11.01.2022

The Greenbridge Interviews #2: klaus

***

0. Please introduce yourself and your current project(s) to the Greenbridge crowd.

My name is Klaus Agnoletti, aged 46. I have been an infosec professional since 2004. I reside in Copenhagen, Denmark with my wife and two cats. Recently my professional career changed direction and I started my first job in marketing. For many years my big passion has been the infosec community where I have been arranging meetings in our local OWASP chapter and co-founding our local Security BSides conference. Some time ago I decided to pursue that - even though no job seemed to be available for that in Denmark - because that’s what makes me happy. And apparently working with the infosec community is marketing so here I am now.

Since August I have been Head of Community at a small startup called CrowdSec where we facilitate the development of an open source security tool that enables users to share intelligence about the cyberattacks they’re seeing, thereby helping each other protect against cyber criminals - all for free. Basically my job is to help the community grow; the bigger the community of users is the better and more intelligence is being collected and shared - and the better CrowdSec works.

1. What are, in your opinion, some of the Information Security Industry's crowning achievements?

I’ll throw in a controversial opinion here: The rising demand of infosec products and professionals has nothing to do with what we as an Industry have done. On the contrary it’s what all the cyber criminals have done and keep doing that has made the biggest impact. The only good thing that has ever come out of ransomware is the attention on infosec from laymen meaning that everybody is so scared of getting hit by ransomware that that fear motivates them into allocating resources. But honestly, people don’t get motivated the right way by fear. They should simply have a good level of security because it makes sense and because it’s the right thing to do. I don’t think that will ever happen, though.

2. What about some of our most embarrassing failures as an Industry? How can we address these?

I honestly think that one of the most embarrassing and unbearable failures of all industries is the state of security of the IT systems that’s supposed to be their bread and butter. That so many board of directors and CEOs for so many years have ignored their well-meaning CISO (if they even had one) and their tireless efforts to get the attention of the management so they could fix all those critical vulnerabilities that they have been reminded about daily for years and years. And that the only reason why so many companies have finally started to wake up is the fact that they’re scared shitless about being a victim of ransomware. And once they wake up the only thing that they do about it (since everyone else is doing the same) is to throw money at the problems.

Don’t get me wrong: If you don’t allocate the right amount of resources and mandate to your security organization you will never achieve any kind or reasonable level of security. But on the other hand there’s a limit to how much money you can throw at a problem before it starts to lose its effect; that the level of security stops increasing significantly at some point no matter the size of your infosec budget. There’s a number of reasons for this. One is that there is a shortage of qualified people out there - that in some parts of the world salaries in infosec have risen to a level where it’s getting ridiculous. This attracts greedy, incompetent people who are just there for the money and don’t know what they’re doing. Another reason that I’ll address a bit more thoroughly is the fact that we’re looking at the problem in the wrong way.

In spite of what many think, the lack of a proper level of infosec within companies is not a complicated problem. Solutions to complicated problems are what comes out of big thinkers like Socrates and Einstein. Instead this is a complex problem like e.g. sending people to the moon or building something very complex and large. There are so many things that need to be done perfectly over and over for you to succeed. Complex problems can be solved by large teams that work together as one entity.

So why don’t we start treating this as a complex problem and work together to fix it? Well, one reason is that people don’t know that it’s a possibility and that people are used to fixing problems by throwing money at them. It just so happens that the approach is wrong and we have to do something else. That’s one of the reasons why CrowdSec was founded. It’s open-source software that builds a large CTI (Cyber Threat intelligence) network that allows users to work together to fight cyber criminals. Let me explain how: CrowdSec blocks bad traffic by parsing logs and sharing data on the attacks that it sees in an anonymous way. It only collects ip of the attacker, metadata on the attack and a timestamp. Once an attack is detected, traffic is blocked, either on firewall level or directly in a given application and the data on the attack is shared...

We truly believe that by creating a large, autonomous CTI network which can block the bad guys’ IPs every single time they start their dirty business, it is possible to prevent them from operating - or at least make it really, really hard. And that is the ultimate goal: Making the world a better place by shutting them down.

3. Can you name some people you look up to in the world of IT Security? Why?

Yes, I look up to the good folks at Black Hills Information Security. They have big hearts and think of the community and everyone else a lot. They firmly believe that good things come to those who do good. And I respect that deeply. In particular I look up to their community manager Jason Blanchard because he inspired me to get started in my new career path (which is one of the best things that has happened to me professionally in my entire career).

