“The hacker community needs more mutual support, empathy, and forgiveness. The cattiness and paranoia serves no one but those with the most resilient egos.”
This quote was sent to me just five days ago by an old friend. The conversation we were having was one of reconciliation, and I had half-jokingly blamed being part of the hacker community as the reason why I can be so abrasive sometimes. But there was no humour in what she answered. That quote was exactly true.
From time to time there are a couple of blog posts, a couple of discussions about the social and behavioural issues we may have in hacker culture.
But there haven’t been discussions as to why young hackers, especially those striving towards new methods of sociopolitical change, are killing themselves. And there was no discussion as to whether the hacker community itself might have something to do with it.
I cannot speak for Aaron Swartz. I knew Aaron only briefly and distantly. But Aaron Swartz wasn’t the first. There were other suicides: Ilya Zhitomirskiy, the co-founder of Diaspora. Len Sassaman, the renowned cryptographer. They are united with Aaron Swartz via their goals, their methods, their drive and their youth.
The hacker community is plagued, and our plague is a plague of ruthlessness, of a lack of mutual reinforcement. A plague of keeping up appearances. A plague that has managed to convince us that seeing people and their efforts in black and white is alright. A plague that makes us believe that personal attacks are valid against hackers, programmers and entrepreneurs we don’t agree with, that defamation and harassment are valid weapons when our online personas are attacked, when there’s a project we don’t like or that we feel somehow threatens us. And the harassment can be ugly. It can be pervasive, as if those committing it see their target as part of a video game that they just know they can beat. It can involve race, sex, and intense gas-lighting and demoralization. It’s a plague that keeps us all busy, as a regular part-time job, making each other feel like failures. Criticize ideas, not people.
Hackers are unique in that for some, federal subpoenas are a fact of daily life. Handling zero-days that can bankrupt corporations may happen weekly, amongst many other surreal, Hollywood-scenario problems.
On top of this, the community is not supportive, but jealous. Not empathetic, but insecure. Not forgiving, but spiteful. Hackers, all together facing the same surreal problems that alienate them permanently from the rest of natural society, find themselves stuck in a bubble of self-destruction and self-deprecation. This is what drives young hackers to kill themselves. This may not have been what drove Aaron Swartz specifically, but it is a contributing factor and a serious problem in our community.
Criticize ideas, not people. Stop it with all the lip service. Public discourse of the most difficult issues has largely only been elevating the jealousy, insecurity and spite. Endless discussions without any reconciliation as our community so slowly falls apart.
Chris Soghoian is a well-respected privacy expert. He has written excellent articles and critiques, including an excellent critique of Skype in which he concludes:
“We need transparency. Until it is more transparent, Skype should be assumed to be insecure, and not safe for those whose physical safety depends upon confidentiality of their calls.”
Chris has also covered my own work, in asking those reporting on my research to be more inquisitive and patient, allowing security research to be audited before declaring it secure. For this and for his position on Skype, he is to be lauded. Chris has also been helpful in introducing me to experts such as Matthew Green and has expressed interest in getting my research audited.
It is therefore baffling when Soghoian, who has built a well-deserved reputation for himself as a privacy, security and transparency advocate, ignores the principles of security by design and transparency specifically and possibly uniquely in the case of Silent Circle, a competitor to Skype that claims to encrypt all phone communications. I have serious problems with Silent Circle, about which I concluded that, due to the project’s closed nature:
“…there exists no method of verifying the effective security properties of Silent Circle, or to verify if, at all, the application does anything more or less than what it says it does. [...] Silent Circle stands in the same area as Skype: both promise encryption and yet offer no method to verify the security, integrity and reliability of their claims.”
I’ve made a big deal of my disappointment with Silent Circle in public, to the point where eventually Silent Circle began releasing some of their source code — an exciting and promising move. However, their source code remains released only in incomplete chunks and definitely is lacking.
The difference between security by policy and security by design
Soghoian’s patronage of Silent Circle is baffling because he goes to great lengths to defend a project that can so far only be defended by its policies and not by its design. This is an important difference, one that an expert such as Soghoian must be aware of: Silent Circle can adopt policies of accountability, security and transparency, but those policies depend on trust and do not promise a software design that is open source and that can be peer-reviewed for transparency. While Chris has lauded Silent Circle with praise for their (good) policies, he does not address the woefully lacking design front.
Seeing as Chris had previously written about Skype demanding more transparency and even had written about my own work demanding more peer review, one would expect him to cast a similar view on Silent Circle. However, in the wake of some analysis of Silent Circle’s protocol this morning, Chris immediately responded by tweeting a policy-based defence of the same protocol.
A few weeks ago, I emailed Chris asking him why, while he had written extensively on transparency requirements for Skype and peer review requirements for my own research, he had chosen to turn a blind eye to Silent Circle. His response was to publish my emails to him publicly and falsely accuse me of soliciting a “hit piece.” This was especially unacceptable behaviour. Soghoian is endangering his claim of independence. Chris accused me of seeing Silent Circle as a competitor to Cryptocat — Cryptocat is a free web instant messaging service whereas Silent Circle is a smartphone app for voice communication. I believe Skype to be a more proper competitor to Silent Circle.
I do not believe that any project should be immune from the requirement for open code review, no matter its policies or the personal reputation (or connections) of its creators. Just as security experts have asked for transparency and peer review from Skype, they should ask for the same from Silent Circle instead of focusing solely on the project’s policies. For me, this is a matter of ideology for the cryptography community, one that I believe is necessary to maintain an atmosphere of open, transparent cryptography software development.
The dangers of ignoring security by design
Silent Circle has continued to target activists without having its complete source code open for public review. In that article Silent Circle claims:
“Users don’t even have to be worried about Silent Circle being coerced into doing wiretapping, [...] [No one] will have the ability to decrypt your communications across our network – ever.”
Without openly reviewable security by design, we cannot know that these claims are true. My own project, Cryptocat, recently fixed critical security bugs that were only discovered due to the project being openly reviewable by design. Had we followed Silent Circle’s design philosophy, open-source volunteers would have been unable to publicly review our work and discover the critical flaws that we later fixed. And as such, Cryptocat would have remained carrying dangerous vulnerabilities.
Silent Circle cannot be defended until it addresses security by design in the same excellent fashion in which it addresses security by policy.