Tuesday, February 26, 2013

Context matters: we only appear to be blackhats

After the #Shmoocon cybersec conference, a bunch of us were hanging out in the bar playing “Cards Against Humanity”. The rules are just like the family game “Apples to Apples”, but with content that’s not so family friendly. For example, “Harry Potter erotica” which was the winning card for the suggestion “A new interactive exhibit that will expand Smithsonian's audience”.

An eavesdropper might conclude that we are a bunch of child molesters, murderers, rapists, or racists. Of course we aren’t. We are crass and jaded; we are only pretending to be horrible people.

Being crass should not be a crime, but that’s essentially what Andrew Auernheimer was convicted of. This was the case where AT&T accidentally published the email addresses and device IDs of the first iPad customers. Andrew downloaded them and published proof of the problem to Gawker. His "coconspirator" pled guilty, testified against Andrew, and provided private emails to prosecutors that "proved" Andrew's bad intentions. These emails disclose things like Andrew talking about stealing the information and wanting to profit from the event. That made his simple actions look very nefarious.

But that’s how we in the cybersec community always talk. When we find cybersec problems, we dream of the worst ways we can be horrible people and exploit them. If you listened to any of our private conversations, you’d be convinced that we were all secretly one step away from triggering World War III.

I’m pretty sure that had I been in Andrew’s place, the prosecutors would’ve found much worse to hang me with. Indeed, you’ll find much in my public Twitter feed and blog posts to convict me of. When the Mars Curiosity Rover landed last August and the first pictures arrived from the planet, I was about to tweet the URL to view those pictures. But the site was already failing under the load of all the nerds worldwide fetching those pictures. Therefore, I changed my tweet to comment on the fact that this was essentially a DDoS attack, the sort of attack that activists do against large corporations they don’t like. I made the humorous tweet “Join our DDoS against NASA and click” on their website.

Of course, I’m not against NASA, nor do I think anybody else is. I can’t imagine why anybody would want to DDoS them. It should be obvious that my tweet is humor. But prosecutors, taking this out of context, might use it to try to convict me, to prove my evil intent to jurors.

Had Andrew actually wanted to profit from those email addresses he found, he would not have published them on Gawker. Had he known his access was “unauthorized” according to the CFAA (the anti-hacking law), he would not have published them on Gawker. His actions should prove, beyond a shadow of a doubt, that his intent was benign, and that they are the same actions all security researchers perform. Yet, because the jury doesn’t understand the context of our evil thoughts, Andrew was convicted.

This was what was going through my mind as I was playing the game, trying to portray an evil persona to be funny. I kept thinking “I sure hope the FBI hasn’t bugged this table or we are all going to jail”. By the way, Mr. FBI Agent, having been soundly beaten in the game by @thequux and @maradydd (and being a bit resentful about it), I’ll gladly testify to their low moral character. Call me.


Peter Maxwell said...

"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."

Johnson said...

"talking about stealing the information and wanting to profit from the event...But that’s how we in the cybersec community always talk."

No, it's not.

Agroturystyka mazury said...

I read your posts. Nice reading before bed.

Wirtualne biuro said...

Nice summary of the topic.