Banning Feds From DefCon Is Self Defeating. Here’s Why.

Posted on 11 July 2013 by


If you’re not familiar with DefCon, the hacker confab that has been meeting in Vegas for more than 20 years, you’re not paying attention to hacking.

DefCon (and the accompanying conferences like BlackHat and BSides) makes Vegas the nerdiest place in the universe during July. You don’t want to use an ATM, connect to a wireless hotspot, plug your phone into or call … well, anything, or in any way interact with electronics while you’re there.

Why? Because the hackers have fun, that’s why.

Part of the fun for as long as I can remember is the generally good-natured, “Spot the Fed” activity, during which feds try to (PAH!) blend in, and hackers try to out them.

Yesterday an extraordinary message was sent from Dark Tangent (aka Jeff Moss) on the Defcon Website, asking feds to stay away from DEFCON this year:

For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.

When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a “time-out” and not attend DEF CON this year.

This will give everybody time to think about how we got here, and what comes next.

That doesn’t sound like a ban, but rather a request, but it’s being seen by some as a ban, so I’ll call it that – this in no way detracts from the decent way Jeff worded the request.

Regardless: I think this is a monumentally bad idea[1], and this post sets forth (a) why I think it’s a bad idea; and (b) a bibliography of reference materials  to both support my position and also to give those in the law enforcement and hacking communities some references to signals intelligence (SIGINT), surveillance and its history.

But to my main point:

Who in the hacking community or around it would not have understood and known about the activities engaged in by the signals intelligence community? Who among the hackers can say that they have not legitimately attempted to do everything in their power to understand what the SIGINT crowd does if only to use some of those wicked-awesome tactics, techniques and procedures themselves?

If you’re a hacker and trying to understand how to perform reconnaissance, how could you not have researched what the SIGINT community was doing? When you consider the very phrase “Operational Security” are you unaware that this phrase and this discipline itself has been perfected and documented by professionals within the government (who share this in open sources)? The concept of “tradecraft”, too, has been advanced and turned to art form by the government.

In fact, some of the world’s best hackers work within, or were trained in, the SIGINT, Intelligence and/or law enforcement communities. The list of luminaries in the information security and hacking community who are SIGINT and Intelligence community alumni is….well it’s a long one.

And if you work for a vendor in the IT security community, your marketing flack makes the absolute most they can of these connections – often demonstrating a lack of knowledge about the SIGINT and Intelligence communities that is unintentionally hilarious (reason number 654 why I love reading IT security marketing).

It is crucial to continue the excellent relationship that is simultaneously collaborative and competitive and wary and aggressively distrustful that has been the status quo for two decades. The relationship between hackers and feds is symbiotic. To deny this is shortsighted, wrong and panders to a constituency that is irrelevant to our shared goals. It also defies the concept that, “Our community operates in the spirit of openness, verified trust, and mutual respect.”

To the main point, about the “recent revelations”, below I list a whole boatload of links that demonstrate that watchdogs, whistleblowers, lawyers, privacy professionals and security professionals including me have long been discussing the issues raised and even many of the specifics discussed – and informed people have been reading about – all the “recent revelations” since 2005.

Click the links below and you will see that almost all the evidence of what was recently “whistle-blown” had already been a part of a lawsuit brought by the Electronic Frontier Foundation in 2008.

Just because people haven’t been paying attention up until now does not make this stuff “recently revealed.” 

It’s also hypocritical. I have been positively gobsmacked to see people I know to be intelligent claiming to be stunned that people in the SIGINT community look at signals for the purpose of gleaning intelligence?

You’re shocked that the intelligence and SIGINT communities act offensively as well as defensively?

These “revelations” are “recent“??

In what manner can this be surprising to anyone unembarrassed to claim the title of “geek”, let alone “hacker”?

Isn’t one of the primary skills required for this community the ability to parse open sources for information and perform inferential analysis? Aren’t we proud of our “doxing” cred, and isn’t doxing at its heart the act of using open source intelligence tactics, techniques and procedures to glean information on a target?

