Some of the pioneers of Defcon, Gail Thackeray and Dead Addict, take the floor at Defcon 20 to recall how it all started and compare it to where it is now.
Gail Thackeray: Good morning, my name is Gail Thackeray and I was at DEFCON 1; I was the only prosecutor they invited to come (who would?), and my assignment then was to debate the issues of hacking, and initially, when Dead Addict called me, I told him I don’t attend such conventions, and later on we had some discussions, and I did go. It was very interesting for all of us: I got up in front of a very tiny group of people in a very tiny conference room in the old Sands, and I said: “There’s no debate. You’ve already lost; hacking’s illegal in 50 states, the federal government, and a lot of other countries.” And it went downhill from there.
So let’s go back: where were we at DEFCON 1? First of all, I’m thrilled to see how many women are in the audience. At DEFCON 7 Kevin Mitnick was still on the lam, and the FBI sent an agent to try and capture him if he showed up. And even though “Spot The Fed” was a big deal as late as DEFCON 7, and they spotted a bunch of feds and trotted them out on the stage, they never got the FBI agent, and you know why? She was a girl.
So what we had at DEFCON 1 were a bunch of cops who were suddenly confronting a world they knew nothing about: cops were not using computers then. And we had a bunch of hackers, some of whom were doing exploratory, interesting stuff, some of whom were doing very expensive destructive stuff, which is what led to the prosecutions of the late 1980s and early 1990s that got all the press attention, and it started the debate and led to DEFCON, led to the formation of the Electronic Frontier Foundation. And I want to add for those of you who think we were always divided communities: I was an early member of the EFF.
At the point when DEFCON 1 happened, we had a huge national debate going on, a lot of it was being played out and distorted in the press, because we had cops who didn’t understand the technology; we had hackers who didn’t understand why other people were mad at them, and we had the press who couldn’t talk to either of those groups.
I remember there was a conversation going on on The WELL – some of you may remember The WELL, there was no Internet then, so you had to be paying very large long-distance bills if you were commuting to The WELL. And some of the best educated press people in America were asking things like: “In Operation Sundevil, where you did 19 simultaneous search warrants across the country, nobody got arrested” – “Well, that’s why we call them a search warrant. The arrest warrant is when you use the information from your search warrant to arrest the guy who did the bad stuff.”
We had different factions who could not communicate at DEFCON 1, and that’s kind of what led to DEFCON 1, right? We were all really nervous: the hackers weren’t necessarily cool with being in a room with a prosecutor. I did have to ask them not to commit any felonies in front of me, and the cops were not at that time comfortable with being on the stage with a hacker, or even in the same room, unless they were interviewing said hacker.
I want to say that 20 years later, we’ve come a long way in our ability to communicate, this is proof of that. We don’t agree on a lot of things, but post 9/11 we agree on a lot of things. The fact that this many people here want to hear what the General will have to say in a few minutes, is proof that you’ve changed. The fact that so many law enforcement and security people are here is proof of the fact that we’ve changed.
What we had at the time of DEFCON 1 was mass confusion: the issues weren’t all that clear, the factions didn’t share a language. Today we have cops using computers. It was actually law enforcement that pretty much invented the field of computer forensics. I know those early guys, and they were writing code, because they were desperate, they needed help. They went to Peter Norton and they got some tweaks to Norton utilities, and that was kind of the beginning of computer forensics: the stuff they were writing and what Peter Norton did to assist this.
Now, some of you are in the position of protecting the systems that we all rely on, and I think everybody in this room can agree that whatever we think about the exploratory form of hacking, there is a reliability factor that we all depend on in the civil society, and that means that you don’t take risks and endanger my stuff, and that was the fundamental divide we had at DEFCON 1, we’re still debating it now.
As Americans, I don’t think most of you, who are here Americans – we have a lot of foreign guests – as Americans I don’t think most of you would take kindly to a group of hackers from some other country shutting down any of our infrastructure, especially if it affects you.
We have evolved in our attitudes towards privacy over 20 years. We’re still arguing about it – I know some of you are pretty mad at Facebook about every 6 months. Privacy is where you feel you’re invaded. Hackers didn’t at that time, from my point of view, respect other people’s property and other people’s privacy.
There’s a lot of misinformation about those early prosecutions. A couple of the high-profile ones that led to DEFCON and the EFF were actually fraud investigations. Huge financial losses were being suffered as a result of some people’s behavior. The cops didn’t sit around and say: “Gee, whose civil liberties can we go trample on today? Oh, let’s pick hackers.” The cops are responsive to a need, a demand from their constituents, which is, at some point, in the lives of all of us. And that’s what happened: we were still trying to solve huge financial losses. You know why we don’t have as many hacker cases today? Because you all have Internet access for free. You’re not running up other people’s phone bills, and you’re not robbing other people of their credit cards as much.