4. Which subfields of IT Security are the most exciting to work in right now?

Obviously I think it’s my own. I genuinely think that the way most infosec companies are doing sales and marketing is wrong. Everybody hates annoying salespeople. So why do companies keep hiring them and why do those sales people keep on bugging everyone with a bit of decision power to buy their stuff? Clearly it’s a situation everyone in it hates; the sales person hates to be forced to be pushy to reach a certain quota and the person in the other end hates it to because there’s a bunch of sales people knowing nothing about infosec and constantly trying to get in touch with them every single day to sell them whatever products that they probably don’t even need. Also, marketing is usually completely cut off from any real technical knowledge and any genuine wish to help customers solve their problems - unless they can be solved with whatever product they happen to market.

So how do we fix this? We need to start thinking differently about marketing, target user communities more efficiently and do sales completely differently. I simply don’t believe that it’s sustainable to have infosec marketing and sales that are so immensely annoying and unpleasant to be in for everyone involved. Community focused content marketing and relation selling are the keys here; where you understand your users and provide them value so they’ll genuinely want to buy your products or work with you because they think what you’re doing is cool. That’s how we do marketing at CrowdSec. First of all by giving away a lot of stuff for free, secondly by addressing the community directly by writing articles on new features in a language they understand and thirdly by making the community such a paramount part of our strategy that we simply won’t have anything if it wasn’t for the community that uses the software and reports attacks.

Another great example is Black Hills Information Security in the US. Everyone in the industry knows who John Strand is. And they don’t spend a dime on traditional marketing. Instead they run so-called ‘Pay what you want’ courses of a very high quality, they hold webcasts and other events with very clever people and give away their IR training card game ‘Backdoors & Breaches’ for free. All of this is directly focused towards the infosec community. And as I said before, almost everyone in the industry knows them even though they’re a relatively small infosec consultancy in the US and don’t sell their services outside the US. They even have their own merchandise store where they sell various logo t-shirts. 40% of those t-shirts are being sold in the EU where they - as I said before - don’t have any business.

5. What does it take to be a hacker in 2022?

It all depends on how you define the word ‘hacker’. To me that is not necessarily a cyber criminal breaking into other people’s stuff. To me a hacker is a general term of a person that always seeks to find novel ways to modify their surroundings so that their surroundings serve their own purpose and not the other way round. The most important part of that is definitely critical thinking. So to me that is the most important property of a hacker in 2022 :-)

As an example I chose to hack my way to a new career path earlier this year when I wanted a job that didn’t seem to exist. After I had created a presentation outlining what I wanted to do, I talked to all relevant infosec consultancies in Copenhagen and when that didn’t turn out, I started looking more internationally and ended up with my dream job as one of the two employees of CrowdSec not in France. To me there’s an important lesson there: Go with what makes you happy and hack your next job if that’s the only way (or just the most fun one).

6. How do you feel about the concept of radical transparency? Are there, perhaps, some things that are better left unsaid in all circumstances?

Not really. I am a firm believer of straight talk and saying things like they are. I think people should focus more on solving problems rather than trying to punish those who speak about those problems.

7. Can you make some predictions for the future of the Industry?

I think (and fear) that we’ve just seen the beginning of ransomware. As we keep putting more and more stuff on the internet without thinking about securing them, we are simply asking criminals to ransom it. I believe that everything that can be ransomed will at some point be ransomed. And it doesn’t matter whether it’s your car, your house, your identity or maybe even an entire country.

8. Closing thoughts.

Thanks for allowing me to speak about what I find important in our field!

***

04.01.2022

The Greenbridge Interviews #1: p@tsman

***

0. Please introduce yourself and your current project(s) to the Greenbridge crowd.

I’ve been in the infosec industry for almost 20 years and I’m currently working at one of the world’s largest public cloud providers. Throughout my career, I have been dealing with digital risk challenges of large organizations in Europe, Middle East and Africa and some interesting (...) research in the fields of incident response, topological vulnerability assessment, and formal security policy grammars.

1. What are, in your opinion, some of the Information Security Industry's crowning achievements?

Until recently, I think this was literally one of the hardest questions to answer, as there was too much noise in our industry, and achievements were crowned within our community only (…mostly as buzzwords or extreme marketing terms for the upper segment of enterprises).