Here’s an example: I read somewhere that it is possible, you know, for some time, to intercept and examine packets being transmitted over wireless access points. I got hold of one of the dozen or so programs that lets me do that, and sat in front of a coffee shop and “sniffed” the “traffic” and lo and behold! I found that people were sending their user names and passwords to things like Facebook, Twitter and their email. Wow!

Who would have thought that the government would do such a thing? They’re not supposed to do it without a warrant, but the idea that it would be shocking to find that secret courts have issued secret rulings that allow secret groups within the government to perform this kind of secret surveillance is preposterous – if the technical capability is there and a need to do it is established, I can (and vigorously do!) argue that they SHOULDN’T do it, but am I surprised that it is done?


When we look at the Snowden “revelations,” in what possible manner can these be considered by anyone in the community to be “recent“? Five Eyes? UKUSA? Have you been reading? Even if we only do recent open source stuff, it’s not as if this stuff is secret – UKUSA and Five Eyes and domestic surveillance by the NSA and call data records and metadata mapping, etc etc, has been around for, you know, a while now.

Like, since 1946.

How did I get this groundbreaking intelligence? I went to fucking Wikipedia:

The United Kingdom – United States of America Agreement is a multilateral agreement for cooperation in signals intelligence among the United Kingdom, the United States, Canada, Australia, and New Zealand. The alliance of intelligence operations is also known as Five Eyes. It was first signed in March 1946 by the United Kingdom and the United States and later extended to encompass the three Commonwealth realms of Canada, Australia and New Zealand. The UKUSA Agreement was a follow-up of the 1943 BRUSA Agreement, the World War II agreement on cooperation over intelligence matters.This was a secret treaty, allegedly so secret that it was kept secret from the Australian Prime Ministers until 1973.

The agreement established an alliance of five English-speaking countries for the purpose of sharing intelligence, especially signals intelligence. It formalized the intelligence sharing agreement in the Atlantic Charter, signed in 1941, before the entry of the U.S. into the conflict.

That there’s some groundbreaking stuff. Where else can we find such bombshell material? Lots of places.

Like on the website of the National Security Agency, which said,

The UKUSA agreement, first called the BRUSA Agreement, was signed in March 1946 and continues to serve as the foundation for cooperation in signals intelligence between the two nations. The agreement was later extended to encompass former British Dominions: Canada (1948), Australia and New Zealand (1956). Collaboration in various areas of critical intelligence between each of the five partner-nations continues to the present day.

OK, so it’s not exactly a secret that these nations share SIGINT, but we didn’t know details, right? Right?

Not so much. James Cox wrote a pretty darn great overview paper last year, in which he has charts of who within the Five Eyes community does what, and how it all gets done; it also has a two page bibliography comprising open sources that you can read that will explain a lot more about it.

Too busy to read a PDF? How about a blog? Mark Collins wrote one a while back called What “Five Eyes” Intelligence is All About; if you get a chance you can read up – there are some links to other information there as well.

There are those who believe that Five Eyes is not big enough, and that more countries that consider themselves to have skin in the game should be added.

Now that is some sensitive information. I read it in Reuters[2], on its blog, in a post entitled, India-U.S: Advancing a Transformed Relationship.

So far it’s very obscure stuff, I know[3], and some could argue that this information has been, historically – at last until the Guardian stories – hard to find. To them I would say that there’s this wonderful group called the Electronic Frontier Foundation (to whom I give money each year for their excellent work). The EFF has been considering the impact of domestic surveillance by the NSA for some time.

They have written about it on their website, and they made it especially easy to find: it’s called, NSA Spying On Americans.

The US government, with assistance from major telecommunications carriers including AT&T, has engaged in a massive program of illegal dragnet surveillance of domestic communications and communications records of millions of ordinary Americans since at least 2001.

