On hackerspaces, Fox-IT and OHM2013
A recent blogpost by PUSCII lamented the lack of moral fiber in Dutch hackerspaces. While well written, I do think their statements are not fair to all the people currently spending their free time to make the Dutch hackerspace community a vibrant and thriving part of society at large. The resulting mass-hysteria on twitter among German hackers gave me an uncomfortable feeling. My thoughts were torn between ‘if intolerance is leading, fuck the hackerscene’ and ‘there are some very good points being raised here’.
Disclaimer
This blogpost attempts to capture some of my more prevalent thoughts. Note that this blogpost reflects my own personal opinions and obversations, and not those of the OHM2013 organisation as a whole, Fox-IT, any of the hackerspaces I mention in this post nor any other organisation, collective, club or assembly I am part of.
Hackerspaces
There is a theme in PUSCII’s blogpost that reverberates with my own thoughts. Hackerspaces come in many forms. I have visited maybe a hundred of hackerspaces in the past years in a handful of countries, and all are different. In fact, the definition of what constitutes a hackerspace is one that leads to a lot of email threads on the hackerspaces list, many blogposts with varied opinions on the subject, extensive IRC chats. No agreement has been reached.
Within The Netherlands, hackerspaces are a relatively new phenomena. Whereas ASCII and PUSCII may be seen as the earliest hackerspaces in our country, they have always had a more revolutionary perspective on the world. Much like many of the German hackerspaces, they are instruments of the revolution. Many hackerspaces in Germany, really CCC club houses, see it as their mission to provide the infrastructure to help in the greater cause. They have, for example, set up media labs to edit videos that educate the public. They organise ideological discussion meetings.
The current hackerspace movement in The Netherlands is a young one. Sparked by HAR2009, regional groups started to form new initiatives. Initially, these Dutch hackerspaces (when looking at the surface) were mostly places ‘playing with LEDs’. Yet, among those who set up and visit those hackerspaces are many who have the vision that hackerspaces (and in fact, hacker-community) are more than just playgrounds for technophiles.
When I started Revelation Space in The Hague, I had a vision of a hackerspace that would be more like the German CCC club houses. Places where people with a critical view of the world and an inquisitive take on developments surrounding technology, the state and the people gather to engage in (hack)tivism and generally make the world a better place. My ambitions were high, and initially Revelation Space was more of a place where people would just play with LED’s.
Recently though, as the space has matured, I see that activities such as I had envisioned originally, are becoming a part of the daily praxis at Revelation Space. For example, a number of members decided to set up a hotline for hackers, to anonymously report security incidents. They fill in a gap, in a bottom-up way, where our government is failing. The law still puts well-meaning and ethical hackers in a tough spot that discourages reporting issues with security of systems containing privacy sensitive information.
Not only are individual hackerspaces constantly evolving, the hackerspace movement as a whole is changing. More and more hackerspaces open their doors in The Netherlands. Among them are also those of a more reactionary nature, where the focus inherently is more on activism than on tinkering (but never exclusively either one of them). As the hackerspace culture in The Netherlands matures, we will likely see a better balance between pure techno-love and tinkering on the one hand and hard-core hacktivism on the other hand.
OHM2013
I feel sorry that there are people who have expressed they will no longer help out at OHM2013 or no longer visit OHM2013 because of a single sponsor. I don’t feel sorry for OHM2013: it will happen with or without them. And it will be awesome. There will be blinking leds, but there will also be many interesting people. Activists, idealists, pragmatists, all on one field. The sheer potential of useful encounters and discussions that move our thoughts beyond what we can get from experience in isolation alone is awe-inspiring.
Contrary to the German CCC, The Netherlands does not have a structure that allows hackers to organise and meet on a regular basis. The hackerspaces have a role in this, but by nature can not attract the thousands that flock together to the four-yearly hacker camps. And that underlines the importance of the events in the series of OHM2013. They have an important role within the Dutch hacker community.
And of course, there are always people who disagree with the choices made by the group of volunteers putting these conferences together. In 2005, a group of revolutionaries was of the opinion that a community event must be free for all, not something one would have to pay for. Sidestepping the morbid reality of having to pay for equipment to set up an in-promptu network for 3000 hackers, having to pay for tents to house 3000 hackers and those who speak to them, having to pay for showers and toilets to keep 3000 hackers from drowning in their own shit and puke, they set up ‘squat the hack’ and decided that contrary to all the other visitors they did not have to pay for that edition of the camp.