However, I think we’re -at last- witnessing democratization of security (mostly through cloud providers, where even small companies can have enterprise-grade security), while also watching digital risk conversations become the norm in board meetings.

2. What about some of our most embarrassing failures as an Industry? How can we address these?

I think we haven’t managed to secure authentication (at all fronts): passwords simply don’t cut it, certificates are way too complex to understand & use, while biometrics are not universally accepted. Having said this, secure authentication protocols and standards are also not embraced by the development community and I’m afraid we’ll have to continue dealing with these issues for the foreseeable future (hoping to be proven wrong here).

We’ve also fallen victim to our own fallacies, shifting amazing amounts of time, money and energy into proxy-fied threats such as the auditors; ticking compliance boxes was -and still is in so many cases- the Mount Olympus of the business people. To me, this is not right; compliance is a by-product of good security, not its destination. I do not want to downplay the importance of compliance here, but information security is different; the auditor is not a threat actor (at least in the majority of the cases).

3. Can you name some people you look up to in the world of IT Security? Why?

There are a number of people that I greatly respect, and follow on an almost daily (or at least weekly) basis. Apart from the infosec “founding fathers” (Cory Doctorow, Gene Spafford, Steven Bellovin, Bruce Schneier, etc.), I particularly enjoy tweets from thought-leaders like Phil Venables, Anton Chuvakin, Joshua Corman and others.

I also follow some NPOs, collectives, bug-bounty hunters, “hackers”, industry and manufacturing experts, artists, etc. trying to aggregate, digest and think on as many different perspectives as possible.

4. Which subfields of IT Security are the most exciting to work in right now?

To me, cloud security is super exciting. As we’re seeing organizations of all sizes exploring and harnessing the benefits of the cloud (the pandemic has acted as a catalyst here) we also see many security principles heavily revisited; The shared responsibility model sets a new security paradigm, as there’s a level of abstraction to what the provider and what the users are responsible for. Furthermore, cloud-native apps are providing a totally different attack surface where traditional security controls (e.g. firewalls, IPS, etc.) are of little or no use. Finally, with the cloud serving as an innovation platform, Development, Operations and Security functions are frequently blended, calling for a different security approach.

5. What does it take to be a hacker in 2022?

Same as it was back in the 00’s, or even before: mindset, curiosity, persistence and luck (in this particular order).

6. How do you feel about the concept of radical transparency? Are there, perhaps, some things that are better left unsaid in all circumstances?

To me, there’s no silver bullet here; while transparency can help a lot (public algorithms, facilitate responsible disclosure, etc.) there are cases where this approach might have the opposite outcomes (e.g. disclosing competitive info, intellectual property etc.).

I believe that radical transparency has to do a lot with bias (mostly unconscious and particularly confirmation, survivorship, causal reductionism and emergence) as well as fallacies (like bandwagon, red herring, hasty generalizations, etc.), therefore it may also lead to enantiodromia.

7. Can you make some predictions for the future of the Industry?

I think we are in a pretty interesting phase for our industry, as we’re just passing the phase of being an after-market nice-to-have (same as seat belts back in the 70’s and airbags in the 80’s or 90’s). I don’t believe we’re yet into the stage of “by-default” or “by-design” but we’re seeing more security baked-in than ever before. On a macro-level, security startups are acquired by large IT companies and cloud providers, to be included in their core-offering. This is good news for our industry.

I also believe that our industry will continue to play an important role in digital transformation, and even become pivotal in geopolitical and regulatory issues. If someone’s looking for a career change, I can’t think of a better time investigating information security, as there’s a huge gap of talent to cover today’s demand, and an even bigger gap projected for the demands of the future (IoT, 5G, AI, Metaverse, etc.)

8. Closing thoughts.

Wishing everyone a Happy New Year, hoping to break information security stereotypes; I will start from “the users are the weakest link”, thinking of so many organizations refusing to enable SPF, DKIM and DMARC while taking a month (..) to install security updates. We’re all in this together!

***

11.12.2021

Interview with the anonymous publishing house multitudes

***

0. Please introduce yourself and your project to our readers.

Hi! My name is Melanie. I am a member of the multitudes anonymous publishing house. We are a small team from different backgrounds: translators, linux geeks, journalists, science fiction fans, all sharing our love for the written word. We started our operations in 2016, mostly publishing pamphlets and various short essays. About a year ago, we've started taking the project more seriously and have published three books.

