Johnny’s Happy Hour. Friday the 5th at 5:00pm. (Let’s be honest, you’re done with talks by then.) Congregate at my table in the contest area. If you don’t know where that is, hit me on twitter. Free tees if you mention that you know / follow me, while supplies last. BYOB unless you want a shot of shitty vodka.
Be there or be cool.
So a tweet yesterday by @diami03 about non-career-advancing moves got me thinking. Now that many of you know my real identity, and that Johnny is 90% fictional, is it detrimental to me to continue pretending to be him? It’s no secret – I just did a talk on him. Even the FBI knows I pretended to be Johnny.
But if I continue with the off color tweets, the drug references, the jokes about mental health, the bravado – how will that reflect on the real me? It may not be obvious that Johnny is fake unless you’ve followed him; I think we’ve proven that many people will take him at face value – or close to it.
Hypothetically, if Johnny’s alter ego (the “real me”) were going to start looking for a new job, something doing cutting edge tech with a fair amount of responsibility, potentially anywhere in the U.S. or the world, how much of a liability is Johnny? Would he prevent me from getting a clearance (if he does, that’s lame, and I figure it’s the govt’s loss.) Lose me an offer? Or worst, decrease the salary I can justify? 🙂
So, your opinion: If you interviewed the real me and found I had outstanding technical, business and communication skills, which I like to think I do, but then found Johnny stuff online, would you hire me? Or am I gonna have to go work for Ligatt if I get bored of my real job?
The whole concept of “Anonymous” does focus attention on a long-running debate about the Internet. How much anonymity should users be permitted? Some people think that everything you do online should be easily traceable to a real person, even by other users. The theory, I guess, is that people will be more polite if they can be held accountable for their online actions in their offline life. A less stringent version is that someone’s real identity should at least be available via legal action, whether that be law enforcement or a court order in a civil case (or areas where the line between the two is blurry, such as copyright infringement.)
Anonymous, the “group”, obviously takes the opposite stance – that no action should be able to be traced to an individual. Indeed, this seems to almost be a basic tenet of the hacker subculture – certainly you’d think so by the love that is pored on Tor and similar tools at hacker cons. It seems that accountability in any way is just something the “business folks” force on the technologists… a necessary evil, at best.
However, both of these positions are, regardless of their ideological merits, technologically infeasible. If someone makes even a token effort to disguise their identity online, it becomes cost prohibitive to track them down in many cases. On the flip side, given sufficient resources, it becomes possible to track down almost anyone eventually. If you saw my recent talk, you’ll know that it requires almost inhuman self-discipline to keep your identity secret from nation-state level adversaries.
So what’s left? Pseudonymity. (Did you see that coming?) Allowing people to adopt online personas that can be penetrated if necessary (e.g., kiddie porn; terrorists) but that give people the ability to interact without worrying overly much about consequences in real life for their opinions.
The other advantage to pseudonymity is that a single real person can adopt more than one online persona and switch between them. This ability can be educational, therapeutic, or detrimental, depending on the person. Conversely, multiple real people can run a single pseudonym.
Pseudonyms have become very common online, especially in completely public forums (as opposed to semi-public spaces like Facebook). Some forums have specific rules that forbid users from posting real names, etc., while others have a sort of “gentleman’s agreement” not to unmask other users or contact them inappropriately. Many leave it up to the users to police themselves.
Why Pseudonymous? It’s not a statement on whether total anonymity or total accountability are right or wrong, nor a belief that pseudonyms are the pinnacle of Internet identity. It’s an acknowledgement that this is the way the Internet works today and that, given technology, law and human culture, it’s likely to be the way the Internet works for the foreseeable future.
Given this observation, the basic tenet of Pseudonymous can be stated as “People should have the right to decide for themselves what information they publish”, or to simplify, “Everyone has the right to privacy.”
By everyone, we mean everyone. The members of Anonymous and LulzSec seem to think they have the right to anonymity but that they can publish other people’s secrets freely. While this may be a political statement in some cases (Wikileaks), in other cases they punish innocent individuals for someone else’s actions (Sony’s customers.)
Pseudonymous believes governments have a right to keep some information secret – national security information, delicate political negotiations, etc. Corporations have the right to keep some information secret – trade secrets, R&D, etc. Perhaps most importantly, individuals have the right to keep information secret, including from corporations and governments. We take no stance on where the line should be drawn; we provide the *ability* to keep information private and let society decide how to use it.