Even in 1989, the Galactic Hacker Party was accused by some more extermist squatters in Amsterdam of being a platform for ‘those evil corporate computer people with their capitalistic computer machines’ (mind you, computers were still something of an oddity back then).
In 2009, some people accused the HAR2009 organisation of being corporate sell-outs who only were in it for the money. Despite the fact that I personally, as one of the driving forces behind that edition, nearly went bankrupt because I chose to work on HAR2009 instead of doing paid work.
And now we have a group of people condemning the entire event based on rumours about a single sponsor. So be it. One cannot please everyone at the same time, yet having this conference is paramount to the further maturing of the Dutch hackerscene. Not only that, it gives the newer generations of hackers a chance to meet the older generations. And to meet the many passionate individuals who fight for their causes and ideals.
So, all in all, if you do decide not to come to OHM2013 because your leaders tell you it is considered bad form to do so, then that is your loss. You will miss out on a unique opportunity to educate others on your ideals and to be exposed to radical new ideas that may broaden your mind.
Fox-IT
About a year ago I was contacted by Walter from Fox-IT. He saw my skills and my ideals and thought they would make a good match with those of Fox-IT. At first I was skeptical, but after the first few talks my opinion turned around.
Some now believe I have become a slave of the dark side. That is ok, for I know it is not the case. Working on ‘the inside’, I can see that among those people making up Fox-IT are also the same idealists that I am. There has always been a lot of debate about, for example, Replay (the so-called ‘wire-tapping’ software which is basically a pimped sort of wireshark without the capturing abilities). Not because of the software, but of the possible business decisions made at the time.
I would invite all the critics, those who click ‘retweet’ on tweets full of allegations, to come to OHM2013 and meet Fox-IT. Talk to the people who work there. You will find out they are not all that different from yourself.
As an example, recently someone brought up the subject of a ‘police trojan’ on the internal nerds mailing list. He had heard something about it, and thought Fox-IT could develop such a tool to aid in catching cyber-criminals. It made me feel warm and fuzzy inside to see the outspoken ‘NO we can not develop such software’ present in all the replies to that thread. My colleagues, like me, are intrinsically against such practices for all the same reasons that the criticasters are.
Heck, talking to Ronald Prins (CEO of the company, and for some the personification of evil on this world) you might even find out his opinions are much more balanced than the impression you might get when you let the media filter his statements for you. Note that I do not feel inclined to defend his opinions here or anywhere, as I myself sometimes vehemently disagree.
I have seen that the consciousness of Fox-IT is a very active and vocal one, and is formed by the moral fiber (to use an overloaded term) of those who work there. Even before the fefe-isation of this discussion, my colleagues expressed doubts and worries about Replay (sold in 2011 and no longer a product of Fox-IT). When the German community went into a dogmatic stance against OHM2013 because of the sponsorship, the discussion within Fox-IT naturally increased as well. I have spent many hours the last few days at my desk, in the hallways and the canteen. I am impressed by the insightful and intelligent remarks and questions.
Yes, Fox-IT develops tools that help the police catch bad guys. If you are radically against any form of authority, that might rub against your fur. I am not a big fan of the police and their more violent nature myself, having spent a fair amount inside police cells. I have walked in demonstrations where the police clubbed down demonstrators without provocation. But I have also been glad the police was around when a pretty fucked-up individual was about to attack me. Those two police officers might very well have prevented that I ended up bleeding to death on platform 12 of Amsterdam Central station.
So there are two sides to every story. And while some of you may think Fox-IT is engaged in activities that don’t jive with your morality, I believe (from observation and discussion) that this is not the case. Ronald Prins has a vocal opinion, but in expressing it he may not always act in accordance with the larger group of people that make up Fox-IT. Personally, when I disagree with his statements I will tell him (and in fact, he consults me and many others within Fox-IT on a regular basis). I do not see Fox-IT engage in activities that I am vehemently opposing: “state-sponsored malware”, making products to listen in on phone calls or internet traffic, prosecute hackers who are on the good side or otherwise participate in far-reaching violations of basic civil rights. If I would see such activities, I would have terminated my employment without further thought.
