cDc paramedia: text #384
...presents... Hacktivism, From Here to There
by Oxblood Ruffin
-cDc- CULT OF THE DEAD COW -cDc-
Est. 1984 cDc paramedia: text #384-06/03/2004
[The following paper was presented March 28, 2004 at Yale Law School as part
of the CyberCrime and Digital Law Enforcement Conference.]
"cDc. Show and prove."
I've never thought there was a lot of debate about the meaning of hacktivism.
It's a word that was coined by Omega - a longstanding member of the
CULT OF THE DEAD COW (cDc) - in 1996. He used hacktivism to describe hacking
for political purposes. Originally it was more of a quip or a joke. But
from the first moment I heard Omega use it I knew that it would have profound
meaning, not just for the cDc, but for millions of people across the Internet.
Almost immediately "hacktivism" spread like wildfire. The word sounded so
cool everyone wanted to use it - the trendier-than-thou digerati, on-line
news editors, and especially washed-up activists who had just discovered
email. Suddenly, everyone became a "hacktivist." No one had a clue what it
meant, but it sounded cool.
Soon thereafter cDc members started registering hacktivism top-level domains.
Reid Fleming set up hacktivism.org and ran it for a few years, Count Zero
grabbed hacktivism.net, and I reserved - but never ended up taking -
hacktivism.com. It is currently available from a domain name broker for
$2000. You can also pick up terminatorseeds.com from the same place for a
grand. Buy both and you'll probably get a deal.
The people in the CULT OF THE DEAD COW who were most interested in hacktivism
were Omega, Reid Fleming, Count Zero, Nightstalker, Tweety Fish and myself.
We discussed it on our listserv, in private emails and at hacker conventions,
one of the few places we would ever physically meet. I always liked
hacktivism as a word but thought the definition needed to be tightened up.
Cyberwar had a fairly similar connotation; two big brains from RAND
Corporation coined that in 1993. No, we needed something unique, something
that had never quite existed in quite the same way before. It was Reid
Fleming who brought in the hook.
Reid set up hacktivism.org, which featured a quote from the United Nations
Universal Declaration of Human Rights (UNDHR). It was Article 19 and it read,
"Everyone has the right to freedom of opinion and expression; this right
includes freedom to hold opinions without interference and to seek, receive
and impart information and ideas through any media and regardless of
frontiers." The first time I read that I felt like my head had gone to
heaven. That was it. We would link technology with human rights. But it took
some more time to get there. In the meantime I had been corresponding with
Cindy Cohn, then in private practice but now Legal Director of the Electronic
Frontier Foundation (EFF).
Cindy explained that the UNDHR was a declaration. Although inspirational and
a very important document in its own right, it had no binding power. It was
not a law. The International Covenant on Civil and Political Rights (ICCPR)
was another matter. It was intended to have binding power and had at least a
few teeth. And coincidentally, Article 19 of the ICCPR - another United
Nations document - said essentially the same thing as Article 19 of the
UNDHR. It reads, in part, "Everyone shall have the right to freedom of
expression; this right shall include freedom to seek, receive and impart
information and ideas of all kinds, regardless of frontiers, either orally,
in writing or in print, in the form of art, or through any other media of his
The more time I spent with these two documents the closer I got to
hacktivism, at least as a noun. And in fairly short order I defined
hacktivism to mean "using technology to improve human rights across
electronic media." I also came up with the cDc tagline, "We put the hack into
hacktivism." But that was mostly as a response to the leftovers that stuck an
"h" in front of activism and thought they could transpose the same ball game
they'd been playing since the industrial revolution onto the Internet. One
thing they didn't understand was that it doesn't take a lot of people to
change anything. It only takes one good programmer.
The Internet was beginning to percolate with a new kind of activism, much of
it as a result of an interview I did with Blondie Wong in July 1998. It was
published as a cDc textfile and recycled across the Net. Blondie was a truly
inspirational fellow. Chinese dissident, charismatic, movie star looks,
monk-like tendencies, and loads of money. He ran a group of hackers called
the Hong Kong Blondes. They grew to about forty members and did a lot of
hacking into Chinese networks. The interview got a lot of Western hackers
thinking about politically motivated hacking. Then one group got too inspired
and went past the mark.