The purpose of the multitudes project is twofold: primarily, we want to support talented writers who express controversial, quirky ideas. We feel that it is important to support uncompromising, sometimes dangerous freedom of thought and expression in our current landscape that often suppresses fringe views. The second objective is related to anonymity: we want to create a truly anonymous publishing machine, in which noone knows the real identiy of the person they are working with; yet work is done, text is translated to English if need be, edited and proofread, and a professional-looking publication is produced.

1. Why anonymous publishing?

People have different reasons for not wanting to reveal their identity. The most obvious reason is that many authors come from oppressive backgrounds, either countries or families, which would give them a hard time about their work. Others like to change identities, and adopt different personas depending on what they are doing. Some people do it for fun.

From our side, we like the idea of focusing on what is being said, rather than who is talking.

2. Tell us about the books you've published.

ΨΤΜ - Mirror

This is the first book we published and, for most of us @ multitudes, a personal favourite. It is a very original experiment on direct democracy. The authors explore the concept of an apolitical party which, when voted into parliament, will function as a direct democracy vehicle for the party's members.

They describe a detailed architecture for the web portal which is used for all matters related to the party. They propose the use of a web of trust architecture combined with heuristic methods and even bits of artificial intelligence in the mix, in order to verify that all registered members of the portal are unique humans (rather than groups of people or bots), permanent residents of the country in question, and over 16 years of age, without worrying about their real identity. They also explain the concept of the orators: a group of users who take on the task of explaining the content and intent of laws to the members of the platform, each time a vote is scheduled to take place.

Overall, it's an extremely interesting take on injecting direct democracy into parliamentary democracy.

Th0r - Uncanny Connections

In this very current book, Th0r describes an reverse ecosystem for the new globally connected, remote work economy. Rather than having employers from rich countries look for labour in cheap(er) countries, Th0r's platform incentivizes workers from rich countries to offer their skills and employment to cheap(er) countries. He does that by providing a rewards system, backed by an altcoin, which makes up for the money lost via wage differences.

Th0r has done impressive research here. He presents historical examples of similar initiatives, and discusses why each one of these initiatives did not realise its full potential. In his own solution, he groups countries in five tiers, according to the average wage paid to a number of different professions that can be conducted remotely. In cases of more than one "hop", the altcoin rewards are bigger.

The idea Th0r presents is not particularly controversial, but an important one nevertheless. We sincerely hope someone picks this up and transforms it into a real project.

SM - Clonedown

This is a cyberpunk porn novel. It's the story of a woman and her adventures with her partner and three of his clones. Besides the (very graphical) sex acts described, there are large parts of insanely technical narrative related to information security, politics, drugs and genetics.

3. How can one get hold of these books?

All three books are available in the dark web in digital format, using a CC BY creative commons licence. As far as we know, at least one of them has leaked into the surface web. Part of the multitudes project is to provide not just a book product, but a tinge of mystery, and a rare opportunity for the interested reader/seeker to do some research.

We have also printed 50 hard copies of each book, which we sent out to the authors so that they can hopefully make a bit of cash via their work. Readers interested in getting hold of hard copies are welcome to drop us a line; or simply contact the authors directly after tracking down these books.

4. What are your book publishing criteria?

We are very interested in original, provocative work that pushes boundaries. We ask that the material is no less than 25000 words - that is about 60 pages, and written in one of the 6 languages that we can work in: English, Greek, Spanish, French, Indonesian & Mandarin Chinese. We commit to replying to every single submission we get. Hit us up!

5. How do you deal with disturbing material? Where do you draw the line?

We only accept submissions via e-mail and we filter out all images, which takes care of a large portion of disturbing submissions (as well as tons of junk). As far as text submissions are concerned, we have only once received material that we considered publishing but eventually rejected because it was shocking. It was not only the extreme nature of the subject matter; the draft also contained many disturbing references to real people, the veracity of which we had no way of independently checking.

6. Where does the multitudes team stand, politically speaking?

Great question. Perhaps I can start by saying that we can't even agree on definitions of what is left and right within our team. We come from a bunch of different cultures; what is considered left for some is considered center for others. And what is considered right today even for those in adjacent cultures may be rebranded tomorrow.