Conclusion
I am not one to make decisions based on popular opinion. That makes me a loner. I choose to work for Fox-IT, a company perceived by many of my peers to be at the wrong side of the sharp line dividing good and evil. It has led to intolerant and outward hostile reactions from some of them. Still, I am at peace with that decision. Even though people may not understand, I am where I need to be: in peace with myself, my decisions and my ideals. I wish everyone the same.
April 2nd, 2013 at 15:54
Great post. I read the hackerspace thread, but I didn’t have any counterpoint or other view to consider it with. While I can’t make it in 2013, I will be sure to point people to this post when I hear them ranting non-sense.
April 4th, 2013 at 15:10
My initial response was quite critical about Fox-IT, and I still think the marketing of it is very much one-sided and detrimental to hackers (Fox-IT really should use “crackers” instead in their website). I don’t bear the security industry in my heart either, because of its market incentive to militarize the world instead of engineering long term solutions to help society as a whole, not only the dominant part of it. Groente’s post very much saddened me and got me depressed for a couple of days.
But then, as reactions piled up, I realized that many comments came from some irrational anger, some disgusting gregarious instinct, some lynch mob. I appreciate that you kept things balanced. It’s important to keep in mind the complexity of situations.
OHM will be the first NL Summer camp I miss since HIP’97, but for the only reason that I’m not in Europe anymore. I’ll follow the event from abroad, with the same pleasure as always. And yes, as someone suggested in a comment on Groente’s blog, if people don’t want Fox-IT to sponsor Hxx 2017, they can pour in 10 EUR more while they are at OHM 2013, or during the whole period of 2013-2017, to avoid the need of a Gold Sponsor.
April 7th, 2013 at 00:52
Hey gmc,
Thanks for your elaborate reply. First of all, I am very grateful for the amount of time and energy you, and many others like you, have put into making OHM and the numerous hackerspaces with all their activities happen. The extent of the moral outrage triggered by my post took me a bit by surprise and it saddens me to see people mistaking what was meant as a critical note and food for discussion for an all-out call to boycott. The Dutch four-yearly hacker camps are indeed one of the very few places where we can meet as a community in all its diversity and discuss exactly these kind of issues, missing out on that over a single mistake would be tragic.
Having said that, I am still very concerned about your employer recruiting within our community. There is a dualistic side to law-enforcement, indeed one of their functions is to catch the ‘bad guys’. However, as you’ve experienced, they are also an instrument for political control. It doesn’t take a revolutionary to suddenly be labeled as ‘the bad guy’ when fighting for ones causes and ideals; (h)acktivism often involves crossing the lines of what is lawful in order to do what is morally just. Unable to deal with these ethical complexities, the police (and let’s not even get started on the secret service) have a bad habit of criminalizing civil disobedience and political dissent. This makes me very distrusting towards their judgement on what constitutes a ‘hacker on the good side’. Note that the security industry also seems unable to deal with these complexities, it is exemplary how the certification program for ‘ethical’ hacking doesn’t actually deal with any ethics worth mentioning.
Unfortunately, the involvement in prosecution and law-enforcement is only part of the reason my eyebrows frown upon looking at the business Fox-IT is involved in. What raises them even further is the international branch. It seems safe to say that Fox-IT has some particularly shady international customers. A more recent example is the training given to the Ukrainian security service SBU, an organisation infamous for illegal surveillance, corruption, torture and intimidation*. With the wiretapping branch sold off, I’m willing to believe that Fox-IT might not be directly involved in these malpractices, but are these really the kind of organisations you want to conduct business with? Despite your reassuring words on the moral fiber of your co-workers, I’m left with a seriously bad feeling about the role of ethics in the company’s decision making.
Returning to Dutch politics, there’s the matter of ‘hacking back’. It pleases me to read the workers are in no mood to create state trojans. However, given the extensive amount of lobbying Fox-IT has done, it seems naive not to presume there’s a business case lying ready there. The letter to parliament on which the new law proposal is to be based** casts a gloomy light on the future that awaits us. Actively cracking target systems is to become a new standard method for law enforcement, supposedly safeguarded by the same mechanisms that surround wiretapping. Given the shocking statistics on the Dutch use of wiretapping, that safeguard doesn’t really amount to much. With that in mind, I foresee your job is going to give you quite some extra moral dilemmas in the not-so-distant future.