There was an American hacker group called Legions of the Underground (LoU)
that had been around for seven years. They had twenty or so members, some
kind of flakey, but others with truly superior skills. One in particular had
been trained with the US military and knew network security backwards. So LoU
made a public announcement that they had declared Cyberwar against Iraq and
China, mostly for human rights abuses. At first insiders thought it was a
publicity stunt. Then we found out the action was for real. LoU was probing
primitive inter-networks in Iraq and getting ready to throw the switch.
That's when the international hacker hierarchy decided that enough was too
much. Hacking for human rights was one thing. But we had to establish some
ground rules for engagement.
A coalition of hacker groups issued a statement within a few days of LoU's
declaration of war. Included were (from America) the CULT OF THE DEAD COW,
the L0pht, Phrack, and (from Europe) the Chaos Computer Club, Hispahack,
Pulhas, Toxyn and several Dutch hackers including the cryptography expert Rop
Gonggrijp. While identifying with LoU's anger towards Iraq and China we
pointed out that, "One cannot legitimately hope to improve a nation's free
access to information by working to disable its data networks." LoU's members
took our criticism to heart and wisely called off their campaign. And just to
make a further point: LoU could easily have done significant damage,
especially in China, had they followed through. The fact that an
international coalition of hackers appealed to LoU's reason and managed to
avert what could easily have blown into an international incident is
commendable, even if I do say so myself.
It was largely as a result of this experience and some email exchanges with
Frank Rieger of Germany's Chaos Computer Club, and chats with Reid Fleming,
that I began to formulate some hard and fast rules for hacktivist tactics.
First, no Web defacements. If groups or individuals are lawfully entitled to
publish content on the Web, any violation of their right to distribute
information is an abridgement of their First Amendment [freedom of
expression] rights. The same goes for Denial of Service (DoS) attacks. There
isn't a whole lot of difference between disabling a Web server's ability to
provide information - even if that information is distasteful - and shouting
down someone in a town hall meeting. Although this example is more uncivil
than unlawful, DoSing is clearly a computer crime. Still, civility is not a
bad virtue to practice.
Increasingly I spent time speaking with reporters and academics about
hacktivism, commenting on a series of Web defacements and DoS attacks. The
press was awash with articles about "hacktivists" who weren't much more than
low-rent computer criminals. It just smelled like the same cheap hacks were
being elevated to political protest when, in my opinion, they weren't any
more than script kiddy antics in drag. It became increasingly important for
me to define hacktivism, mostly because I believed, and continue to believe,
that there were very definite tactics that were acceptable for hacktivists.
If someone wanted to call his or her actions digital disobedience, or cyber
sit-ins, or anything else, that was fine with me. But invoking the term
hacktivism was not OK.
At the same time I was acting as the cDc's chief evangelist for hacktivism I
began to joke that we had a noun longing to become a verb. It was one thing
to talk about hacktivism. It was another to put it into practice. In the
summer of 1999 the CULT OF THE DEAD COW descended upon Las Vegas like the
well-heeled plague of locusts we are. Our mission was to launch BO2K - a
network administration tool - at Defcon. Defcon is The World's Biggest Hacker
Convention(tm). It used to have some grassroots legitimacy but now it's a job
fair for entry-level computer security professionals. Gripes notwithstanding,
I drafted the framework for Hacktivismo at this fifth rate Sodom and
For some time the CULT OF THE DEAD COW had been aware of what has become
known as "the Great Firewall of China." This is a system of DNS and desktop
filtering used to control its citizens. American companies like Cisco and
Websense had made the firewall available to the dot Commies. When you run a
business from the beacon of freedom, exporting censorship is allowed
especially if it feeds quarterly earnings. Since the cDc reasoned that access
to information was a basic human right we started bouncing ideas around for
piercing China's digital defenses. The first conversations I had were with
Reid Fleming and AJ Effin Reznor in the Suite of the Elite, the cDc's
high-roller digs at the Alexis Park, Defcon's hotel site. With a few possible
development solutions in hand I began looking for the right mix of people to
execute them. The first three hackers I approached agreed immediately.
