This part is dedicated to the interactions between the Government and the hacker researcher communities, also covering recommendations to both parties.
Now the fourth story, and maybe I’ll do the fifth story about Barnaby Jack and Abu Dhabi – yeah, I think I’ll do that. Sorry, I mention Barnaby Jack and I just start getting a little teary.
Fourth story is more of a kind of plea to both the Government communities and the hacker researcher communities, from the vantage point of both. I don’t have a lot of examples of our community, the hacker researcher community, really reaching out in a proactive and positive way to educate and enlighten the Government. We do it, but we do it really ad hoc. And I think we need to try a little harder to do specific examples.
I’ve been a little upset about some of the things on the news lately, and actually one of your options – it is a scary option – is to actually go inside and try and fix them there. People will fight you tooth and nail. It is not for the faint of heart. But that’s actually what I did when I went over to DARPA. I didn’t go there because I thought it was cool; I didn’t go there because I wanted to be a part of the Government. I actually went there because I thought that they and other parts of the Government had kind of lost their way. And I had an opportunity to go in and fix it.

I did get a really nice unofficial email from somebody recently, and it was about CFT, which makes me think that we actually, because you guys were all a big part of that, did manage to pull some of that off. So I’m going to quote from this email I got to my personal account. The person said: “I recently had a meeting with all the agencies and the DoD services, and listening to them it was my turn to be terrified because of how out of touch with reality they were with cyber security and cyber defenses, and it made me realize how much I and the DoD owe you,” and that’s us “…for Cyber Fast Track.” And here is the part where I was happy, he said: “I thought CFT was showing the Government how they should be doing contracting. But now I actually understand what you were doing. It was showing the Government what the real state-of-the-art is and why they should be afraid of people on the inside who continue to just preach the status quo and throw money at the same problems the same way they had done before.”
So, that was actually pretty cool because they’re starting to realize that. And I’ve heard people at high levels, flag officers, a couple pockets, starting to refer to hacker researchers as researchers. It was hacker equals researcher, not hacker equals criminal. I thought that was really cool. It’s not saying that we should all go in and support the DoD, and I’m not telling you that you should like the DoD. I’ve got a lot of issues with the DoD, and I’ll continue – I’m sure they’ve got a lot of issues with me. This talk might even be one of them.
But what happens there is now that they know where some of the real ideas and some of the real talent come from, they’re undoubtedly going to try and reach out and tap into it in various ways, and this kind of goes back to an earlier story where they kind of projected their problems and their images and their goals on somebody else. There’s likely to be some uninformed and failed outreach efforts, so I’ve got a couple of recommendations to the Government that maybe will help with that.
I think it’s really cool when Government officials throw on blue jeans and a black T-shirt, because of course then they’re part of our community…But that’s not necessarily all there is to interacting with us. And it makes sense, before you present at a conference like this, that you should probably consider attending one and actually interacting and getting to know the people. There was one guy who was a three-star general who did that at ShmooCon, and I thought that was one of the coolest things because he wasn’t there for any agenda. And I remember conversations with him afterwards. He actually had an understanding. He was like: “Oh, this is awesome! No, there’s no way people should try and go in and mess with them or try and co-opt them.” I was like: “Yeah, exactly!” You know, that’s us, that’s the citizens, that’s the population of the U.S.
So the message to the other ones who haven’t really made that turn is go and actually interact. Now, the response I’d get was: “The schedules…too crazy. Can’t possibly do it.” I saw those schedules, and sometimes I was even on those schedules. But if it’s important enough… I know, I acknowledge, they are crazy schedules, these guys work like bears, which doesn’t mean that they sleep for half a year – bad analogy as soon as I said it. I was going to say like a swear word, and bears came out instead. Anyway, if it’s important enough for you to want to reach out to a community, you’ve got to go out and you’ve got to make the effort and you’ve got to put it in your schedule and you’ve got to go interact with them on a one-on-one level first. Because that’s showing your homework, and doing your homework shows respect.