We believe that in some cases, you give up your right to privacy. We believe you do not have the right to invade someone else’s privacy.
Our exploits will not be “epic” or “legendary”. They will be covert, even clandestine. We will disavow all knowledge of any incidents which would seem to further our agenda. We will take no credit for tools we release.
We will keep our tongues firmly in our cheeks.
We are Pseudonymous.
If you want to join us, we’ll contact you. We have your IP address.
Darkened hotel room, lit only by the faint glow from an unattended laptop and the occasional flare of a cigarette. The owner of the cigarette paces, covering the length of the room in three strides. The faint glow illuminates his unkempt hair and several days of stubble, reflections from the screen scroll up his face in an unbroken matrix. He stops and puts out the cigarette carefully, until no trace of a coal is left. A keypress makes the laptop, and the room, go pitch dark. Standing to the side of the small window, he pulls the curtain back just enough to peer out. Below him, a dingy street is lit by several neon signs covered in Cyrillic lettering. The only cars look like they’ve been parked there for decades. The only pedestrians appear and walk quickly to a door directly across from the hotel, set back in a concrete block building. There is no obvious signal, but the door opens just as they arrive and closes immediately behind them. The doorman glances around each time. In those brief seconds, the observer can see flashing lights from within and clearly hear the pounding bass of dance music. After the door closes, his eyes wander involuntarily to a bundle of cables running up the side of the concrete walls. Any other observer wouldn’t notice them at all; if they did, they would assume they were standard telephone and electric lines.
Tonight’s observer knows better. Those are expensive cables, carrying terabytes of stolen data to black markets around the world. He also knows that if the doorman looked more closely, he might realize there is a small device attached to the cables that was not there yesterday.
At an unheard noise, the observer steps away from the window and raises one hand to touch a minute earpiece. The call connects.
“Johnny Cocaine”, he answers quietly.
(to be continued)
The story of Johnny Cocaine cannot be told merely with words. Pictures and video add immeasurably to the story: the quick fights in Third World alleys, the stealthy infiltrations and heart-pounding escapes, the clubs and strippers. The cons. His cover as a touring electronic musician begs for a soundtrack and music videos. The information he steals should be visualized – hologram blueprints, multimedia dossiers, source code to malware.
Johnny exists in a shadowy world between our everyday universe and Hollywood’s most outrageous creations. The fiction is out there.
I assume it’s been obvious from the beginning that Johnny Cocaine was a quasi-fictional persona. No one’s last name is really Cocaine, is it? Certainly I’ve regularly mentioned the fact that I lie sometimes, in various ways, in order to spread disinformation, make it harder to recognize me, or just get more followers (thanks for the praise, but I really am male and don’t have nice cleavage.)
I “invented” Johnny for a few reasons. I wanted access to the “hacker underground” – web sites, IRC channels, private trackers, etc., in order to gather intelligence. I wanted to do a bit of a social experiment a la Robin Sage. I wanted a place to be un-censored, without it reflecting on my employer or being seen by future employers. And it was damn fun. Plus, though I didn’t know it at the time, I was going to meet a lot of cool people.
The truth is I haven’t done illegal drugs in a long time; even cigarettes are only an occasional vice. (I do however enjoy fine wines, craft beers and expensive liquors.) I’ve never really committed any crimes other than past drug use; I’ve never even been arrested, let alone done time. I rarely make it out to nightclubs or rowdy concerts these days; I wish I had more time to do so.
Much of my real personality and a lot of my real interests did come through. I’m opinionated, sarcastic, distrustful of authority and unthinking obedience, generally libertarian and interested in many of the stereotypical geek hobbies. I have been involved in hacking, both as a culture and activity, for many years; I cut my teeth downloading cracked games from BBS’s for my Commodore 128. By this you can tell that I’m closer to age 40 than 20, although I’m often told i don’t act it. I don’t consider that a bad thing.
I really am an infosec professional; I do pen testing, security assesments, and yes even compliance stuff, as well as security architecture and engineering. My salary gets paid by tax dollars; I won’t say publicly who I work for. I’m not a cop or a spy, although I work regularly with LEOs and counterintelligence groups and have been known to prepare briefings for people whose titles include the words “White House” or “Secretary”.