Bronc Buster and The Pull from the United States, and The Mixter from
Germany - who was then working as a security consultant in Israel - jumped on
board. All brought different skills to the table and each was highly
motivated. What is quite interesting is that we all knew each other by
reputation but had never met in person. And over time ideas and code started
to flow from one to the other to the point where we had our first prototype:
a distributed network application called Peekabooty. It would allow users to
bypass firewalls, national or corporate, and access the free side of the Web
from a host computer. Part of our plan was to publicize state-sponsored
censorship of the Internet and raise as much awareness as possible.
Some of the best advice I got in marketing hacktivism as an issue and a brand
came from Grandmaster Ratte', the founder and resident communications guru of
the cDc. He continually upbraided me for attempting to make hacktivism too
respectable, too much of, as he put it, "a wine and cheese party." G. Ratte'
advised me to make it sexy, sweaty, and dangerous. That's what would get
hackers interested. They were the ones who were going to sit down and hack
the code together for long hours and at no pay; not, with all due respect,
the human rights establishment. They were just getting used to Web browsers.
I decided to stick hacktivism in everyone's face with a product name that was
impossible to ignore. Peekabooty came, innocently enough, from an experience
I had in Harlem. I was standing in front of Grandmaster Ratte's apartment
building waiting for him. I spied a little girl sneaking a peek at me from
behind her mother's enormous, spandex-encased backside. And the name
Peekabooty jumped into my mind. It seemed so perfect and so playful, no
matter how sassy most people thought it was. And from that moment Peekabooty
became synonymous with Internet censorship. It worked even better as a meme
than a technology. Everyone started talking about it, from journalists to
policy makers to Congressional leaders. Finally people were starting to wake
up to Internet censorship because hackers with blue hair and funny sounding
handles said it was important.
Hacktivismo grew into a truly international organization. Most people were
technical; others were lawyers, human rights workers, and artists. Our team
came from the Americas, Europe, Russia, Israel, Iran, India, Australia,
Taiwan, and the People's Republic of China. As the group started to grow I
thought it was important for us to publish something like a mission
statement. Having spent so much time poring through United Nations
documentation it seemed appropriate to publish a declaration. In June 2000 I
was staying at Grandmaster Ratte's place in Harlem and drafted what was to
become the Hacktivismo Declaration in one sitting. It took ten more months of
painstaking revisions, but finally I posted it to the cDc listserv for
extensive critiquing. Eventually it made its way to Fred von Lohmann at the
EFF who made it tighter. Cindy Cohn also was helpful in many ways. The
Hacktivismo Declaration was published on July 4th, 2001. It has since been
translated into ten languages.
The declaration reads in part, "That full respect for human rights and
fundamental freedoms includes the liberty of fair and reasonable access to
information, whether by shortwave radio, air mail, simple telephony, the
global Internet, or other media," and, "That state sponsored censorship of
the Internet erodes peaceful and civilized coexistence, affects the exercise
of democracy, and endangers the socioeconomic development of nations."
Hackers may wear different clothes and have odd interests, but we know what
important values are.
At the same time we were trying to get the message "out," we were also trying
to get it "in." The cDc invited the distinguished human rights activist
Dr. Patrick Ball to speak at Defcon to a room full of hackers. The place was
packed and Patrick made a huge impression. His presence at Defcon did not go
unnoticed by Slobodan Milosevic when Patrick was brought in to testify
against him at Milosevic's war crimes trial in The Hague. When Milosevic
cross-examined Patrick, one of the first questions he asked him was, "So, Dr.
Ball. Vaht can you tell me about these Dead Cow Cult?" I have no idea how
Patrick managed to keep a straight face.
