Tuesday, April 14, 2015

What if Jesus was a hacker?

It's interesting the ways faith and security intersect. This weekend I attended an information security conference in which one speaker talked about the often-strained relationship between hackers / researchers and reporters. Author / blogger / journalist Violet Blue (warning: in many cases very much NSFW) gave a talk entitled "Everything They Don't Tell You: When Hackers Talk to the Press" that was quite eye-opening. A key point was that so many (not all, but a significant majority of) reporters think career first, and are more interested in being *first* with a story than in being *right* with a story. Interviewees may be manipulated into giving statements that fit the story the reporter is trying to tell, by reporters that don't really understand the technologies and security threats they are writing about. The end result is that hackers need to be very careful in whom they talk with.

I use the term "hacker" relatively broadly. I mean researchers looking for flaws in software and devices, that they can report privately and perhaps earn a "bug bounty," a cash payment from the developer. I mean digital detectives, investigating criminal activity in order to stop or prosecute such crimes. I mean analysts and consultants looking for intruders misusing their corporate networks. And yes, I mean criminal hackers using the Internet as their own private ATM.

There are many reasons a hacker might want to remain anonymous, and many of us maintain alter egos, anonymous pseudonyms by which we are known to other, also anonymous, hackers. For the criminal actor, the reasons are obvious. For the rest of us though, the reasons are varied. The law enforcement investigator doesn't want his investigation to be discovered. The corporate analyst doesn't want what she says to be publicly associated with her employer. The bounty hunter doesn't want to be prosecuted for well-intentioned research. Laws vary from jurisdiction to jurisdiction, and even from judge to judge. When typical middle school shenanigans that a decade ago would have meant an unpleasant visit with the principal, now result in felony charges, it's no wonder those lost in the shades of grey that make up the Infosec community would want to remain unknown.

Violet Blue went into numerous reasons security folks have become reluctant to talk with reporters. She gave specific examples of journalists and editors ignoring the personal safety of their sources - publishing photographs with obvious landmarks or geolocation metadata (hidden GPS data attached to a photo by many cameras), or naming sources that had spoken on the condition of anonymity. Some of these cases have resulted in arrests or even physical harm to these sources.

She also gave reasons that resonate with me - reasons in line with why I write. Security is a complex field with complicated technologies to understand. No one is an expert in every aspect of security - and few in the mainstream media are expert in any aspect. That is not to say they are dumb. Everyone has their own area of competency, a domain at which they are the expert. You don't want me pulling your teeth or performing open-heart surgery on you. But then, I don't (usually) write about medicine. I write about a field I have spent 15 years learning.

Why do journalists get infosec reporting so wrong? Here are a few reasons, courtesy of @violetblue #ISSW2015

The result is that hackers are reluctant to speak with the press. Instead of going to the largest or most widely-read media, researchers have to be very careful whom they open up to. There are a handful of writers and journalists that have established themselves as credible, and that respect the culture and safety concerns of security researchers. These esteemed few tend to have a technology background, and they take the time to research and understand a topic before writing about it. But even they are niche reporters with an audience of tens of thousands, an audience that consists in no small part of others in technology-related fields. The largest mainstream publications - the ones that reach mom and dad, Joe plumber and Jane orthodontist - have a readership in the millions.

I was struck by the similarity between this and Jesus' calling of His inner circle. My Bible study class has been reading "12 Ordinary Men," a book by pastor and author John MacArthur. In the book he looks at each of the men that have for two millenia been known as The Apostles.

Jesus came with a world-changing message. Whether or not you take Him at face value, the things He said and did were bold. Supernatural events surrounded Him - water became wine, the lame and ill became well, the dead returned to life, thousands were fed from the contents of a lunchbox. Ultimately He made the audacious claim to be God in the flesh, to be the singular only way to life in the hereafter, a claim He backed up by going to the grave, and then returning a few days later to spend nearly 6 more weeks walking the Earth. He lived with no intent whatsoever to go quietly into the night.

And yet He didn't give His history-changing message to the great leaders, mega preachers, or famous journalists of His time. He didn't approach the political power or the religious elite. He didn't recruit a celebrity spokesperson. He didn't deliver His story to someone that already had an audience. Instead, He entrusted His Word to 12 ordinary tradesmen, men that would spend the next few years with Him getting to know His message intimately, and would then spend the rest of their lives accurately spreading His story, rather than their own.

Just as modern hackers eschew mainstream media in favor of a trusted ally, Jesus eschewed the celebrities of His time and instead cultivated a small but trusted circle of people that would eventually give up their lives because they passionately believed in their mission.

So was Jesus a hacker? A hacker is a problem solver, someone that goes outside the obvious uses for something to see what is possible. I would consider Jesus to be the original hacker: He solved a problem that no one else could possibly solve!

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen