18.04.2021
Interview originally published in the 6th issue of the 空运行 (="Dry Run") hacker fanzine.
空运行 ("DRY RUN") ZINE
P.O. BOX 62
SHEN BAO BUILDING
118 RONG HUA ROAD,
FUTIAN FREE TRADE ZONE,
0. What is the problem with the IT Security Industry?
The Information Security Industry emerged towards the end of the 20th century as a response to a fast-paced digitisation trend and evolved from that point as an organic concoction of very diverse -and often contradictory- tendencies. It has not had the opportunity, or the luxury, to properly define itself or align itself with its (hastily) stated purpose. It lacks formalisation, a central philosophy, a code of conduct and a consensus on metrics. The COVID-19 pandemic has only made matters worse; the industry keeps growing exponentially without even pretending to make an effort, take a step back and re-examine its core principles and assumptions.
In essence, the industry is a hack, and a pretty basic one at that.
The rates most companies charge for information security services are extortionate, which, in turn, makes these services accessible only to a few select clients, typically in the financial sector. There's an uneasy affinity between the Cybersecurity Industry and the Banks: besides being the only sector that can actually afford us, the financial sector is probably the only other industry that is equally elitist, greedy and short-sighted. While the banks are spending fortunes on specialised assessments such as red team attack simulations, there are entire sectors and populations which are lacking even the most fundamental training and support in relation to information security.
The irony of the matter is that at the core of this industry are a bunch of geeks who swear by open source software, information sharing and playing with computers. It's quite astonishing how the industry somehow socially engineered us into pursuing careers and paychecks we don't need, and, ultimately, into supporting a rich elite maintain its status. From a distance, the whole thing looks like an unnaturally acted farce.
We are standing at a crucial crossroads. With the Internet currently being our only means of connection, and hundreds of millions entirely exposed to the (digital) elements, it is borderline criminal negligence on behalf of those of us who work in Information Security to just stand on the sidelines and let this rotten state of affairs perpetuate.
1. What can we do to change things, then?
We can start by trying to create a more accessible industry. Amongst other things, more accessible means helping outsiders get in the industry (this is one of the core objectives we have as Greenbridge). It also means that we must provide our services (much) cheaper to anyone who needs them. To do this, we can, and probably should, take a hard look at ourselves. Do we need these scandalous salaries? Most genuine geeks have a shaky relationship with money, and in most cases tend to see money as a distraction. Sure, we need some of it to buy gear, beer and coffee, but other than that, most of us realise that money creates complications and obligations which we would rather avoid. And what about all these performance reviews, and career paths, and all that crap our companies have signed us up for? What have we got to prove, and to whom?
It only takes a moment of clarity to realise that we are the ones driving this industry forward, and we've got the power to change it radically, from the inside.
2. How did you get interested in Animal Welfare?
Some people in our team have a strong connection to the 90s punk and hardcore scenes. There were many bands -Earth Crisis is a good example- who were very vocal in their vegetarian/vegan stance at the time. Even though we did not take this message particularly seriously back then, this is when we somehow got introduced to the concepts of Animal Welfare and Animal Rights. Over time, we started getting more interested in the subject and also met various bright people who are actively involved in the Animal Rights movement.
The way we treat nonhuman animals is probably the greatest pitfall of our era. Humans like to debate fiercely on whether the death penalty is appropriate for anyone at all, even for the worst criminals, and usually -rightly- conclude that it is never justified. At the same time, we kill over 72 billion land animals -over 1 trillion animals if you take into account aquatic life- per year for food we don't technically need, and yet manage to keep a straight face. And why? Because it tastes good on the palate. You don't have to be a hardcore utilitarian to see the problem here.
3. Why should one take your preaching seriously when you are not even vegetarians?
Most of us prefer to skip meat whenever possible, but will eat meat when in the company of meat eaters. This is known as flexitarianism.
It's difficult to keep the balance in these matters. Greece is a country where meat eating is deeply engrained into the social fabric, particularly in the countryside. By assuming a hardline stance and refusing to eat meat at all, or even dairy, you risk being dismissed as a weirdo with fringe views. To paraphrase Peter Singer, we feel that the main point is not personal purity, but reducing animal abuse to the extent possible, while adjusting to the environment and one's own weaknesses.