Hacktivismo progressed as a group but encountered a serious hiccup when the
lead developer for Peekabooty rewrote the entire code base and decided to
hijack the project and leave the group. It's amazing what some people will do
when they figure they aren't getting enough press. When it was first
announced on our listserv there were several days of chaos and rage. Some
members wanted to crucify our little fame seeker, but it seemed best to let
him go. He had been a disruptive force in Hacktivismo for months and things
weren't getting any better. Plus when his code was reviewed it left our
security experts dumbfounded. Peekabooty had been rewritten to conform to
design specs that had been rejected a year before as grossly insecure. You could
hear the baby Jesus crying in Shanghai.
Within weeks Hacktivismo bounced back and the ideas started to fly again. The
Pull came up with a really sweet hack that made a lot of sense. Since most
Web censorship is based on DNS filtering, why not play against expectations?
The Pull reasoned that we could have people post content that would be
censored in China, and other fire-walled countries, right in plain view. DNS
and desktop filtering scans for Web requests related to human rights,
critical political commentary, women's issues, and a range of other topics
that dictators feel uncomfortable with. But this filtering does not look for,
"pictures of Disneyland, my trip to the grocery store," and other banal
topics. So we would hide censored content in palatable Web sites through the
process of steganography.
Steganography is a kind of encryption that allows one to bury digital content
in a digital content base. Think of a Web page displaying a picture of the
Mona Lisa. Steganography would allow you to hide a copy of the Declaration of
Independence, an MP3, or any other piece of content digitally rendered in Da
Vinci's masterpiece. No wonder the old girl's smiling. Within the space of a
weekend The Pull had hacked together a working copy of the program. He then
spent the next few months tightening it up. Hacktivismo released the
steganography app at H2K2, a biannual hacker con in New York City. It was
widely deployed. We heard from a lot of expat hackers from Iran, China, and
the United Arab Emirates living in the West who were using it with their
friends back home. The application was called Camera/Shy.
Our next project was called The Six/Four System. It is a complex and
intuitive work of genius invented by The Mixter. Six/Four (a reference to
June 4th, or the Tiananmen Square massacre) is an inaugural technology. It
enables hackers to cobble together applications and drop them on top of any
Internet protocol. It's not what you'd call a "user friendly" technology.
The code is a bit ugly but it does enable extraordinary possibilities. Beyond
the compelling achievement of this work in progress, two extraordinary things
happened. The first lovechild is both significant and amusing.
I was concerned about Six/Four's firepower. Although Hacktivismo is an
international organization, we are mindful of American law. Given that the
United States Department of Commerce (DOC) regulates cryptography as an
export and that Six/Four includes cryptographic components, I didn't want to
place American members of Hacktivismo at risk. Better to have the American
government on board than working against us. So we had our attorney,
Eric Grimm, apply to the DOC for a ruling on the exportability of our
technology. What is normally a one-month process took nearly four months. I'm
not sure that the DOC has ever had a request from a Canadian, me, and a
German, The Mixter. And I'm almost positive they've never had a request
emanating from an organization that included Cult, Dead, and Cow in its
corporate identity. But come it did, and the Six/Four System was finally
approved and became synonymous with American policy. It was a relief to have
the U.S., especially the Bush administration, act as a facilitator of greater
freedom rather than as an oppressor and regulator.
And now for lovechild number two. A few months before releasing Six/Four,
The Mixter mentioned that he'd like to license his work under anything other
than the General Public License (GPL). My ears pricked up. The GPL is a
tergiversation in intellectual property (IP) law, conceived by the
extraordinary Richard Stallman and codified by the eminent Eben Moglen. It
postulates that code is "transparent," available for peer-review,
customizable, and can be shared without charge, given that certain other
requirements are adhered to. The GPL is widely considered as the Holy Grail
of IP law in the digital age. It creates tumescence in the Electronic
Frontier Foundation, the god-like Lawrence Lessig, and a host of lesser
luminaries. It's a huge deal. But is it all that?
