Calendar

April 2014
M T W T F S S
« Feb    
 123456
78910111213
14151617181920
21222324252627
282930  

Archives

My keynote at 27C3

Right here exactly five years ago Frank Rieger and myself held a lecture that was called “We lost the war”. It was about how we felt the fight over privacy and wider civil rights was going. For those of you who weren’t there: it wasn’t a very happy story. It was at the height of the post 9/11 paranoia. It was a done deal that the whole EU was going to have data retention and Frank and I set out to explore the future a little bit.

I guess the pessimism in our talk was partly inspired by the awe we felt over this perfect storm. What we saw felt like a desperate last stand in a world which was facing economic non-sustainability, climate change, major power shifts and the end of cheap oil and many other natural resources. All of this was happening in the next few decades. Each independently, these are factors capable of causing serious mayhem.

A lot of what we predicted for the short term did in fact play out. It is clear to many more people today than in 2005 that the world is headed for turbulent times and that this perfect storm is still very much out there. But obviously the fight over privacy is still ongoing, so in that sense we were wrong: we did not lose the war, at least not completely and not everywhere.

Germany

In Germany this became apparent when the Constitutional Court started defending privacy and civil liberties in earnest. Many of you already know this: they first told the government that cops cannot go randomly OCRing license plates from traffic whizzing by on the road just because they felt like it. Then they ruled that spying on people’s computers is like spying in their bedrooms, so it should meet the same stringent criteria. And to cap it off they killed the German data retention legislation, at least for now.

The Court saving the day in such a grand way was considered an unlikely outcome in 2005, even among people bringing these cases to the court. Imagine how easily these judges, like so many other judges, could have gotten these complex issues wrong.

If you compare Germany to a bus, then it’s like these judges leapt from their seats, pushed aside the driver and pulled the handbrake just before the bus tumbled into the ravine. For them and for all of us, I really hope the judges on the court live long enough for the rest of Germany to see it that way. At this point the bus driver is just trying to get these judges to release the damn brake so the bus can move on.

In March 2008, after the government-installed spyware decision but before it killed data retention, I wrote a long blog post admitting that I had given up too early and that, at least in Germany, the fight over privacy was ongoing.

The Netherlands

I live next door, in the Netherlands, where the perspective is a little different. For one we have a constitution but no Constitutional Court. Under the dutch system, it is simply assumed that parliament would never introduce laws that would violate the constitution. So our constitution serves as a ‘voluntary guideline for legislators’ if you will. And just in case the constitution might still get in the way, every prohibition ends with ‘unless warranted by law’. I don’t want to be only negative, I guess our constitution does protect us from municipal governments going rogue, as they cannot make laws.

What this means in practice is that in the Netherlands you need a Parliamentary majority to stop anything bad from happening. So in the Netherlands fear-mongering can be more effectively used by the government to pass oppressive laws. And it has been. Against a backdrop of increasing xenophobia the Dutch are databasing everything that involves moving people, money or bits, to be used against us in various ways. We are at the point now where – without any specific suspicion – a dutch homeowner can get a letter announcing a search of their home in order to “make the city safer”. And whatever bits of surveillance state are missing are being built at breakneck speeds.

I think we can say that when it comes to civil liberties my country is downwardly mobile. Lots of reasons, but I guess on the top of my list is a profound crisis in the educational system now entering it’s 20th year which would be a talk in itself.

The Netherlands used to be a country like Sweden or Denmark. Then it was a country like Germany for a bit in the nineties and after a confusing period with political murders and truly insane political developments we are now approaching England. I’m still guessing we’ll level out before we reach Italy, but it really is becoming hard to tell.

I could talk more on some of the interesting things that are happening in The Netherlands but that would take a whole hour. What is important is that some of these things have served as examples of how things go wrong before the German Constitutional Court. After 25 years, the Netherlands have a leading role in discussions on privacy and civil rights again: we are now the negative example that helps keeps other countries avoid some of the worst transgressions.

The last thing I will say about the increasing differences between the Netherlands and Germany is that Germany is not immune to the things that have been happening in the Netherlands. Please remember that the market is not the answer for everything, make sure you keep your educational system functional, watch where funding for political parties comes from, keep resisting fear as a basis for politics and by – quite literally – all means defend your constitution and your constitutional court.

