Do you classify yourself as a hacker?
Yes, I’m a hacker. At the same time, I’m a security researcher: Companies pay me to help them locate problems and breaches in their security.
You said in a TED talk that hackers are the “immune system” of the Internet.
The world of technology is an ecosystem of which we’re all a part. If we don’t protect ourselves, if we don’t immunize ourselves, we will go on spreading diseases, viruses and problems. People are starting to wake up and grasp that hackers aren’t only a problem – they can be part of the solution.
Do you mean in terms of protecting our privacy?
Secrets and privacy are concepts that belong to the 20th century. Even the notion of “information security” is no longer completely relevant. We are not protecting information now; we have no secrets from Google, Amazon, Facebook, Apple, etc. Most human interactions today are mediated by the technology giants, which hold all the information. There’s a great line: “If you’re not paying for the product, you are the product.” For the wonderful services we get free from Twitter, Facebook and Google, we pay with our privacy, and what we have already given we can’t get back.
So we should start taking the price into account.
We need to start thinking in different time frames. The information we’re giving Google and Facebook will remain with them for many years. And also with advertising companies, data analysis firms, trend-research institutes and others. And with the governments or corporations that control them.
Google’s motto is “Don’t be evil,” and its founders try to abide by that. But what if, in 10 years, they aren’t there anymore, and policy is being set by the shareholders? Google will possess not only almost all human knowledge but also the services we rely on. In recent years, Google bought eight advanced-robotics companies. It’s investing in technology that will allow very-high-speed Internet by means of optical fibers or by something like Internet balloons that will make it possible to connect places that were never hooked up to the Web. It’s investing in laboratories that are totally reinventing technologies. When I worked with Singularity University, in California, I researched the more dangerous aspects of these new technologies: Who will control them? Who will prevent their abuse?
And our dependence on these technology companies is constantly growing.
It’s already past the point of disconnect. I wrote in Wired that in another 25 years, privacy will be a vintage item. Only those with vast resources and connections will be able to preserve privacy – like a billionaire who lives on a private island and uses only a particular satellite hookup.
What exactly is it that we don’t understand when we post our information on the Web?
That it’s no longer ours. It can be copied and preserved and disseminated, almost without time or space limits.
And contrary to what Yair Lapid and others may think, it can’t be deleted.
The Internet doesn’t like to have things removed from it. Thinking that you can do so is fundamentally mistaken. You can’t take the information back and you can’t control what will be done with it.
Let’s say we were to take our picture now and post it on Facebook. I’m wearing a Cyberdog [retail chain] T-shirt. The Facebook algorithm would recognize that logo, and I would start getting advertisements for Cyberdog sales. That’s a routine sort of scenario, nothing fictional about it. Now, let’s say that in 10 years the political climate changes, and people who wear Cyberdog are considered subversives – and are put on a surveillance list.
The cybersecurity expert Mikko Hypponen says that not only are we forgoing our privacy and our rights to information, we are doing it for the sake of those who will control the conglomerates and the governments in another decade or two, and we have no idea what their approach will be.
Our information will still be in their possession. The future Big Brother, which could be a Google-type conglomerate or even some sort of artificial intelligence that will control us all, will have that information. We gave it to them, we can’t have it back. We’re still relying rather blindly on the good will and altruism of these conglomerates.
Is there a difference between information we provide voluntarily, such as a Facebook post, and information we’re not aware that we provide, such as a search history?
We are completely exposed to Google and Facebook, and not only at the corporate level – the people who work there also know everything about us. Google isn’t only a search monopoly, it’s also a monopoly in terms of presenting ads based on the information you searched for. To uphold that status, they are tracking the activity of most people on the Internet in an unprecedented manner, whether by means of cookies, which harbor information about our surfing habits, or by looking at our Internet searches, or by reading our email on Gmail.
Facebook is not just posts. Some people use it to find services such as Airbnb. It’s now been revealed, for example, that Uber has something called the “God mode,” which allows them to see everything their users have done. Whom they rode with, where they went, how long they were there.
Good luck to us all.
It’s a matter of awareness and choice. You need to give information in the knowledge that you might have a problem a few years down the line. Today a 15-year-old girl posts a photo of herself doing piercing. Ten years from now, when she comes for a job interview, part of the process will be to examine her social-networking profile. A third of all employers already check that profile before hiring someone.
What about governments? I read somewhere that the United States treats the Internet like one of its colonies. So it’s not illogical to think that the government will read our emails.
For sure, and especially with the United States, because that’s where the Internet started and also because most of the major Internet companies are American. Everyone in the world who uses Internet services – buying a book on Amazon, tweeting on Twitter or posting on Facebook – should know that the U.S. government can know almost anything it wants to know about them.
What about the government of Israel?
The government of Israel has other privileges. When you connect to the Internet here you do so through one of five providers, all of which, in the end, pass through the cable or the undersea cables that connect Israel to the Internet field. The authorities can demand – via a court order in liberal democracies, or by means of in-built technology in the case of Egypt or Syria – that these service providers monitor all the Internet activity of the country’s citizens and of visitors to the country.
So, if I want to plan a terrorist act I’d be better off not working with Gmail.
When the former director of the U.S. National Security Agency, Gen. Keith Alexander, was asked to justify the scale of the NSA’s espionage, he claimed that their program to penetrate Facebook alone had prevented a double-digit number of terrorist events. If you’re planning a crime, it will be very hard for you to do it without using any of the services or communications means that are state-monitored. People who want a safe society will say that’s not a bad thing; people who want a free society will object.
Let’s consider your argument that hackers aren’t a problem, and in fact can be part of the solution.