We also have better educated cops. We have spent a lot of time training them; they’re still not where they need to be – they’re light years behind most of you. But we have officers: the Arizona computer forensics lab at the anti-terrorism center where I now work, is a marvelous resource. And we have people who specialize in things that weren’t even invented when DEFCON 1 was happening.
Phone forensics – that’s an oxymoron, there is no forensics with phones. For most phones you can’t do a true forensic examination, so we’re doing with phones now, and with GPS and all the other widgets, what we were doing in a very primitive way at the time of DEFCON 1.
One of the legends of the computer investigation early committee, which was a federal loose group that was trying to teach each other: “What is this stuff, how are we dealing with it, what’s the law? There’s no law. What do you mean there’s no law, this is a bad thing?” We were involved in all those early issues in law enforcement; we had some contact with members of the hacker community, some of them educated us, not always as volunteers. Their interviews were extremely educational, and I’m proud to say, as far as I know, as of 4 years ago, all of my alumni are really respectable citizens, and most of them are working in the computer security field. So the hacker community has evolved to become part of the solution, and not just the problem.
When we look at the evolution, and that’s a common thing Dead Addict and I were talking about last night – the evolution of the whole community, not just DEFCON community, but the whole society around us: as the General will talk about, we have more stuff in common than we have disagreements about. You don’t want me or any of my alumni shutting down the electricity when you’re working on an important project. We don’t want other countries taking our stuff, giving it away, so that our brilliant minds, and some of you in this audience actually make money from your skills when you’re not at DEFCON – you don’t want people stealing your stuff; you don’t want people data mining your stuff and misusing it. Those are all areas we have in common.
And I think DEFCON and EFF have contributed greatly to the shared understanding that brings us all here to listen to the General. So I’m going to turn this over to Eli, oh, sorry, Dead Eli, and let him give you the other side of the perspective of DEFCON 1. Just think: when we were here the first time, half of you weren’t born, nobody had a computer except for people in the room, who were not cops; we didn’t have the Internet and we didn’t have the conversation going. Look how far we’ve come in 20 years. Thank you.
Dead Addict: First of all I’d like to thank Jason Scott; if anyone’s looked on your DVD, there’s a good amount of material, including the issues of Tap from way back scanned and all those came from textfiles.com, so if you like this sort of thing you found on the DVD, visit textfiles.com. The community owes him. He’s our historian, so thanks, Jason Scott.
So, I’d like to talk a little bit about some of the motivations at DEFCON 1 and why we brought people in groups together that hadn’t been brought together before. As far as I know, DEFCON was the first hacker conference to actually invite law enforcement. This was something new. At the time, I’ll be honest, at least for myself it wasn’t to try to get some understanding of the two sides and bring everyone together, or anything like that.
We knew they were going to come anyway, they actually went to all the hacker conferences, then busted people when they were doing silly, stupid things, so we thought we’d just invite them, and then all the hackers would know: “Hey, the cops are here, let’s have a weekend free from blatant felonies all over the place.” And it worked out: the only arrests that I am aware of that occurred at DEFCON over the years have been alcohol induced, party-related offences for the most part, so you’ve got 15,000 drunk people together and that will happen occasionally.
So, we brought in Gail Thackeray, the most terrifying conversation I ever had, and when I invited her, she was actively prosecuting two or three very good friends of mine, including one of the DEFCON 1 speakers who wisely changed his talk from security related to car repair; it was an awful train wreck of a speech, but he stayed out of jail, so that was probably wise.
Also we invited the press. That was a relatively new thing too – I don’t think hacker conferences had done that in the past years, so that was something new. I had this idea of the checks and balances system, it was sort of what was going through our minds, and it was just me and Jeff planning DEFCON 1.
So the idea was: “Ok, we’ll bring the feds, because they’re coming anyways, we’ll invite them. And then, in case they do anything ridiculous that we think might violate someone’s civil liberties, we’ll bring the press there so they can report on that.” And that hasn’t happened; all these various stakeholders behaved relatively well, except for a single undercover reporter a number of years ago. I blame her employer.
So we brought the press in, and at the time the press coverage on security issues and hacking issues was abysmal; they were ignorant; the stories in most mainstream publications were truly awful. In addition to that we thought: “Well, bring in the prosecutor, because they’re going to come anyways; bring in the press to cover everything; we should bring some civil liberties lawyers in, in case anything bad happens, so we have lawyers on side.” And while there hasn’t been any law enforcement action over the years, thankfully, at DEFCON, having civil liberty lawyers around has been a wonderful thing for DEFCON speakers, because companies often don’t like it when we reveal the flaws, and they like to keep that a secret. And we’re not very good at keeping those sorts of secrets, which is why we rock.