Now you seem like the kind of person who is very well aware of the moral dilemmas at stake, able to make – though I may still disagree – your own judgements and act in accordance. Nevertheless, working for and thus creating an economic dependency on a company that is on such moral slippery slope is something I would strongly advise against and their increasing presence in the hacking community makes me feel rather uncomfortable. Quite frankly, even your suggestion to have a nice chat with the people working at Fox-IT seems hazardous. Keeping in mind that “[they] do in fact have an undercover intelligence team which unearths the most exceptional info about new attackers and hackers”***, it would seem fair to at least warn the public at OHM to watch what they’re saying…
Anyway, this might be going too much into detail and lose perspective on the larger issue. Fox-IT is just an example and there are many similar companies and organisations – some far more blatantly evil – for whom the hacking community is one big pool of human resource. The question is how we can relate to this industry without losing our moral integrity. I’m looking forward to seeing you at OHM to discuss this IRL.
* mentioned in https://www.fox-it.com/nl/files/2011/09/foxfiles_22011_webversie.pdf, see https://en.wikipedia.org/wiki/Security_Service_of_Ukraine#SBU.27s_transgression_of_the_law for sauce
** http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken/2012/10/15/wetgeving-bestrijding-cybercrime/wetgeving-bestrijding-cybercrime-1.pdf
*** https://www.fox-it.com/en/files/2012/11/8429-FX-Fox-Files-2012-3-ENG.pdf
April 7th, 2013 at 10:23
@groente thanks for taking the time to reply. First of all, let me address some of your worries: I am not economically dependent on anyone or any organisation. There’s plenty of companies and organisations constantly asking me to work for them, so if it comes to it (for eg, when Fox-IT does indeed start to develop and sell state-sponsored malware) I have many options ready for me. In fact, even if there wasn’t such interest in my skills and talents, I can always choose to live under a bridge in some sunny country and forget about the digital bullshit all-together. Dependence on economic circumstances is problematic for many reasons, so I personally try to be fully aware of the possibility that at some point I will have no money to spend. Having been there before, I see it as a viable option. I won’t die.
As for your other comments: people should make up themselves whether they want to chat with people from Fox-IT or not. I’m not forcing anyone. Just keep in mind that, whereas the people from Fox-IT do not hide their employment, ever since the earliest editions of these events undercover operatives of various secret services have also been present (the same goes for any of the CCC events). There is no background check before a ticket is sold. This means that you should be careful what you tell to whom regardless of whether someone is working for Fox-IT. I hope people apply that same reasoning in their normal life outside of these events. If you have something to tell that might put you into a position where you can be blackmailed, prosecuted or whatever, you should be careful whom you tell it to.
I think the term ‘hacker’ in the marketing material of the ‘undercover intelligence team which unearths the most exceptional info about new attackers and hackers’ does not mean what you and I think of when we say ‘hacker’. For us, hackers are the good guys. For the CEO of some big bank however, the term ‘hacker’ refers to the criminals who steal credit card details and stuff like that. I think it is a good thing to keep in touch with what those bad guys are scheming, so we (the good guys, so to speak) can keep ahead in the digital arms-race (to use a cliche of the modern language). I also think the hacker community itself should reflect on their own ethics. While I know many ‘ethical hackers’ who are on the good side of things, I also know quite some people who call themselves ‘ethical hackers’, but at the same time boast about their cracks of large organisations and don’t hesitate to release private information obtained in those hacks to the public. Or ‘ethical hackers’ who sabotage systems to make a point. In my definition of ethics, that is unethical. Whatever your reasoning behind it.
You are right that the definition of ‘criminal’ is in flux, and depends on the political regime. Yet, I do not think we here in The Netherlands currently are in a situation comparable to (say) the stasi-period in Germany. Or the stasi-like situation in the US right after 9/11 where citizens were encouraged to snitch on their fellow citizens when seeing something ‘suspect’ (I’ve seen billboards there literally saying ‘see something suspect, call 1-800-somethingsomething). I also see positive developments within the Dutch governmental organisations due to interactions with ideologically driven people like myself. And there are many other people like me, who believe change must come from within and can never be forced from the outside. Like the definition of ‘criminal’, everything is in flux. Having had a religious upbringing (and the rejection of religion around my 12th), I’m not one to take a dogmatic stance on anything.
