A veteran hacker and computer security researcher spoke to a group of young computer science students at Sonoma State University, offering an alternative view of job recruitment by the military-industrial complex's growing global InfoSec sector.
InfoSec = Information Security
As part of the Computer Science Colloquium, "a series of weekly public guest lectures on cutting-edge topics related to computer science," Cooper Quentin, a staff technologist, programmer, and activist employed by The Electronic Freedom Foundation, was invited to present his expert point of view from the "front lines" of a battle over information and security, where hackers are the primary actors on a stage of cyber warfare.
Approximately 50 Computer Science students filled every available desk to attend Quentin's presentation entitled, "THE MORAL CHARACTER OF HACKING."
Countering Recruitment on Campus with a Different Perspective
Crowding in the hall outside the door of room 2016 before the lecture was to begin, several students, when asked about their intentions after college, expressed interest in government InfoSec jobs, which they believed offered careers that would put them in a position to defend national security. However, Quentin's hour-long talk and PowerPoint presentation would offer students a different view of this career path and even strong warnings.
After a modest introduction of himself, Quentin shifted his attention to the EFF and the cultural, political, and technological issues that drive their efforts. The EFF was founded in 1990 and their mission is to assure that "When you get on the internet, your rights come with you," Quentin said.
The organization's website states, "EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows."
One of their best-known "tactics," as Cooper described, is their legal work with programs such as the Coders Rights Project, which helps protect computer security researchers from prosecution while conducting their work, "and helps protect them when they do get in trouble," Quentin said.
The non-profit also targets what Quentin called "draconian laws" like the Computer Fraud and Abuse Act, which is used to punish hackers with what he characterized as "extreme sentences."
EFF has an activism component also, and Quentin proudly shared a photo of a blimp hovering over a building with a sign attached reading, "NSA ILLEGAL SPYING BELOW".
Quentin explained that another component of the EFF strategy is to confront the power struggles of the internet by creating mitigating and power-equalizing technologies. Certbot is a technological project that acts as the "client" that enables a user to generate an SSL certificate (a small digital file that allows for secure connections from web servers to browsers) and install it on their system, making the process "as painless as possible."
Let's Encrypt is another project, one that offers free SSL certificates to encrypt connections to websites whenever possible. Quentin says EFF has the goal of "encrypting every website on the planet." At last count, Quentin estimates, over 5 million certificates have been issued in just over a year of Certbot's implementation, which makes them the second-largest issuer of certificates in the world.
After introducing EFF, Quentin shifts by confessing he is not there at the University to talk about the EFF but rather to talk about the "military-industrial complex, what it is and why you should not work for it and why you might be tempted to."
He polled the roomful of students to see who had heard the term military-industrial complex, and nearly all the students raised their hands. Not surprised, he acknowledged that the event was happening in a Northern California State University, and that "There are a lot of old hippies around here." Students laughed, then he presented his next slide, a portrait of Dwight Eisenhower, army general and 34th President of the United States. "Not a hippie," Quentin noted.
He recited part of Eisenhower's infamous farewell address, ". . . we can no longer risk emergency improvisation of national defense; we have been compelled to create a permanent armaments industry of vast proportions . . . This conjunction of an immense military establishment and a large arms industry is new in the American experience . . . The total influence - economic, political, even spiritual - is felt in every city, every statehouse, every office of the Federal government . . . Our toil, resources, and livelihood are all involved; so is the very structure of our society. In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists and will persist. We must never let the weight of this combination endanger our liberties or democratic processes. We should take nothing for granted, only an alert and knowledgeable citizenry can compel the proper meshing of huge industrial and military machinery of defense with our peaceful methods and goals, so that security and liberty may prosper together."
Quentin shared his interpretation of Eisenhower's words as a warning, stating that, "He (Eisenhower) was helping us recognize that a government that is so preoccupied and entrenched with war and the industry of war might be a threat to democracy if democracy is not the government's primary mission."
Noting that the Department of Defense was formerly called the Department of War before being changed in 1949, Quentin quipped that the former name was "a bad look."
How Does the Military-Industrial Complex Apply to Us?
Quentin says hackers and organizations like the EFF are particularly affected by, and should be concerned about, the military-industrial complex's activity and influence in the computer information sector, which according to him includes the activity of organizations like the CIA, the NSA, U.S. Cyber Command (underneath the Air Force command responsible for cyber war and cyber defense operations), and the FBI Cyber Division (responsible for law enforcement within the U.S.).
