05.08.2021Interview with the hacker group LUMINISCENCIA. Originally conducted in Spanish.
***0. Please introduce yourself and your crew to our readers.
Hi Greenbridge people. This is ^stalemate^. I am part of the LUMINISCENCIA hacktivist crew. Our crew formed spontaneously in the midst of 2019. Our members are based in various countries but we operate predominantly in Latin America. Mostly Colombia and Brazil at the moment.
We are animal welfare hacktivists. We try to make Latin American people aware of the realities of eating meat and contribute towards a world which treats animals better. But we are not extremists. We are just trying to put our computer skills to use in order to bring about changes to our environment which most people would welcome if only they took a minute to think.1. What have you done so far?
In the second half of 2019, we targeted two large meat producers, one in São Paolo (BR) and one in Medellin (CO). We scanned their ranges for low-hanging fruit and within a few hours were spoilt for choice on how we would get inside.
As you would imagine, the meat industry has very poor information security practices. Both targets managed their own infrastructure, with shitloads of RDP listeners open to the internet, OWAs with poor password policies, account reuse, publicly exposed shares and a bunch of other things. If I were to guess, I’d imagine looking into their network security hadn’t even crossed their mind, because they considered that no one would have serious reasons to target them, when they can target the banks.
We went into their networks quietly and spent the following couple of weeks doing passive information gathering. We followed different approaches with these two targets, but the core idea was the same: Identify embarrassing secrets and threaten to publish unless the mark meets your demands.
For the Brazilian target we went for their CEO’s inbox. As expected, we found ample incriminating material in his corporate inbox, of a very, very personal nature. We took evidence and screenshots and left their network as quietly as we went in. Then we gave it a month or so of waiting time.
At some point, the CEO received a message from us including a sample from our loot, in which we were explaining that we had accessed his inbox and that we would leak the material if he did not agree to our terms. We asked him to publish a blog post in his company’s social media, signed personally by him, explaining that he encourages people to consume less meat and try out lab-grown meat, citing environmental, ethical and health reasons. We’d actually composed the post for him in a fairly light-hearted tone, as if he’d had some sort of “spiritual” revelation; he’d only need to agree to publish it.
And publish he did, the very next day. The post became viral, and gathered over 100K views within a few days. It’s difficult to measure the exact impact this incident had from an animal welfare perspective. I know for a fact two things: that many, many people in Brazil took a minute to think about their eating habits, and that, as I type this, a huge meat producer in Brazil has committed to introducing lab-grown meat to their menu.2. Would you actually dox him if he didn’t publish your message?
I am not sure, it’s an area of disagreement within our crew. Personally, I don’t see the point of doxing someone in this scenario. I don’t see how it can help the animals. Other members in our crew feel that this kind of direct action would draw attention and show the world that we are serious about our work. And that it would help animals indirectly, in the long run, provided that we wrote a strong statement to go with it which would explain our rationale for doing this. All I can say now is I am glad we didn’t have to push in this case, as the guy cooperated right away.
I don’t think that causing extreme distress to anyone is justified, ever. Exposing someone so mercilessly from our position of absolute, asymmetrical power would not be right, in my opinion. This particular guy, as you’d expect from a CEO, is a middle-aged, rich, obnoxious man who represents most of the things we stand against. But he actually worked with us; and we honored our agreement.
After the incident, I think he sounds different, when on TV. The differences are subtle, but noticeable. He just sounds more concerned, perhaps more human.3. What about the other target?
For the Colombian target, we used a similar approach as before, scanning their networks and finding more than one, easy way in. In this case we found very disturbing material in one of their shares related to their work practices. I don’t want to go into the details here; suffice to say that there were many, many very sick animals in their factories.
We decided to send the material to the press. But as the story entered the mainstream domain and got dressed in formal language, it lost its punch and momentum. Yes, there was a minor scandal, and supposedly an investigation was launched into the conditions animals were kept in in this meat producer’s premises. But as the meat lobby is extremely powerful, one can assume that the inspectors got some cash, some gentle warnings were given, and a half-assed report about working on animal welfare that nobody would ever read, was produced.
This was a lost opportunity and a wakeup call for us that we’d have to change strategy.4. Change strategy how?
