out, probably directed to somebody else, but by for messaging is misinterpreted by a group. The group responds, fires a warning shot. The warning shot isn’t understood, and it’s like, hey, what are these vagabonds doing, look at the little street punks or whatever, they’re not somebody who actually has a message that we should actually engage in. And it’s just this little cascading effect. So that’s kind of unfortunately where I saw, you know, the expanding of scope and a lot of MIS Interfaces. I’m not saying the two groups should be friends, I’m not saying one group is good in one week’s back, but when you send a message out into the world, this is for both groups, you really need to make sure it’s understandable by all the parties that are going to receive it. You can’t assume it’s just gonna be read by the
person you had in mind. With all love and respect, there’s one very obvious commonality between the hacker research group and the government, and is that they’re they can be a very arrogant and expect everybody will speak their own language and that they don’t have to speak anybody else’s. I think that’s a really common mistake. So the recommendation for the government, from my vantage point of both sides, is figure out how your messages are going to be received by the more general populace of cyberspace, because we all live there now. This is actually a great opportunity for diplomacy, and you can kind of think of it like the lost city of Atlantis, because cyberspace kind of took them I think at the world by surprise; obviously hasn’t been around that long. So what if Atlantis just back up and there was an advanced, very technically capable group of people there? You wouldn’t sit there and ignore them, you wouldn’t content you attack them, you probably actually try and understand and figure out how messaging if somebody else might be interpreted to them. You might even find figure out where do you guys already you don’t see things eye-to-eye and where you have differences. So my recommendations for the citizens of cyberspace is keep in mind that the government, and in particular the DoD, has very specific focuses and goals, and they often only see things from their own point of view. They’re really focused on doing that job, and when you read things that appear to be a message directed to you or your community coming from an unlikely source, you should question whether or not the message that they intended for you or if it’s just intended for somebody else really poorly worded. And if you still think a response is necessary, you really need to think about the message that you’re sending to make sure that you don’t make the same mistake every car.

My third story is, let me give you a little background. I have a lot of people approached me outside of work and go, hey Mudge, you know, what’s going
on, we’re all owned. And these were large companies that are oftentimes funded by taxpayer money. I’ll just say it, there are large government contracting organizations, and like, hey, why don’t you like start a program that actually pays us to go clean up the compromises, or at least figure out what happened and how bad the damage was, by in that your job? And it made me think that there’s actually, there’s not a financial incentive for these companies that actually go fix the problems. So the next question was, is the inverse true: can government contractors actually make more money by remaining compromised and continuing to lose intellectual property? So this talk is called beam theories of which I was. I was having dinner with an old friend; his company goes into a well-known names organizations. He posed a really interesting, I thought, hypotheticals when we were to him crap back and forth, and he said, hey, what do you think about the following chain of events: first artists a gets compromised, networks defended by their tool or vulnerable, and as result a defense contractor gets compromised. Said defense contractor, if you look up on Wikipedia, is the one who made this really cool stealth drone. Later a really full stealth drone goes missing over enough, you know, Middle Eastern state. What do you think about that chain of events? Oh my, that’s terrifying. He’s like, yeah, no, no, for an entirely different reason. Look at it this way. I have no clue, that’s a hypothetical, there are a whole bunch of rumors about what had happened, but let’s assume that you as a country or a large organization that your advantage is technology. You can feel the fastest and the best technology, you’re ahead of everybody, that’s your advantage. Someone else steal some of your cat, what do you have to do? You got to replace it with newer tech, right? You got to keep your advantage. Put suppose a government contractor give some other super step needs to protect taller, what does their government customer actually need to do? Well, the
government in that case misses all game theory hypothetical, we need to pay someone to make the next version so that the people that just stole it don’t achieve parity is that they’re not even. They could go to some other government contractor, because of course, you know, the one in question just lost everything, but they actually most likely won’t, and here is probably why. The initial contract for very expensive research efforts can take a long time to put in place. You’re talking over a year, sometimes longer than, you know, sometimes you measure in years rather than within four months. That was part of the coolness of CFT, is that we were measuring that in days. Imagine if you’re in other something, sequestration is what we’re under now, we can take a little bit longer. So if a government agency wanted to start a new program to replace tech, so that’s essentially starting the same program to do the same thing that you are already paying somebody to do, hey it’s tough to get permission to do that, because you got to go justify taxpayer money, and beat when you spin it back up you’re gonna have to redo a lot of work. You’re gonna have to redo the contracting the jury had in place, you can have to spin people up to up to speed on management side, you’re gonna have to resubmit up the tech side, and you’ve spent years putting that in place. So why wouldn’t you just go back to the people that you already have a relationship with, already have a contract with? They already know what, what they lost, or, you know, maybe you know what they lost and stuff and you can tell them, because they’re your customer. So you just pay them to give you the next thing. Remember, they’re not financially incentivized to go fix how they were actually compromised in the first place or clean it up to staying with a really familiar solution or situation is comfortable, which makes us a trap that a government funding source can actually be perfectly susceptible to. Now you can view this on a case-by-case basis and kind of
staying with the cup same contractor even makes sense, but you step back and listen to what they talked about in the media, you may see something that’s a larger picture that seems like an endless list of technologies and I think being stolen, and each time it happens that company is in a situation where a there’s really no penalties or reprimands for it. On the contrary, they’re actually rewarded with more funding, so because their customer needs to take them to make the next text to replace the stuff that just got stolen, to replace the stuff it just got stolen, to replace the stuff it just got stolen. So yeah, goons, there is a [ __ ], because if you look at it this angle, and part of the neat thing about game theory is a good quality of the erotic without realizing that you’re doing it. Government contractors can actually be in a situation, or are actually in a situation, that they’re financially incentivized in some places not to listen to their network system ends and not actually to really deal with the problem perhaps the wave with the drastic changes that need to be made.