So the civil liberties folks came, and it turns out that we need protection from the corporations and not from the feds, which was a surprise and I’m thankful they’re here. This year we have the CPSR – originally Computer Professionals for Social Responsibility, and later the EFF came, and this year the ACLU is here, as well as the National Lawyers Guild. So there is a wide variety of civil liberties groups. Years ago one of our DEFCON stickers was cut up and rearranged to FEDCON, because, frankly, there’s a lot of feds here.
A lot of the feds that are here are hackers, just straight up. So that’s ok; that wasn’t necessarily the case when they first started coming, but it’s certainly the case now. And there are a lot of folks that work for the government that are really, truly part of our community. They’re not the other, they are us. And I think that’s helped, I think that’s helped a lot, and instead of viewing the government as the enemy, we just need to infiltrate them and make the government be what we want.
So, the idea was a whole huge set of checks and balances, and it might have been a silly theory, and it turned out we didn’t actually have to fear law enforcement as much as we thought we did. But also, I think, letting everyone know: “Hey, this is a weekend of partying, have fun and exchange information; and rampant obvious criminal activity and multiple felonies – do that on Tuesday.”
So, the initial motivation was checks and balances. What ended up happening was something better and different than was imagined, and that was a greater understanding of all the various parties, and all of these groups understood the motivations of the others and feared the others less. Now we kind of get along to a very large extent. Also helpful, I think, back 20 years ago there wasn’t serious mafia criminal organized crime making millions and millions of dollars off of cybercrime. And, frankly, the cops have much better things to do than to deal with trespass explorations.
And again, I remember when I could pay $20 a month and quit being a felon – that was awesome, I slapped out those $20 for an ISP the moment I could do that. For those who weren’t there back in the day, it’s kind of an odd idea: “What do you mean you’re a felon to get on the Internet?” Well, there was no .com, there were no ISPs. If you weren’t associated with a university, the only way you were going to get on the Internet was, essentially, break some rules.
The press, I think, is interesting – I’m on the press team, so I’ll talk a little bit about that. They’ve gotten a lot better over the years. Over the years the press presence is growing, and over a hundred different media organizations are at DEFCON, including every major television network. I’ll tell you who’s not allowed though: there is one segment of press that tried to get into DEFCON 1 and has tried over the years to get into DEFCON – local press. So, Las Vegas, anything – I’ve nothing against the Las Vegas press, it’s just generally, as a rule of thumb, local press sucks, so they don’t need to come in and we don’t want an understanding with them. I’m sorry if anyone here is with some local press somewhere, I’m sure you do a good job.
The activists have changed over the years; the nature of activism; EFF is more of a mainstream organization. If you look at what they do, if you look at the contents of their activities, their lobbying, their lawsuits, all of this – it spans a huge wide range of activities. I thank everyone here for supporting them, and I found out yesterday that Gail was a member of the EFF and I liked her even more when I found that out. So, thank you, Gail. And what I really appreciate actually is having people within the government and within the law enforcement who have a deep understanding for the need of civil liberties, and that’s important and I’m really happy about that.
Also I want to mention something about government in general: people often refer to it as a single monolithic entity, and in fact there is a ton of different pieces of government, and they have kind of competing agendas, conflicting agendas. For example, the Federal Trade Commission, which is: “What does that have to do with anything?” – well, they actually hired one of us, a privacy advocate and technologist, and I think he’s speaking right now, Christopher Soghoian. There are federal agencies that have the same passion for activism and protecting consumers that some of us do.
Then there is also the FBI, which, like I said, they are busy with actual real scary cybercrimes and nation states and whatnot. The NSA, and I’ll briefly mention this: I was going to talk about how our interests are overlapping; and yes, many of us fear the NSA in some ways, there’s secrecy and things unknown about their surveillance capabilities and their offensive capabilities.
So in some ways we have interest in offensive capabilities too, so there’s an interest we share in common. But more than that, they have a leadership role in protecting our infrastructure, and everyone wants an Internet so they can plan it, and they’ve supported Linux SE, they’ve supported various hardening guides and want our overall infrastructure to be secure and want to share the knowledge to help spot vulnerabilities. And so, in that way I’m very happy: the more public they are with this and the more open they are with that, I think the better defensive posture everyone has.
So, I think I’m running out of time. Thank you all and enjoy your DEFCON!