My personal opinion is that the conversation about the left/right political spectrum is both outdated and irrelevant. As mentioned earlier in this interview, we all value freedom of speech and are willing to take some bullets, so to speak, for publishing controversial, provocative content. We are all influenced by the principles of Open Source Software, we strive to treat all human and non-human creatures with respect, and tread lightly on our planet. What does all that make us? I am not sure. If I were to put a tag onto our team, it would probably be social libertarian.

7. What is in the multitudes pipeline?

We are currently working on an insane book written by Baru Fajr, a trans Indonesian woman, entitled "zero trust secure encounters". The author is introducing the concept of a no-tech casual hookup network, whose target is that invidivuals have "intimate encounters", to use her own term, with others, without compromising their identity even to the person they are meeting with. She proposes the use of dark rooms, as well as anonymous vouching by existing members of the ztse network. She mentions many different, bizarre ideas, including "free" and "scripted" encounters, verification of objects used during these sessions, and many other things.

Publishing this book is extremely interesting and very challenging for us. Translating from Indonesian is one thing; there is also the difficulty of doing sanity and technical checks on her work, as many of the concepts she discusses are tangled and, as written right now, borderline unreadable.

8. Closing Thoughts.

We hope that when the pandemic is finally over, humanity will be a tad wiser. Let us hope that by 2030, every person on earth will have access to Universal Health Coverage, universal basic income, and unrestricted access to the internet.
Ini adalah wawancara palsu.

***

05.08.2021

Interview with the hacker group LUMINISCENCIA.
Originally conducted in Spanish.

***

0. Please introduce yourself and your crew to our readers.

Hi Greenbridge people. This is ^stalemate^. I am part of the LUMINISCENCIA hacktivist crew. Our crew formed spontaneously in the midst of 2019. Our members are based in various countries but we operate predominantly in Latin America. Mostly Colombia and Brazil at the moment.

We are animal welfare hacktivists. We try to make Latin American people aware of the realities of eating meat and contribute towards a world which treats animals better. But we are not extremists. We are just trying to put our computer skills to use in order to bring about changes to our environment which most people would welcome if only they took a minute to think.

1. What have you done so far?

In the second half of 2019, we targeted two large meat producers, one in São Paolo (BR) and one in Medellin (CO). We scanned their ranges for low-hanging fruit and within a few hours were spoilt for choice on how we would get inside.

As you would imagine, the meat industry has very poor information security practices. Both targets managed their own infrastructure, with shitloads of RDP listeners open to the internet, OWAs with poor password policies, account reuse, publicly exposed shares and a bunch of other things. If I were to guess, I’d imagine looking into their network security hadn’t even crossed their mind, because they considered that no one would have serious reasons to target them, when they can target the banks.

We went into their networks quietly and spent the following couple of weeks doing passive information gathering. We followed different approaches with these two targets, but the core idea was the same: Identify embarrassing secrets and threaten to publish unless the mark meets your demands.

For the Brazilian target we went for their CEO’s inbox. As expected, we found ample incriminating material in his corporate inbox, of a very, very personal nature. We took evidence and screenshots and left their network as quietly as we went in. Then we gave it a month or so of waiting time.

At some point, the CEO received a message from us including a sample from our loot, in which we were explaining that we had accessed his inbox and that we would leak the material if he did not agree to our terms. We asked him to publish a blog post in his company’s social media, signed personally by him, explaining that he encourages people to consume less meat and try out lab-grown meat, citing environmental, ethical and health reasons. We’d actually composed the post for him in a fairly light-hearted tone, as if he’d had some sort of “spiritual” revelation; he’d only need to agree to publish it.

And publish he did, the very next day. The post became viral, and gathered over 100K views within a few days. It’s difficult to measure the exact impact this incident had from an animal welfare perspective. I know for a fact two things: that many, many people in Brazil took a minute to think about their eating habits, and that, as I type this, a huge meat producer in Brazil has committed to introducing lab-grown meat to their menu.

2. Would you actually dox him if he didn’t publish your message?

I am not sure, it’s an area of disagreement within our crew. Personally, I don’t see the point of doxing someone in this scenario. I don’t see how it can help the animals. Other members in our crew feel that this kind of direct action would draw attention and show the world that we are serious about our work. And that it would help animals indirectly, in the long run, provided that we wrote a strong statement to go with it which would explain our rationale for doing this. All I can say now is I am glad we didn’t have to push in this case, as the guy cooperated right away.