If you haven’t guessed it already, I’m based on Pittsburgh but travel regularly; this fact will do little to help you find out who I work for. If you do figure it out, more power to you; in fact, contact me, maybe I can get you a job. 🙂
I’m killing off Johnny because I want to live as myself again. I’ll still be at security and hacker cons regularly; I’m just putting the finishing touches on a paper I intend to submit for Shmoocon under my own name.
I don’t want to lose touch with you all, but I’m also not quite ready to publish my full name or employer to the whole world. I’ll probably re-follow a lot of you from my “real” twitter account, which is much more boring. If you want to keep in touch, DM me or email me at johnnycocaine -at- gawab.com and give me some kind of contact info; if you’re in the industry I’ll probably be willing to connect on Linked In. It’s not a disaster if my real identity becomes known, but I’d rather not have people google my real name and find Johnny in the first few results.
I hope you’ve had half as much fun following me as I’ve had making shit up and reading your tweets. I’m going to do a final Follow Friday and try hard to include all the twitterers who have made this experiment such a blast.
So long, and thanks for all the sploits.
/me plunges a wakizasha into his virtual belly
from CNN.com:
Legendary computer hacker Johnny Cocaine was reported missing this morning after a series of unusual events the previous evening. He was last seen in his girlfriend’s condo in downtown ———. His girlfriend, who goes only by the handle @razor_girl, claims he was sitting beside her on the bed using his laptop when she fell asleep.
“When I woke up this morning, the laptop was still open on the bed, but he was gone. So was his Heat bag. That’s his travel bag, so he’s ready to go in 30 seconds. The laptop had frozen, but I could still see part of an email that read ‘could be a threat to the very fabric of the Internet.’ I rebooted it but Firefox couldn’t recover.”
Police say they questioned the girlfriend, but she is not suspected of any wrongdoing. “She didn’t kill him,” reports Det. Lopez, “but she might if he doesn’t call her soon.”
A neighbor, John Hegendorf, claims he saw several black SUVs parked in front of the building yesterday afternoon, but didn’t notice anything else unusual except the sound of helicopters overhead in the middle of the night.
“I hope he’s okay. He always throws the best parties. Maybe he posted something online about where he went. He’s always disappearing, anyway. Are you sure you’re from CNN?”
So I have an idea for a new web show about infosec but it might require me to reveal my identity. I think a lot of y’all might really like it, although I don’t want to spoil the surprise yet. However, it would require the cooperation of “suits” – or at least real people who work for real companies. It would not be possible to entirely anonymize them. So I think it’s unlikely they’ll be willing to work with “Johnny Cocaine”, especially if they take all my tweets as literally true. I mean security vendors, Valley startups, tech and entertainments companies – they’re less risk averse than, say, Chase, but I’m not sure they want to share screen time with me. The word cocaine elicits some strong responses.
On the other hand, I think the videos would be more entertaining with a colorful personality using a controversial moniker. Who wants to watch a video about “Arnold McFadden”? (Sure it’s my real name. Go on, Google it.) It would be like going to see a concert by Brian Warner instead of Marilyn Manson.
So: I could attempt to do it as Johnny, hope enough people / organizations will cooperate, and try to stay anonymous as always. Or I could do it under another pseudonym, which people would quickly realize was Johnny from seeing the vids, but which would at least not be blatantly associated with Johnny.
Or I could do it under my real name and hope that infamy helps my career a la Kevin Mitnick. I’m reasonably sure I haven’t left any damning evidence laying around. Unfortunately a lot of people in the infosec industry don’t have much of a sense of humor. Present company excluded, of course. Of course, if I did that Johnny would probably disappear in to the hazy mist of hacker lore.
What to do, what to do….?
poweron at 08:58:13 10/18/2010
running Power On Self Test
CPU diagnostic check: scanning 1xE11 processor cores
98% passed
WARNING: 2% failed – alcohol errors detected
Checking memory…. hazy.
Memory segments 00000000 to Day 9,131 fragmented
Initializing kernel… last updated at Age 16.
