Skip to main content

After Snowden leaks, feds lose their hacker cred at Def Con

After Snowden leaks, feds lose their hacker cred at Def Con

/

Can spooks and hackers bury the hatchet post-PRISM?

Share this story

High-Five the Fed @ Def Con 21
High-Five the Fed @ Def Con 21

"I haven't sensed this level of tension in the community since the crypto wars in the late '90s," said Jeff Moss, aka "The Dark Tangent," remembering when the US government nearly outlawed strong cryptography. He was addressing the audience at Black Hat, the computer security conference he founded almost two decades ago. The tension surrounded the speaker he was introducing: General Keith Alexander, director of the National Security Agency.

It was the second time Alexander’s presence caused a ruckus at a Las Vegas hacker convention. Last year, hecklers briefly taunted the general during his keynote address at Def Con, Moss' more casual computer security pow-wow. But following recent disclosures by Edward Snowden about the agency's massive spying apparatus, the NSA chief's presence provoked more unease among traditionally privacy-minded hackers. Moss had prepared for this. For the first time, citing the NSA leaks, he had asked federal agents not to attend Def Con.

For the first time, feds were asked not to attend

That was a sharp break with tradition — where attendees once played tongue-in-cheek games of "Spot the Fed," Def Con's cautious intermingling of hackers and spooks had changed. "There are definitely more of them this year — they're just being sneakier about it," said one five-year attendee who, like many, wished to remain anonymous. Another young hacker played his own version of the game, using a cardboard sign to solicit high-fives from secret agents. Joking aside, recent events have clearly had an impact: Alex Stamos, a security researcher who has worked with government agencies, lamented that relations between white hat hackers and the US government have "gone backwards about 10 years" since the Snowden revelations.

"In the beginning they were like the mystery men," said Moss, who now works as an advisor to the Department of Homeland Security. "I thought, well, they're gonna be at the con anyway, so I'll just invite them. That way, even if they don't show up, it's sort of like 'I know you're watching' — you know that I know that you know."

Like any smart security researcher, feds attend the conference to network and spot new trends. "They use it as sort of a crystal ball. If researchers are talking about it now, it's probably gonna be a big deal a year from now," said Moss. (This year, those trends included car-hacking, breaking home security systems, and using distributed surveillance devices to monitor entire neighborhoods.)

"insecurity is mostly being leveraged by governments against people."

But the fed presence is inseparable from how governments ultimately put that knowledge to use. The increasing use of security exploits by nation-states has slowly shifted the security landscape, says Moxie Marlinspike, the pseudonymous hacker behind free mobile privacy apps TextSecure and RedPhone. "For a long time, the insecurity of the internet was being used by people I liked against people I didn't like," he said. "But lately there's been this real inversion where insecurity is mostly being leveraged by governments against people." On Friday, the ACLU's Chris Soghoian talked about one such tactic, where the FBI utilizes security exploits to remotely, covertly activate the microphones in laptops and Android phones.

Security researcher and Def Con veteran Dan Kaminsky understands the discomfort, but says it's helpful to remember that governments are sprawling entities made up of people with different interests.

"The problem is looking at the government like it's one single group of people," he said. "The hard thing is when the government comes to Def Con saying, 'Hey, we need your help making the world safer,' while other guys from the government come saying, 'Hey we need your help to blow stuff up.'"

Dsc_0227

Peiter "Mudge" Zatko, a former member of the famous hacker group Cult of the Dead Cow went on to become the head of the Cyber Fast Track program at DARPA in 2010. But he says he didn’t join because of any desire to work for The Man; instead he felt parts of government had lost their way and saw "an opportunity to go in and fix it," as many hackers are compelled to do. Like Kaminsky, he urged hackers to not just bristle at the NSA surveillance machine, but also seek out and reward positive efforts in government, like Rep. Zoe Lofgren's movement to reform the Computer Fraud and Abuse Act.

"I think challenging the government is your patriotic duty as a citizen," Mudge reassured. "It's painful for both sides, but it's something that has to happen and it's why we're such a great nation." He sees hackers willing to challenge the NSA, but doesn’t see the agency doing much to meet them on middle ground. General Alexander may be willing to throw on a black t-shirt and jeans while giving a recruitment speech in Vegas, but his agency — and feds in general — doesn’t do the one thing that hackers always respect: contribute useful technical information. "What would it be like if you had a senior official from a very technical agency come out and actually give a technical talk?" Mudge asked.

The federal government isn’t winning many hearts in the hacker community right now, and it doesn’t help when officials dismiss them as "anarchists" and "nihilists," as ex-NSA chief Michael Hayden described Edward Snowden supporters this week. Cybersecurity has become a major concern within the US government that eclipses fears of terrorism among some high-ranking officials. And in an era when hackers arguably wield more power than ever before, the feds need all the friends they can get.