I don’t think that causing extreme distress to anyone is justified, ever. Exposing someone so mercilessly from our position of absolute, asymmetrical power would not be right, in my opinion. This particular guy, as you’d expect from a CEO, is a middle-aged, rich, obnoxious man who represents most of the things we stand against. But he actually worked with us; and we honored our agreement.

After the incident, I think he sounds different, when on TV. The differences are subtle, but noticeable. He just sounds more concerned, perhaps more human.

3. What about the other target?

For the Colombian target, we used a similar approach as before, scanning their networks and finding more than one, easy way in. In this case we found very disturbing material in one of their shares related to their work practices. I don’t want to go into the details here; suffice to say that there were many, many very sick animals in their factories.

We decided to send the material to the press. But as the story entered the mainstream domain and got dressed in formal language, it lost its punch and momentum. Yes, there was a minor scandal, and supposedly an investigation was launched into the conditions animals were kept in in this meat producer’s premises. But as the meat lobby is extremely powerful, one can assume that the inspectors got some cash, some gentle warnings were given, and a half-assed report about working on animal welfare that nobody would ever read, was produced.

This was a lost opportunity and a wakeup call for us that we’d have to change strategy.

4. Change strategy how?

We decided that we’d focus on the consumers, not the producers.

Through OSINT and simple social engineering tricks, we got hold of a massive mailing list containing tens of thousands of e-mail addresses belonging to meat lovers around the continent.

We had some long discussions about how we could put this list to use. As we were not planning to hack into these people’s personal accounts, we had to come up with a strategy that would bring results differently, without exposing secrets or otherwise doxing them. We agreed on one thing: In this particular target group, most people don’t give two shits about the environment or animal welfare, but they do care about their own health and well-being.

We composed a serious-looking message, supposedly coming from one of latin america’s largest steakhouse chain restaurants and explained, citing a nonexistent research paper, that frequent meat consumption, particularly red meat, was now clearly linked with reduced sperm count and erectile dysfunction in men, and fertility problems in women. We went on explaining that, although this piece of news is very concerning to meat lovers and damaging to our own business, our consumers’ health is top priority, and closed the message with a recommendation for radical reduction of meat consumption.

This message made the headlines multiple times and made quite an incredible furore. Once again, we have no practical means of measuring the results, but the overall feeling is that the message struck a nerve with many people, made a strong impact, and ultimately spared many animal lives.

This was in the mid 20s, right at the epicenter of the covid-19 pandemic. As you may have heard, most cities in Brazil did not enforce lockdown policies no matter how high the bodies were piling up; restaurants were mostly open. People kept eating picanhas. And we were kept busy with our hacktivist project.

From that point onwards, we have launched several campaigns, always targeting the consumers, using various approaches. We have used fake websites, social media accounts, impersonation, fake rewards, fake research, fake news, culture jamming techniques and many combinations of the above. The objective always being to discourage people from binging on meat or otherwise abusing animals.

We do not intend to stop any time soon.

5. What are your secops like?

As we are geographically and temporally distributed all over the world, we split the work in units, each of which can be undertaken by a single member. Besides, that, we have a few hard rules that we try to stick to at all times:

6. What’s the crew like? What’s the recruitment process like?

We are a fairly small team, less than ten people. I only know personally two or three people, but have worked with pretty much everybody in LUMINISCENCIA. Our recruitment process is fairly simple: Anyone of the older (=more than a year of membership) members can bring someone new in. The rule is that the recruiter is responsible for the new joiner and vouches for them.

We prefer joiners who have the right character and disposition as well as a genuine desire to help the animals. Technical skills are important but there is nothing that cannot be learnt given time and commitment. Character flaws such as greed and vanity, on the other hand, are not only extremely hard to control, they can be fatal to a structure like ours.

7. How do you feel as a female hacker?

Actually, my gender is irrelevant as far as LUMINESCENCIA is concerned. Besides a couple of members who know me personally, most of my peers don’t even know that I am a woman.

It’s quite interesting when I meet people in person though. I don’t look at all like a hacker stereotype, as portrayed by the media: no blue hair, fishnet tights or nine inch black nails. I don’t even look geeky. Just a female nobody. In this context, people get _very_ surprised when conversations get technical, and I often find myself at the center of unsolicited romantic attention.

Which is a damn shame, as I am only interested in women.

8. Closing Thoughts.

Love is the only force capable of destroying the universe.
Esta entrevista es falsa.