In a more general sense, one can support a cause either by funding it, propagating it or living it. Of these three, the last one has the smallest effect when it comes to absolute numbers of reducing animal suffering. Smaller perhaps, but not negligible. At the end of the day, we are flawed humans making an effort, no question about this.
4. What does it take to be a hacker in 2021?
Assuming that one satisfies the core prerequisites -physical & mental health, and uncensored access to the internet-, it primarily takes an open mind and a desire to learn.
We have noticed that many of the most talented hackers do not come from typical Computer Science & engineering backgrounds. A foundation in Computer Science and a familiarity with basic security concepts are essential but besides that, it takes a creative, analytical mind willing to explore uncharted territory. Social engineering is a huge part of hacking in our era. While software and hardware get tighter, more layered and more robust protection mechanisms year after year, the human element is still very much subject to manipulation and will continue being so for a long time.
One of Greenbridge's side projects is a physical artist space in Trikala, central Greece. We hope to have the space up and running by autumn 2021, by which time the pandemic should be mostly under control. When ready, the space will be able to house small, analog performances with up to 40 spectators. Our vision is to use this space as an incubator where people interested in information security and people with a creative arts background can meet. We see tremendous potential in introducing these two communities. We've done something similar, at a much smaller scale, in the past.
5. What should a (new) hacker ethic comprise?
The hacker manifesto was written 35 years ago, but its core concepts of curiosity, community, the pursuit of truth and non-discrimination are more valid and relevant than ever. What has, perhaps, changed a bit is the scope of hacking, which has definitely expanded beyond the confines of computers into a much more diverse array of domains.
Furthermore, if one were to consider the traditional triad of Confidentiality, Integrity and Availability as a basis for the conversation, the focus has probably geared towards integrity rather than confidentiality, which was the case a couple of decades ago. We do have strong encryption and anonymity tools that work today, but unless there are truly serious reasons to hide one's identity, the effort it takes to use these tools consistently and diligently usually outweighs the benefits of anonymity. Edward Snowden's revelations and the WikiLeaks project are not just two of the most important hacker developments of the 21st century, but also very indicative of today's push towards radical transparency. Hackers could play a key role in guarding the integrity of information, while exposing misconduct.
6. How has the response to the project been so far?
We've just started out in January 2021, so it's all very fresh still. We've been in contact with various people both at the candidate and the employer sides in a number of countries, and the comments we have heard are positive and encouraging. If you like what you see @ Greenbridge, we strongly encourage you to get in touch, particularly if you are an aspiring infosec geek who hasn't managed to penetrate into our embarrassingly walled-up industry.
We try to keep a minimalist, grassroots approach on Greenbridge. We do everything ourselves on a next-to-zero budget. This means that web design, graphics, templates, legal, web development, communication, networking, SEO, assessment methodologies, research, writeups, accounting, promotion, recommended curricula, procedures and everything in between are all done by a handful of people in a DIY and rather primitive manner. We believe in doing things slowly and organically in order to build foundation at the beginning of most projects, including this one.
7. What is the future of the Industry?
There's so much going on right now it's very hard to make any predictions at all, let alone long-term predictions.
Our view is that Information Security will likely make up an integral part in various industries which traditionally have considered us irrelevant.
The Decentralised Finance space as well as the new blockchain-related technologies is a good example. Right now, the DeFi space is somewhat notorious as it has been hijacked mostly by idiots who are looking for a get-rich-quick scheme. Altcoins are not used as payments, but mostly as an alternative investment, and the marketplace is extremely volatile and premature. But the potential is undeniable; the dust will settle at some point soon, and the companies leading this space will need to thoroughly look into their modus operandi. Our understanding is that there have not been any serious reviews into the security implications decentralised finance may have. As this industry is heavily dependent on encryption algorithms and mathematics, many of the information security tools of the trade would be very relevant here.
There is also enormous potential in transforming the (now broken) media sector. Right now, the media is bloated, messy and entirely untrustworthy, as there is no reliable way of verifying whether a piece of news is true or false. Fake news spreads much faster than real news. The public is disoriented, agitated, in disbelief. Again, information security techniques could come in very handy to check the integrity of news stories, verify sources, and eventually create a more reliable and accountable industry.
Lastly, we expect that Artificial Intelligence and Task Automation are forces that will profoundly transform not just the Information Security Industry but the entire edifice of human civilisation.
8. Closing thoughts.