People perceive hackers as criminals and thieves. But I see a hacker as someone who doesn’t accept the world as a “Read Only” file, but is always trying to change something and ask more questions. Hackers are people who are driven by curiosity, and in the face of any problem they encounter, will always try to dismantle and reassemble the system, or make it do something else completely. Steve Jobs and Steve Wozniak, for example, started as telephone hackers. Their first product, the “blue box,” was a kind of synthesizer that allowed people to make phone calls without paying.
Mark Zuckerberg was actually a hacker, too.
He was the genuine article. When he created Facebook, he took all the internal information from student groups. Only some of the pages were open, so he wrote a kind of program that scanned the sites, bypassed the protections and collected all the information. To this day, if you want to visit Facebook’s offices, the GPS address is “No. 1 Hacker Way.”
Maybe, then, we should distinguish between hackers who are motivated by ideology or curiosity, and criminals.
Yes. There are many cybercriminals, but I’m not talking about them. And even that is amenable to interpretation. How, for example, shall we classify the people who wrote Stuxnet [the computer program that sabotaged Iranian centrifuges]? We in Israel think it’s genius, but for the Iranians, whoever wrote it is a criminal and a terrorist.
The question is, not whether you’re on the side that was damaged from hacking or gained from it, but what the hacker’s purpose is.
To make money from hacking is criminal, there’s no question. But in the 21st century, hackers are part of everyone’s reality. Every private individual is affected by what they do. The technologies are becoming ever more sophisticated, meaning that hackers will acquire far more power. The question I ask in my research is how we can create more motivation and models in which that power helps solve problems, make progress, protect ourselves.
If there are no secrets and there’s no privacy, what are we trying to protect?
The modern way of life: cars, electrical systems, energy, health maintenance organizations, the financial system. A modern society can’t exist without all these technologies, which we rely on every hour of every day. It’s not just a matter of credit-card theft. There is also car hacking and illegal access to medical instruments, such as pacemakers. Using the analogy of the watershed, we can say that in about 2010, we crossed the cybershed. We stopped talking about information security and started talking about protecting society itself. Protecting the infrastructures, the technology, the control and communications systems. We are no longer in the world of Web servers; these are problems of an entirely different order – it’s our life. I’m talking about the possibility of entering a truck remotely and making it crash, or of damaging energy systems, or even breaking into our homes by remotely opening the locks.
The technology allows one person to strike at a maximum number of people or maximum infrastructures.
And part of the problem is that even the companies who manufacture the technologies don’t want to talk about their problematic aspects, if they are even aware of them. Companies that manufacture pacemakers that can be breached remotely don’t think of themselves as cyber firms. Most of the serious problems in this area, which are related to human life, are revealed only because hackers expose and demonstrate them. All the major automakers have learned, some the hard way, that they have to work with hackers. It’s best if we grasp the enormous power these people possess and find ways to work with them, learn from them, cooperate with them. But instead, they are demonized and criminalized.
But is the struggle here who will control the Internet? Companies, conglomerates and governments, or hackers?
I don’t see hackers ever controlling the Internet, nor is that what they want. The hackers I know aren’t after control. They want to expose what isn’t exposed, to share, to create new things. There are governments and corporations that are trying to control the Internet, some of them quite successfully. The only people who somehow can represent the interests of the private individual are the hackers. It may sound counter-intuitive, but it’s the reality.
Like when hackers display political involvement, such as Telecomix during the unrest in Egypt.
You’re referring to “hacktivism.” In 2011, when Mubarak tried to disconnect Egypt from the Internet, the Telecomix hackers helped the protesters in Egypt to connect. A year later, they helped in Syria. Telecomix is very active politically. They were also involved in Operation Protective Edge, with “rooster cam,” a rooster that wandered through Gaza courtyards with a webcam on it, and a dialogue developed over whether it would survive the shelling.
The best-known movement of hacktivists is Anonymous.
Anonymous also engages in nonpolitical activity. They came out against Scientology and attacked child pornography.
Via darknet – can you explain what that is?
Darknet refers to pages that cannot be accessed in the regular way. They cannot be searched for in Google or placed in the browser window. You need a direct link, and to connect to that link you have to use a program called Tor. Ironically, even though it’s claimed that only criminals and hackers use darknet, Tor was actually invented by the U.S. Navy in order to allow secret messages to be transmitted via the Internet. In principle, everyone can use darknet and Tor.
But you don’t go into darknet to look for recipes.
Right. It has content that you won’t find on the regular Internet, such as child pornography. Anonymous has been able to attack many of those sites. For example, they planted an announcement in a child-pornography site that allowed them to discover users’ IP addresses and identities, and then conveyed the information to the FBI. Anonymous also fights Scientology, the cult or corporation that has hundreds of lawyers and the power of Hollywood behind it. They’re the only ones who dare to do battle against them.
Actually, only the hackers are still able to take on such powerful organizations.
Oscar Wilde said, “Give [a person] a mask, and he will tell you the truth.”
Technology has deprived the individual of power. We are helpless.
Anonymous has succeeded in using the absence of individuality and the phenomenon of the mass as strength. They haven’t dismantled Scientology and haven’t stopped child pornography, but they have been able to make those people understand that they are not protected. If we continue to live in a society that rests on information as a public commodity, then the question of the reliability of that information and its control becomes very basic, relating to power and influence. And again, the only people who are capable of taking part in these relations of power, the only ones who somehow hold any cards in the face of the conglomerates and the governments, are hackers. That’s why we need them on our side.
So information is no longer power; on the contrary, information that’s inaccessible is power.
Information is no longer power, access to information is power. The real power is the ability to control the access to information, or to deny access to information, including our own information. It’s not a question of freedom of information. The information doesn’t want to be free, we are the ones with aspirations to be free. When we release [information] without taking that into account, we are threatening our future freedom.