The next suggestion to them – and this is what I tried to encourage inside – is you can’t go out and do a recruiting pitch, because it comes across really poorly. I used to get so bent out of shape when I would see a Govie stand up at a hacker conference, and I’m like: here it comes. “We do awesome stuff but we can’t tell you anything about it. Trust us. You with the mohawk, if you shaved your hair, if you put on a suit or maybe even a uniform, stopped smoking dope, you could come work for us and actually do something with your life.”
That’s how I interpreted it. Now, that might not be the message. It might just be a “look, we need help and we’re trying to reach out to you,” but it’s just a “take, take, take” sort of message: “What can you do for us today? What can you do for us now?” And to me it was offensive. What would it be like if you had a senior official from a very technical agency come out and actually give a technical talk? Because this is a meritocracy. That’s where this community came from. In a meritocracy your value in the community is based upon how much you contribute to that community. I know a lot of people are like: “Why the hell did Mudge go over and go to the DoD? He was one of us and now he’s one of them.” And I had spent 10-15 years contributing to this community, and I wasn’t about to stop. And when I was there I was able to actually fight for this community and try and make sure that the interactions were a little bit better and that we were treated and engaged with normally. Those 10-15 years of contribution gave me enough grace period to build trust up again on both sides. And you’ve got to do that, and you do that by interacting with people.
So the value of somebody in one of those agencies coming and giving a technical talk wouldn’t be that you learned something really cool about how SELinux was actually done and why it was done, or what the internal battles were to get it across. It wouldn’t be that somebody is going through the technical components of one of the numerous patents that are out there, let’s say, IP geolocation, you know, the ones that we’ve read about. It would actually be that they’re engaging us and interacting with us in our own language and treating us as peers and starting a dialogue.
So, I think I will give the Barnaby one after this. But I’m going to summarize this one here. Am I pleading that we should not challenge the Government? Absolutely not. I think challenging the Government is your patriotic duty as a citizen, and I think it is very important to do. It’s painful for both sides, but it’s something that has to happen and it’s why we’re such a great nation.
You can’t train a dog just by repeatedly beating it. I mean, it will learn some stuff, but it will probably learn stuff that you weren’t intending and it will bite you at some point. So, when you see the dog do something good, it’s nice to give it a treat, and there are certain little pockets inside the Government. And one of the things that I think we as a community can do better is, yes, we need to challenge the stuff that we’re seeing. We need to challenge the things that are in the news.
But if you see a small pocket of hope, like if you see a Congresswoman that’s helping put through Aaron’s Law, you know, changing things like CFAA. Somebody is going to change CFAA, we need to support them, we need to help them, we need to encourage them for actually going, because they’re going to get a lot of crap thrown at them. And they’re actually doing the right thing and there aren’t a lot of people supporting them. So we need to be more vocal as a community to actually support them.

There was a Colonel in the Army who managed to get the NSA to have to include “Little Brother” as a book that they read as part of their training. Have you read Cory Doctorow’s “Little Brother”? That’s awesome! That helps sensitivities. That guy caught a lot of crap for that, and it was really cool. I mean, there’s nothing wrong with that book. That book gives you a new way of looking at things. And the more ways you have of looking at it, the more understanding you have and the more positive outcome. That guy – I mentioned he’s a Colonel, he’s over at West Point, his name is Greg Conti, I’ll call him out. He was one of the people who encouraged the cadets to actually go out and talk at our conferences and contribute. The “Build Your Own UAV at a 99.99% Discount” talk by Mike Weigand was an example of that.
It’s engaging, and that’s actually sharing in a creative dialogue at ShmooCon. He and his colleague walked through their training course that they ran at Fort Meade to try and socialize folks. It was “Lessons of the Kobayashi Maru”. I highly recommend you go watch this talk, because he had to teach them how to cheat. And it’s hilarious and it’s insightful and it’s humanizing. Most importantly, it’s humanizing. So, where we see those pockets of hope and of outreach and of engagement, I’d just really like to ask all of us to try and figure out a way for each time we’re challenging something else to try and encourage the good behavior.