Back to “We lost the war”

We actually ended up motivating a lot of people by pointing out the seriousness of the situation. Also, people see that technology there is this persistent myth out there that if the civil rights situation gets really bad, the hackers will show up and magically save us. I think it has been healthy for people out there to hear hackers tell them that the situation is this grim and that they saw no easy answers.

But we also demoralized a few people. Maybe we should not have been so negative. But in the 17 years before “We lost the war” I did bring a lot of my amazement, joy and positive outcomes to Congress, for instance phone phreaking, pager receivers, XS4ALL and the fight against Scientology. And I did so afterwards as well with the whole voting machine episode.

Allow me to delve a little bit into my own psychology and that of our species.

I am probably blessed with a mild form of bipolarism. I don’t really get clinically depressed. I don’t stay in bed for weeks, nor do I contemplate suicide. But I do have my ups and downs and around 2005 this came together with my mid-life crisis and I was mighty grumpy and pissed off. Sure there were personal factors, but the situation in the Netherlands and the world was part of the problem. This did get to a point where more and more people were telling me to see a doctor. They told me: “There are pills to make you happy again you know…”.

Now the role of depression in the individual is understood to be to force change that is painful or expensive in the short term but much needed in the long term. Reading up on the truly insane numbers of people on anti-depressants and other psychoactive pharmaceuticals in our society, I cannot help but wonder whether this “unhappiness forces change” principles stops at the individual. Could it be that we’re prescribing anti-depressants to so many people that we are now below the threshold of relatively smart, relatively resourceful but unhappy people needed to bring change?

My sense is that this is a huge story. The story of a civilization destroying its capability to fix itself by making everyone artificially happy. This may not be our field per se, but I feel this is at least as big a story as many of the issues that this community is working on. I think in future we will see a scientific field called “pharmacological political science”. I have a feeling that people of the future cannot really understand our time without it.

One of the positive suggestions we did offer in “We lost the war” was to focus on battles that could be won. If I had I listened to all these other people around me, I would have been taking Prozac or Zoloft in 2005. My life would have been different and possibly much happier, especially in the short term. But a lot of things that happened to me since then would probably not have happened, because they involve me being angry and attempting to do something about it.

Electronic Voting

My city, Amsterdam, opted to buy electronic voting machines for the elections of 2006. I knew there was no possibility to verify election outcomes and that one had to essentially trust proprietary and secret software to have trust in the outcome. I spent the next two and a half years investigating, campaigning, lobbying and lawyering. Around the same time Ulrich Wiesner and his father Joachim were fighting voting machines in Germany. I won’t get into all the details because the story has been told at previous congresses already. The short version is that the ensuing fight involved large parts of this community and that today these machines are not legal for use in elections in either country.

In Germany that outcome is cemented in place with a Constitutional Court ruling that gives citizens the right to see with their own eyes where election results come from. In the Netherlands we’ll have to fight this battle over and over again, all the time debating complex issues with small-town mayors and municipal employees.

The past year or so

Without going into every detail of what I did since 2005, I did have a bit of a crazy past year. Maybe not quite as crazy as some of my friends, but still. For one I probably travelled more in the last year and a half than I did in the ten years before that.

It started October of 2009, when Julian Assange and myself were keynote speakers at the Hack In The Box hacker conference in Kuala Lumpur, Malaysia. We subsequently spent a month in the sun traveling Malaysia, Thailand and Cambodia and we got to know each other pretty well.

A month or two after, at the previous congress, WikiLeaks was still a relatively obscure geeky but gutsy journalism project. Julian and Daniel got a standing ovation while they stood on this stage speaking about WikiLeaks and about new opportunities for protecting freedom of the press in Iceland. Three weeks later, I was was in Reykjavik with them and others to help write the proposal for IMMI, the Icelandic Modern Media Initiative.

Then I was home for a week before leaving for India to speak on voting machines. All of India has been voting on black box style voting machines for the past decade, and it’s beginning to dawn on people there that there is a problem with transparency. I was there with Alex Halderman, a e-Voting related professor from the University of Michigan and Till Jaeger, the German lawyer who won the case against voting machines here in Germany. Together we met with politicians and we spoke at conferences. But probably the most important thing that happened was for Alex and myself to study an actual Indian voting machine together with our Indian colleague Hari Prasad.