Anyway, i’m looking forward to the panel at OHM2013 that you are participating in. I won’t deny there is a moral slippery slope, and the only way to keep people aware of that and prevent people from slipping down that slope into the dark side is to have open debates like those.
While you regret the interaction between companies, governments and other agencies, they are a fact of life. The US has been recruiting among convicted hackers for years, giving them the choice of working for the NSA or sit out their jail-time. Countries like India have a rich history of patriotic hackers, who believe they are morally obliged to help their country by hacking and sabotaging Pakistani IT systems. Also, don’t forget that many of todays security firms actually came forth from the great fathers of the Dutch hackerscene you mentioned. I regularly have chats with some of them, and far from being dogmatic they too have evolved their look on the world as the world itself changed.
I could (and should) write more and more detailed answers to your post, but unfortunately I know have to return my attention back to some urgent OHM2013 organisational matters!
April 9th, 2013 at 12:02
Excellent, it seems we have arrived at some more fundamental points in the discussion and need no longer bother ourselves with the details on one specific company. Your definition of ethics, moreover your rejection of reasoning behind certain acts, is problematic. The – dare I say – dogmatic stance you take against for instance sabotage seems to based on a set of absolute rules. It is as if you have written your own moral book of law with rules to which to adhere, regardless of circumstance. Whereas such books of law may provide us with excellent rules of thumb to aid us in everyday decisions on what to do and how to act, they are merely a simplified model of what ethics is truly about. When we regard ethics from a Kantian perspective we must acknowledge the context around and reasoning behind our acts as integral parts of the maxim that underlies our act. They provide the clauses and subtleties which determine whether or not we may will our maxim as universal law. To give a concrete example, they make the distinction between sabotage for the sake of sabotage as bad and sabotage for the sake of preventing an oppresive regime from killing innocents as good.
Granted, that was a bit of an extreme example, but it goes to show how a proper conception of the ethical complexities is vital to making judgements on (h)acktivism. Merely judging by the book of law, be it your own or that of the state, will not do. I believe to a certain degree this also explains why the institutions of law-enforcement and security industry tend to be unable to appreciate or cope with (h)acktivism; their judgements are based on an oversimplified view of what constitutes right and wrong.
On a more socio-political note, yes, the definition of criminal depends on the political regime. And while the situation here in the Netherlands is incomparable to the DDR, I do not think it is fundamentally all that different from the US. We too are encouraged by the state to call 112 when we see something suspicious. We too have our railroad network deranged because someone forgot their bag. In fact, we have FBI agents embedded in the high tech crime unit and the Netherlands are notorious for using wiretapping on a scale that far exceeds that of the US. So despite our liberal and tolerant image and whilst our legal and penitentiary system are far less brutal, there is in fact much reason for concern. Our political climate is shifting and showing an increasingly repressive nature. Over the last decennium we have witnessed (had we paid any attention) a large number of new laws and regulations targetted against the public sphere and political dissent. So yes, the definition of criminal is in flux, but it is going in all the wrong directions.
Finally, to state that “change must come from within and can never be forced from the outside” is a grave insult to the numerous social movements which have accomplished exactly that. It can not be denied that good work can be done ‘from within’, but all too often it is limited to polishing the rough edges. To say that this is the only way would be to deny the dialectics of social change. If you are truly so bold as to make such a claim, I would be very interested in your argumentation.
April 9th, 2013 at 22:12
First of, Groente, I am not a philosopher, sociologist or historian. So if you want to discuss the deeper intricacies of said areas, i fear i am the wrong person for you. I’m just a guy who’s good with tech, cripled with ideals and a pragmatic (although I guess if you’re a philospher, pragmatism and idealism are mutually exclusive).
Anyway, as for the people sabotaging systems just to make a point about their abilities: that is, imho, senseless and has nothing to do with hacktivism.