News reports in December 2005 first revealed that the National Security Agency (NSA) has been intercepting Americans’ phone calls and Internet communications. Those news reports, combined with a USA Today story in May 2006 and the statements of several members of Congress, revealed that the NSA is also receiving wholesale copies of American’s telephone and other communications records. All of these surveillance activities are in violation of the privacy safeguards established by Congress and the US Constitution

Sounds very much like the “recent revelations”, don’t it?

But, gosh… if only we had more information, of the kind that Snowden stole, in order to back up these claims. If only the EFF would come up with some kind of, I don;’t know, compendium, maybe something called, NSA Spying: How It Works.

Oh, wait. They did. EFF lists how things work:

…[T]he government convinced the major telecommunications companies in the US, including AT&T, MCI, and Sprint, to hand over the “call-detail records” of their customers. According to an investigation by USA Today, this included “customers’ names, street addresses, and other personal information.” In addition, the government received “detailed records of calls they made—across town or across the country—to family members, co-workers, business contacts and others.” A person familiar with the matter told USA Today that the agency’s goal was “to create a database of every call ever made” within the nation’s borders. All of this was done without a warrant or any judicial oversight.

Wow. And that was almost ten years ago, nine years before the “recent revelations” that the government was getting call detail records from the carriers and trying to create a database of all the calls in America.

EFF was thoughtful enough to provide a one-page PDF document that includes the street address of where the evil equipment is, for those unwilling to read all the words in that long EFF post or in that long (snigger) article in USA Today (a paper known for its lengthy diatribes).

AT&T’s internet traffic in San Francisco runs through fiber-optic cables at an AT&T facility located at 611 Folsom Street in San Francisco. Using a device called a “splitter” a complete copy of the internet traffic that AT&T receives – email, web browsing requests, and other electronic communications sent to or from the customers of AT&T’s WorldNet Internet service from people who use another internet service provider – is diverted onto a separate fiber-optic cable which is connected to a room, known as the SG-3 room, which is controlled by the NSA. The other copy of the traffic continues onto the internet to its destination.

When the NSA’s spying program was first exposed by the New York Times in 2005, President Bush admitted to a small aspect of the program—what the administration labeled the “Terrorist Surveillance Program”—in which the NSA monitored, without warrants, the communications of between 500-1000 people inside the US with suspected connections to Al Qaeda.But other aspects of the Program were aimed not just at targeted individuals, but perhaps millions of innocent Americans never suspected of a crime.

Did you see that? The EFF says that the NYT broke the NSA’s domestic spying program in 2005. Back then it came out that the NSA was placing equipment within telecom carriers to get information about call data records. Does this sound familiar? Maybe it’s familiar because, years before Snowden stole PowerPoints and showboated around Asia and Russia, the EFF was busy actually doing something useful about this – they were suing: In 2008, the EFF filed Jewel v NSA, EFF brought suit against NSA and other government agencies on behalf of AT&T customers to stop the illegal unconstitutional and ongoing dragnet surveillance of their communications and communications records.

This next paragraph is pretty important:

It also includes declarations from three NSA whistleblowers along with a mountain of other evidence, including secret government documents recently published in the Guardian and Washington Post that confirm our allegations. Two of the most critical documents directly reference the “upstream” collection of communications from fiber optic cables and the domestic telephone records collection program, which was subsequently confirmed by the government in June, 2013.

Again, EFF and thousands of others have been talking – and informed people have been reading about – all the “recent revelations” since 2005.

NY Times reporters James Risen and Eric Lichtblau received Pulitzer Prizes for their 2005 reporting on the fact that Bush Lets U.S. Spy on Callers Without Court – Secret Order to Widen Domestic Monitoring.

In 2006, USA Today reported that NSA has massive database of Americans’ phone calls.

Buried in the Wall Street Journal’s front page in 2010 was a story about how the NSA planned to place sensors into private computer networks to detect cyber attacks, in a story entitled, U.S. Plans Cyber Shield for Utilities, Companies. This NSA move into private networks was in fact documented in lots of places, albiet with obscure titles like, NSA Launching “Perfect Citizen” Surveillance Program to Monitor Private Networks for Cyber Attacks.

