Saturday, May 16, 2015

Our Lord of the Flies moment

In its war on researchers, the FBI doesn't have to imprison us. Merely opening an investigation into a researcher is enough to scare away investors and bankrupt their company, which is what happened last week with Chris Roberts. The scary thing about this process is that the FBI has all the credibility, and the researcher none -- even among other researchers. After hearing only one side of the story, the FBI's side, cybersecurity researchers quickly turned on their own, condemning Chris Roberts for endangering lives by taking control of an airplane.

As reported by Kim Zetter at Wired, though, Roberts denies the FBI's allegations. He claims his comments were taken out of context, and that on the subject of taking control a plane, it was in fact a simulator not a real airplane.

I don't know which side is telling the truth, of course. I'm not going to defend Chris Roberts in the face of strong evidence of his guilt. But at the same time, I demand real evidence of his guilt before I condemn him. I'm not going to take the FBI's word for it.

We know how things get distorted. Security researchers are notoriously misunderstood. To the average person, what we say is all magic technobabble anyway. They find this witchcraft threatening, so when we say we "could" do something, it's interpreted as a threat that we "would" do something, or even that we "have" done something. Important exculpatory details, like "I hacked a simulation", get lost in all the technobabble.

Likewise, the FBI is notoriously dishonest. Until last year, they forbad audio/visual recording of interviews, preferring instead to take notes. This inshrines any misunderstandings into official record. The FBI has long abused this, such as for threatening people to inform on friends. It is unlikely the FBI had the technical understanding to understand what Chris Roberts said. It's likely they willfully misunderstood him in order to justify a search warrant.

There is a war on researchers. What we do embarrasses the powerful. They will use any means possible to stop us, such as using the DMCA to suppress publication of research, or using the CFAA to imprison researchers. Criminal prosecution is so one sided that it rarely gets that far. Instead, merely the threat of prosecution ruins lives, getting people fired or bankrupted.

When they come for us, the narrative will never be on our side. They will have constructed a story that makes us look very bad indeed. It's scary how easily the FBI convict people in the press. They have great leeway to concoct any story they want. Journalists then report the FBI's allegations as fact. The targets, who need to remain silent lest their words are used against them, can do little to defend themselves. It's like how in the Matt Dehart case, the FBI alleges child pornography. But when you look into the details, it's nothing of the sort. The mere taint of this makes people run from supporting Dehart. Similarly with Chris Roberts, the FBI wove a tale of endangering an airplane, based on no evidence, and everyone ran from him.

We need to stand together on or fall alone. No, this doesn't mean ignoring malfeasance on our side. But it does mean that, absent clear evidence of guilt, that we stand with our fellow researchers. We shouldn't go all Lord of the Flies on the accused, eagerly devouring Piggy because we are so relieved it wasn't us.

P.S. Alex Stamos is awesome, don't let my bitch slapping of him make you believe otherwise.


John S said...

Are you fucking trolling?

There is no "security research union". I'm a security researcher and I want absolutely nothing to do with the likes of Roberts and all the blackhats that call themselves security researchers (Weev is included here). I don't want to be associated with the egotistical assholes that think they know a whole lot more than, say, *people that build airplanes*. At some point, the best security "patch" is to go after the attacker, because you can't fix every fucking thing.

Furthermore, there is not "no evidence". There is clear evidence of him making a Tweet that could be construed as a threat, especially combined with his past Tweets about hacking planes- it shows he might have the ability to tamper with the plane. Combine that with his exact flight info, and technical terminology only known to the plane's designers and someone determined to tamper with a plane. This isn't much different than a bomb threat.

Who cares if this guy's intent isn't malicious? someone that idiotic is a danger to himself and others and shouldn't be trusted with scissors let alone a plane full of people.

This isn't a free speech issue. But if you really believe in this, then I challenge you to stand with him by making the same sort of Tweets. See where that lands you.

Unfortunately, the appropriate "patch" to be applied here is increased paranoia against anyone that looks like a hacker. And if that happens, I'm going to be very sad but I'm going to agree with it. Because a security researcher just threatened to tamper with a fucking airplane in the name of unethical research.

Unknown said...

Kudos on the original post. See here for substance with links.

Too many new people are clueless about how much effort has been made for 25 years to highlights these known vulnerabilities. Am sick and tired of people being a) stupid and b) irresponsible.

Unknown said...

Dear John S., You know nothing of the context. Everything he tweets, we can have the same cards stack against. Did you read the context of his conversations, that involve a large plethora of people discussing security holes? His sarcasm attracting Feds? That can happen to anyone. And we do already, stand together, because like it or not, you and I make inappropriate jokes all the time, and that appropriation is at the discretion of every individual. It's up to the plethora to save the individual, not condemn them in the crossfire between single-minds. We're all fucking trolling. Get your head out of that ass, and recognize the indifference between any spit and shit we post. You're not innocent. But "we" can justify your actions.

John S said...

He deserves as much sympathy as someone who makes a joke about having a bomb on a plane. Exactly none.

Hristos said...

I read all the comments and i am so intrigued to find out why is everyone missing the point of this Post...

Let me type what i got from it in the most simple manner i can :

Person1 : Hey, i found that you can patch in to a network on a plane, lets exaggerate and put it on twitter, i am called a sec-researcher after all.

person2 : Boss, this guy said that he can control a plane

bossof2 : FBI there? someone threaten us that he will control a plane

fbiperson1 : NSA there? ( come on, we all know NSA was involved ) Who is this guy that threats us?

nsaperson1 : just do the usual procedure, if we stuck somewhere we will legislate something to get unstuck

On the press release ALL of the reporters want to make a story out of that, security flaws? on a plane? that's is a juicy story right? and as a reporter that want to beat the competition and doesn't really understand what person1 did, fill in the technical gaps will whatever you want.

See the problem? All guys in that chain of command are calling, and have called themselves, aware of the dangers of (un)privacy laws and are wishfully blind, as we all are.

To the point though. What i get from this whole post is that we have an inability in communicating security flaws ( among others), and how FBI or anyone ( including this Post's commenters )exploits that by punishes that inability, promoting himself on a higher position meanwhile. that's all

In a time and place where our brains cannot process the amount of information "out there", "in the wild", we fail to communicate, we were not evolved for that, our nature as humans is to divide, suppress and control. It is all around us, just take a look :)