Then I was home for three weeks before leaving for Iceland again, this time to help out on releasing the now famous Iraqi helicopter video. This was not planned: I read the WikiLeaks twitter feed, concluded that Julian needed help so I flew out a few hours later. I stayed for two very hectic weeks, helped produce the video and travelled with Julian to a press conference in Washington.

After that I had to get back to writing the study on the Indian voting machines. Which, hardly surprising, were just as easy to manipulate as any other black box voting system ever studied: we proved yet again that anyone with access to the machines could change the outcome of elections.

Then later in the year I went to Brazil to look at e-Voting there. Their systems are even more dangerous than anyone else’s. The Brazilian voting machines get the ID-card numbers of the voters entered into them, and newer versions even have fingerprint scanners. But of course the software would never lie about the results or store the votes and voters in the same database. And since it prints out hashes of all the program files, it could never be manipulated. Brazil has perfectly secure electronic voting machines. Until we get our hands on one of them, that is.

After Brazil I was home for a week again before traveling to India again two weeks ago. This time we were there to help solve the problem instead of merely pointing it out. Alex Halderman and myself were invited to a conference on voting but as we arrived we were detained for a night and half a day at the airport because we had apparently “violated the terms of our visa” the last time we had travelled to India.

India’s main intelligence agency had somehow investigated us as part of an international conspiracy to destabilize the country. We were eventually released after we promised not to attend the conference. From a PR standpoint this whole thing made little sense. I wonder how many tourists have CNN waiting for them as they leave the airport terminal building.

Meanwhile India still has a serious problem that needs fixing. India is the type of country that could easily slip into serious violence if there is too much doubt in election outcomes. This is story to be continued.

As a funny side note Brazil and India apparently signed an agreement last month to work together on unspecified matters involving election organization.

WikiLeaks

So I helped WikiLeaks release the video. After that, I needed to get back to my e-Voting related work, but I could have stuck around helping WikiLeaks also. They could probably have used me when they released the war diaries or these cables.

That did not happen. I guess I could make up all sorts of stories about how I disagreed with people or decisions, but the truth is that in the period that I helped out, the possible ramifications of WikiLeaks managed to scare the bejezus out of me. Courage is contagious, my ass.

I wish Julian and his people well, but I can’t live a life out of a backpack while on the run. Not to mention the fact that Julian has better hair and does much better soundbites.

So what are we to make of WikiLeaks? It’s clear that recent events will impact the world, and our corner of it, for some time to come. But it’s really early to tell how, as things are still going on. WikiLeaks could well come out victorious in a new generational conflict, mentioned in the same line with the suffragettes and the Vietnam protesters. But as it stands today, my friend Julian is potentially facing prison time or even assassination for what essentially amounts to practicing journalism.

At the same time, many people friendly to the ideals behind WikiLeaks are beginning to wonder what has been unleashed. Some of my friends have said Julian has “angered the Gods”, Bruce Sterling recently accused him of “weeing all over the third rail” and a good friend of mine said Julian was committing “suicide by cop”.

Whatever we make of it, present anger and fear at governments over WikiLeaks will probably up the pressure to curb internet freedoms. Whether connected to WikiLeaks or not: Cryptowars 2.0 has just been announced. There’s a new American proposal to make all providers of any kind of online service provide the authorities with cleartext of everything that happens.

As a result of WikiLeaks, authorities the world over will probably try even harder to clamp down on internet freedom, so organizations resisting this will have to work harder also.

But regarding WikiLeaks we also need to calm down a bit. There’s obviously some very big things going on here that we need to keep watching intently. But just because we like or share some of the principles at stake here doesn’t mean our community is all of a sudden drawn into a war with a ridiculously well-armed superpower or with anyone else.

Whatever our role is, it is certainly not to deny freedom of speech to people or organizations who don’t like freedom of speech. This whole Anonymous thing is so getting on my nerves. People ask me “Anonymous… That is the hackers striking back, right?” And then I have to explain that unlike Anonymous, people in this community would probably not issue press release with our real names in the PDF metadata. And that if this community were to get involved, the targets would probably be offline more often.