***

18.04.2021

Greenbrige interview originally published in the 6th issue of the 空运行 (="Dry Run") hacker fanzine.

空运行 ("DRY RUN") ZINE
P.O. BOX 62
SHEN BAO BUILDING
118 RONG HUA ROAD,
FUTIAN FREE TRADE ZONE,
SHENZHEN,GUANGDONG
GUANGDONG PROVINCE
CHINA

***

0. What is the problem with the IT Security Industry?

The Information Security Industry emerged towards the end of the 20th century as a response to a fast-paced digitisation trend and evolved from that point as an organic concoction of very diverse -and often contradictory- tendencies. It has not had the opportunity, or the luxury, to properly define itself or align itself with its (hastily) stated purpose. It lacks formalisation, a central philosophy, a code of conduct and a consensus on metrics. The COVID-19 pandemic has only made matters worse; the industry keeps growing exponentially without even pretending to make an effort, take a step back and re-examine its core principles and assumptions.

In essence, the industry is a hack, and a pretty basic one at that.

The rates most companies charge for information security services are extortionate, which, in turn, makes these services accessible only to a few select clients, typically in the financial sector. There's an uneasy affinity between the Cybersecurity Industry and the Banks: besides being the only sector that can actually afford us, the financial sector is probably the only other industry that is equally elitist, greedy and short-sighted. While the banks are spending fortunes on specialised assessments such as red team attack simulations, there are entire sectors and populations which are lacking even the most fundamental training and support in relation to information security.

The irony of the matter is that at the core of this industry are a bunch of geeks who swear by open source software, information sharing and playing with computers. It's quite astonishing how the industry somehow socially engineered us into pursuing careers and paychecks we don't need, and, ultimately, into supporting a rich elite maintain its status. From a distance, the whole thing looks like an unnaturally acted farce.

We are standing at a crucial crossroads. With the Internet currently being our only means of connection, and hunderds of millions entirely exposed to the (digital) elements, it is borderline criminal negligence on behalf of those of us who work in Information Security to just stand on the sidelines and let this rotten state of affairs perpetuate.

1. What can we do to change things, then?

We can start by trying to create a more accessible industry. Amongst other things, more accessible means helping outsiders get in the industry (this is one of the core objectives we have as Greenbridge). It also means that we must provide our services (much) cheaper to anyone who needs them. To do this, we can, and probably should, take a hard look at ourselves. Do we need these scandalous salaries? Most genuine geeks have a shaky relationship with money, and in most cases tend to see money as a distraction. Sure, we need some of it to buy gear, beer and coffee, but other than that, most of us realise that money creates complications and obligations which we would rather avoid. And what about all these performance reviews, and career paths, and all that crap our companies have signed us up for? What have we got to prove, and to whom?

It only takes a moment of clarity to realise that we are the ones driving this industry forward, and we've got the power to change it radically, from the inside.

2. How did you get interested in Animal Welfare?

Some people in our team have a strong connection to the 90s punk and hardcore scenes. There were many bands -Earth Crisis is a good example- who were very vocal in their vegetarian/vegan stance at the time. Even though we did not take this message particularly seriously back then, this is when we somehow got introduced to the concepts of Animal Welfare and Animal Rights. Over time, we started getting more interested in the subject and also met various bright people who are actively involved in the Animal Rights movement.

The way we treat nonhuman animals is probably the greatest pitfall of our era. Humans like to debate fiercely on whether the death penalty is appropriate for anyone at all, even for the worst criminals, and usually -rightly- conclude that it is never justified. At the same time, we kill over 72 billion land animals -over 1 trillion animals if you take into account aquatic life- per year for food we don't technically need, and yet manage to keep a straight face. And why? Because it tastes good on the palate. You don't have to be a hardcore utilitarian to see the problem here.

3. Why should one take your preaching seriously when you are not even vegetarians?

Most of us prefer to skip meat whenever possible, but will eat meat when in the company of meat eaters. This is known as flexitarianism.

It's difficult to keep the balance in these matters. Greece is a country where meat eating is deeply engrained into the social fabric, particularly in the countryside. By assuming a hardline stance and refusing to eat meat at all, or even dairy, you risk being dismissed as a weirdo with fringe views. To paraphrase Peter Singer, we feel that the main point is not personal purity, but reducing animal abuse to the extent possible, while adjusting to the environment and one's one weaknesses.