It also includes defense contractors, Quentin said, citing the examples of Lockheed Martin and Palantir (a private intelligence company that has a history of helping the CIA and NSA organize and graph huge amounts of digitally collected data), and Hacking Team, which created "lawful intercept" software that infamous hacker Palantir later revealed was being deployed against dissidents and journalists. Quentin then added that Peter Thiel, an American businessman who incorporated Palantir in 2003 and sat on its board as chairman up until 2016, ". . . is now on Trump's advisory council."
Offensive Hacking Is Really Fun
"I'm a hacker," says Quentin, "and I grew up as a hacker. I did some things in high school that we shouldn't really talk about, but offensive hacking is really fun. Hacking is really fun. Security work is really fun. I grew up watching 'Hackers'; you probably grew up with Mr. Robot. It's a really cool, romantic thing. You get to solve fun puzzles, there is an element of danger, you might get caught. There is an element of outsmarting other really smart people. There are a lot of reasons that offensive hacking is really fun. Unfortunately, if you get caught hacking, you go to jail."
Quentin reminds the students that under the Computer Fraud and Abuse Act a hacker who is "just out to have fun," and didn't intend to cause any harm will still face harsh penalties if convicted.
With this threat looming, Quentin explains, one might believe that the only option for a hacker to exercise their skills or "scratch this offensive-hacking-itch" is to choose a career path as a government hacker. He explained that this path doesn't much look like the fictional F-Society from television's Mr. Robot or the 1995 American crime film Hackers.
Instead, it looks like soldiers sitting in a cyber command room, he said, as he presented a photo of what looked like any institutional computer office with cubicles, desks, and workstations, or in his opinion, "a little bit like Evil Corp," the antagonist corporation from Mr. Robot.
Quentin said the perception that the military-industrial complex career path is the singular option to "offensively hack" and still be on the side of the law exists because "the government having a monopoly on violence is the only entity that's allowed to break the laws for its own good." Computer scientists who have an offensive-hacker impulse might then come to believe that this is their only path forward, but Quentin suggests that this is a bad idea.
Why This Is a Bad Idea
"First, meet your new boss," Quentin said as he clicked to a photo of Donald Trump. "I am not here to be partisan, but think about it and decide for yourself if (hacking for a government with Trump as Commander-In-Chief) is a good idea or not."
Often hackers in these cyber-commands don't really know what they are working on. Much of what happens in offensive government hacking is focused on what the industry calls "signals intelligence," Quentin explained. "This intelligence is used for spying or diplomatic intelligence, but more and more it is used to decide who to target with drones and other military strikes."
"The thing that you are working on hacking might be five levels removed from what is actually happening with that information. And you will never know that the phone that you hacked, the information you found, was actually used to call a drone strike on somebody and because of your hacking somebody was killed," Quentin said.
Third, another downside of hacking for the government, Quentin says, is the loss of "bragging rights." Quentin reveals an insight into hacker culture: part of the fun of being a hacker is going out and giving talks about what they accomplished. He says, "This is the way a lot of criminal hackers get caught. Everybody wants to show off their cool, elite hack that they did. Everyone wants to talk about how smart they are and that's all real fun. But if you work for the government or government contractor, your work is going to be classified and you are not really going to get to tell anybody about the cool, awesome, work that you are doing. So if you have a big ego this might not be a good idea, because I like to talk about the cool work I am doing."
Another problem of government hacking, Quentin claimed, is that a hacker might be doing work that they morally disagree with. The EFF, for example, works a lot on the issues of spying, specifically the NSA's "vast warrantless surveillance of American Citizens." As a government hacker, "you might be complicit in some of these programs and violate the constitution and spying on your fellow Americans and not even know it," Quentin said. "Because you are building one small part of it."
Quentin said this was the situation the now infamous whistleblower, Edward Snowden, was confronted with when he made his "hard-choice," whether to continue his duties as a security consultant or to expose what he saw as an abuse of power at the least and possibly illegal.
In reference to Snowden's actions, "I am glad he did what he did, but I don't want to have to make that choice," Quentin admitted.
"A good reason to go work for the government, or a reason that is often stated, is, well, I want to stop terrorism. I want to hunt down child predators, and these are good and noble goals. Terrorists are obviously bad, child predators are obviously terrible, but you are probably NOT going to be doing that. Whether you are stopping terrorism is a very fine point but that's not most of the jobs. Most of the jobs won't be under those ideal conditions, stopping terrorists or child predators. You might be doing other things, like spying on Americans, firing drone-strikes, surveilling people on the border finding targets for ICE to round-up. If you are working in an industry you might be selling to oppressive regimes or helping build the pieces of a surveillance state, or undermining democracy in our own country or another country somewhere else in the world," Quentin warned.