This is a mental maturity issue: our community has generally succeeded in giving black belts in computer security karate only to people that have proven a certain level of mental maturity. Yes, some of us could probably do some real damage to Paypal and Mastercard. But then we also understand that no good comes from that. In the unlikely event that someone here has not yet reached this level of maturity, please do not connect your machine to the network and talk to some of the other people here for additional perspective.

On the positive side, some of the issues we care about are going to be getting lots of attention, and this attention can be used for good if we keep our wits about us.

And I finally have cellphone coverage in my office downstairs.

Looking at today

As we enter uncharted terrain, we are the first generation in a long time to see our leaders in a state of more or less complete helplessness. Most of today’s politicians realize that nobody in their ministry or any of their expensive consultants can tell them what is going on anymore. They have a steering wheel in their hands without a clue what – if anything – it is connected to. Meanwhile the brakes are all worn out and the windy road at the bottom of the hill approaches. Politics is becoming more and more the act of looking at least slightly relaxed while silently praying the accident will happen sometime after your term is up.

Now of course I am not being completely fair. The fact that politicians are generally helpless in terms of public policy doesn’t mean to say I think they are stupid. They do have a vague sense of what might be coming and they’re acting accordingly. To judge their efficiency take a good look at the remaining public funds and public infrastructure and see who owns it in 5 years time.

Our leaders are reassuring us that the ship will certainly survive the growing storm. But on closer inspection they are either quietly pocketing the silverware or discreetly making their way to the lifeboats.

Even politicians that are the exception, ones that “get it” and that want to help get us out of this mess are increasingly indistinguishable from those that just pretend. We will have to learn to navigate a world in which every imaginable aspect of being genuine or sincere has 10.000 spindoctors working on how to transplant it to the fake turds that run things.

Now this all sounds really smug. Like we, the hackers, the geeks, somehow have all the answers. We don’t. But we do have some important parts.

For one we understand the extent to which complexity can be our enemy. We’ve optimized our privatized world to get that last 2% profitability. And we’re already in a situation where everything we need comes just-in-time from China, assuming that we’ll need exactly the same things today as we needed this time last year. Everthing is interconnected and if one thing fails the whole system goes down. The winter chaos that has broken out all over northern europe is just another sign of this lack of slack.

We also live in a world that increasingly has different pockets of reality, different narratives. In that context, I think we can all see that our narrative is gaining importance.

At the same time Apple, Google, Facebook and the more geographically challenged traditional governments will try to make all of humanity enter their remaining secrets, they’ll try to make attribution of every bit on the internet a part of the switch to IPv6, they’ll further lock us out of our own hardware and they’ll eventually attempt to kill privacy and anonymity altogether.

We still have to tell most of the people out there, but privacy is not in fact brought about by some magic combination on the intentionally confusing privacy radiobutton page on Facebook. It does come from, among other things, code some of us have already written and code that we still need to write: we need many things by yesterday. And we need to properly security-audit the tools we build, even if that means we can’t put in new features as quickly.

The future

As for the future, I stand by our basic story in “We lost the war”: it’s going to be a mess. I’ve just calmed down a lot when I decided for myself that this is not only bad news. Let’s face it: the current situation was never sustainable anyway. And people, both in rich and in poor countries, are not very happy now. Just remember the massive loads of ant-depressants apparently needed to keep us going. The decline of the Roman Empire was probably a very interesting period to live in and for most inhabitants life simply went on, with or without Rome.

OK, so the world is going to be a mess for a bit… You are maybe asking yourself: “What do I do with this knowledge?”. First of all, John Stewart nailed it when he recently said “we live in difficult times, not end times.” The future is not about finding solitude and a farm on a hill, it’s not about guns and ammo. But it is about having working trust relationships with the most varied group of people you can find. And it is about imagining beyond today and picking up a wide range of skills. It’s about positioning yourself such that you have some flexibility. Even if everything stays the same, there’s not much risk in any of that.