In a more general sense, one can support a cause either by funding it, propagating it or living it. Of these three, the last one has the smallest effect when it comes to absolute numbers of reducing animal suffering. Smaller perhaps, but not negligible. At the end of the day, we are flawed humans making an effort, no question about this.

4. What does it take to be a hacker in 2021?

Assuming that one satisfies the core prerequisites -physical & mental health, and uncensored access to the internet-, it primarily takes an open mind and a desire to learn.

We have noticed that many of the most talented hackers do not come from typical Computer Science & engineering backgrounds. A foundation in Computer Science and a familiarity with basic security concepts are essential but besides that, it takes a creative, analytical mind willing to explore unchartered territory. Social engineering is a huge part of hacking in our era. While software and hardware get tighter, more layered and more robust protection mechanisms year after year, the human element is still very much subject to manipulation and will continue being so for a long time.

One of Greenbridge's side projects is a physical artist space in Trikala, central Greece. We hope to have the space up and running by spring 2022, by which time the pandemic should be mostly under control. When ready, the space will be able to house small, analog performances with up to 40 spectators. Our vision is to use this space as an incubator where people interested in information security and people with a creative arts background can meet. We see tremendous potential in introducing these two communities. We've done something similar, at a much smaller scale, in the past.

5. What should a (new) hacker ethic comprise?

The hacker manifesto was written 35 years ago, but its core concepts of curiosity, community, the pursuit of truth and non-discrimination are more valid and relevant than ever. What has, perhaps, changed a bit is the scope of hacking, which has definitely expanded beyond the confines of computers into a much more diverse array of domains.

Furthermore, if one were to consider the traditional triad of Confidentiality, Integrity and Availability as a basis for the conversation, the focus has probably geared towards integrity rather than confidentiality, which was the case a couple of decades ago. We do have strong encryption and anonymity tools that work today, but unless there are truly serious reasons to hide one's identity, the effort it takes to use these tools consistently and diligently usually outweighs the benefits of anonymity. Edward Snowden's revelations and the wikileaks project are not just two of the most important hacker developments of the 21st century, but also very indicative of today's push towards radical transparency. Hackers could play a key role in guarding the integrity of information, while exposing misconduct.

6. How has the response to the project been so far?

We've just started out in January 2021, so it's all very fresh still. We've been in contact with various people both at the candidate and the employer sides in a number of countries, and the comments we have heard are positive and encouraging. If you like what you see @ Greenbridge, we strongly encourage you to get in touch, particularly if you are an aspiring infosec geek who hasn't managed to penetrate into our embarassingly walled-up industry.

We try to keep a minimalist, grassroots approach on Greenbridge. We do everything ourselves on an next-to-zero budget. This means that web design, graphics, templates, legal, web development, communication, networking, SEO, assessment methodologies, research, writeups, accounting, promotion, recommended curricula, procedures and everything in between are all done by a handful of people in a DIY and rather primitive manner. We believe in doing things slowly and organically in order to build foundation at the beginning of most projects, including this one.

7. What is the future of the Industry?

There's so much going on right now it's very hard to make any predictions at all, let alone long-term predictions.

Our view is that Information Security will likely make up an integral part in various industries which traditionally have considered us irrelevant.

The Decentralised Finance space as well as the new blockcain related technlogies is a good example. Right now, the DeFi space is somewhat notorious as it has been hijacked mostly by idiots who are looking for a get-rich-quick scheme. Altcoins are not used as payments, but mostly as an alternative investment, and the marketplace is extremely volatile and premature. But the potential is undeniable; the dust will settle at some point soon, and the companies leading this space will be need to thoroughly look into their modus operandi. Our understanding is that there have not been any serious reviews into the security implications decentralised finance may have. As this industry is heavily dependent on encryption algorighms and mathematics, many of the information security tools of the trade would be very relevant here.

There is also enormous potential in transforming the (now broken) media sector. Right now, the media is bloated, messy and entirely untrustworthy, as there is no reliable way of verifying whether a piece of news is true or false. Fake news spreads much faster than real news. The public is disoriented, agitated, in disbelief. Again, information security techniques could come in very handy to check the integrity of news stories, verify sources, and eventually create a more reliable and accountable industry.

Lastly, we expect that Artificial Intelligence and Task Automation are forces that will profoundly transform not just the Information Security Industry but the entire edifice of human civilisation.

8. Closing thoughts.

这次采访是假的。