As important as the GPL is, it only seeks to do certain things. Namely, to
create "freedom" to invent and to share. It assumes, as most hippy
philosophies do - and I use that term with affection - that we live in a
world of ideals; where all it takes is the "right" idea to find its way to
the top and prevail in a marketplace of intellectual substance. And that the
"idea" will be protected. That's a great worldview if you live in America or
any of the other liberal democracies. But we don't. At least those of us in
Hacktivismo don't. We live in a brutish and uncompromising world of thugs,
Internet censors and life forms beyond the borders of civilized discourse.
Hacktivismo stares down, just for starters, the government of China. They
could win a prize for Most Inconscient Life Form In A Political Body(tm).
This is a government that would not have put Gandhi or Martin Luther King in
jail for the weekend. Beijing would have blasted a bullet into the backs of
their heads and charged their next of kin for the cartridges the morning
No. Hacktivismo wanted to release its software under something a little less
free than the GPL. The greater girdle we could put on the Internet's worst
oppressors, the better. And so it was with this modest ambition that
Eric Grimm, The Mixter, and myself began drafting what came to be called the
Hacktivismo Enhanced Source Software License Agreement (HESSLA). The license
enables both Hacktivismo and its end-users to go to court if someone tries to
use the software in a malicious manner, or to introduce harmful changes in the
software. It also contains more robust language than has previously been used
to maximize enforcement against governments around the world.
The HESSLA explicitly prohibits anybody from introducing spy-ware,
surveillance technology, or other undesirable code into modified versions of
HESSLA-licensed programs. Additionally, the license prohibits any use of the
software by any government that has any policy or practice of violating human
rights. The most novel innovation in the license distributes enforcement
power instead of concentrating it in Hacktivismo's hands. If it is discovered
that any government has violated the terms of the license, the HESSLA then
empowers end-users to act as enforcers too.
This, we think, is a pretty novel "legal hack," and we are optimistic that it
just might work when our "code" is finally "executed" in the U.S. legal
system. So far, this part of the HESSLA has received little attention, but
since we are here at Yale, perhaps it is worth discussing the origins of the
idea of end-user enforcement, and what we are trying to accomplish.
Most of the provisions of the HESSLA (which build on the idea of "copyleft")
explicitly credit the Yochai Benklers, Eben Moglens, and Lawrence Lessigs of
the world for their inspiration. The end-user enforcement provisions, in
contrast, draw more inspiration from the work of Harold Koh, James Silk, and
the Lowenstein International Human Rights Clinic, here at Yale.
As many of you know, for well over a decade, the Yale Law School and some of
its distinguished faculty have been at the forefront of developments in
international human rights law -- especially the implementation of human
rights norms through civil lawsuits in U.S. courts, against (to borrow a
phrase from George W. Bush) human rights "evil-doers." A little over two
decades ago, the Second Circuit, in a case called Filartiga v. Pena-Irala,
revived a 1789 statute called the Alien Tort Claims Act, and said that some
victims of human rights abuses could sue some abusers, in U.S. courts, for
certain violations of international law.
Remember -- some, not all, victims can sue; some, not all evil-doers, can be
sued; and not all human rights abuses trigger legal remedies. In the
intervening time, the ATCA (and additional legislation such as the Torture
Victim Protection Act), have been used to great effect in civil litigation in
the U.S. courts to bring some abusers of human rights to justice, as well as
to compensate certain victims. Yale faculty have been directly involved in
some of the key developments -- such as Professor Koh's role in the landmark
Kadic v. Karadzic case, which was brought by one or more victims of sexual
abuse against Bosnian Serb leader Radovan Karadzic.
While the human rights community has enjoyed many victories over the years,
using various strategies to secure U.S. jurisdiction against foreign bad
actors, legislative and court-established limitations still remain as
obstacles to enforcement activity by the human rights community. Depending on
the party occupying the Presidency, the Executive Branch of the United States
government on occasion during the past two decades has often been openly
hostile to the idea of vindicating human rights in U.S. courts, while, at
other times, the Executive has been open to some limited progress in this
The jurisdiction, immunity, and end-user enforcement provisions of the HESSLA
cannot compare, in importance, with the legal victories won over the past two
decades in the human rights field. But we have sought to make a very modest
contribution -- in the sense of adding one more arrow to the quiver of legal
strategies that Professor Koh and other pioneers in the field of human rights
law may be able to use to seek justice for victims of human rights abuses.
