Angry Animal 1

Rebuttal: Rafal Los + Sam Bowne Wonder Twins Activate!

(form of: noob)

Wed Feb 1 19:38:35 CST 2012

jericho

This is a rebuttal piece to comments made today by Rafal Los (@Wh1t3Rabbit) and Sam Bowne (@sambowne), primarily on Twitter.

There are several issues here, loosely related, so this is only a single rebuttal because it's barely worth the time to reply. In my personal experience, Rafal Los has been receptive to constructive feedback. Sam Bowne, on the other hand, is a naive blowhard who seems to be a few vodka shots from choking out a Thai hooker to get first hand experience of what evil feels like.

I want to qualify that I feel both individuals live in a heady world that is a mix of academia and naivety. In the case of Los, this becomes apparent after his Twitter conversations the last few days on computer crime and law, in which he asked some very basic questions that suggest he is not familiar with practical application of computer crime laws on any level. For Bowne, it's more a case of this demented reality he lives in where he is some knight in shining armor, who wraps himself up in the scorn of everyone else that he pigeonholes into blackhats and criminals. For this rant, the subject is their comments and thoughts on the hacktivist group Anonymous and ethics.

Disclaimer: I am not a member of Anonymous. I am, however, a co-author on a series of articles that point out the good and bad of Anonymous.


Sam Bowne Stupidity

Bowne's first tweet, in which he states that he equates the severity of hacking with murder, is patently stupid. I cannot begin to describe how deluded, how buried in a fucked up academic life he must be, to make such a statement. Disagree with me? For argument's sake, let me hack your crappy desktop and access your browser history or illicit chat logs. Then let me shoot you in the fucking face. After that, let's debate the point again. Oh wait. Yes, I saw his qualification of "especially .mil and .gov". Again, compare the tens of thousands of compromises of government and military computers with the deaths of over 100,000 people in the Iraq war. How many of those .gov / .mil data compromises led to how many of those deaths?

Next, Bowne goes on to ascribe a single view to a group that defines diversity. He believes that Anonymous, the entire group (note: he did not say "some in Anonymous"), are "cyber terrorists", have no principles, have no rules, and are going to start using guns and bombs to "kill people directly" at some point. Using Bowne's logic of applying sweeping statements to an entire group of people, we can use this teacher to label Bowne, a teacher himself. The very small percent of bad teachers, that make the news without exception, are not a representation of all teachers. This is common sense. Anonymous has some bad apples, and anyone can claim to be a member (a weakness of their model that we address in our articles on the group), but it does not mean they represent the entire group, or everyone affiliated with the group.

Perhaps this is due to Twitter and the 140 character limit, or perhaps Bowne isn't bright enough to notice the meaning of his words, or perhaps Bowne is engaging in his own social manipulation. When he says that "Anonymous has definitely increased the risk of physical harm to police informants and officers' families", he is right. However, he doesn't qualify this statement at all. Some people that affiliate themselves with Anonymous have hacked and leaked emails and information that put informants and officers at greater risk. That has happened a few times, and affects informants/officers at specific departments or regions. It does not affect a majority of law enforcement, for example, and many others that affiliate with Anonymous disagree with that activity completely. Rather than consider these points and write something that examines the issue in the right context, Bowne would rather release Twitter sound bites that demonize and vilify without care or consideration. Basically the same thing he calls Anonymous evil over.

His last tweet in this screenshot (not so) cleverly mixes very different activities, and tries to brand them with equal severity. First, consider what danger means; liability or exposure to harm or injury; risk; peril. Juggling tasers is dangerous. Driving at night without headlights is dangerous. Hurting an animal in my presence is dangerous. If your credit card is dumped, is it dangerous to you? No, it is an annoyance at best 99% of the time. Is dumping passwords or emails dangerous to you? Not usually. There are some cases where it can present danger, such as confidential informant identities being published. In the grand scheme of things, those cases are very rare, and dumping email or passwords doesn't present a danger to anyone. If it is dangerous, then why does Bowne himself consistently link to password dumps, some of which even thank an Anonymous affiliated account? If such activity is 'dangerous' and those actions are part of why he brands Anonymous 'cyber terrorists', then why does Bowne do the same thing? Because he is a fucking hypocrite and unethical himself.

This is just one of many examples where Bowne is extremely biased on a given topic, and worse, does not realize that his own actions have branded him as unethical in the eyes of many security professionals for over a year now. On top of his hypocritical and unethical actions, Bowne's naivety should be criminal. For a college professor, he is a disgrace.




Rafal Los Naivety

Rafal Los, Enterprise & Cloud Security Strategist or Security Evangelist at his employer (depending where you read) decided to "take a break from clouds" and "wax philosophically with" Twitter, before writing a blog on the subject. First, don't get me wrong, some debates are fun, productive, and great to keep us aware of bigger issues in security. On the other hand, some debates have been lit on fire, run into the ground, and buried, only to be dug up every few weeks. As such, they aren't fun or productive; they waste time rehashing every possible point that was covered years ago. In this case, the 'debate' Rafal wanted to engage in was about computer crime law and ethics.

Several people, myself included, contributed to the debate on Twitter. I answered several of his questions about where the law stands, and based on his replies I believe they were educational to him. Good for him. Although, if he had done some reading and research beforehand, it may have been a more productive debate. Given the history of the security industry and passionate debating about topics that will never be resolved, the least that can be done is understand the issues and try to evolve the debate. Anyway, others chimed in and it was mostly good and helpful (to him at least). The one thing that he did wrong, as do all of us (myself included), is attempt to debate complex issues on a medium that restricts you to 140 characters at a time. We're all morons for doing it. This time was no exception, as 140 characters quickly began to make points too simplified, and too easy to read several different ways. In this case, Krypt3ia (who I personally know to have a better handle on computer crime law than Rafal) ran into this. Rafal's points were not very clear, Krypt3ia replied, and showed 'passion' as well as frustration.

Krypt3ia ended up providing a link to more information, and then agreed with someone that computer crime laws have not caught up to modern times. That statement is not only correct, it has been correct every year since computer crime laws were written. They have always been behind the times. Up until this point, all is well in the land of pointless Twitter debates. When Rafal moved to direct messages, he crossed a line. First, he implies Krypt3ia sounds like "the Anons", and quickly disclaims "absolutely no accusations". What the fuck? The last time I told someone, "You sound like $GROUP/$PERSON", I did not feel the need to qualify it. "Josh, careful, you sound like an academic... absolutely no accusations!" That qualification makes it sound accusatory when it wouldn't have otherwise.

Worse, what exactly have "the Anons" said about computer crime law that is so wrong or bad? Even after researching and reading a considerable amount for a seven-part article on the group, nothing comes to my mind where they have collectively made a definitive statement on computer crime that was irrational, illogical, or "wrong" in any way. What does Rafal mean by this? Can he cite a source to put it in context, and explain why Krypt3ia (or anyone else) doesn't want to sound like them when debating the law? This absurd statement reminds me of debates with academics, who are nose-deep in books and theory, and have jack-shit for real world experience. That theory and those lofty ideals only go so far outside of a classroom or library.

In short, if you are going to debate on Twitter, you are doomed to misunderstand each other at some point. Knowing that, don't degrade into even more pointless comments that are equally (or more) loaded than the first.