Those who voted for change based on candidate Obama’s statements about domestic spying seemed to lose interest, even when stories surfaced, like this one in 2012, that NSA Domestic Spying Continues Under Obama, and fringe outlets like Slate reported even this year on similar stories, with obscure and hard-to-parse titles like, Details Revealed on Secret U.S. “Ragtime” Domestic Surveillance Program

Then there are the books. Hackers and people with an interest in intelligence tend to read voraciously, and there have been a number of books on the subject of SIGINT, the NSA and members of Five Eyes, such as the UK’s GCHQ. Here’s a partial reading list that pretty much comprise table stakes for anyone wishing to discuss intelligently anything to do with electronic surveillance, code monitoring or SIGINT. Let’s start with The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, Simon Singh’s wonderful book about just what the title says it is about. Let’s quickly move on to James Bamford’s absolutely essential guides to the NSA, which are about as much as someone with no clearance can get on the agencies without breaking the law. These include Body of Secrets: Anatomy of the Ultra-Secret National Security Agency, The Shadow Factory: The NSA from 9/11 to the Eavesdropping on America and the groundbreaking The Puzzle Palace: Inside America’s Most Secret Intelligence Organization. Published in 1983, “James Bamford exposes the inner workings of America’s largest, most secretive, and arguably most intrusive intelligence agency.” It…

Wait a minute. NINETEEN EIGHTY THREE? That’s right, bitches. This is not a news flash.

Another must-have, read-now is the stunningly excellent and incredibly readable GCHQ: The Uncensored Story of Britain’s Most Secret Intelligence Agency by Richard J. Aldrich.

While you’re at it, get a gander at Franklin D. Kramer, Stuart H. Starr and Larry Wentz’ Cyberpower and National Security, from the National Defense University press; Matthew M. Aid’s 2010 The Secret Sentry: The Untold History of the National Security Agency, Richard Clarke’s Cyber War: The Next Threat to National Security and What to Do About It or Jeff Carr’s Inside Cyber Warfare: Mapping the Cyber Underworld.

And for information about contractors, among whom we can count at least one weasly shitbird, read Deep State: Inside the Government Secrecy Industry by Marc Ambinder and D.B. Grady and/or Spies for Hire: The Secret World of Intelligence Outsourcing by Tim Shorrock.

The point of all this is not to diminish the importance – by which I mean the impact – of the Guardian’s reporting of Snowden’s stolen secret documents. I suppose that Snowden is in fact a whistleblower, not in the sense that he revealed anything particularly new or particularly illegal (it wasn’t and it isn’t), but in the sense that it was done in such a way (mainly by the Guardian) that people are finally paying attention.

Getting Back To The Point

The point of this post is to appeal to the DefCon organizers not to cave to popular sentiment and “fuck the pigs” mentality, but rather to understand that in this industry – the computer and network security field that includes hacking, cyber, cyber-crime, vulnerability research, exploit research, investigation and incident response – there is a delicately balanced ecosystem of bad guys, good guys and cops. Many wearing one label do things typically associated with another. But there has been a balance struck. Banning feds from the industry’s most productive important annual conferences[4] isn’t smart.

It’s self-defeating.


[1] this is not sour grapes, either – frankly I don’t care one way or the other, because it doesn’t affect me: I’m a cop, not a fed, but I’m also in the industry as a commercial incident responder and in any event I can’t attend this year. 
[2] This is about as ninja in the OSINT world as was Hans Gruber’s demand that the feds free the nine members of the Asian Dawn movement from their captors. Asian Dawn Movement? “I read about them,” said Gruber, “in Time Magazine.”
[3] This is sarcasm. It’s intended to highlight the head-thwacking ease of finding this stuff. 
[4] Taken to task by several including @andrewsmhay and @daviottenheimer on the twitters for calling this “most productive”. My intent was to describe this as important for the theoretical and practical work demonstrated and discussed in addition to the social networking and business meetings that take place here. That was silly and less well-considered than the rest of what I had to say.