Recommend upgrade behavior immediately
Testing primary storage:
Reiserfs detected: Quarantined to prevent homicidal behavior
Testing secondary storage:
WARNING: Unknown eigenvalue, please observe
Quantum computer activated
Loading modules:
lsmod: CRITICAL ERROR: caffeine.ko not found
Please insmod caffeine immediately!
Running cleanup routine…
cat /var/log/memories/last_night
File not found!
Replaying journal
Illicit activity detected.
Copying all logs to /dev/null
Testing I/O:
Audio: Industrial music detected. [OK]
Visual: Screen resolution no longer blurry. [OK]
Olfactory: Freshly lit cigarette detected. [OK]
Taste: Mmmmm, donuts. [OK]
Touch: [REDACTED] [OK]
Loading external data feeds
RSS…
Twitter…
Email…
IRC…
RFC 1149…
Loading output filter insert_random_swear_words.py
Boot sequence complete
Welcome to HumanOS version 0.999
johnnycocaine login:
Infosec is an interesting industry. It’s a common assumption that to be a good security practitioner you have to be conversant with the methods an adversary might use against you. Or to overly simplify, the “good guys” have to learn some of the same skills as the “bad guys”. This is only true to a degree. Certainly a security analyst should be able to look at a code fragment like perl -e ‘{print “A”x”255”}’ and recognize that it’s probably a buffer overflow. However, in many cases, analyzing malware and creating signatures is outsourced to A/V or IDS companies; analysts only have to recognize an attempted intrusion, determine if it was successful and maybe do forensics.
This need for the white hats / defenders to learn offensive skills must bother some people because ethical standards seem to have a more prominent place in the industry than in many others. There’s the Certified *Ethical* Hacker credential, a strong ethical component to the CISSP, etc. Obviously some other professions have these: doctors, lawyers, CPAs, etc. There are, however, many more that do not, even if their particular circumstances or skill set could be used for unethical behavior. Your phone guy could be tapping dozens of phones a day for example. Your mechanic could be (and probably is) sabotaging your car so you have to get it fixed more often. Don’t even get me started on politicians, the entertainment industry, or so called “business leaders”.
Why this focus in infosec? My hypothesis is because non-techies are scared of what “hackers” (of any color hat) can do. The security pros, therefore, voluntarily adopted these codes of conduct primarily for PR reasons, as they have little punitive force against anyone who is willing to violate them in the first place. It’s like the wizards in certain fantasy books who have taken strong oaths so the general public won’t resent / fear / lynch them. The fact that “wizard” has often been used to describe someone who is very computer savvy is, I’m sure, a coincidence.
Why do I say this? It’s pretty obvious, huh? There are “black hats”, who try to break in to systems, and “white hats” who are the defenders. It’s like the Alamo (with approximately the same odds, but hopefully a better outcome for the defenders.) The only gray area are those misleadingly named “penetration testers”, who are sort of like undercover cops without the corresponding oversight. (This is not a judgment, just an observation.)
What I’m interested in is people’s opinions on other “gray” areas. I’m not saying whether I have or have not done any of these things, nor am I defending any of my own actions (which are, of course, always above reproach.) I’m just curious what people think about them. Think of it as a game of infosec “Scruples”. Remember the question is, Is it (or can it be) ethical? Not, Is it legal? which isn’t the same question in most moral systems.
– Can an intelligence agency break in to other countries’ computers for general intel gathering?
– Can they break in to computers if they believe the information is vital to national defense?
– Is offensive cyberwar as part of a physical conflict acceptable (i.e., hack comms systems.)?
– How about corporate espionage?
– Should local laws and mores be taken in to account?
– Can undercover cops hack machines of suspected criminals? Can they hack to prove themselves to criminals (similar to doing drugs in front of a drug dealer to prove you’re not a cop.)?
– Are “hacktivists” who break in to computers of suspected criminals like child porn dealers acting ethically?
– What if they break in to third party computers to catch the criminals?
– What if it’s not criminals at all but people or organizations that they believe are “wrong”)? Like if PETA was to hack in to a Japanese whaling company’s servers.
– What if it’s a person who is harassing / stalking / threatening / inciting hate against someone else?
– What if the someone else is a friend or family member you want to help?
– Is it ethical to help a friend access their spouse’s email if they suspect adultery?
– What are other gray area you can think of?
Johnny Cocaine: Internet Cowboy 