24.06.2022

TRUTH AND INTEGRITY

***

In the film Locke (2013), construction manager Ivan Locke learns that a colleague with whom he had a one-night stand a few months before, which resulted in her becoming pregnant, has gone into premature labour the evening before he must supervise a massive concrete pour in Birmingham. Despite his job responsibilities and although his wife and sons are eagerly awaiting his arrival home, Locke decides to drive to London to be present during childbirth. Over the course of the one-and-a-half-hour drive from Birmingham to London, Locke calls many different people; during these calls, he is fired from his job, coaches his assistant through preparing the pour despite some major setbacks, and is banned from his house by his wife. He also has several imaginary conversations with his dead father, whom he reprimands for abandoning them, while vowing that he will not repeat that mistake.

Locke’s story, on the surface, seems to revolve around a bizarre, catastrophic decision relating to an insignificant affair; but when examined more in detail, it reveals a strong, captivating element of character integrity. Integrity is one of the most important, yet puzzling human virtues. There are several things that people tend to relate with integrity: it can often be used synonymously with morality, although it is perfectly possible to act with integrity while acting immorally. Integrity is sometimes used as completeness (of character, work, or vision) and sometimes used as standing for something important. In Ivan Locke’s context, it means commitment to one’s decision, or, unchangeability no matter the cost.

A more thorough examination of this unchangeability attribute reveals several different components, including, amongst others, honesty, reliability and accountability. Honesty is mostly self-explanatory, and includes straightforwardness of conduct, along with the absence of lying. Reliability and accountability refer, essentially, to the same quality, the difference being that reliability is needed in neutral or positive scenarios, whereas accountability is needed when dealing with negative outcomes and crises.

***

In the domain of information security, integrity equals unchangeability. Integrity is one of the three core elements in the CIA (Confidentiality, Integrity, Availability) triad, and, as such, it is an extremely important concept in the field. There are many data integrity mechanisms and technologies available, all of them striving to achieve the same goal: ensure that our data is consistent, accurate and reliable throughout its entire lifecycle.

Data integrity can be damaged accidentally or deliberately. As a general rule, accidental damage tends to be related to technical failures (electromechanical faults, power outages, material fatigue, corrosion) or environmental hazards (natural disasters, ionizing radiation, extreme temperatures, pressures) while deliberate damage tends to be related to misbehaving humans. Humans are sometimes responsible for accidental damage too; but thankfully, as we haven’t reached Skynet levels of artificial general intelligence yet, machines cannot cause deliberate damage to our data. And while there are various methods to defend data from being accidentally damaged (Uninterruptible Power Supply mechanisms, redundancy, backups, error-checking features in modern filesystems), it is much, much harder to protect data from a determined and skilled malicious actor.

In many senses, the entire edifice of Information Security is an attempt to defend against misbehaving users.

For the purposes of this essay, let us consider a single defence mechanism that can comprise a very solid baseline in protecting data integrity from human threat actors: ensuring that the human users who process data are, like Ivan Locke, characterised by integrity. We tend to rely on two sources of temporal information to verify character integrity: the past and the present. The past, in this context, means inspecting the individual’s track record. We do this via background checks, referral letters, and due diligence investigations. If an individual has been honest, reliable and accountable in the past, chances are that they will tend to behave in a similar manner in the future. Of course, track records themselves need to be reliable for this method to work. The present as a source of information means that we try to infer whether people are characterised by integrity, based on their words and body language. Body language interpretation, in particular, is an extremely interesting field, and many intelligent people have put significant effort into decoding these signals. Understandably, this method, too, is far from infallible, as it is subject to emotional, cultural and situational distortion, both on the side of the observer and the observed.

Once our defences are in place, verification of data integrity is a straightforward business: produce a message digest of the data at an early stage (when one is certain that the data is intact), and another message digest at a later time. If the digests are identical, we can be reasonably certain that the data has not been altered. The simpler form of this digest, typically used to protect data against accidental alteration, is a checksum, while the more advanced form, designed to protect against malicious tampering, is a Cryptographic Hash Function, such as SHA-512.

Let us explain the phrase “reasonably certain”. The underlying algorithms used by cryptographic hash functions are open standards, which is to say they are subject to public scrutiny. More importantly, cryptographic hash functions are, essentially, mathematical algorithms. They do one job -map data of an arbitrary size to a bit array of a fixed size- and they are very good at doing it. Unless there are three-letter agencies out there which have planted backdoors into these algorithms, perfected quantum cryptanalysis or have otherwise subverted our reality beyond our wildest imagination, we can trust these algorithms when they tell us that our data has not been altered.
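The digest comparison described above, as an added example that is not part of the original essay: it records a CRC-32 checksum and a SHA-512 digest of a constructed record, then re-checks a deliberately altered copy whose four filler bytes were chosen so that the checksum still matches. The record, its field names and all function names are assumptions made for the illustration.

```python
import hashlib
import zlib

# Constructed sample record. The 4-byte "memo" field stands in for any place
# where a modified copy can carry bytes that a reader would not notice.
ORIGINAL = b"invoice=2041 amount=0100.00 EUR payee=ACME memo=none"


def crc32(data: bytes) -> int:
    """Checksum: designed to catch accidental alteration."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha512(data: bytes) -> str:
    """Cryptographic hash: designed to resist deliberate tampering."""
    return hashlib.sha512(data).hexdigest()


def take_baseline(data: bytes) -> dict:
    """Digests recorded at the early stage, while the data is known intact."""
    return {"crc32": crc32(data), "sha512": sha512(data)}


def verify(data: bytes, baseline: dict) -> dict:
    """Later check: recompute both digests and compare with the baseline."""
    return {
        "crc32_match": crc32(data) == baseline["crc32"],
        "sha512_match": sha512(data) == baseline["sha512"],
    }


def solve_gf2(columns: list, target: int) -> int:
    """Return a bitmask of columns whose XOR equals target (GF(2) elimination)."""
    basis = {}  # highest set bit -> (vector, mask of columns that XOR to it)
    for index, vector in enumerate(columns):
        mask = 1 << index
        while vector:
            pivot = vector.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = (vector, mask)
                break
            vector ^= basis[pivot][0]
            mask ^= basis[pivot][1]
    mask = 0
    while target:
        pivot = target.bit_length() - 1
        if pivot not in basis:
            raise ValueError("target is not reachable with these columns")
        target ^= basis[pivot][0]
        mask ^= basis[pivot][1]
    return mask


def crc_preserving_copy(prefix: bytes, suffix: bytes, wanted_crc: int) -> bytes:
    """Build prefix + 4 filler bytes + suffix whose CRC-32 equals wanted_crc.

    For inputs of a fixed length CRC-32 is affine over GF(2): flipping one
    input bit always flips the same set of output bits. Measuring that effect
    for each of the 32 filler bits gives a linear system that is solved
    directly. No comparable structure is known for SHA-512.
    """
    def crc_with(filler: int) -> int:
        return crc32(prefix + filler.to_bytes(4, "little") + suffix)

    base = crc_with(0)
    columns = [crc_with(1 << bit) ^ base for bit in range(32)]
    filler = solve_gf2(columns, wanted_crc ^ base)
    return prefix + filler.to_bytes(4, "little") + suffix


def demo() -> dict:
    baseline = take_baseline(ORIGINAL)
    # Constructed altered copy: the amount differs, the memo bytes are solved for.
    altered = crc_preserving_copy(
        b"invoice=2041 amount=9100.00 EUR payee=ACME memo=", b"", baseline["crc32"]
    )
    return {
        "altered": altered,
        "intact": verify(ORIGINAL, baseline),
        "tampered": verify(altered, baseline),
    }


if __name__ == "__main__":
    result = demo()
    print("altered copy :", result["altered"])
    print("intact check :", result["intact"])
    print("tamper check :", result["tampered"])
```

The altered copy passes the checksum comparison and fails the SHA-512 comparison, which is why a baseline meant to catch deliberate changes is recorded with a cryptographic hash function.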

***

Once we have completed, to the best of our ability, our work in ensuring its integrity, we can use our data confidently as part of our engagement with more important tasks. Increasingly, human activities use digital information as input to produce results. If the data these activities use is reliable and intact, so will be their output. This is extremely important for institutions whose foundation is based on the pursuit of truth, both as their compass and criterion of success. Journalism, Law, Science, are all doomed to failure if the data they use is incomplete, tampered or otherwise unreliable.

To state the obvious: data integrity does not guarantee the discovery of truth. Our best efforts in many human enterprises throughout millennia have taught us that the truth -whatever we mean by this word- is a moving target; we can only get glimpses of it, and need to stay on our toes and alert to keep it within reach. But we can be fairly sure that, when our data -and our people- are reliable and intact, they can be worthy allies in the pursuit of truth. When amidst complex scenarios with many parameters, unknown elements and overall uncertainty and unpredictability, integrity -of humans and data- can be seen as a constant which is on our side when trying to decide how to make sense of what we are working with. And even when it does not help, we can at least be certain that the integrity attribute will be a neutral factor, one that will not be generating additional distortions to worry about.

The philosophically minded may be tempted to ask at this point: why the fixation on Truth? How did it end up enjoying such undisputed reverence in our value systems? And what would happen if we were to use a different compass? Let us refrain from entering this hazardous territory and leave this question open for a different essay.

***

30.04.2022

THE CRANE KICK SYNDROME

***

In the film The Karate Kid (1984), Daniel LaRusso moves to California with his mum but soon finds himself the target of a group of bullies who study karate at the Cobra Kai dojo. Daniel befriends Mr. Miyagi, a serene man who turns out to be a martial arts master. Miyagi takes Daniel under his wing, teaching him a peaceful, introspective style of karate and preparing him to compete against Cobra Kai at a local tournament. Daniel completes his training, and, against all odds, reaches the tournament finals. During the last part of the fight, and while struggling with a severe leg injury, Daniel assumes a heroic crane kick stance and executes a front kick to his antagonist’s face, scoring the tournament-winning point and becoming the new champion.

Although this is a story about karate, the template used is very powerful and highly configurable: as long as the script contains a relatable central character, a fascinating skill set, and an emotional, heroic finale (the love story is optional), the allure becomes irresistible. For the purposes of our conversation, we’d need to replace karate with computer hacking, Daniel LaRusso with a hacker hero who types frantically in assembly and breaks into everything in a matter of seconds, and the crane kick with a 0-day exploit. The result is a formula that can cast a spell on myriads of people.

But there is another subtle, almost invisible element not just to this narrative, but to every contemporary consumer seduction scene: the blistering pace at which everything must happen. The problem is not that people want to be hackers. It is that they want to be hackers right now. Upon reflection, in an era characterised by limited attention spans and instant gratification expectations, this should hardly come as a surprise. Everybody seems to be in a rush, all the time. The constant supply of seemingly effortless success stories that the internet provides leads to the false expectation that no one ever has to wait for anything anymore. Quality is sacrificed on the altar of speed, and knowledge is substituted with information.

When it comes to the domain of cyber security, there are countless courses, bootcamps, hacking platforms, micro-degrees and combinations of the above, all promising to turn people into fearless hackers as quickly as possible. Impatient students rush to these 1-click-buy courses and try to complete them in a frenzy. The most persistent of these students jump hurriedly into the job seeking arena and sometimes manage to get hired by gullible, desperate employers who also are under the speed spell. The end result is stressed out workers with very patchy knowledge of the security domain, executing crane kicks with zero sense of balance while in a constant state of cortisol and adrenaline overload. It’s no wonder that they often end up breaking their neck.

The essence and the main symptom of the crane kick syndrome, then, can be described as follows: the patient wishes to teleport themselves directly to the final, accomplished state of whatever it is they are dreaming of being on a given day -hacker hero, karate champion, marathon runner, Mt. Everest climber- while consciously skipping all interim stages. It is a dishonorable shortcut; a victory without a fight, a destination without a journey, an orgasm without sex.

***

But all is not lost, dear reader. Although the crane kick syndrome is a serious disorder affecting millions, diagnosis is easy, and treatment is fortunately possible with the assistance of the humble Miyagi method, bundled with the Greenbridge Curriculum for aspiring hackers.

The Miyagi method has its roots in a very prominent, real karate style called Gōjū-ryū. The manner in which the training is done in the Karate Kid film is fictional and unorthodox, but has some very real merits. The technique revolves around assigning various repetitive, tedious tasks that a student must complete without receiving a justification from his mentor. While doing these chores and without realising the connection to karate, the student develops several types of muscle memory which, he later finds out, can be used as defensive karate moves. But, besides the physical training, there’s a powerful character building element to the Miyagi method. While waxing cars, painting fences and sanding floors, the student experiences the meaning of discipline, commitment and patience.

There are many virtues that can be useful to aspiring hackers. Fortitude -one of the four cardinal virtues- is a very useful trait to have when you try to tailgate someone, or when you try to, directly and unabashedly, social engineer somebody during a face-to-face conversation. Truthfulness is very important when you report on critical security issues, even though these often come bundled with awkward, emotional conversations, and occasional sleepless nights. Humility is essential, too, as it helps you realise that you are not smarter than software engineers or systems administrators, and reminds you that you should try putting yourself in their shoes when presenting your work to them. Temperance is very handy when you must, against your most fervent desires, move onto the next test case of a penetration test or, god forbid, the dreaded reporting phase.

But discipline, commitment and patience are at the top of the list when it comes to character traits a hacker should have. (Curiosity is up there too, but we won’t cover it in this essay).

For starters, before you can try to be a hacker, you need to have a foundation in two areas which are not relevant to information security: English and Computer Science. Much of the studying in these two areas is not glamorous at all. There’s not much excitement in learning English grammar and phrasal verbs (assuming you are not a native speaker), or in understanding compilers, relational databases and recursion. But this knowledge is essential if you are serious in your quest. If you are not disciplined, committed and patient, you run the risk of abandoning the entire project before you are anywhere near the information security domain.

Furthermore, when you give yourself enough time -in the form of a committed and patient study plan- to educate yourself on computer security, you’ll have the chance to properly reflect on why you got attracted to it in the first place. The breaks you take between your study sessions will sometimes be more valuable than the actual studying as you’ll get to internalise your work and learn in depth. You will also have the chance to ask yourself some important questions. Are you genuinely interested in the field or were you perhaps impressed by its shine? Do you enjoy taking things apart to figure out what’s inside or were you simply looking for comfortable working conditions and near-zero unemployment rates? Are you fascinated by intellectual challenges and difficult puzzles, or were you merely impressed by the average salaries in the field?

When you eventually reach the point of studying information security and ethical hacking, you will find these three virtues extremely useful in a more contained manner, typically in the context of security-related tasks you have taken on. Much of the work in security is frustratingly complex, and many of the subtasks may be haunting you for weeks. Oftentimes you will be chasing chimaeras, in the sense that many security challenges are unsolvable, or at least they cannot be solved in the circumstances (time, budget, limitations) you have been asked to work with. And sometimes, you will have no other option but to wait. For an interesting maintenance window, a mark who's out-of-office to return to her duties or a massive UDP scan to come to a close.

Neither the Miyagi method nor the Greenbridge curriculum is a panacea. They are mostly tested, and mostly reliable, but they are clearly not the only path to learning information security. There are many bright people who have broken into the field in various personalised, imaginative ways. You are encouraged, in true hacker spirit, to carve your own path, make adjustments, and always be critical of the content that’s thrown at you, including this article.

Hackers of the world: the Cyber security industry desperately needs people. Show it what you’ve got. We have just one favor to ask: would you kindly slow down a little?

***

24.04.2022

The Greenbridge Interviews #7: alex

***

0. Please introduce yourself and your current project(s) to the Greenbridge crowd.

My name is Alex, I'm a founder of Cyber Hermes - a cyber crisis management company aimed at helping our customers to prepare and respond to a security breach, even if the worst-case scenario has already happened. I'm coming from a technical background, having worked in such domains as reverse engineering, malware analysis, penetration testing, product security and lately - security strategy.

1. What are, in your opinion, some of the Information Security Industry's crowning achievements?

Seamless security by default for the end users, and increased awareness of policymakers about the security issues that helps to prioritize security efforts in organizations.

2. What about some of our most embarrassing failures as an Industry? How can we address these?

There are many, but I'd like to highlight two:

a. The fact that SQL injections and many other decade-plus-old problems are still a thing.

b. The fact that many of us still see ourselves as glorious paladins rather than an integral part of the overall business process.

3. Can you name some people you look up to in the world of IT Security? Why?

Again, there are many but if I have to think of two, that would be Phil Venables and Richard Seiersen. Both are prominent security leaders who look at information security as an economic problem, and help to quantify and better communicate risks to the key stakeholders for a more efficient holistic approach.

4. Which subfields of IT Security are the most exciting to work in right now?

There is no universal answer to this question - it all depends on what one likes more, be it security architecture, forensics or threat intelligence. Personally, I find risk quantification a very interesting and potentially game-changing trend, as it brings more clarity to the question "why" doing something and not something else.

5. What does it take to be a hacker in 2022?

I believe the answer is dependent on your definition of a "hacker". If we talk about a classical one, the answer is unchanged - curiosity and persistence. Nevertheless, if we are talking about organized cybercrime (e.g. ransomware groups), there are multiple roles similar to regular jobs, with their own managers, HR, coders and so on. I'd advocate for the first definition though :)

6. How do you feel about the concept of radical transparency? Are there, perhaps, some things that are better left unsaid in all circumstances?

That's a tough one. I generally like the idea, but I imagine it takes certain maturity, and incorrect implementation might bring more harm and open a door for potentially unexpected abuses.

7. Can you make some predictions for the future of the Industry?

I think the stakes (both impacts and investments) in security will continue to grow, and we will see new ways of monetizing poor security by the cyber criminals.

8. Closing thoughts.

Remember that everything is connected, and sometimes the best ideas in one industry are coming from another, unexpected end. Do not limit yourself to just security and train new mental models for a more colourful (and efficient) life in all senses.

***

19.04.2022

The Greenbridge Interviews #6: christos

***

0. Please introduce yourself and your current project(s) to the Greenbridge crowd.

My name is Chris and I have been in the InfoSec world for about 10 years now. Currently I am working on product and device security projects that cover the entire tech-stack of embedded devices. My past experience covers many technical aspects of security including network penetration testing, application security, product security and security architecture.

1. What are, in your opinion, some of the Information Security Industry's crowning achievements?

Given that the scientific foundations have been established decades before the industry got established and that I consider InfoSec primarily an engineering field rather than scientific, the main achievement I observe is the fast pace with which testing tools develop in order to enable more and more testers to efficiently join the industry with a quick learning curve.

2. What about some of our most embarrassing failures as an Industry? How can we address these?

Clearly the failure to balance managerial bureaucracy suppressing the technical evolution and technological integration. That creates considerable overhead which diverts the focus to counterproductive routine procedures.

3. Can you name some people you look up to in the world of IT Security? Why?

I highly respect people who work on business development and/or executives who have strong technical background and due to that they define the right priorities and objects. I could name multiple people, Andrew Case and grugq are two of the first to come to mind.

4. Which subfields of IT Security are the most exciting to work in right now?

Detection Evasion and Forensics because both are on the edge of attack and defense.

5. What does it take to be a hacker in 2022?

Curiosity, perseverance and patience.

6. How do you feel about the concept of radical transparency? Are there, perhaps, some things that are better left unsaid in all circumstances?

To be honest I'm not quite familiar with the concept. A quick look, though, suggests a direction that I consider futile (at least for critical and sensitive intellectual property rights). This is in the sense that the necessary regulation would only be put forward and get adopted by the very societies that are more vulnerable to technological espionage, while obscurity would be further emboldened in non-open countries and societies. However, when it comes to corporate decision making this is a completely sensible approach forward.

7. Can you make some predictions for the future of the Industry?

There are two fields that will redefine the field of technology, education and training: these are quantum computing and AI. The former can introduce the need for radically fast reintegration on ominously deployed infrastructure and redefine the required properties of security. The latter will require from the professionals of the field to reinvent their dexterities really fast in order to maintain their expertise.

8. Closing thoughts.

Just like this initiative suggests, we are in the data-driven era and data is treated as a priceless commodity. But, more data means more information, but not necessarily correct information. It could rather mean that more info suggests more noise. If that aspect is not seriously taken, InfoSec could easily end up being NoiseSec.

***

16.04.2022

The Greenbridge Interviews #5: yiannis

***

0. Please introduce yourself and your current project(s) to the Greenbridge crowd.

Hi all! I am Yiannis and I have been in the IT Security world for about 10 years now. Currently I am working on different projects that cover the Appsec, InfoSec and Counter Abuse pillars. While pursuing an ISO27001 certification might sound dull and stiff, it actually gives you a good overview of what holistic security means and how complex the mission is to make an organisation secure enough to meet certain standards. At the same time, projects such as building a Threat Intelligence information exchange service or detecting and chasing out of your platform abusers that share illegal material, give me the right amount of excitement and keep me hooked with the technical side of IT security.

1. What are, in your opinion, some of the Information Security Industry's crowning achievements?

First thing that comes to mind is the encryption algorithms that have made it possible to exchange sensitive information while retaining confidentiality and integrity of the information over public networks. This has allowed us to develop different solutions such as electronic payments, digitalisation of civil services etc.

2. What about some of our most embarrassing failures as an Industry? How can we address these?

I don't have something specific in mind but I think the Security industry has failed so far to draw the attention from the public audience about fundamental elements on how anyone can protect themselves online. Secure practices and concepts such as phishing, impersonation and safe browsing should be taught in schools as basic education. The Security Industry has been isolated, introverted and promotes a niche and blurry profile that keeps the general population out of it. It is our duty to share the knowledge and push for changes that will help our societies to protect against the emerging digital threats.

3. Can you name some people you look up to in the world of IT Security? Why?

I have high respect for all the whistleblowers like Snowden who sacrificed a part of themselves to expose unethical, immoral and undemocratic practices. It takes a lot of courage, altruism and a high sense of social responsibility to do something like that. While I do not believe that individual acts alone can make a real difference, exposing such information can activate people and trigger the formation of organised movements against the threats that (state) adversaries pose in the cyberspace.

4. Which subfields of IT Security are the most exciting to work in right now?

I would go for data protection and threat intelligence.

Data protection because the personal data that we provide online defines who we are, where we have access and in general how we can live in our digital life which has become very closely attached to our physical life. Take China for example with the 'social credit' system. This is an Orwellian scenario that has become reality. We need to act against such systems that control and "automate" our life without our consent. Technology needs to serve people's needs and not to be used as an oppression mechanism.

Threat intelligence is an exciting world because apart from discovering all the new threats being used in the wild, you can take this knowledge and build networks and collaborations that by sharing this information help individuals and organisations to protect themselves and make the internet a safer space.

5. What does it take to be a hacker in 2022?

Curiosity and persistence.

6. How do you feel about the concept of radical transparency? Are there, perhaps, some things that are better left unsaid in all circumstances?

This is a tricky one! While in principle I believe that transparency should be applied and exercised in all cases, there are indeed certain circumstances that dictate a level of secrecy. Revealing details of plans of highly sensitive projects and missions can be proven to be catastrophic. In any case, even if secrecy is needed, there have to be mechanisms in place that will ensure accountability for the decisions made under closed doors.

7. Can you make some predictions for the future of the Industry?

It's difficult to make predictions in such a dynamic environment but I believe that when quantum computing is established, our Industry will be redefined. Encryption algorithms and secure protocols that are the backbone of our industry as we know it now will become obsolete. This will spark a big cycle of new research and redefinition not only of the Security industry but the digital world in general.

8. Closing thoughts.

I am really happy to see initiatives like Greenbridge, keep fighting the good fight and try harder!

***

03.04.2022

The Greenbridge Interviews #4: gjoko

***

0. Please introduce yourself and your current project(s) to the Greenbridge crowd.

My name is Gjoko Krstikj (Djoko Krstic) and I am the founder of Zero Science Lab, a Macedonian information security research and development laboratory. Unfortunately I cannot speak about my current projects but some of the previous ones relate to Building Automation Systems (BAS) / Building Management Systems (BMS), Digital Signage Systems and Smart Home Automation Systems including Smart Cities (IIoT/IoT).

1. What are, in your opinion, some of the Information Security Industry's crowning achievements?

Information Security Industry's crowning achievements... I really do not know how to answer this question. SSDLC, bug bounties and expeditious focus on awareness?

2. What about some of our most embarrassing failures as an Industry? How can we address these?

Ransomware and social engineering. The weakest link will always be there and security breaches and incidents will happen. Addressing these would include training, technical hardening and adapting defense-in-depth strategy on all layers of the rapidly evolving information superhighway. Another embarrassing failure is the 'forgotten development consoles' or backdoors in various types of products and solutions. Developers need to be aware that these are almost always discovered.

3. Can you name some people you look up to in the world of IT Security? Why?

Gynvael Coldwind, str0ke, Jericho, Josh, Todd, Phil Zimmermann and Bruce Schneier just to name a few. These people found their element and contributed to the community enormously by doing what they are/were doing and sharing ideas that improved the 'industry' as we know it to this day.

4. Which subfields of IT Security are the most exciting to work in right now?

For me, anything is exciting when it comes to infosec. But as always, I would say ICS, SCADA, IoT. Cloud is the least exciting 'thing' for me :)

5. What does it take to be a hacker in 2022?

It is a bit difficult for me to say what it takes to be a hacker in 2022... Hacking in the 90s and 00s was different, and as education and technology changed, so did people and 'hacker mindsets'. It takes balls, to be fearless, curious and with good intentions. Doing CTFs and bug bounties looks like an entirely new 'hacker culture', write-ups, shameless swag promotions, it is just not that exciting going forward.

6. How do you feel about the concept of radical transparency? Are there, perhaps, some things that are better left unsaid in all circumstances?

In their own right, everyone has the right to be or not to be transparent. Working for the greater good, I would agree that companies need to be more transparent in terms of their processes and protocols regarding secops and devops. Trust is weakness, and this will be the never-ending discussion between corporations and the community. For ease of mind, some things are better left unsaid...;)

7. Can you make some predictions for the future of the Industry?

It's becoming more and more demanding as more people jump into the sphere of IT. Hopefully, this is going towards the right direction, and the hacking scene will continue to be inspiring. No proxy, no problem.

8. Closing thoughts.

At a different time, these answers would of course have been different. Everything depends on the mood and availability, and I would have preferred a face-2-face interview. Nevertheless, thank you for the intriguing questions Stelios!

Cheers, Gjoko.

***

14.03.2022

The Greenbridge Interviews #3: pedro

***

0. Please introduce yourself and your current project(s) to the Greenbridge crowd.

I am Pedro, I am an auditor, specifically in the PCI area, I have been working in this area since 2012. My current projects all have to do with this theme, and specifically with compliance towards the credit card security standards.

This may seem a little restrictive, but it is the multitude of subjects that need to comply, with such different environments, that in the end brings the challenge to this activity. I certainly cannot name customers, but they have ranged from the very normal payment service providers, to hotels, train stations, police cars, museums, supermarkets, travelling industry, to name a few. I have also been involved in awareness projects to customers, and this has been a very fulfilling task, being able to clarify directly to entities/users, where the security problems may be present, what to do to address them and as time goes by, verifying that results start to appear.

1. What are, in your opinion, some of the Information Security Industry's crowning achievements?

I am old enough in this industry that I remember what it was like 10, 15, 20 years ago in terms of awareness of information security, and how far we have come since then. It is undeniable that many attack techniques have evolved, but it is also true that the everyday users are nowadays taking some precautions which were not present in the past. Terms like “ransomware”, “phishing”, etc. are nowadays household names. And as they say, the weak link of security is usually the human factor. But it is true that the bad guys have not stopped either and they are usually one step ahead, so there is always work to do, knowledge to improve...

2. What about some of our most embarrassing failures as an Industry? How can we address these?

I believe that unfortunately the security areas of the companies continue to be considered expensive areas and areas in which the budgets do not have any return, and so this usually means that the budgets are, sometimes severely, undercut. This usually has the perverse effect that security is usually unable to fulfil its goals, and when successful attacks happen, the fact that the security areas were unable to deter them will help to continue to undermine their activity.

3. Can you name some people you look up to in the world of IT Security? Why?

There are way too many people to be looked up to in the industry, to be able to name them all. Still, I would like to mention Bruce Schneier, for the ability to convey information, concepts and news in a way that the general public can understand. For us in the industry, most of the security concepts are easily graspable, but for the general public, they are not. And it takes a special way of presenting the information which, at the same time, is exact and able to be consumed by the general public.

Bruce Schneier has that gift.

4. Which subfields of IT Security are the most exciting to work in right now?

This is an area that is expanding in many different directions.

To name but a few, the cloud is nowadays a certainty of the future, which will grow in complexity and resources, mostly to entice the needs of the users, but which will bring new security challenges of its own. Another is the growth in image capture devices - from general CCTV to home owner devices - which are capable of not only obtaining information (image, but also sound and even physical characteristics) which are then available for use by official entities (sometimes not so official) and hackers. The use of this data brings a whole multitude of privacy problems that we are only scratching the surface of.

The third is almost a specification of the previous one - drones have their capabilities growing, and the legislation and control of these components is far from ideal. From simple situations in which the neighbour spies the other neighbour in the pool, to drones that appear in airport runways, potentially causing dangerous incidents, to the already proven military ability to make drone attacks. This autonomous vehicle is in the process of growing in intelligence and in the future, potentially make decisions without human intervention.

Which leads to the last one, the evolution of AI, which began by a simple concept but which now has the potential of defeating humans in so many diverse areas, and to a point that decisions critical for humans can begin to be taken by algorithms.

5. What does it take to be a hacker in 2022?

Unfortunately, not much. Some IT capabilities, the knowledge about the easily obtainable attack tools and the will to gain some advantage from that situation.

6. How do you feel about the concept of radical transparency? Are there, perhaps, some things that are better left unsaid in all circumstances?

Radical transparency conveys a lot of information which, if in the wrong hands, gives the ability to gain important advantages. So, no, I do not think this is something to implement blindly (!).

7. Can you make some predictions for the future of the Industry?

The future is rarely what we can predict. However, I would dare to predict that innovation will continue to be paramount and security will continue to be considered a “nice to have”. So, I would say that this industry of information security has a lot of growth to attain in the future...

8. Closing thoughts.

I think mankind is more and more involved in the virtual world, delighted by all its potentials and forgetting that there is also a real world out here (just as big as the virtual one). We are all animals after all, and the capability to interact, share experiences, touch each other, is slowly being taken to a secondary position. I believe we have a lot to lose if we let technology run our lives instead of using it to improve our lives.

We should be the smart ones, right? ;-)

***

27.02.2022

Letters to a Young Mentee

***

Dear mentee:

In your last letter you questioned the usefulness of having a mentor at all. A mentor, you said, is a burden to wild, spontaneous, unpredictable personal development due to the fact that they create structure, and set the stage very early on in someone's journey in a new realm. In this unique moment of personal "big bang", you said, it is a terrible idea to have a source of authority right behind you, no matter how discreet or compatible, having opinions about what you should be doing, choreographing you and directing you, both in a cinematic and mentoring sense. You then argued that even the most flexible mentors - those who fully adapt to the style and quirks of each personal mentee - are harmful, as their very presence creates a "shadow of authority" which may prove damaging to a creative, unconventional individual.

You mentioned that the _concept_ of a mentor is useful, but it is much more useful to be your own mentor. To achieve this, you said, you should train yourself to be able to take a step back and examine your own work from a distance. This detachment, you said, is very useful not just to rate your own progress in a certain topic, but can also come in handy in many other scenarios, particularly when these are emotionally charged. Alternatively to the self-mentorship solution, you said, there is always the obvious solution of using the myriads of voices on the internet as a "distributed mentor". Why stick to one human mentor, you said, when one can tap into the organic wisdom of the crowd, which is available 24/7, evolving constantly, and free of charge?

What exactly is it, you asked, that a mentor may be offering, that is irreplaceable? The most obvious answer to this question is consistency. A human mentor can be expected to be more consistent than a crowd. There are two problems to this approach, you said. The first one is that mentors are not guaranteed to be consistent. The second is that you doubt the fact that consistency is essential for progress. Even if consistency is essential, you continued, why not consider a “fluid consistency”, i.e. a type of consistency that is aligned with the organic nature of the internet?

Another potential benefit about having a mentor, you mentioned, may be that a mentor, being experienced in the field, will save you time. But this view is flawed too, as the shortcuts the mentor will be offering you will prove detrimental if used without being fully understood, and without the student having been through the essential stage of personal discovery via trial and error. You finally argued that the main benefit of having a mentor is much more shallow, bitter and disillusioning than any aspiring mentee would like to admit: that they will help you find a job via their network. In which case, a mentor is, essentially, a referee at best, or a sponsor at worst.

Your arguments are impressive, dear mentee. I find it very hard to refute them. The only retort I can offer is this: I'd like to think that at least a few bits of your polemic have emerged as a result of our conversations over the past few years. If this is so, you have, in a somewhat quantum fashion, simultaneously dethroned and confirmed the role of the mentor and the value of mentorships.

Best,

Your mentor.

***

11.01.2022

The Greenbridge Interviews #2: klaus

***

0. Please introduce yourself and your current project(s) to the Greenbridge crowd.

My name is Klaus Agnoletti, aged 46. I have been an infosec professional since 2004. I reside in Copenhagen, Denmark with my wife and two cats. Recently my professional career changed direction and I started my first job in marketing. For many years my big passion has been the infosec community where I have been arranging meetings in our local OWASP chapter and co-founding our local Security BSides conference. Some time ago I decided to pursue that - even though no job seemed to be available for that in Denmark - because that’s what makes me happy. And apparently working with the infosec community is marketing so here I am now.

Since August I have been Head of Community at a small startup called CrowdSec where we facilitate the development of an open source security tool that enables users to share intelligence about the cyberattacks they’re seeing, thereby helping each other protect against cyber criminals - all for free. Basically my job is to help the community grow; the bigger the community of users is the better and more intelligence is being collected and shared - and the better CrowdSec works.

1. What are, in your opinion, some of the Information Security Industry's crowning achievements?

I’ll throw in a controversial opinion here: The rising demand of infosec products and professionals has nothing to do with what we as an Industry have done. On the contrary it’s what all the cyber criminals have done and keep doing that has made the biggest impact. The only good thing that has ever come out of ransomware is the attention on infosec from laymen meaning that everybody is so scared of getting hit by ransomware that that fear motivates them into allocating resources. But honestly, people don’t get motivated the right way by fear. They should simply have a good level of security because it makes sense and because it’s the right thing to do. I don’t think that will ever happen, though.

2. What about some of our most embarrassing failures as an Industry? How can we address these?

I honestly think that one of the most embarrassing and unbearable failures of all industries is the state of security of the IT systems that are supposed to be their bread and butter. That so many boards of directors and CEOs for so many years have ignored their well-meaning CISO (if they even had one) and their tireless efforts to get the attention of the management so they could fix all those critical vulnerabilities that they have been reminded about daily for years and years. And that the only reason why so many companies have finally started to wake up is the fact that they’re scared shitless about being a victim of ransomware. And once they wake up the only thing that they do about it (since everyone else is doing the same) is to throw money at the problems.

Don’t get me wrong: If you don’t allocate the right amount of resources and mandate to your security organization you will never achieve any kind of reasonable level of security. But on the other hand there’s a limit to how much money you can throw at a problem before it starts to lose its effect; that the level of security stops increasing significantly at some point no matter the size of your infosec budget. There’s a number of reasons for this. One is that there is a shortage of qualified people out there - that in some parts of the world salaries in infosec have risen to a level where it’s getting ridiculous. This attracts greedy, incompetent people who are just there for the money and don’t know what they’re doing. Another reason that I’ll address a bit more thoroughly is the fact that we’re looking at the problem in the wrong way.

In spite of what many think, the lack of a proper level of infosec within companies is not a complicated problem. Solutions to complicated problems are what comes out of big thinkers like Socrates and Einstein. Instead this is a complex problem like e.g. sending people to the moon or building something very complex and large. There are so many things that need to be done perfectly over and over for you to succeed. Complex problems can be solved by large teams that work together as one entity.

So why don’t we start treating this as a complex problem and work together to fix it? Well, one reason is that people don’t know that it’s a possibility and that people are used to fixing problems by throwing money at them. It just so happens that the approach is wrong and we have to do something else. That’s one of the reasons why CrowdSec was founded. It’s open-source software that builds a large CTI (Cyber Threat Intelligence) network that allows users to work together to fight cyber criminals. Let me explain how: CrowdSec blocks bad traffic by parsing logs and sharing data on the attacks that it sees in an anonymous way. It only collects the IP of the attacker, metadata on the attack and a timestamp. Once an attack is detected, traffic is blocked, either on firewall level or directly in a given application and the data on the attack is shared...

We truly believe that by creating a large, autonomous CTI network which can block the bad guys’ IPs every single time they start their dirty business, it is possible to prevent them from operating - or at least make it really, really hard. And that is the ultimate goal: Making the world a better place by shutting them down.

3. Can you name some people you look up to in the world of IT Security? Why?

Yes, I look up to the good folks at Black Hills Information Security. They have big hearts and think of the community and everyone else a lot. They firmly believe that good things come to those who do good. And I respect that deeply. In particular I look up to their community manager Jason Blanchard because he inspired me to get started in my new career path (which is one of the best things that has happened to me professionally in my entire career).

4. Which subfields of IT Security are the most exciting to work in right now?

Obviously I think it’s my own. I genuinely think that the way most infosec companies are doing sales and marketing is wrong. Everybody hates annoying salespeople. So why do companies keep hiring them and why do those sales people keep on bugging everyone with a bit of decision power to buy their stuff? Clearly it’s a situation everyone in it hates; the sales person hates to be forced to be pushy to reach a certain quota and the person in the other end hates it too because there’s a bunch of sales people knowing nothing about infosec and constantly trying to get in touch with them every single day to sell them whatever products that they probably don’t even need. Also, marketing is usually completely cut off from any real technical knowledge and any genuine wish to help customers solve their problems - unless they can be solved with whatever product they happen to market.

So how do we fix this? We need to start thinking differently about marketing, target user communities more efficiently and do sales completely differently. I simply don’t believe that it’s sustainable to have infosec marketing and sales that are so immensely annoying and unpleasant to be in for everyone involved. Community focused content marketing and relation selling are the keys here; where you understand your users and provide them value so they’ll genuinely want to buy your products or work with you because they think what you’re doing is cool. That’s how we do marketing at CrowdSec. First of all by giving away a lot of stuff for free, secondly by addressing the community directly by writing articles on new features in a language they understand and thirdly by making the community such a paramount part of our strategy that we simply won’t have anything if it wasn’t for the community that uses the software and reports attacks.

Another great example is Black Hills Information Security in the US. Everyone in the industry knows who John Strand is. And they don’t spend a dime on traditional marketing. Instead they run so-called ‘Pay what you want’ courses of a very high quality, they hold webcasts and other events with very clever people and give away their IR training card game ‘Backdoors & Breaches’ for free. All of this is directly focused towards the infosec community. And as I said before, almost everyone in the industry knows them even though they’re a relatively small infosec consultancy in the US and don’t sell their services outside the US. They even have their own merchandise store where they sell various logo t-shirts. 40% of those t-shirts are being sold in the EU where they - as I said before - don’t have any business.

5. What does it take to be a hacker in 2022?

It all depends on how you define the word ‘hacker’. To me that is not necessarily a cyber criminal breaking into other people’s stuff. To me a hacker is a general term of a person that always seeks to find novel ways to modify their surroundings so that their surroundings serve their own purpose and not the other way round. The most important part of that is definitely critical thinking. So to me that is the most important property of a hacker in 2022 :-)

As an example I chose to hack my way to a new career path earlier this year when I wanted a job that didn’t seem to exist. After I had created a presentation outlining what I wanted to do, I talked to all relevant infosec consultancies in Copenhagen and when that didn’t turn out, I started looking more internationally and ended up with my dream job as one of the two employees of CrowdSec not in France. To me there’s an important lesson there: Go with what makes you happy and hack your next job if that’s the only way (or just the most fun one).

6. How do you feel about the concept of radical transparency? Are there, perhaps, some things that are better left unsaid in all circumstances?

Not really. I am a firm believer of straight talk and saying things like they are. I think people should focus more on solving problems rather than trying to punish those who speak about those problems.

7. Can you make some predictions for the future of the Industry?

I think (and fear) that we’ve just seen the beginning of ransomware. As we keep putting more and more stuff on the internet without thinking about securing them, we are simply asking criminals to ransom it. I believe that everything that can be ransomed will at some point be ransomed. And it doesn’t matter whether it’s your car, your house, your identity or maybe even an entire country.

8. Closing thoughts.

Thanks for allowing me to speak about what I find important in our field!

***

04.01.2022

The Greenbridge Interviews #1: p@tsman

***

0. Please introduce yourself and your current project(s) to the Greenbridge crowd.

I’ve been in the infosec industry for almost 20 years and I’m currently working at one of the world’s largest public cloud providers. Throughout my career, I have been dealing with digital risk challenges of large organizations in Europe, Middle East and Africa and some interesting (...) research in the fields of incident response, topological vulnerability assessment, and formal security policy grammars.

1. What are, in your opinion, some of the Information Security Industry's crowning achievements?

Until recently, I think this was literally one of the hardest questions to answer, as there was too much noise in our industry, and achievements were crowned within our community only (…mostly as buzzwords or extreme marketing terms for the upper segment of enterprises).

However, I think we’re -at last- witnessing democratization of security (mostly through cloud providers, where even small companies can have enterprise-grade security), while also watching digital risk conversations become the norm in board meetings.

2. What about some of our most embarrassing failures as an Industry? How can we address these?

I think we haven’t managed to secure authentication (at all fronts): passwords simply don’t cut it, certificates are way too complex to understand & use, while biometrics are not universally accepted. Having said this, secure authentication protocols and standards are also not embraced by the development community and I’m afraid we’ll have to continue dealing with these issues for the foreseeable future (hoping to be proven wrong here).

We’ve also fallen victim to our own fallacies, shifting amazing amounts of time, money and energy into proxy-fied threats such as the auditors; ticking compliance boxes was -and still is in so many cases- the Mount Olympus of the business people. To me, this is not right; compliance is a by-product of good security, not its destination. I do not want to downplay the importance of compliance here, but information security is different; the auditor is not a threat actor (at least in the majority of the cases).

3. Can you name some people you look up to in the world of IT Security? Why?

There are a number of people that I greatly respect, and follow on an almost daily (or at least weekly) basis. Apart from the infosec “founding fathers” (Cory Doctorow, Gene Spafford, Steven Bellovin, Bruce Schneier, etc.), I particularly enjoy tweets from thought-leaders like Phil Venables, Anton Chuvakin, Joshua Corman and others.

I also follow some NPOs, collectives, bug-bounty hunters, “hackers”, industry and manufacturing experts, artists, etc. trying to aggregate, digest and think on as many different perspectives as possible.

4. Which subfields of IT Security are the most exciting to work in right now?

To me, cloud security is super exciting. As we’re seeing organizations of all sizes exploring and harnessing the benefits of the cloud (the pandemic has acted as a catalyst here) we also see many security principles heavily revisited; the shared responsibility model sets a new security paradigm, as there’s a level of abstraction to what the provider and what the users are responsible for. Furthermore, cloud-native apps are providing a totally different attack surface where traditional security controls (e.g. firewalls, IPS, etc.) are of little or no use. Finally, with the cloud serving as an innovation platform, Development, Operations and Security functions are frequently blended, calling for a different security approach.

5. What does it take to be a hacker in 2022?

Same as it was back in the 00’s, or even before: mindset, curiosity, persistence and luck (in this particular order).

6. How do you feel about the concept of radical transparency? Are there, perhaps, some things that are better left unsaid in all circumstances?

To me, there’s no silver bullet here; while transparency can help a lot (public algorithms, facilitate responsible disclosure, etc.) there are cases where this approach might have the opposite outcomes (e.g. disclosing competitive info, intellectual property etc.).

I believe that radical transparency has to do a lot with bias (mostly unconscious and particularly confirmation, survivorship, causal reductionism and emergence) as well as fallacies (like bandwagon, red herring, hasty generalizations, etc.), therefore it may also lead to enantiodromia.

7. Can you make some predictions for the future of the Industry?

I think we are in a pretty interesting phase for our industry, as we’re just passing the phase of being an after-market nice-to-have (same as seat belts back in the 70’s and airbags in the 80’s or 90’s). I don’t believe we’re yet into the stage of “by-default” or “by-design” but we’re seeing more security baked-in than ever before. On a macro-level, security startups are acquired by large IT companies and cloud providers, to be included in their core-offering. This is good news for our industry.

I also believe that our industry will continue to play an important role in digital transformation, and even become pivotal in geopolitical and regulatory issues. If someone’s looking for a career change, I can’t think of a better time investigating information security, as there’s a huge gap of talent to cover today’s demand, and an even bigger gap projected for the demands of the future (IoT, 5G, AI, Metaverse, etc.)

8. Closing thoughts.

Wishing everyone a Happy New Year, hoping to break information security stereotypes; I will start from “the users are the weakest link”, thinking of so many organizations refusing to enable SPF, DKIM and DMARC while taking a month (..) to install security updates. We’re all in this together!

***

11.12.2021

Interview with the anonymous publishing house multitudes

***

0. Please introduce yourself and your project to our readers.

Hi! My name is Melanie. I am a member of the multitudes anonymous publishing house. We are a small team from different backgrounds: translators, linux geeks, journalists, science fiction fans, all sharing our love for the written word. We started our operations in 2016, mostly publishing pamphlets and various short essays. About a year ago, we've started taking the project more seriously and have published three books.

The purpose of the multitudes project is twofold: primarily, we want to support talented writers who express controversial, quirky ideas. We feel that it is important to support uncompromising, sometimes dangerous freedom of thought and expression in our current landscape that often suppresses fringe views. The second objective is related to anonymity: we want to create a truly anonymous publishing machine, in which no one knows the real identity of the person they are working with; yet work is done, text is translated to English if need be, edited and proofread, and a professional-looking publication is produced.

1. Why anonymous publishing?

People have different reasons for not wanting to reveal their identity. The most obvious reason is that many authors come from oppressive backgrounds, either countries or families, which would give them a hard time about their work. Others like to change identities, and adopt different personas depending on what they are doing. Some people do it for fun.

From our side, we like the idea of focusing on what is being said, rather than who is talking.

2. Tell us about the books you've published.

ΨΤΜ - Mirror

This is the first book we published and, for most of us @ multitudes, a personal favourite. It is a very original experiment on direct democracy. The authors explore the concept of an apolitical party which, when voted into parliament, will function as a direct democracy vehicle for the party's members.

They describe a detailed architecture for the web portal which is used for all matters related to the party. They propose the use of a web of trust architecture combined with heuristic methods and even bits of artificial intelligence in the mix, in order to verify that all registered members of the portal are unique humans (rather than groups of people or bots), permanent residents of the country in question, and over 16 years of age, without worrying about their real identity. They also explain the concept of the orators: a group of users who take on the task of explaining the content and intent of laws to the members of the platform, each time a vote is scheduled to take place.

Overall, it's an extremely interesting take on injecting direct democracy into parliamentary democracy.

Th0r - Uncanny Connections

In this very current book, Th0r describes a reverse ecosystem for the new globally connected, remote work economy. Rather than having employers from rich countries look for labour in cheap(er) countries, Th0r's platform incentivizes workers from rich countries to offer their skills and employment to cheap(er) countries. He does that by providing a rewards system, backed by an altcoin, which makes up for the money lost via wage differences.

Th0r has done impressive research here. He presents historical examples of similar initiatives, and discusses why each one of these initiatives did not realise its full potential. In his own solution, he groups countries in five tiers, according to the average wage paid to a number of different professions that can be conducted remotely. In cases of more than one "hop", the altcoin rewards are bigger.

The idea Th0r presents is not particularly controversial, but an important one nevertheless. We sincerely hope someone picks this up and transforms it into a real project.

SM - Clonedown

This is a cyberpunk porn novel. It's the story of a woman and her adventures with her partner and three of his clones. Besides the (very graphical) sex acts described, there are large parts of insanely technical narrative related to information security, politics, drugs and genetics.

3. How can one get hold of these books?

All three books are available in the dark web in digital format, using a CC BY creative commons licence. As far as we know, at least one of them has leaked into the surface web. Part of the multitudes project is to provide not just a book product, but a tinge of mystery, and a rare opportunity for the interested reader/seeker to do some research.

We have also printed 50 hard copies of each book, which we sent out to the authors so that they can hopefully make a bit of cash via their work. Readers interested in getting hold of hard copies are welcome to drop us a line; or simply contact the authors directly after tracking down these books.

4. What are your book publishing criteria?

We are very interested in original, provocative work that pushes boundaries. We ask that the material is no less than 25000 words - that is about 60 pages, and written in one of the 6 languages that we can work in: English, Greek, Spanish, French, Indonesian & Mandarin Chinese. We commit to replying to every single submission we get. Hit us up!

5. How do you deal with disturbing material? Where do you draw the line?

We only accept submissions via e-mail and we filter out all images, which takes care of a large portion of disturbing submissions (as well as tons of junk). As far as text submissions are concerned, we have only once received material that we considered publishing but eventually rejected because it was shocking. It was not only the extreme nature of the subject matter; the draft also contained many disturbing references to real people, the veracity of which we had no way of independently checking.

6. Where does the multitudes team stand, politically speaking?

Great question. Perhaps I can start by saying that we can't even agree on definitions of what is left and right within our team. We come from a bunch of different cultures; what is considered left for some is considered center for others. And what is considered right today even for those in adjacent cultures may be rebranded tomorrow.

My personal opinion is that the conversation about the left/right political spectrum is both outdated and irrelevant. As mentioned earlier in this interview, we all value freedom of speech and are willing to take some bullets, so to speak, for publishing controversial, provocative content. We are all influenced by the principles of Open Source Software, we strive to treat all human and non-human creatures with respect, and tread lightly on our planet. What does all that make us? I am not sure. If I were to put a tag onto our team, it would probably be social libertarian.

7. What is in the multitudes pipeline?

We are currently working on an insane book written by Baru Fajr, a trans Indonesian woman, entitled "zero trust secure encounters". The author is introducing the concept of a no-tech casual hookup network, whose target is that individuals have "intimate encounters", to use her own term, with others, without compromising their identity even to the person they are meeting with. She proposes the use of dark rooms, as well as anonymous vouching by existing members of the ztse network. She mentions many different, bizarre ideas, including "free" and "scripted" encounters, verification of objects used during these sessions, and many other things.

Publishing this book is extremely interesting and very challenging for us. Translating from Indonesian is one thing; there is also the difficulty of doing sanity and technical checks on her work, as many of the concepts she discusses are tangled and, as written right now, borderline unreadable.

8. Closing Thoughts.

We hope that when the pandemic is finally over, humanity will be a tad wiser. Let us hope that by 2030, every person on earth will have access to Universal Health Coverage, universal basic income, and unrestricted access to the internet.
This is a fake interview.

***

05.08.2021

Interview with the hacker group LUMINISCENCIA.
Originally conducted in Spanish.

***

0. Please introduce yourself and your crew to our readers.

Hi Greenbridge people. This is ^stalemate^. I am part of the LUMINISCENCIA hacktivist crew. Our crew formed spontaneously in the midst of 2019. Our members are based in various countries but we operate predominantly in Latin America. Mostly Colombia and Brazil at the moment.

We are animal welfare hacktivists. We try to make Latin American people aware of the realities of eating meat and contribute towards a world which treats animals better. But we are not extremists. We are just trying to put our computer skills to use in order to bring about changes to our environment which most people would welcome if only they took a minute to think.

1. What have you done so far?

In the second half of 2019, we targeted two large meat producers, one in São Paulo (BR) and one in Medellin (CO). We scanned their ranges for low-hanging fruit and within a few hours were spoilt for choice on how we would get inside.

As you would imagine, the meat industry has very poor information security practices. Both targets managed their own infrastructure, with shitloads of RDP listeners open to the internet, OWAs with poor password policies, account reuse, publicly exposed shares and a bunch of other things. If I were to guess, I’d imagine looking into their network security hadn’t even crossed their mind, because they considered that no one would have serious reasons to target them, when they can target the banks.

We went into their networks quietly and spent the following couple of weeks doing passive information gathering. We followed different approaches with these two targets, but the core idea was the same: Identify embarrassing secrets and threaten to publish unless the mark meets your demands.

For the Brazilian target we went for their CEO’s inbox. As expected, we found ample incriminating material in his corporate inbox, of a very, very personal nature. We took evidence and screenshots and left their network as quietly as we went in. Then we gave it a month or so of waiting time.

At some point, the CEO received a message from us including a sample from our loot, in which we were explaining that we had accessed his inbox and that we would leak the material if he did not agree to our terms. We asked him to publish a blog post in his company’s social media, signed personally by him, explaining that he encourages people to consume less meat and try out lab-grown meat, citing environmental, ethical and health reasons. We’d actually composed the post for him in a fairly light-hearted tone, as if he’d had some sort of “spiritual” revelation; he’d only need to agree to publish it.

And publish he did, the very next day. The post became viral, and gathered over 100K views within a few days. It’s difficult to measure the exact impact this incident had from an animal welfare perspective. I know for a fact two things: that many, many people in Brazil took a minute to think about their eating habits, and that, as I type this, a huge meat producer in Brazil has committed to introducing lab-grown meat to their menu.

2. Would you actually dox him if he didn’t publish your message?

I am not sure, it’s an area of disagreement within our crew. Personally, I don’t see the point of doxing someone in this scenario. I don’t see how it can help the animals. Other members in our crew feel that this kind of direct action would draw attention and show the world that we are serious about our work. And that it would help animals indirectly, in the long run, provided that we wrote a strong statement to go with it which would explain our rationale for doing this. All I can say now is I am glad we didn’t have to push in this case, as the guy cooperated right away.

I don’t think that causing extreme distress to anyone is justified, ever. Exposing someone so mercilessly from our position of absolute, asymmetrical power would not be right, in my opinion. This particular guy, as you’d expect from a CEO, is a middle-aged, rich, obnoxious man who represents most of the things we stand against. But he actually worked with us; and we honored our agreement.

After the incident, I think he sounds different, when on TV. The differences are subtle, but noticeable. He just sounds more concerned, perhaps more human.

3. What about the other target?

For the Colombian target, we used a similar approach as before, scanning their networks and finding more than one easy way in. In this case we found very disturbing material in one of their shares related to their work practices. I don’t want to go into the details here; suffice to say that there were many, many very sick animals in their factories.

We decided to send the material to the press. But as the story entered the mainstream domain and got dressed in formal language, it lost its punch and momentum. Yes, there was a minor scandal, and supposedly an investigation was launched into the conditions animals were kept in in this meat producer’s premises. But as the meat lobby is extremely powerful, one can assume that the inspectors got some cash, some gentle warnings were given, and a half-assed report about working on animal welfare that nobody would ever read, was produced.

This was a lost opportunity and a wakeup call for us that we’d have to change strategy.

4. Change strategy how?

We decided that we’d focus on the consumers, not the producers.

Through OSINT and simple social engineering tricks, we got hold of a massive mailing list containing tens of thousands of e-mail addresses belonging to meat lovers around the continent.

We had some long discussions about how we could put this list to use. As we were not planning to hack into these people’s personal accounts, we had to come up with a strategy that would bring results differently, without exposing secrets or otherwise doxing them. We agreed on one thing: In this particular target group, most people don’t give two shits about the environment or animal welfare, but they do care about their own health and well-being.

We composed a serious-looking message, supposedly coming from one of Latin America’s largest steakhouse chain restaurants and explained, citing a nonexistent research paper, that frequent meat consumption, particularly red meat, was now clearly linked with reduced sperm count and erectile dysfunction in men, and fertility problems in women. We went on explaining that, although this piece of news is very concerning to meat lovers and damaging to our own business, our consumers’ health is top priority, and closed the message with a recommendation for radical reduction of meat consumption.

This message made the headlines multiple times and made quite an incredible furore. Once again, we have no practical means of measuring the results, but the overall feeling is that the message struck a nerve with many people, made a strong impact, and ultimately spared many animal lives.

This was in the mid 20s, right at the epicenter of the COVID-19 pandemic. As you may have heard, most cities in Brazil did not enforce lockdown policies no matter how high the bodies were piling up; restaurants were mostly open. People kept eating picanhas. And we were kept busy with our hacktivist project.

From that point onwards, we have launched several campaigns, always targeting the consumers, using various approaches. We have used fake websites, social media accounts, impersonation, fake rewards, fake research, fake news, culture jamming techniques and many combinations of the above. The objective always being to discourage people from binging on meat or otherwise abusing animals.

We do not intend to stop any time soon.

5. What are your secops like?

As we are geographically and temporally distributed all over the world, we split the work in units, each of which can be undertaken by a single member. Besides that, we have a few hard rules that we try to stick to at all times:

6. What’s the crew like? What’s the recruitment process like?

We are a fairly small team, fewer than ten people. I only know personally two or three people, but have worked with pretty much everybody in LUMINISCENCIA. Our recruitment process is fairly simple: Any one of the older (=more than a year of membership) members can bring someone new in. The rule is that the recruiter is responsible for the new joiner and vouches for them.

We prefer joiners who have the right character and disposition as well as a genuine desire to help the animals. Technical skills are important but there is nothing that cannot be learnt given time and commitment. Character flaws such as greed and vanity, on the other hand, are not only extremely hard to control, they can be fatal to a structure like ours.

7. How do you feel as a female hacker?

Actually, my gender is irrelevant as far as LUMINISCENCIA is concerned. Besides a couple of members who know me personally, most of my peers don’t even know that I am a woman.

It’s quite interesting when I meet people in person though. I don’t look at all like a hacker stereotype, as portrayed by the media: no blue hair, fishnet tights or nine inch black nails. I don’t even look geeky. Just a female nobody. In this context, people get _very_ surprised when conversations get technical, and I often find myself at the center of unsolicited romantic attention.

Which is a damn shame, as I am only interested in women.

8. Closing Thoughts.

Love is the only force capable of destroying the universe.
This interview is fake.

***

18.04.2021

Greenbridge interview originally published in the 6th issue of the 空运行 (="Dry Run") hacker fanzine.

空运行 ("DRY RUN") ZINE
P.O. BOX 62
SHEN BAO BUILDING
118 RONG HUA ROAD,
FUTIAN FREE TRADE ZONE,
SHENZHEN,GUANGDONG
GUANGDONG PROVINCE
CHINA

***

0. What is the problem with the IT Security Industry?

The Information Security Industry emerged towards the end of the 20th century as a response to a fast-paced digitisation trend and evolved from that point as an organic concoction of very diverse -and often contradictory- tendencies. It has not had the opportunity, or the luxury, to properly define itself or align itself with its (hastily) stated purpose. It lacks formalisation, a central philosophy, a code of conduct and a consensus on metrics. The COVID-19 pandemic has only made matters worse; the industry keeps growing exponentially without even pretending to make an effort, take a step back and re-examine its core principles and assumptions.

In essence, the industry is a hack, and a pretty basic one at that.

The rates most companies charge for information security services are extortionate, which, in turn, makes these services accessible only to a few select clients, typically in the financial sector. There's an uneasy affinity between the Cybersecurity Industry and the Banks: besides being the only sector that can actually afford us, the financial sector is probably the only other industry that is equally elitist, greedy and short-sighted. While the banks are spending fortunes on specialised assessments such as red team attack simulations, there are entire sectors and populations which are lacking even the most fundamental training and support in relation to information security.

The irony of the matter is that at the core of this industry are a bunch of geeks who swear by open source software, information sharing and playing with computers. It's quite astonishing how the industry somehow socially engineered us into pursuing careers and paychecks we don't need, and, ultimately, into supporting a rich elite maintain its status. From a distance, the whole thing looks like an unnaturally acted farce.

We are standing at a crucial crossroads. With the Internet currently being our only means of connection, and hundreds of millions entirely exposed to the (digital) elements, it is borderline criminal negligence on behalf of those of us who work in Information Security to just stand on the sidelines and let this rotten state of affairs perpetuate.

1. What can we do to change things, then?

We can start by trying to create a more accessible industry. Amongst other things, more accessible means helping outsiders get in the industry (this is one of the core objectives we have as Greenbridge). It also means that we must provide our services (much) cheaper to anyone who needs them. To do this, we can, and probably should, take a hard look at ourselves. Do we need these scandalous salaries? Most genuine geeks have a shaky relationship with money, and in most cases tend to see money as a distraction. Sure, we need some of it to buy gear, beer and coffee, but other than that, most of us realise that money creates complications and obligations which we would rather avoid. And what about all these performance reviews, and career paths, and all that crap our companies have signed us up for? What have we got to prove, and to whom?

It only takes a moment of clarity to realise that we are the ones driving this industry forward, and we've got the power to change it radically, from the inside.

2. How did you get interested in Animal Welfare?

Some people in our team have a strong connection to the 90s punk and hardcore scenes. There were many bands -Earth Crisis is a good example- who were very vocal in their vegetarian/vegan stance at the time. Even though we did not take this message particularly seriously back then, this is when we somehow got introduced to the concepts of Animal Welfare and Animal Rights. Over time, we started getting more interested in the subject and also met various bright people who are actively involved in the Animal Rights movement.

The way we treat nonhuman animals is probably the greatest pitfall of our era. Humans like to debate fiercely on whether the death penalty is appropriate for anyone at all, even for the worst criminals, and usually -rightly- conclude that it is never justified. At the same time, we kill over 72 billion land animals -over 1 trillion animals if you take into account aquatic life- per year for food we don't technically need, and yet manage to keep a straight face. And why? Because it tastes good on the palate. You don't have to be a hardcore utilitarian to see the problem here.

3. Why should one take your preaching seriously when you are not even vegetarians?

Most of us prefer to skip meat whenever possible, but will eat meat when in the company of meat eaters. This is known as flexitarianism.

It's difficult to keep the balance in these matters. Greece is a country where meat eating is deeply engrained into the social fabric, particularly in the countryside. By assuming a hardline stance and refusing to eat meat at all, or even dairy, you risk being dismissed as a weirdo with fringe views. To paraphrase Peter Singer, we feel that the main point is not personal purity, but reducing animal abuse to the extent possible, while adjusting to the environment and one's own weaknesses.

In a more general sense, one can support a cause either by funding it, propagating it or living it. Of these three, the last one has the smallest effect when it comes to absolute numbers of reducing animal suffering. Smaller perhaps, but not negligible. At the end of the day, we are flawed humans making an effort, no question about this.

4. What does it take to be a hacker in 2021?

Assuming that one satisfies the core prerequisites -physical & mental health, and uncensored access to the internet-, it primarily takes an open mind and a desire to learn.

We have noticed that many of the most talented hackers do not come from typical Computer Science & engineering backgrounds. A foundation in Computer Science and a familiarity with basic security concepts are essential but besides that, it takes a creative, analytical mind willing to explore uncharted territory. Social engineering is a huge part of hacking in our era. While software and hardware get tighter, more layered and more robust protection mechanisms year after year, the human element is still very much subject to manipulation and will continue being so for a long time.

One of Greenbridge's side projects is a physical artist space in Trikala, central Greece. We hope to have the space up and running by spring 2022, by which time the pandemic should be mostly under control. When ready, the space will be able to house small, analog performances with up to 40 spectators. Our vision is to use this space as an incubator where people interested in information security and people with a creative arts background can meet. We see tremendous potential in introducing these two communities. We've done something similar, at a much smaller scale, in the past.

5. What should a (new) hacker ethic comprise?

The hacker manifesto was written 35 years ago, but its core concepts of curiosity, community, the pursuit of truth and non-discrimination are more valid and relevant than ever. What has, perhaps, changed a bit is the scope of hacking, which has definitely expanded beyond the confines of computers into a much more diverse array of domains.

Furthermore, if one were to consider the traditional triad of Confidentiality, Integrity and Availability as a basis for the conversation, the focus has probably geared towards integrity rather than confidentiality, which was the case a couple of decades ago. We do have strong encryption and anonymity tools that work today, but unless there are truly serious reasons to hide one's identity, the effort it takes to use these tools consistently and diligently usually outweighs the benefits of anonymity. Edward Snowden's revelations and the WikiLeaks project are not just two of the most important hacker developments of the 21st century, but also very indicative of today's push towards radical transparency. Hackers could play a key role in guarding the integrity of information, while exposing misconduct.

6. How has the response to the project been so far?

We've just started out in January 2021, so it's all very fresh still. We've been in contact with various people both at the candidate and the employer sides in a number of countries, and the comments we have heard are positive and encouraging. If you like what you see @ Greenbridge, we strongly encourage you to get in touch, particularly if you are an aspiring infosec geek who hasn't managed to penetrate into our embarrassingly walled-up industry.

We try to keep a minimalist, grassroots approach on Greenbridge. We do everything ourselves on a next-to-zero budget. This means that web design, graphics, templates, legal, web development, communication, networking, SEO, assessment methodologies, research, writeups, accounting, promotion, recommended curricula, procedures and everything in between are all done by a handful of people in a DIY and rather primitive manner. We believe in doing things slowly and organically in order to build foundation at the beginning of most projects, including this one.

7. What is the future of the Industry?

There's so much going on right now it's very hard to make any predictions at all, let alone long-term predictions.

Our view is that Information Security will likely make up an integral part in various industries which traditionally have considered us irrelevant.

The Decentralised Finance space as well as the new blockchain-related technologies is a good example. Right now, the DeFi space is somewhat notorious as it has been hijacked mostly by idiots who are looking for a get-rich-quick scheme. Altcoins are not used as payments, but mostly as an alternative investment, and the marketplace is extremely volatile and premature. But the potential is undeniable; the dust will settle at some point soon, and the companies leading this space will need to thoroughly look into their modus operandi. Our understanding is that there have not been any serious reviews into the security implications decentralised finance may have. As this industry is heavily dependent on encryption algorithms and mathematics, many of the information security tools of the trade would be very relevant here.

There is also enormous potential in transforming the (now broken) media sector. Right now, the media is bloated, messy and entirely untrustworthy, as there is no reliable way of verifying whether a piece of news is true or false. Fake news spreads much faster than real news. The public is disoriented, agitated, in disbelief. Again, information security techniques could come in very handy to check the integrity of news stories, verify sources, and eventually create a more reliable and accountable industry.

Lastly, we expect that Artificial Intelligence and Task Automation are forces that will profoundly transform not just the Information Security Industry but the entire edifice of human civilisation.

8. Closing thoughts.

This interview is fake.