If on the other hand some of the structures around us indeed implode, we as a community will become no less important. Again: the world is not going to end. I promise there will be no zombies and humanity will survive. A lot of structures will survive. It’s just going to be quite messy for a little bit. Lots of people will freak out. For us the news sites will just be more like Fefe’s blog and the TV news will be more like the Fnord show.

If the shit hits the fan, a lot of things are going to be decentralized, but in a still very networked world. Some of us will likely be reverse engineering and then reengineering systems to get rid of some of the crazy complexity and dependencies. Improvising and doing more with less is something we are good at, not to mention making things when we need them and repairing them instead of throwing them away.

We come in peace

We’re not called Chaos Computer Club because we cause chaos. If anything, a lot of our collective work has actually prevented chaos by pointing out that maybe we should lay some decent virtual foundations before we build any more virtual skyscrapers.

Wau Holland explained the name to me: he felt there was universal validity in a set of -then rather new- theories that explained complex systems and behavior from random events and very few very simple rules. This helped him explain a lot of how the world worked and how one could navigate a future a la ‘shock wave rider’.

We may not cause chaos, but we do understand some small part of how chaos works, and we have been able to help others deal with it better. As this world becomes more chaotic and ad-hoc, we can help.

Congress

This is the 27th Congress. I know 27 is not a nice round number like 23 or 42. But since I’m 42 years old this year I get to take a little helicopter view. I think we should all be proud of what has been created here. There is a video of the 24th Congress made by Kirian Scheuplein and others. I can show that video to a wide variety of people and they generally first say “Wow” and then “When is the next one?”

And that sums up the importance of this event. It has drawn countless people into this community. Many of whom didn’t know what a printer driver was. They weren’t FreeBSD kernel hackers or LISP programmers, but they are now as much part of this community as anyone else. More than anything this rather impressive gathering is what we use to show off how many sides there are to hacking.

We may have been involved in some kind hacking before we got here. But this congress, more than anyplace else, is where it all comes together. This is where we decided that this is all so interesting and important that we wanted to dedicate some part of our lives to it.

Which brings me to how sad it makes me that we now needs to click our tickets in the exact right few hours or otherwise they are gone. The people that set up the ticket system have done a great job making the best of a potentially very bad situation. But we have to face the fact that this magnificent building is becoming too small or rather that we are becoming too many. Either way, we have arrived at the point where we begin to clog up one of the main pipes feeding us new people. In my view, congress will eventually need to grow. Maybe next year, maybe the year after, but soon.

Now this meets with thoughtful opposition from people I respect and take very seriously. Slowly morphing this event into its next size up – say five to six thousand people – is challenging and if things go wrong it could very well kill it altogether. The negative example often used around me is DEFCON, an event I have not yet visited.

But I have done some research. DEFCON 6 – held 12 years ago in 1998 – had about half as many attendees as we have in this building today and according to what I can find online already suffered from all the problems associated with DEFCON today in full force: no real sense of community, way too much influence from the corporate and military universes, a sense of us versus them, misbehaving goons, a giant drunken frat party. I guess what I am saying is that maybe there are some issues inherent to DEFCON that don’t seem to bother this event to quite the same degree.

But it’s not just group culture that will be an issue. We’ve seemingly reached the limits of what a purely volunteer organization can do. Growing Congress is going to be challenging and dangerous. So I’m not saying we shouldn’t be very careful. If we do decide to grow, it will take all the talent we have to keep many of the aspects of this event that we like and need. At best the event is going to be in mortal danger for a few years.

But not growing has risks and dangers too. No matter how brilliantly we set up the distribution of tickets, when the hours to click a ticket become minutes, most of the potential new blood – and many of us – will be locked out.

There are other solutions to the same problem, which I am not discounting. For instance we could maybe make more Congresses, either simultaneously or not. I haven’t missed a Congress since 1988 and I guess I am just personally quite attached to being together with the whole lot. Whatever we decide, the next few years will test our ability to listen to each other, come up with ideas and work together to make them happen.

In Closing

Anthropologist Margaret Mead once famously said “Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it’s the only thing that ever has.”

Now that’s all nice and well, but this gathering and this community have proven that there is still a sizable niche for really large groups of committed citizens.

Have an excellent Congress everybody…

55 comments to My keynote at 27C3

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

*