The fourth and kind of closing story, and maybe they’ll do a fifth story about a part of you jacking the four-star sorry and I just mentioned Barbie genital and I think I might stick just with my story then. Poor story closing is more of a kind of plea to both the government community as an actor researcher communities cos funded antics put in both. I don’t have a lot of examples of our community, the hacker researchers community, really reaching out in a proactive and positive way to educate and enlighten the government. We do it, but we do it really ad hoc, and I think we need to try a little harder to do specific examples. I’ve been a little upset about some of the things in the news lately, and actually one of your options, it is a scary option, is to actually go inside and find pigs in there. People will fight you to the nail. It is not for the faint of heart. That’s actually what I did when I went over to DARPA. I
didn’t go there because I thought it was cool, I didn’t go there because I wanted to be a part of the government. I actually went there cuz I thought that they other parts of government had kind of lost the light and I had an opportunity to go and fix it. I did get a really nice unofficial email from somebody recently about CFT, which makes me think that we actually, because you guys were all a big part of that, did manage to pull some of that off. So no quote from this email I got to my personal account: I recently had a meeting with all the agencies and DoD services, and listening to them it was my turn to be terrified because of how out of touch with reality they were with cybersecurity and cyber defenses, and it made me realize how much I and the do do you and that’s us for Cyber Fast Track. And here’s the part where I was really happy: so I thought see if he was showing the government how they should be doing contracting, but now I actually understand what you were doing. It was showing the government that the real what the real state of the art is, why they should be afraid of on the inside who continue to just preach the status quo and throw money at the same problems the same way they’ve done before. So that was actually pretty cool, because somebody they’re starting to realize that, and I’ve heard people at high levels, flag officers, a couple pockets, we’re starting to refer to hacker researchers as, you know, researchers: the attacker equals researcher, not hacker equals criminal. And I thought that was really cool. It’s not saying this talk might you can be one of them, but what happens there is now they know where some of the real ideas and some of the real talent come from, they’re undoubtedly gonna try and reach out and tap into it in various ways. And this kind of goes back to an earlier story or they kind of projected their problems in their images and their goals on somebody else, so there’s likely to be some uninformed and failed outreach efforts. So I’ve got a couple of
recommendations to the government but that maybe will help with that. So I think it’s really cool when government officials throw along blue jeans and a black t-shirt, because of course then they’re part of our community, okay, but that’s not necessarily all there is interacting with us. And it makes sense, before you present at a conference like this you should probably consider attending one and actually interacting and getting to know the people. There was one guy, there was a three-star general who did that MOOC on, and I thought that was one of the coolest things, and he wasn’t there for the agenda, and I remember conversations with him afterwards. He actually had an understanding, he was like, oh, this is awesome. No, there’s no way people should try and go in and mess with them, we’re trying to co-opt then we’re trying, you know, I was like, exactly, you know, that’s awesome, that’s, that’s, this is, that’s the population of the US. So the message to the other ones who haven’t really made that turn is going actually in Iraq. Now the response I get was the schedules too crazy, you know, can’t possibly do it, and I saw those schedules, when sometimes I was even on those schedules. But if it’s important enough, I know, I know, I know they are crazy schedules, these guys work like, like bears, which is what’s gonna say like if swear word bears, if it’s important enough for you to want to reach out to a community, you got to go out and you got to make the effort, you got to put it in your schedule, and you got to go interact with them on a one-on-one level first, because that’s showing your homework, and doing your homework shows respect. The next minute, the next suggestion for them is, and this is what I tried to encourage inside, is you can’t go out and do a recruiting pitch, because it comes across really poorly. I used to get so bent out of shape when I would see a gobby stand up at a hacker conference, and I’m like, here it comes: we don’t want some stuff but we can’t tell you anything about it, trust us, you
know, you know, with the mohawk, if you, you know, she get your hair, put on a soup, maybe even a uniform, stop smoking dope, you could come work for us and actually do something with your life. And it’s like, that’s yummy that’s how I interpreted it. Now that might not be the message, it might just be a look, you know, we need help, we’re trying to reach out to you, but it’s just a take, take, take sort of message: what can you do for us today, you know, what can you do for us now? And, you know, to me it was offensive. What would it be like if you had a senior official from a very technical agency, how about then actually give a technical talk? Because this is a meritocracy, that’s where this community came from. The meritocracy is your value in the community is based upon how much you contribute to that community, and that’s one of the reasons why I was really happy that if I know a lot of people are like, why the hell did Mudge go over and go the DoD, he was one of us, now he’s one of them. And I had spent 15, 20 years contributing to this community, and I wasn’t about to stop, and when I was there I was able to actually fight for this community and try and make sure that the interactions were a little bit better and that we were treated and engaged with normally. And those 10, 15 years of contribution gave me enough grace period, you know, to build trust up again on both sides, and you’ve got to do that, and you do that by interacting with people. So the value of somebody in one of those agencies coming and giving a technical talk wouldn’t be that you learn something really cool about how SELinux was actually done and why it was done or what the internal battles were to get it across, it wouldn’t be that somebody’s going through the technical components of one of the paddies, any one of the numerous patterns that are out there, you know, let’s say IP geolocation, the ones that we’ve read about. It would actually be that they’re engaging us and interacting with us in our own language and treating us as peers
and starting a dialogue. So I’m gonna summarize this one here. Am I telling us you’re I’m a my pleading that that we should not challenge the government? Absolutely not. I think challenging the government is your patriotic duty as a citizen. I think it is very important to do. It’s painful for both sides, but it’s something that has to happen, and that’s why we’re such a great nation. [Applause]

