While it is true that hackers are not a single-minded collective, and some hackers may have sympathy for the NSA, I'd hope that most hackers would see the NSA as what it is: just one more head of the Medusa that is the US government, in all its civil liberty infringing, experimenting on its own citizens program, illegal wiretapping, constitution ignoring glory. The NSA are not - so far as I'm concerned - the "good guys." Some individuals in the NSA may be "good guys" but the agency is just a tool of a government that is out of control.
"We don't keep files on every American citizen" Yeah, right... this guy would have had more credibility if he'd just said
"Yeah, of course we do. You know it, we know it, so why beat around the bush."
At the panel in the room immediately before the director of the NSA spoke ( https://www.defcon.org/html/defcon-20/dc-20-speakers.html#DA ), the point was made that cops, prosecutors, lawyers and the press have been invited to DEFCON since DEFCON 1.
These people all existed before they spoke at DEFCON, and do after, too. They have plans and goals, and to the extent that they want to explain them, I'm willing to listen. If I want opposing opinions, I can get them in at least four other tracks.
I don't have to believe him, but I feel honor-bound to let him say his piece without being an asshole about it.
The NSA does some questionable stuff, but it also does some awesome stuff. The first thing that comes to mind is SELinux.
On a tangent, don't forget that we need an organization like the NSA (or at least like what the NSA should be). The more ubiquitous computing becomes, the more important that role will become. So, don't advocate chopping off a head of the Medusa; advocate fixing what you see as wrong.
For those of us who have already forgotten or have never known the reason for its necessity, could you explain why? Internationally and historically, similar levels of state communications monitoring are correlated with the need for self-preservation by authoritarian regimes. There are also many modern day states which do not possess an agency directly analogous to the NSA.
I think it is a legitimate question how much of an offensive information warfare standing capability a country needs when not at war, and what level of dirty tricks intelligence agencies should pull in peacetime to monitor adversaries. Particularly due to the non financial costs of this monitoring -- losing our moral standing as a free and fair country, incidentally monitoring citizens or those present in the USA, in violation of the constitution (especially due to the tortured "five eyes" sharing agreements, which, if they weren't governments, would be viewed as a conspiracy and some kind of constructive crime), etc. I judge all of this stuff by "does it make us safer", and at some point, it clearly goes the other way. I think that point is several hundred billion dollars a year less spending than what we have now (well in excess of a trillion). Maybe 50-75% less spending.
Feds have been an integral part since DEF CON 1. They're welcome, and booing them off the stage is just childish. Again, I'm pretty sure the majority of hackers don't agree with them, and may even think they're a bunch of morons, but it's still interesting to hear what they have to say. People do get booed off the stage, but for entirely different reasons, e.g. http://news.cnet.com/8301-10784_3-9755135-7.html (and watch the video, it's hilarious).
(Also, talking about security-people-hackers on a site primarily focused on programming-startup-hackers confuses the crap out of me.)
So, "keep your friends close, and your enemies closer?" :-)
Anyway, you make a good point, and there are good reasons to let the NSA guy have his say. But when you look at the abuses perpetrated by the US government over the years, it's hard to feel good about hanging around and listening to more propaganda from their representatives. And chucking tomatoes at him would send a strong message "don't assume that we are on the same side, or that we are going to support your agenda" or whatever.
From the Hacker News Guidelines: "On-Topic: Anything that good hackers would find interesting."
The folks at DEF CON are some of the best hackers out there. Have you seen any of the presentations?
> Basically the contest goes like this: If you see some shady MIB (Men in Black) earphone penny loafer sunglass wearing Clint Eastwood to live and die in LA type lurking about, point him out. Just get my attention and claim out loud you think you have spotted a fed. The people around at the time will then (I bet) start to discuss the possibility of whether or not a real fed has been spotted. Once enough people have decided that a fed has been spotted, and the Identified Fed (I.F.) has had a say, an informal vote takes place, and if enough people think it's a true fed, or fed wanna-be, or other nefarious style character, you win a "I spotted the fed!" shirt, and the I.F. gets an "I am the fed!" shirt.
http://www.defcon.org/html/defcon-13/dc13-spotthefed.html
edit: Oops, should have read the article first, it is mentioned there :/
http://www.ted.com/talks/marc_goodman_a_vision_of_crimes_in_...
What the NSA is doing is frightening. What the cartels and other criminals are doing is the stuff of nightmares. One doesn't necessarily justify the other, but it's good to think about.
Stuxnet was written at the NSA, the other worms were almost certainly partially written there. The MD5 signature collision attack was almost certainly developed there. You could imagine that they now have dozens, if not hundreds of developers working on finding 0day and integrating new exploits into their attack arsenal of worms.
I suddenly have a handful of friends from the old underground who went from working openly in the security industry on papers, audits etc. to no longer talking about who they work for.
I can only put two and two together and conclude that the NSA has been on a hiring binge the past few years and is hiring all the best security guys (exploit developers, more specifically).
This is a hacker community and while not a single-minded collective I believe there are many popular views that are diametrically opposed to some of the goals of the NSA. He mentioned that he wished the internet would be perfectly secure and then went on to mention how this would protect American IP laws. His definition of secure internet does not include values such as censorship resistance or freedom of expression/information.
He also tried to tell everything how great it would be if we all had IDS's that reported back to the NSA in realtime.
We were not allowed to ask questions. They brought up a paper with questions that must have been determined BEFORE the talk happened which isn't fair to the attendees.
I wish there was a DEFCON panel to discuss this. Everyone just clapped and seemed cool with him from my perspective. I'm not against the director talking at DEFCON, but I don't think we shouldn't be accepting his ideas without more public criticism and discourse.
The most interesting question was about whether the NSA would prefer a perfectly secure internet or a usefully insecure one (roughly paraphrased).
That's not far from what I wanted to ask: given the offensive value of 0-day exploits (as seen with Stuxnet, regardless of who actually did it), can agencies in "Cyber Command" really be trusted to give theirs up via responsible disclosure?
[1] https://www.eff.org/files/filenode/att/section1006summary101... See in particular ex-NSA officer William Binney's testimony.
[2] https://www.eff.org/node/55051
[3] https://www.eff.org/deeplinks/2012/03/nsa-chief-denies-abili...
[1] http://www.washingtonpost.com/world/national-security/us-int...
Right. Defcon Kids. An actual con within DEFCON sponsored by the NSA and AT&T, among others. That alone is the creepiest thing I've seen all week, enough so that the first time I saw the posters I was absolutely sure they were some kind of vicious parody.
That said, don't be dishonest. The media should not be calling someone who discovered they could make time-based events in games happen by changing the time a "hacking prodigy"[1], and the website of a hacking con, whose others should know better, should not be saying it "allow[s] for exploit code to run on servers"[2]. It devalues the real thing :)
[1] http://www.darkreading.com/blog/231300589/tween-hacker-s-tim... [2] http://www.defconkids.org/?page_id=505
"He held firm that the internet defences could be ramped up without sacrificing privacy or civil liberties."
However, he seems to be a staunch pro-IP advocate with this statement: "Look at all the intellectual property we've lost over the past decade,"
He should be asked how does one prevent an idea from being easily copied. Because, that's the fundamental problem behind criminalising altruistic IP infringements.
Personally, my hunch is that Congress has no idea how to tackle widespread piracy, even NSA doesn't. There are also many 'cyber' companies that are complaining about security issues (Decentralised/Centralised attackers such as Anon/Wikileaks). So, NSA is requested to get into those. One step is a careful PR spokesperson to recruit (Notably, the clothes and charm). Also, to instil uncertainty and doubt among hackers.