The more tools that human rights workers and plaintiffs can employ in these
cases, we believe, the better. And, in light of continued restrictions on
statutory causes of action (as well as the current administration's hostility
to many aspects of the limited human rights laws we have), we believe that
the HESSLA may yet prove useful.
Of course, in order for these provisions of the HESSLA to be invoked, a human
rights defendant has to have used or modified the software. But this
threshold issue is important, too, because we are quite happy if governmental
and other abusers of human rights voluntarily decline to use our software on
account of the in terrorem effect of the possibility of triggering a lawsuit.
Even if it turns out that all the "bad guys" in the world are avoiding the
software, and cannot be sued using these provisions of the license, that also
means they are actively depriving themselves of the tools that we have
created, while the "good guys" can use these tools.
Whether or not the HESSLA ever makes its way to court, we think that the mere
existence of the HESSLA can have important, beneficial effects. The GPL still
hasn't been tested in court, yet, regardless of the many claims made for it.
But the positive social impact from the GPL certainly is not measured solely
in terms of the frequency and nature of lawsuits involving the GPL.
We do know that many developers around the world are starting to use the
HESSLA to license their works. Regardless of the occasional sniping from some
free software fanatics, we are optimistic that the HESSLA, including the most
critical parts of it, at the end of the day, is quite likely to be found to
be enforceable against all or most defendants, including non-U.S.
governments, in the U.S. court system. So long as the U.S. courts follow the
letter of the Foreign Sovereign Immunities Act, the HESSLA has been drafted
to maximize enforceability when the time comes to invoke it in court. Then
again, we certainly do not have a monopoly on clever and novel legal or
licensing ideas, so anyone in the audience (or at this law school), who has
ideas on how to make the HESSLA even more effective, or more enforceable, is
certainly welcome to communicate those suggestions to us or to our lawyer.
Returning to the critics of the license, we note that the primary criticism
is simply that the HESSLA is not the GPL. Quite right. It isn't. Then
again, many of these same skeptics also have, from time to time, voiced
concern (typically prefaced with the disclaimer "IANAL") about whether the GPL
itself is enforceable. Some day, those tests may arise. But until that time,
we think it is worth asking whether the uncertainty of a license not
previously tested in court nevertheless remains a factor that benefits or
helps Hacktivismo's objectives. Among our objectives is to deter at least
some of the "evil-doers" from using our software.
This room is full of lawyers and future lawyers. Ask yourselves: If you were
advising some person or entity that viewed itself as a likely defendant in
some future HESSLA enforcement action by Hacktivismo or by some end-user --
would you be so confident of your client's chances (if caught violating the
license) of prevailing in court -- that your client should go ahead and
openly start using the software, without any concern about risking the
consequences of losing?
Eben Moglen has, for years, been inviting all the skeptics of the GPL to call
his "bluff" (which, in our view, is no bluff at all), and take the Free
Software Foundation to court. The mere fact that nobody has done so serves as
a powerful argument that the GPL-skeptics are not very confident of their
legal argument. I can't say that I'm looking forward to testing the HESSLA in
the courts. That would suggest that yet another human rights violation has
occurred. But I am proud of attempting to provide even an untested remedy
when the alternatives remain far from perfect. When Hacktivismo started
germinating in Las Vegas I had no idea I'd end up speaking at Yale Law School.
But when you roll the dice, you never know where you'll land.
the original e-zine
eastside westside WORLDWIDE
Copyright (c) 2004 cDc communications and the author.
CULT OF THE DEAD COW is a registered trademark of
cDc communications, 1369 Madison Ave. #423, NY, NY 10128, USA
All rights left. Edited by Myles Long.
Save yourself! Go outside! Do something!
xXx BOW to the COW xXx