We decided that we’d focus on the consumers, not the producers.
Through OSINT and simple social engineering tricks, we got hold of a massive mailing list containing tens of thousands of e-mail addresses belonging to meat lovers around the continent.
We had some long discussions about how we could put this list to use. As we were not planning to hack into these people’s personal accounts, we had to come up with a strategy that would bring results differently, without exposing secrets or otherwise doxing them. We agreed on one thing: In this particular target group, most people don’t give two shits about the environment or animal welfare, but they do care about their own health and well-being.
We composed a serious-looking message, supposedly coming from one of latin america’s largest steakhouse chain restaurants and explained, citing a nonexistent research paper, that frequent meat consumption, particularly red meat, was now clearly linked with reduced sperm count and erectile dysfunction in men, and fertility problems in women. We went on explaining that, although this piece of news is very concerning to meat lovers and damaging to our own business, our consumers’ health is top priority, and closed the message with a recommendation for radical reduction of meat consumption.
This message made the headlines multiple times and made quite an incredible furore. Once again, we have no practical means of measuring the results, but the overall feeling is that the message struck a nerve with many people, made a strong impact, and ultimately spared many animal lives.
This was in the mid 20s, right at the epicenter of the covid-19 pandemic. As you may have heard, most cities in Brazil did not enforce lockdown policies no matter how high the bodies were piling up; restaurants were mostly open. People kept eating picanhas. And we were kept busy with our hacktivist project.
From that point onwards, we have launched several campaigns, always targeting the consumers, using various approaches. We have used fake websites, social media accounts, impersonation, fake rewards, fake research, fake news, culture jamming techniques and many combinations of the above. The objective always being to discourage people from binging on meat or otherwise abusing animals.
We do not intend to stop any time soon.5. What are your secops like?
As we are geographically and temporally distributed all over the world, we split the work in units, each of which can be undertaken by a single member. Besides, that, we have a few hard rules that we try to stick to at all times:
- Use encrypted OTR messaging to coordinate attacks and share information.
- Store all operational data encrypted, offline.
- Launch attacks from another country’s IP range.
- Be discreet about LUMINISCENCIA membership when talking to outsiders.
We are a fairly small team, less than ten people. I only know personally two or three people, but have worked with pretty much everybody in LUMINISCENCIA. Our recruitment process is fairly simple: Anyone of the older (=more than a year of membership) members can bring someone new in. The rule is that the recruiter is responsible for the new joiner and vouches for them.
We prefer joiners who have the right character and disposition as well as a genuine desire to help the animals. Technical skills are important but there is nothing that cannot be learnt given time and commitment. Character flaws such as greed and vanity, on the other hand, are not only extremely hard to control, they can be fatal to a structure like ours.7. How do you feel as a female hacker?
Actually, my gender is irrelevant as far as LUMINESCENCIA is concerned. Besides a couple of members who know me personally, most of my peers don’t even know that I am a woman.
It’s quite interesting when I meet people in person though. I don’t look at all like a hacker stereotype, as portrayed by the media: no blue hair, fishnet tights or nine inch black nails. I don’t even look geeky. Just a female nobody. In this context, people get _very_ surprised when conversations get technical, and I often find myself at the center of unsolicited romantic attention.
Which is a damn shame, as I am only interested in women.8. Closing Thoughts.
Love is the only force capable of destroying the universe.
Esta entrevista es falsa.
This is a partial list of
George Ziakas, currently @ NCC Group Europe
Theodoros Malachias, currently @ Deloitte
Nikolaos Zisimos, currently @ NCC Group Europe
Dimitris Prapas, currently @ NCC Group Europe
Yiannis Kapsalis, currently @ Wetransfer
Mykhailo Kovchan, currently @ NCC Group Europe
Fotis Dilaris, currently @ Solutionlab
Giotis Dimotikalis, currently @ NCC Group Europe
18.04.2021Interview originally published in the 6th issue of the 空运行 (="Dry Run") hacker fanzine.