I am curious to what social movements you claim I have insulted. I’m not a revolutionary (yet?). We live in a country where we can have discussions like this, where we can criticize our government without being locked up or worse. Yes, there are things that we should be concerned about. The wiretapping you mention is a problem, and that is exactly why I also am not too happy about ‘hacking back’, given that the supposedly due diligence around wiretapping is failing. If that fails, i do not have a lot of confidence in the safeguards that supposedly would protect us from a government hacking back (also see my earlier blogpost on this subject in Dutch: http://wordpress.metro.cx/2012/11/03/de-hacker-gehackt/).
I’m nowhere saying that the issues you mention do not deserve concern and opposition. Yet, I am also not convinced that a radical departure from how things are now (a revolution, so to say) is viable nor useful in our situation. As a sidenote: looking (from a distance) at some of the contemporary revolutions, i’m not sure people are better of after the revolution than they were before. The resulting vacuum apparently attracts the next villain / dictator who is happy to take power with promises of leading the population from chaos to order.
As said, i’m pragmatic. I do not believe preaching revolution and dismissing people who are not activists or are not on the good side of the line dividing ‘good’ and ‘evil’ is helping in addressing the above issues. In fact, it is doing more harm than good. The more extreme your position in this, the more likely you’ll be dismissed as a member of the tin-foil hat brigade. I also am suspicious of people who are convinced that their moral convictions are the right ones, and point their finger at those who do not share their moral convictions.
Finally, governments, companies and organisations are made of people. They are not anonymous entities, they have a lively group of minds brought together. Together they form the consioussnes of the organisation. And the organisation itself is part of a larger ecosystem, society at large. One could choose to put oneself outside of an organisation (or society) and then lament the actions of the organisation. That is not likely to result in any change, and strengthens a ‘we’ vs ‘them’ vibe. Or one could be on ‘the inside’, and be part of the consioussness. For example, I am sure me being critical about, for eg, state sponsored malware carries way more weight within the decision-making process of my employer than an anonymous blogpost somewhere. So while I can actually actively try to prevent bad decisions, you are standing on the sideline mostly lamenting about bad decisions after the fact (pardon my simplification here, i’m sure things are slightly more nuanced than this :). I am, in my eyes, doing much more than just polishing the rough edges.
To wrap it all up, I do think we in essence have the same concerns about issues such as wire-tapping, privacy, freedom and more. And we both find different ways to do something about those concerns. I try to organise people, generally smarter than me on these subjects, and bring them together at events, hackerspaces and what have you. I have no doubt that, if it comes to it and the situation in The Netherlands would be really bad, I would become a revolutionary. Knowing what motivates me and how I act, that would be the most logical action for me. Yet, at this point, i’d rather be practical about things, and see where I can actually effectuate change in the world I live in. I’d love to see what you’re doing to address your concerns. Being a pragmatic person, I’m usually not too interested in engaging in philosophical debates, although I am not at all uninterested in such debates. I prefer to take a more active stance though. Educate, mobilize.
April 10th, 2013 at 21:31
Wait, I’m not trying to preach the revolution here. Honoustly, the idea of having a revolution in the Netherlands at this moment in time seems rather absurd. That doesn’t mean I don’t think we could do with some social change right about now. As for the movements who have succeeded in bringing about such change? Think civil rights, think LGBT, think labour, think women’s rights, etc.
Anyway, I don’t even regard the hacking community at large as a political movement, nor do I have any desire to try and turn it into one. There is a more politicized part, though, and since you self-identified as an idealist and a lot of our concerns do seem to overlap, I merely thought you’d be interested in exchanging ideas in this field (I actually enjoy having my moral convictions challenged every so once in a while). If you took personal offence, I regret that, it was not my intention to point fingers at anyone in particular.
What I do see is our hacking and playing and tinkering with technology has a strong socio-political impact, even where this may not seem apparent at first sight. This faces us with numerous political and ethical dilemmas, one of which I wanted to point out in my original post. This is not a matter of individuals, this is a matter of culture. I think it is of great importance we become more aware of this and act accordingly. Actually, Schneier wrote a pretty nice post related to this a couple of days ago, you might want to check it out: https://www.schneier.com/essay-420.html
As for your more personal questions, I have no desire to post publicly about my activities, let’s leave that for an IRL talk sometime.