Quentin continued to explain, "Getting into the military-industrial complex with the hope of fighting terrorism or child pornography is actually a gamble. You might not be doing that at all. You might receive orders which you see as immoral, but to disobey those orders could mean imprisonment or exile."
Being careful not to overstate his position, Quentin acknowledged the importance of national security, stating, "Protecting national security is important, I don't argue that point. I'm a security researcher, I certainly think national security is important. But I think there might be better ways to do that than joining the military-industrial complex."
"You can find and fix vulnerabilities in our national infrastructure as a great way to protect national security. You can work for a computer emergency response team if you want to work for the government. These are government organizations who are tasked with ensuring our information security infrastructure. You can write usable security software like Signal, a secure messaging application, which is now being used by members of the Federal government to secure their messages," Cooper explained.
Noting that, for the first time in the history of the internet, more than 50% of the world's websites are now encrypted because of the efforts of EFF, Quentin explained that solving hard problems, going up against other smart adversaries, and maybe a little bit of risk is what makes hacking fun.
Quentin went on to offer students other examples of software that a hacker could write, like Tor, an anonymous web browser used by people all over the world, including spies, the military, dissidents in foreign countries, people who are victims of abuse, students, journalists, people who want to research sensitive topics, or people who want to circumvent censorship in their country, or secure messaging software like Signal that can make a difference and serve national security or at least impact people's personal security with
Cooper shared another story of a recent "project" that took place at Standing Rock, North Dakota, where he was part of a team serving a large encampment of activists who were attempting to stop a pipeline from being built through Indian land there, specifically through a river in the area that many worried would be contaminated by a pipeline rupture, poisoning the water supply for potentially millions of people. EFF had received reports that "strange things" were going on there, specifically with cellular communications. Cooper went to the site to investigate whether police, tasked with controlling the activists, were using an IMSI-catcher. The International Mobile Subscriber Identity-catcher tricks a user's cell phone into connecting to it like it would to a cell phone tower. This allows the IMSI-catcher user to eavesdrop on and intercept mobile phone traffic and record movements of cell users. The device is basically a "fake" mobile tower that can be used to locate an individual, determine who is in a particular area, or quantify crowd numbers. "Furthermore," Cooper adds, "they can be used to spy on people's phone calls and text messages."
Cooper, with a team comprised of EFF staff in conjunction with some university researchers, went there to investigate the possibility of these being used. They did not find any evidence of IMSI-catchers while they were there, Cooper said. He admitted being "a little disappointed" about that, but said it was probably good they were not being used on the activists there, at least not while his team was investigating, he added.
They did claim to see a number of strange anomalies there involving the local information networks, as well as technological failures that could suggest there was some form of surveillance going on, but Cooper is first to admit that the evidence wasn't conclusive, stating, "It could be just that technology can be weird and it sucks."
After sharing his experience at Standing Rock, he told students this is "just one example of a 'cool thing' one can do as a hacker."
Discovery of wrongdoing or not, Quentin explained, this mission had another desirable consequence: "by going to a major protest and making sure their government is not oppressing them with the power of digital communication technology and information, and digging deeper cuts through rumors, paranoia, and understanding," he said.
Another project he shares is work he did along with Eva Galperin, called Operation Manul. The operation was named after the manul cat, native to Kazakhstan. A "campaign of intimidation, kidnapping, and malware" was targeting one of EFF's clients, a journalist who runs Kazakhstan's only independent newspaper. As the team looked into the malware, they found other instances of the malware targeting other journalists and dissidents, including Kazakhstan's only opposition leader, by Kazakhstan's first and only President.
The two hackers were able to research and dissect the malware and determine it was "some 20-dollar, off-the-shelf malware" known as jRAT. They traced it back to the "command and control servers," which are the servers that command and distribute the malware, and discovered several more hacking campaigns against completely different targets. With the gathered evidence, EFF identified an Indian company called Apen, "which is presumed to be a hacker-for-hire company," Cooper said.
This company has been implicated in previous attacks on government officials, several banks, and other dissidents as well. They surmised that this specific attack only targeted Kazakh dissidents with what is known as "spear phishing," which targets individuals with deceptive emails in an attempt to elicit confidential information from their targets. The emails they were investigating were specifically crafted to appeal to dissidents to the government of Kazakhstan.
Based on the research and hacking, along with other leaked documents, the team was able to link the activity back to the government of Kazakhstan.
Going up against a powerful adversary, a government, and its agencies, and infiltrating their command servers without them being aware, Cooper says, "scratched a lot of" his hacker itches. "And yes, it was all legal. That's what the lawyers told me."
Cooper shared a Citizen Lab report called "The Million Dollar Dissident." Citizen Lab researches government malware. The group had discovered three separate iPhone zero days (zero days are obscured computer software vulnerabilities that hackers then exploit), which were used in a spear phishing campaign against Ahmed Mansoor, a human rights activist based in the United Arab Emirates. The campaign was able to exploit his iPhone and install spyware called "Pegasus."
Cooper says that iPhone infiltrating products can be purchased for as much as a million dollars on a "zero-day black market," an underground marketplace for hacking malware and spyware.
Unlike the Kazakh hack, which used cheap purchased malware, the group that attacked Mansoor's phone spent three million dollars, and based on this expenditure a profile of the infiltrators could be created. In collaboration with the mobile security company Lookout, Citizen Lab was able to find the exploits, publish the exploits, find the remote access trojan that the company was trying to install, and expose NSO Group as the culprit behind the hacks and a player in what has become a "spying industry," Cooper said. "NSO Group is a great example of the industrial half of the MIC."
Stunt Hacking
Cooper cited the work of two security researchers, including Runa Sandvik, in hacking TrackingPoint self-aiming rifles as another example of putting offensive hacking skills to good use, as the researchers revealed the vulnerability of having a wi-fi enabled sighting device on a rifle. The two hackers were able to change the scope's targeting system so that the rifle hit a target the hackers chose instead of the one the actual shooter chose. This revealed a potentially deadly vulnerability in the wrong hacker's hands. "Hacking a rifle? Playing with guns? A lot of fun, right? Guns and Hacking," Cooper said. He called this "Stunt Hacking." It will make you famous and you will have fun, he said.
Cooper describes another stunt hack where Charlie Miller and Chris Valasek "completely owned" a Jeep Cherokee while it was cruising 70mph on the freeway. A journalist, Andy Greenberg, was driving the car and aware the hack was coming. He was part of the culmination of research that led to the takeover of this particular vehicle and revealed to the auto industry the risk that comes with "turning a car into a smartphone" and the responsibility the industry must take for security if they continue to computerize vehicles and put them on a network. "Who doesn't want to hack a car? Fun, right?" Quentin asked.
Quentin also shared the story of Katie Moussouris. Formerly of Microsoft, she founded a new company called HackerOne. "Want to hack a company? Work for her and you can be on a Bug Bounty Program," which is when a company employs a hacker to attack their network or software to reveal their vulnerabilities and increase their security.
Cooper cites this important work as another example of how new hackers can get the rush of hacker combat, get paid well, not go to jail, avoid being assimilated by the military-industrial complex's agendas, and increase the security of the internet overall.
Pick a Cause You Care About and Get Involved
Cooper expressed concern that many non-profits need technological help because they often do not have budgets for a single IT person, let alone a security person or an entire security department, and encouraged students to consider helping non-profits whose issues they care about, "as they are doing very important work around the world and often have very serious and powerful adversaries," he said. Volunteering for a non-profit and giving basic computer security advice, he said, is another way to bring meaning and purpose to one's hacking.
After expressing his alarm at the danger of hacking for the government and giving students alternatives for using their "hacking powers," Cooper acknowledged that students may still want to seek out employment within the military-industrial complex. He asked students to be vigilant and dutiful in reporting wrongdoing and abuses.
"If you see things or you are ordered to do things that are immoral, against your ethics, or undemocratic, I urge you to consider leaking that information. I urge you to consider blowing the whistle and telling people."
Cooper spent part of his talk urging students to reconsider working for private security companies like Blackwater, for example, and other international versions of that company, warning that the ethics of the owners and management of these companies are likely compromised, that the work is likely lethal to others, and likely contracted by autocratic or undemocratic regimes with self-serving malicious agendas at the expense of citizens.
Quentin believes that part of the mission of the "superhero hacker" is to defend against the rise of the military-industrial complex InfoSec sector and help everyone, citizens, become smarter and more literate about computer security and information security "because that's how we stop these groups," Cooper said.
"We are always going to have hackers in the government. It's important that we have some hackers go and work for the government but it's important that you keep the government honest. And our government democratic. And keep our government accountable to its people."
Emphasizing the importance of the role the computer science students could play in the future, Quentin said, "This is the foundation of democracy and hackers can be the front lines of that. We are, in fact, in a unique position to do that. We have a lot of power. Especially in this society. Computer Information Security has become extremely important and certainly technological literacy has become extremely important and an important locus of power. And we have all of that power. We are kind of like superheroes.
"And if we are superheroes, then there is the quote from my favorite superhero that is very important and very relevant to what I am talking about: 'With great power comes great responsibility' and we should all keep that in mind. That we are hackers and we are powerful."
written by Ronny Joe Grooms