空运行 ("DRY RUN") ZINE
P.O. BOX 62
SHEN BAO BUILDING
118 RONG HUA ROAD,
FUTIAN FREE TRADE ZONE,
***0. What is the problem with the IT Security Industry?
The Information Security Industry emerged towards the end of the 20th century as a response to a fast-paced digitisation trend and evolved from that point as an organic concoction of very diverse -and often contradictory- tendencies. It has not had the opportunity, or the luxury, to properly define itself or align itself with its (hastily) stated purpose. It lacks formalisation, a central philosophy, a code of conduct and a consensus on metrics. The COVID-19 pandemic has only made matters worse; the industry keeps growing exponentially without even pretending to make an effort, take a step back and re-examine its core principles and assumptions.
In essence, the industry is a hack, and a pretty basic one at that.
The rates most companies charge for information security services are extortionate, which, in turn, makes these services accessible only to a few select clients, typically in the financial sector. There's an uneasy affinity between the Cybersecurity Industry and the Banks: besides being the only sector that can actually afford us, the financial sector is probably the only other industry that is equally elitist, greedy and short-sighted. While the banks are spending fortunes on specialised assessments such as red team attack simulations, there are entire sectors and populations which are lacking even the most fundamental training and support in relation to information security.
The irony of the matter is that at the core of this industry are a bunch of geeks who swear by open source software, information sharing and playing with computers. It's quite astonishing how the industry somehow socially engineered us into pursuing careers and paychecks we don't need, and, ultimately, into supporting a rich elite maintain its status. From a distance, the whole thing looks like an unnaturally acted farce.
We are standing at a crucial crossroads. With the Internet currently being our only means of connection, and hunderds of millions entirely exposed to the (digital) elements, it is borderline criminal negligence on behalf of those of us who work in Information Security to just stand on the sidelines and let this rotten state of affairs perpetuate.1. What can we do to change things, then?
We can start by trying to create a more accessible industry. Amongst other things, more accessible means helping outsiders get in the industry (this is one of the core objectives we have as Greenbridge). It also means that we must provide our services (much) cheaper to anyone who needs them. To do this, we can, and probably should, take a hard look at ourselves. Do we need these scandalous salaries? Most genuine geeks have a shaky relationship with money, and in most cases tend to see money as a distraction. Sure, we need some of it to buy gear, beer and coffee, but other than that, most of us realise that money creates complications and obligations which we would rather avoid. And what about all these performance reviews, and career paths, and all that crap our companies have signed us up for? What have we got to prove, and to whom?
It only takes a moment of clarity to realise that we are the ones driving this industry forward, and we've got the power to change it radically, from the inside.2. How did you get interested in Animal Welfare?
Some people in our team have a strong connection to the 90s punk and hardcore scenes. There were many bands -Earth Crisis is a good example- who were very vocal in their vegetarian/vegan stance at the time. Even though we did not take this message particularly seriously back then, this is when we somehow got introduced to the concepts of Animal Welfare and Animal Rights. Over time, we started getting more interested in the subject and also met various bright people who are actively involved in the Animal Rights movement.
The way we treat nonhuman animals is probably the greatest pitfall of our era. Humans like to debate fiercely on whether the death penalty is appropriate for anyone at all, even for the worst criminals, and usually -rightly- conclude that it is never justified. At the same time, we kill over 72 billion land animals -over 1 trillion animals if you take into account aquatic life- per year for food we don't technically need, and yet manage to keep a straight face. And why? Because it tastes good on the palate. You don't have to be a hardcore utilitarian to see the problem here.3. Why should one take your preaching seriously when you are not even vegetarians?
Most of us prefer to skip meat whenever possible, but will eat meat when in the company of meat eaters. This is known as flexitarianism.
It's difficult to keep the balance in these matters. Greece is a country where meat eating is deeply engrained into the social fabric, particularly in the countryside. By assuming a hardline stance and refusing to eat meat at all, or even dairy, you risk being dismissed as a weirdo with fringe views. To paraphrase Peter Singer, we feel that the main point is not personal purity, but reducing animal abuse to the extent possible, while adjusting to the environment and one's one weaknesses.
In a more general sense, one can support a cause either by funding it, propagating it or living it. Of these three, the last one has the smallest effect when it comes to absolute numbers of reducing animal suffering. Smaller perhaps, but not negligible. At the end of the day, we are flawed humans making an effort, no question about this.4. What does it take to be a hacker in 2021?
