Surveillance scandal rips through hacker community

LAS VEGAS -- It used to be that the playful Defcon contest of "Spot the Fed" gave hackers and the government agents tracking them a chance interact in a less serious manner.

Hackers who found a government agent among the conference attendees would wear with pride T-shirts that read, "I spotted the Fed." The agent would be given a shirt that read, "I am the Fed." And by flipping the cat-and-mouse dynamic for at least one weekend a year, the two groups more or less came to a greater understanding of each other.

The relationship had gotten friendly enough so that when Gen. Keith Alexander, the director of the National Security Agency, visited Defcon for the first time last year, the conference's founder Jeff Moss told CNET, "It's eye-opening to see the world from their view," and noted that he had wanted to score an official visit from the NSA since Defcon began.

It would go too far to say that the uneasy marriage of friendship between the two groups now lies torn asunder in an acrimonious divorce. Hackers, information security professionals, and security experts looking to turn their knowledge into businesses won't stop working or communicating with the U.S. government. But the response to the scandal has driven many of them back to their more skeptical roots.

"What we need to realize is that [Gen. Alexander] is asking us to destroy ourselves," said Moxie Marlinspike, a well-known information security professional and entrepreneur who has had equipment seized and returned and been detained but never charged by the U.S. government.

"The types of programs that he's developing are part of this trend of more efficient law enforcement, toward this world of 100 percent effective law enforcement," said Marlinspike, who uses the alias to protect his legal name.

Marlinspike told CNET that he thinks the NSA is interested in hiring hackers because they tend to have an approach to critical thinking that produces an unusual mindset. Hackers are people, he said, who are "not always abiding by the letter of the law, but are not exactly harmful, either."

"The problem is that he's asking us to participate in the destruction of the zone where hackers exist," Marlinspike said.

No single hacker voice on NSA Information security professionals are not unified in their interpretation of Alexander's attempt at a mea culpa at last week's Black Hat conference here. Alex Stamos, a network infrastructure and security expert and the chief technical officer of Artemis, the company proposing the .secure top-level domain for a safer Internet, said that Alexander was actually aiming his talk not at independent security researchers but the security teams at security companies.

"If you're a security researcher at a large cloud company, you have to include the NSA on your list of threats that you have to protect against," he said. Stamos has done government security consulting in the past, although he told an audience at his Defcon session discussing professional ethics for "white hat" or "good guy" hackers that he would reconsider doing so in the future.

Christopher Soghoian, a senior policy analyst and principal technologist with the American Civil Liberties Union, agreed. "I think you've got an extra threat in your threat model, and that threat is the NSA."

Marc Maiffret, a white hat hacker who narrowly avoided serious legal consequences for his teen hacking and has testified in front of Congress on security issues, said that the situation is more than a little ironic.

"We don't want the NSA to monitor anything, but the whole goal of what [security professionals] do for the most part is to monitor everything. We should have the same safeguards to make sure that those abuses aren't happening," he said, referring to the recent surveillance revelations leaked by Edward Snowden.

The ACLU's Soghoian said that the lack of public discussion is at the core of the problem and has impeded the government's achieving its stated security-and-safety goals.

"The FBI has a unit now that does nothing but hack into people's computers, extract documents, control Webcams," he said. "The FBI's role as an offensive cyber actor significantly undermines their cause. How can an agency warn people about malware when it's using malware itself?"

One security start-up that had an encounter with the FBI was Wickr, a privacy-forward text messaging app for the iPhone with an Android version in private beta. Wickr's co-founder Nico Sell told CNET at Defcon, "Wickr has been approached by the FBI and asked for a backdoor. We said, 'No.'"

The mistrust runs deep. "Even if [the NSA] stood up tomorrow and said that [they] have eliminated these programs," said Marlinspike, "How could we believe them? How can we believe that anything they say is true?"

Where does security innovation go next? The immediate future of information security innovation most likely lies in software that provides an existing service but with heightened privacy protections, such as webmail that doesn't mine you for personal data.

Wickr's Sell thinks that her company has hit upon a privacy innovation that a few others are also doing, but many will soon follow: the company itself doesn't store user data.

"[The FBI] would have to force us to build a new app. With the current app there's no way," she said, that they could incorporate backdoor access to Wickr users' texts or metadata.

"Even if you trust the NSA 100 percent that they're going to use [your data] correctly," Sell said, "Do you trust that they're going to be able to keep it safe from hackers? What if somebody gets that database and posts it online?"

To that end, she said, people will start seeing privacy innovation for services that don't currently provide it. Calling it "social networks 2.0," she said that social network competitors will arise that do a better job of protecting their customer's privacy and predicted that some that succeed will do so because of their emphasis on privacy.

Abine's recent MaskMe browser add-on and mobile app for creating disposable e-mail addresses, phone numbers, and credit cards is another example of a service that doesn't have access to its own users' data.

Stamos predicted changes in services that companies with cloud storage offer, including offering customers the ability to store their data outside of the U.S. "If they want to stay competitive, they're going to have to," he said. But, he cautioned, "It's impossible to do a cloud-based ad supported service."

Soghoian added, "The only way to keep a service running is to pay them money." This, he said, is going to give rise to a new wave of ad-free, privacy protective subscription services.

The issue with balancing privacy and surveillance is that the wireless carriers are not interested in privacy, he said. "They've been providing wiretapping for 100 years. Apple may in the next year protect voice calls," he said, and said that the best hope for ending widespread government surveillance will be the makers of mobile operating systems like Apple and Google.

Not all upcoming security innovation will be focused on that kind of privacy protection. Security researcher Brandon Wiley showed off at Defcon a protocol he calls Dust that can obfuscate different kinds of network traffic, with the end goal of preventing censorship.

"I only make products about letting you say what you want to say anywhere in the world," such as content critical of governments, he said. Encryption can hide the specifics of the traffic, but some governments have figured out that they can simply block all encrypted traffic, he said. The Dust protocol would change that, he said, making it hard to tell the difference between encrypted and unencrypted traffic.

It's hard to build encryption into pre-existing products, Wiley said. "I think people are going to make easy-to-use, encrypted apps, and that's going to be the future."

Longer-term solutions Right now, the intersection of individual information security experts, governments, and private companies large and small is at a crisis point. How they untangle and compromise their competing interests could have far-reaching ramifications for all.

Maiffret, the teen hacker turned respected infosec expert both inside and outside the infosec community, thinks that the government is going to have to give up some ground.

"I think they know they need to say more. How do you say more, and not jeopardize things," is the question, he said. "There is a better middle ground. It's just like businesses accepting social media, it won't happen overnight."

Companies could face severe consequences from their security experts, said Stamos, if the in-house experts find out that they've been lied to about providing government access to customer data. You could see "lots of resignations and maybe publicly," he said. "It wouldn't hurt their reputations to go out in a blaze of glory."

Perhaps not surprisingly, Marlinspike sounded a hopeful call for non-destructive activism on Defcon's 21st anniversary. "As hackers, we don't have a lot of influence on policy. I hope that's something that we can focus our energy on," he said.