We also need to, I mean, you can’t train a dog just by repeatedly beating it. I mean, it’ll learn some stuff, but it’ll probably learn stuff that you weren’t intending, and it’ll bite you at some point. So when you see the dog do something good, it’s nice to give it a treat. And there are certain little pockets inside of the government, and one of the things that I think that we as a community can do better is, yes, we need to challenge the stuff that we’re seeing when you have a challenge the things that are in the news, but if you see a small pocket of hope, like if you see a congresswoman that’s helping put through Aaron’s Law, changing things like CFAA I don’t deal with losing people somebody’s gonna change the CFAA, we need to support that, we need to help them, we need to encourage them for actually going, because they’re gonna get a lot of crap thrown out, and they’re actually doing the right thing, and there’s not a lot of people supporting it. So we need to be more vocal as a community to actually support them. There was a colonel in the Army who managed to get the NSA to have to include Little Brother as a book that they read as part of their training. Have you read Little Brother, Cory Doctorow? That’s awesome. That helped sensitivities. That guy caught a lot of crap for that, and it was really cool. I mean, there’s nothing wrong with that book; that book gives you a new way of looking at things, and the more ways you have looking at it, the more understanding you can have a more positive outcome. That guy is also but say if Colonel, he’s over at West Point, name’s Greg Conti, I’ll call him out. He was one of
the people encouraged the cadets to actually go out and talk at our conferences and contributes about you a build-your-own UAV at a ninety nine point nine nine, you know, percent discount by Mike we get was an example of that, and that’s engaging, and that’s actually sharing in the creative dialogues. At ShmooCon he and, and his colleague walks through their training course that they ran at a at Fort Meade to try and socialize folks; it was lesson to the Kobayashi Maru. I highly recommend you go watch this talk, because he had to teach them how to cheat, and with it’s hilarious and it’s insightful and it’s humanizing. Most important is humanize. So where we see those pockets of hope and of outreach and of engagement like this, really like to ask of all of us trying to figure out a way for each time we’re challenging something else to fight encourage.

Okay, so let me try and get my Barnaby one without actually brought some demos we kind of break the academic solid chemical and, you know, what better people than Barnaby Jack when he was working with the I and the rest of the UI team actually come in. Problem is that conference, you know, like a lot of conferences, very cheap, they wouldn’t pay them come to the work or whatever, so I said, all right guys, you know, the frankly middle the night before is on the film myself, which is a very, very dangerous thing to do. Barnaby had a great time. I don’t think they went to sleep, it just kept drinking. They were on in the morning, and the audience at MDS s I don’t think actually really understood how cool the technology was that was being demonstrated, because this is almost 10 years ago at this point, and Barnaby was remotely compromising a wireless router, replacing the firmware, and then Trojan ago Microsoft updates that were going through it over the wire before they were to look at the VM system, and then they were demonstrating BootRoot, where they were getting an Ethernet so computer that was told not to boot off the network, the ethernet adapter was
on the PCI board, so it had direct memory access, and it would still emit okay as a dead talked on this soon or disaster Mattia episode might end up leading the x-men talk about to show me ideas per minute after I see old can Order so much unexpected stories from America inside the government alrighty

Video Information
This video, titled ‘Minecraft Anarchy #021 – Unexpected Stories From a Hacker Inside the Government (1/2)’, was uploaded by ZillyGurke on 2019-12-27 19:04:05. It has garnered 5 views and 0 likes. The duration of the video is 00:39:39 or 2379 seconds.
Lasergurkenland (server IP: 149.202.127.134:25565) is a small vanilla Minecraft server without rules.
Defcon talks watched in this video: