NSA director finally greets Defcon hackers (cnet.com)
108 points by khakimov on July 28, 2012 | 61 comments


IMO, when the director of the NSA goes on-stage at DEFCON and the result is anything other than tomatoes being thrown and him being booed off the stage, something is wrong.

While it is true that hackers are not a single-minded collective, and some hackers may have sympathy for the NSA, I'd hope that most hackers would see the NSA as what it is: just one more head of the Medusa that is the US government, in all its civil-liberty-infringing, experimenting-on-its-own-citizens-program, illegal-wiretapping, constitution-ignoring glory. The NSA are not - so far as I'm concerned - the "good guys." Some individuals in the NSA may be "good guys" but the agency is just a tool of a government that is out of control.

"We don't keep files on every American citizen" Yeah, right... this guy would have had more credibility if he'd just said

"Yeah, of course we do. You know it, we know it, so why beat around the bush."


I really don't understand the "tomatoes and booing" plan.

At the panel in the room immediately before the director of the NSA spoke ( https://www.defcon.org/html/defcon-20/dc-20-speakers.html#DA ), the point was made that cops, prosecutors, lawyers and the press have been invited to DEFCON since DEFCON 1.

These people all existed before they spoke at DEFCON, and do after, too. They have plans and goals, and to the extent that they want to explain them, I'm willing to listen. If I want opposing opinions, I can get them in at least four other tracks.

I don't have to believe him, but I feel honor-bound to let him say his piece without being an asshole about it.


I'd hope that most hackers would see the NSA as what it is: just one more head of the Medusa that is the US government, in all it's civil liberty infringing, experimenting on it's own citizens program, illegal wiretapping, constitution ignoring glory.

The NSA does some questionable stuff, but it also does some awesome stuff. The first thing that comes to mind is SELinux.

On a tangent, don't forget that we need an organization like the NSA (or at least like what the NSA should be). The more ubiquitous computing becomes, the more important that role will become. So, don't advocate chopping off a head of the Medusa; advocate fixing what you see as wrong.


> don't forget that we need an organization like the NSA

For those of us who have already forgotten or have never known the reason for its necessity, could you explain why? Internationally and historically, similar levels of state communications monitoring are correlated with the need for self-preservation by authoritarian regimes. There are also many modern day states which do not possess an agency directly analogous to the NSA.


One of the big problems with NSA is their dual mission of defense and offense. Dual mandates are really dangerous for bureaucracies -- the federal reserve has a similarly conflicted dual mandate of price stability and employment, and as a result it behaves a bit like a highly medicated insane person at times. NSA does the same thing -- releasing SELinux and trying to prevent the spread of encryption in protocols and operating systems simultaneously.


I believe that cyber-warfare, while fanciful-sounding in name, is going to be a part of the future whether we like it or not. In which case, the NSA seems the best positioned to conduct the USA's end of it.


If this is a justified belief rather than a faith-based belief, you'll need to offer a refutation of Thomas Rid's "Cyber War Will Not Take Place", which holds that cyber-war is contradictory because acts of cyber-war do not fulfill the definition of acts of war: http://www.tandfonline.com/doi/pdf/10.1080/01402390.2011.608...


Ok, so cyber-warfare is a shitty word. I know that, but people understand what it refers to, which is why I used it.

Would you be happier if I said I expect cyber-sabotage, cyber-espionage, and cyber-subversion to be important parts of future conflicts?


If you mean to suggest that the reason for the NSA is for the US government to act as an authoritarian regime (presumably meaning something like a totalitarian state or dictatorship or tyranny), why don't you just say so? And if you don't mean to suggest it, then what is the meaning of your purported correlation?


I don't; to negate the position that the existence of communication surveillance agencies can be considered both beneficial and necessary for an arbitrary population by assumption.


Who even uses SELinux besides government/defense contractors? Do you remember the Clipper chip? The list of horrible things the NSA has been involved with is long.


These days, most people who use Fedora...


It's part of the RHCE exam; to be honest I always disabled it before then. These days though I always use it (in targeted mode).

I'd imagine there are others like me.


We need it? Who is 'we'? The government? To what degree is that need necessary, and not merely contingent?


We absolutely need defense for government IT. That should still be smaller than what the government devotes to that task now, but at the NSA level, I get the feeling that most dollars and head count is not going to defense.

I think it is a legitimate question how much of an offensive information warfare standing capability a country needs when not at war, and what level of dirty tricks intelligence agencies should pull in peacetime to monitor adversaries. Particularly due to the non financial costs of this monitoring -- losing our moral standing as a free and fair country, incidentally monitoring citizens or those present in the USA, in violation of the constitution (especially due to the tortured "five eyes" sharing agreements, which, if they weren't governments, would be viewed as a conspiracy and some kind of constructive crime), etc. I judge all of this stuff by "does it make us safer", and at some point, it clearly goes the other way. I think that point is several hundred billion dollars a year less spending than what we have now (well in excess of a trillion). Maybe 50-75% less spending.


The real problem and danger to us, from the very demons that guard our country, is that they are not being properly restrained by a Congress controlled by primitivists, idiots, the mentally deranged, corporate agents, the unprincipled, and psychopaths not suited for today's world, who allow the security state instruments to operate extra-constitutionally with impunity.


Simply put: having affection for and trusting the NSA (or any other security state instrument) is trusting and making a deal with the devil. I wish you understood the gravity.


Sigh.

Feds have been an integral part since DEF CON 1. They're welcome, and booing them off the stage is just childish. Again, I'm pretty sure the majority of hackers don't agree with them, and may even think they're a bunch of morons, but it's still interesting to hear what they have to say. People do get booed off the stage, but for entirely different reasons, e.g. http://news.cnet.com/8301-10784_3-9755135-7.html (and watch the video, it's hilarious).

(Also, talking about security-people-hackers on a site primarily focused on programming-startup-hackers confuses the crap out of me.)


Again, I'm pretty sure the majority of hackers don't agree with them, and may even think they're a bunch of morons, but it's still interesting to hear what they have to say.

So, "keep your friends close, and your enemies closer?" :-)

Anyway, you make a good point, and there are good reasons to let the NSA guy have his say. But when you look at the abuses perpetrated by the US government over the years, it's hard to feel good about hanging around and listening to more propaganda from their representatives. And chucking tomatoes at him would send a strong message "don't assume that we are on the same side, or that we are going to support your agenda" or whatever.


Booing is a bit mean-spirited. I think the appropriate disruption is everyone saying "rabble rabble rabble rabble" together.


> (Also, talking about security-people-hackers on a site primarily focused on programming-startup-hackers confuses the crap out of me.)

From the Hacker News Guidelines: "On-Topic: Anything that good hackers would find interesting."

The folks at DEF CON are some of the best hackers out there. Have you seen any of the presentations?


The point is not that security-people-hackers are off-topic, but that they are not the ones usually meant when talking about hackers on this site.


Back in the days, there was actually a game called "Spot the Fed".

> Basically the contest goes like this: If you see some shady MIB (Men in Black) earphone penny loafer sunglass wearing Clint Eastwood to live and die in LA type lurking about, point him out. Just get my attention and claim out loud you think you have spotted a fed. The people around at the time will then (I bet) start to discuss the possibility of whether or not a real fed has been spotted. Once enough people have decided that a fed has been spotted, and the Identified Fed (I.F.) has had a say, an informal vote takes place, and if enough people think it's a true fed, or fed wanna-be, or other nefarious style character, you win a "I spotted the fed!" shirt, and the I.F. gets an "I am the fed!" shirt.

http://www.defcon.org/html/defcon-13/dc13-spotthefed.html

edit: Oops, should have read the article first, it is mentioned there :/


Doesn't that make posing as a fed a game as well? It should up your false positive rate.


Yup, that's part of the game.

(Shameless advertising: go to DEF CON. Seriously. It's more fun than Disneyland!)


>It's more fun than Disneyland!

That's not a high bar to clear when Disneyland is so congested that you can't get on all of the rides.

(Or any without waiting an eternity in line.)


Fully agree, when the NSA says "secure cyberspace and protect civil liberties", they mean, put Julian Assange behind bars and ensure the government is at liberty to withhold information from the people.


If the US government is somehow by definition the bad guys and wholly evil, who (would you lead me to believe) are the good guys?


Arguing that the US government in entirety is evil may be a difficult case, but arguing that an agency that spies on law abiding citizens is evil is easier.


The citizens.


Which includes many, many, many rat bastards, from the CEO of Goldman Sachs to the guy putting a skimmer on the ATM you often use.


The problem is that the NSA (and USG in general) views security in terms of perpetuating the status quo, rather than letting broken institutions fail so that better approaches can take their place. It's akin to how the guy putting a skimmer on ATMs is at worst a red herring - the banks are the actual culprit by still using info-only cards with plaintext account numbers, 36 years after D-H! In order to actually move forward, at some point ATM impersonation should stop being considered fraud as the banks have had plenty of time to understand that their assumptions are utterly faulty and that they actually know nothing about the identity of an ATM user (and therefore under the current system have no authorization for withdrawals). But instead of secure user-based tokens with explicit capability limits, we get ever more feel good patches on a fundamentally unsolvable problem.
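The contrast this comment draws, a static "info-only" card that a skimmer can copy and replay versus a keyed token bound to a fresh challenge with an explicit per-withdrawal limit, as an added Python illustration. This is not the commenter's code and not any bank's actual protocol; the account number, PIN, limit, and the HMAC challenge-response construction are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed sample data for the demo: one account with a static PIN, one enrolled token.
ACCOUNTS = {"4000123412341234": "1234"}
TOKEN_ID = "tok-1"
TOKEN_KEY = secrets.token_bytes(32)


def static_card_authorize(presented_account: str, presented_pin: str) -> bool:
    """Info-only card: the bank can only check that the pair matches its records.
    Whoever copied the pair once (skimmer plus PIN camera) can present it forever."""
    return ACCOUNTS.get(presented_account) == presented_pin


class Token:
    """Keyed token: the key never leaves the device, every response is bound to a
    bank-issued challenge and to the amount, and the token enforces its own cap."""

    def __init__(self, token_id: str, key: bytes, max_amount: int) -> None:
        self.token_id = token_id
        self._key = key
        self.max_amount = max_amount

    def authorize(self, challenge: bytes, amount: int) -> Optional[bytes]:
        if amount <= 0 or amount > self.max_amount:
            return None  # explicit capability limit: the token refuses to sign
        msg = self.token_id.encode() + challenge + amount.to_bytes(8, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Bank:
    """Bank side: issues single-use challenges and verifies the bound response."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._limits: Dict[str, int] = {}
        self._outstanding: Set[bytes] = set()

    def enroll(self, token_id: str, key: bytes, max_amount: int) -> None:
        self._keys[token_id] = key
        self._limits[token_id] = max_amount

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def verify(self, token_id: str, challenge: bytes, amount: int, tag: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already-consumed challenge: replay or forgery
        if token_id not in self._keys or amount > self._limits[token_id]:
            return False
        msg = token_id.encode() + challenge + amount.to_bytes(8, "big")
        expected = hmac.new(self._keys[token_id], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self._outstanding.discard(challenge)  # consume it so a second use fails
        return True


def skimmer_replay_succeeds() -> bool:
    """A skimmer copied the static pair once and presents it again later."""
    copied = ("4000123412341234", "1234")  # what the skimmer captured
    return static_card_authorize(*copied)


def token_scenarios() -> Dict[str, bool]:
    """Legitimate use works; replay, tampering, over-limit and forgery all fail."""
    bank = Bank()
    bank.enroll(TOKEN_ID, TOKEN_KEY, max_amount=500)
    token = Token(TOKEN_ID, TOKEN_KEY, max_amount=500)

    c1 = bank.new_challenge()
    tag1 = token.authorize(c1, 200)
    legit = tag1 is not None and bank.verify(TOKEN_ID, c1, 200, tag1)

    # Attacker recorded (c1, tag1) at the terminal and replays it.
    replay = bank.verify(TOKEN_ID, c1, 200, tag1)

    # Attacker changes the amount on a captured response.
    c2 = bank.new_challenge()
    tag2 = token.authorize(c2, 100)
    tampered = bank.verify(TOKEN_ID, c2, 400, tag2)

    # Request above the token's explicit limit: it never produces a tag.
    c3 = bank.new_challenge()
    over_limit = token.authorize(c3, 5000) is not None

    # Attacker knows token id and challenge but not the key.
    c4 = bank.new_challenge()
    forged = bank.verify(TOKEN_ID, c4, 50, secrets.token_bytes(32))

    return {"legit": legit, "replay": replay, "tampered": tampered,
            "over_limit": over_limit, "forged": forged}
```

The point of the contrast is that in the static scheme the secret is the data itself, so reading it once is equivalent to owning the card, whereas in the token scheme the bank never learns the key and every accepted response is tied to a challenge it issued and to the amount it approved.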


And the NSA has what to do with that?

My point is that the government aren't the only people trying to fuck us. The private sector, big and small, is trying to do so as well.


'The citizens' is referencing the group uniformly. 'Citizens' and 'USG' clearly have a large intersection, but the point is that importance should be distributed throughout the former. That some citizens are bad actors doesn't change this.

I was drawing a parallel with bank security as the same institution-based priorities apply to the NSA. Their version of 'security' primarily involves securing the position of USG and its subsidiaries by monitoring everyone to gain intelligence against possible threats (including the non-criminal threats). This makes the citizens, who should be the most important, less secure.


The citizens are the ones responsible for the actions and state of the government, especially in a democratic system.


Nonsense. Often the case is you vote someone in, and then they turn around and do things they were not voted in to do, or do things they campaigned on not doing or vice versa.

One is responsible for their own actions.


Canadians


It's always worth seeing a counterpoint - seeing what truly evil entities (such as drug cartels) are doing with technology, to see why a discussion between the NSA and hackers might be a good thing. To that end, I recommend the following TED talk:

http://www.ted.com/talks/marc_goodman_a_vision_of_crimes_in_...

What the NSA is doing is frightening. What the cartels and other criminals are doing is the stuff of nightmares. One doesn't necessarily justify the other, but it's good to think about.


It's interesting that you use that TED talk to support your view, when the speaker is advocating not leaving security up to the professionals and instead approaching the challenges as a group in a very open fashion (he even mentions openly publishing the DNA of world leaders).


OK, I thought about it. I concluded that the smart thing to do is to end the War on Some Drugs and stop the escalation between the immovable, inevitable rocks on one side and the forces with infinite Federal funding on the other side.


I saw the talk. Much of the talk made the assumption that the hacker community has the same goals and values of the NSA. This NEEDS to be justified.

This is a hacker community and while not a single minded collective I believe there are many popular views that are diametrically opposed to some of the goals of the NSA. He mentioned that he wished the internet would be perfectly secure and then went on to mention how this would protect American IP laws. His definition of secure internet does not include values such as censorship resistance or freedom of expression/information.

He also tried to tell everything how great it would be if we all had IDS's that reported back to the NSA in realtime.

We were not allowed to ask questions. They brought up a paper with questions that must have been determined BEFORE the talk happened which isn't fair to the attendees.

I wish there was a DEFCON panel to discuss this. Everyone just clapped and seemed cool with him from my perspective. I'm not against the director talking at DEFCON, but I don't think we should be accepting his ideas without more public criticism and discourse.


The questions weren't scripted, at least some of them weren't. DT was checking his twitter and I saw at least Dave Aitel's one about Cyber Command growth/size on there.


Even if they weren't scripted, they were mostly softballs, and the talk was more an introduction than a detailed roadmap.

The most interesting question was about whether the NSA would prefer a perfectly secure internet or a usefully insecure one (roughly paraphrased).

That's not far from what I wanted to ask: given the offensive value of 0-day exploits (as seen with Stuxnet, regardless of who actually did it), can agencies in "Cyber Command" really be trusted to give theirs up via responsible disclosure?


Your definition of "responsible" is not the same as everyone else. Try asking an actual question, not a question disguised to inject a moral judgment and re-ignite the disclosure debate that everyone was sick of 20 years ago.


Late to the party, but... you really couldn't find a question in there? Let me try again.

My definition of "responsible" doesn't matter. I was suggesting that the government could adopt a policy it considers responsible, rather than just sitting on the exploits and using them for strategic advantage.

Unless there's a definition of "disclosure" that involves failing to disclose things to those in a position to fix the problems.


"We don't keep files on every American citizen": depends how you define 'files', and perhaps there is 1 American citizen they don't keep files on, so not 'every'. But we have sworn testimony that the NSA keeps all of your emails [1] & a large chunk of your electronic communications & spies on American citizens [2][3].

[1] https://www.eff.org/files/filenode/att/section1006summary101... See in particular ex-NSA officer William Binney's testimony.

[2] https://www.eff.org/node/55051

[3] https://www.eff.org/deeplinks/2012/03/nsa-chief-denies-abili...


There's also the aspect about law, allowing warrantless wiretapping of anyone, or, everyone[1].

[1] http://www.washingtonpost.com/world/national-security/us-int...


He not only said files, but also "dossiers," which is even more formal. Nothing about having huge buckets of already-collected data from which these files and dossiers can be compiled later.


Fabio Pietrosanti pointed out on twitter (https://twitter.com/fpietrosanti/status/229113274698981376): "My view from Italy (without ever crossing US border): DEFCON: NSA is a friendly agency to work for. HOPE: NSA is an unfriendly agency to fight." There was an NSA whistleblower at HOPE Number Nine barely 2 weeks ago, William Binney. He detailed some of the abuses there.

http://www.hopenumbernine.net/speakers/#binney

You can listen to his talk here: http://www.hopenumbernine.net/schedule/#binney


I can't believe the director of the NSA (also an Army General) showed up in bluejeans and a t-shirt. I'm sure it was a PR move, but I still can't believe it.


I do. You don't show up in a suit at DEF CON, you just don't.


Probably a recruitment drive for the interception center they are building. That 260 million people statement is pretty stupid, considering Facebook is in and around 4 times that. How stupid does he think people are? http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/


Not just for the interception center, but they are recruiting the best pen testers and vulnerability writers since they run the main offensive arm for the US Government.

Stuxnet was written at the NSA; the other worms were almost certainly partially written there. The MD5 signature collision attack was almost certainly developed there. You could imagine that they now have dozens, if not hundreds, of developers working on finding 0day and integrating new exploits into their attack arsenal of worms.

I suddenly have a handful of friends from the old underground who went from working openly in the security industry on papers, audits etc. to no longer talking about who they work for.

I can only put two and two together and conclude that the NSA has been on a hiring binge the past few years and are hiring all the best security guys (exploit developers, more specifically).


It was the most condescending speech I've ever witnessed given to adults. It certainly didn't raise my opinion of the NSA. Once you see the video, you will agree.


It did seem half-aimed at children. Especially after the corny opening to introduce one of the Defcon Kids ("help grandpa find his arrow keys", or whatever he was going for).

Right. Defcon Kids. An actual con within DEFCON sponsored by the NSA and AT&T, among others. That alone is the creepiest thing I've seen all week, enough so that the first time I saw the posters I was absolutely sure they were some kind of vicious parody.


I think Defcon Kids is awesome - hacking is a very fun skill which, like programming in general, interested kids should be encouraged to learn.

That said, don't be dishonest. The media should not be calling someone who discovered they could make time-based events in games happen by changing the time a "hacking prodigy" [1], and the website of a hacking con, which should know better, should not be saying it "allow[s] for exploit code to run on servers" [2]. It devalues the real thing :)

[1] http://www.darkreading.com/blog/231300589/tween-hacker-s-tim...

[2] http://www.defconkids.org/?page_id=505


There's a lot of angry comments, but this is a step in the right direction for the NSA. Hayden would've never showed. He had a disdain for hacker types and so-called privacy advocates.


It's pragmatic to bring one's propaganda to every available avenue and to try to coopt movements with anti-authoritarian roots.


There's more said here: http://www.abc.net.au/news/2012-07-28/hackers-asked-to-help-...

"He held firm that the internet defences could be ramped up without sacrificing privacy or civil liberties."

However, he seems to be a staunch pro-IP advocate with this statement: "Look at all the intellectual property we've lost over the past decade."

He should be asked how one prevents an idea from being easily copied. Because that's the fundamental problem behind criminalising altruistic IP infringements.

Personally, my hunch is that congress has no idea how to tackle widespread piracy, and even the NSA doesn't. There are also many 'cyber' companies that are complaining about security issues (decentralised/centralised attackers such as Anon/Wikileaks). So, the NSA is requested to get into those. One step is a careful PR spokesperson to recruit (notably, the clothes and charm). Also, to instil uncertainty and doubt among hackers.


If you watch some of his earlier speeches it is pretty clear that "intellectual property loss" is code for "Chinese industrial espionage". This guy doesn't care about your Game of Thrones torrents.


Only, what has this 10 year old to do with it?