Assuming that one satisfies the core prerequisites -physical & mental health, and uncensored access to the internet-, it primarily takes an open mind and a desire to learn.
We have noticed that many of the most talented hackers do not come from typical Computer Science & engineering backgrounds. A foundation in Computer Science and a familiarity with basic security concepts are essential but besides that, it takes a creative, analytical mind willing to explore unchartered territory. Social engineering is a huge part of hacking in our era. While software and hardware get tighter, more layered and more robust protection mechanisms year after year, the human element is still very much subject to manipulation and will continue being so for a long time.
One of Greenbridge's side projects is a physical artist space in Trikala, central Greece. We hope to have the space up and running by autumn 2021, by which time the pandemic should be mostly under control. When ready, the space will be able to house small, analog performances with up to 40 spectators. Our vision is to use this space as an incubator where people interested in information security and people with a creative arts background can meet. We see tremendous potential in introducing these two communities. We've done something similar, at a much smaller scale, in the past.5. What should a (new) hacker ethic comprise?
The hacker manifesto was written 35 years ago, but its core concepts of curiosity, community, the pursuit of truth and non-discrimination are more valid and relevant than ever. What has, perhaps, changed a bit is the scope of hacking, which has definitely expanded beyond the confines of computers into a much more diverse array of domains.
Furthermore, if one were to consider the traditional triad of Confidentiality, Integrity and Availability as a basis for the conversation, the focus has probably geared towards integrity rather than confidentiality, which was the case a couple of decades ago. We do have strong encryption and anonymity tools that work today, but unless there are truly serious reasons to hide one's identity, the effort it takes to use these tools consistently and diligently usually outweighs the benefits of anonymity. Edward Snowden's revelations and the wikileaks project are not just two of the most important hacker developments of the 21st century, but also very indicative of today's push towards radical transparency. Hackers could play a key role in guarding the integrity of information, while exposing misconduct.6. How has the response to the project been so far?
We've just started out in January 2021, so it's all very fresh still. We've been in contact with various people both at the candidate and the employer sides in a number of countries, and the comments we have heard are positive and encouraging. If you like what you see @ Greenbridge, we strongly encourage you to get in touch, particularly if you are an aspiring infosec geek who hasn't managed to penetrate into our embarassingly walled-up industry.
We try to keep a minimalist, grassroots approach on Greenbridge. We do everything ourselves on an next-to-zero budget. This means that web design, graphics, templates, legal, web development, communication, networking, SEO, assessment methodologies, research, writeups, accounting, promotion, recommended curricula, procedures and everything in between are all done by a handful of people in a DIY and rather primitive manner. We believe in doing things slowly and organically in order to build foundation at the beginning of most projects, including this one.7. What is the future of the Industry?
There's so much going on right now it's very hard to make any predictions at all, let alone long-term predictions.
Our view is that Information Security will likely make up an integral part in various industries which traditionally have considered us irrelevant.
The Decentralised Finance space as well as the new blockcain related technlogies is a good example. Right now, the DeFi space is somewhat notorious as it has been hijacked mostly by idiots who are looking for a get-rich-quick scheme. Altcoins are not used as payments, but mostly as an alternative investment, and the marketplace is extremely volatile and premature. But the potential is undeniable; the dust will settle at some point soon, and the companies leading this space will be need to thoroughly look into their modus operandi. Our understanding is that there have not been any serious reviews into the security implications decentralised finance may have. As this industry is heavily dependent on encryption algorighms and mathematics, many of the information security tools of the trade would be very relevant here.
There is also enormous potential in transforming the (now broken) media sector. Right now, the media is bloated, messy and entirely untrustworthy, as there is no reliable way of verifying whether a piece of news is true or false. Fake news spreads much faster than real news. The public is disoriented, agitated, in disbelief. Again, information security techniques could come in very handy to check the integrity of news stories, verify sources, and eventually create a more reliable and accountable industry.
Lastly, we expect that Artificial Intelligence and Task Automation are forces that will profoundly transform not just the Information Security Industry but the entire edifice of human civilisation.8. Closing thoughts.