Hacktivism: From Here to There

The current controversy regarding WikiLeaks and the attacks against the organizations that have opposed the group has sparked a large and complex conversation about the meanings of free speech, freedom of the press and online activism. As new as all of this may seem to some, this is by no means the first time these issues have been brought to the fore. The term “hacktivism”, which is being thrown around quite a bit in the current discussion, was first coined nearly 15 years ago by a member of the venerable Cult of the Dead Cow hacking think tank. Oxblood Ruffin, one of the cDc’s members, presented the following paper on the origins of hacktivism and what it is and is not at Yale Law School in 2004. It holds a lot of lessons that apply in the current climate of hyperbole and rhetoric.

I’ve never thought there was a lot of debate about the meaning of hacktivism. It’s a word that was coined by Omega – a longstanding member of the CULT OF THE DEAD COW (cDc) – in 1996. He used hacktivism to describe hacking for political purposes. Originally it was more of a quip or a joke. But from the first moment I heard Omega use it I knew that it would have profound meaning, not just for the cDc, but for millions of people across the Internet.

Almost immediately “hacktivism” spread like wildfire. The word sounded so cool everyone wanted to use it – the trendier-than-thou digerati, on-line news editors, and especially washed-up activists who had just discovered email. Suddenly, everyone became a “hacktivist.” No one had a clue what it meant, but it sounded cool.

Soon thereafter cDc members started registering hacktivism top-level domains. Reid Fleming set up hacktivism.org and ran it for a few years, Count Zero grabbed hacktivism.net, and I reserved – but never ended up taking – hacktivism.com. It is currently available from a domain name broker for $2000. You can also pick up terminatorseeds.com from the same place for a grand. Buy both and you’ll probably get a deal.

The people in the CULT OF THE DEAD COW who were most interested in hacktivism were Omega, Reid Fleming, Count Zero, Nightstalker, Tweety Fish and myself. We discussed it on our listserv, in private emails and at hacker conventions, one of the few places we would ever physically meet. I always liked hacktivism as a word but thought the definition needed to be tightened up. Cyberwar had a fairly similar connotation; two big brains from RAND Corporation coined that in 1993. No, we needed something unique, something that had never quite existed in quite the same way before. It was Reid Fleming who brought in the hook.

Reid set up hacktivism.org that featured a quote from the United Nations Universal Declaration of Human Rights (UNDHR). It was Article 19 and it read, “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” The first time I read that I felt like my head had gone to heaven. That was it. We would link technology with human rights. But it took some more time to get there. In the meantime I had been corresponding with Cindy Cohn, then in private practice but now Legal Director of the Electronic Frontier Foundation (EFF).

Cindy explained that the UNDHR was a declaration. Although inspirational and a very important document in its own right, it had no binding power. It was not a law. The International Covenant on Civil and Political Rights (ICCPR) was another matter. It was intended to have binding power and had at least a few teeth. And coincidentally, Article 19 of the ICCPR – another United Nations document – said essentially the same thing as Article 19 of the UNDHR. It reads, in part, “Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.”

The more time I spent with these two documents the closer I got to hacktivism, at least as a noun. And in fairly short order I defined hacktivism to mean “using technology to improve human rights across electronic media.” I also came up with the cDc tagline, “We put the hack into hacktivism.” But that was mostly as a response to the leftovers that stuck an “h” in front of activism and thought they could transpose the same ball game they’d been playing since the industrial revolution onto the Internet. One thing they didn’t understand was that it doesn’t take a lot of people to change anything. It only takes one good programmer.

The Internet was beginning to percolate with a new kind of activism, much of it as a result of an interview I did with Blondie Wong in July 1998. It was published as a cDc textfile and recycled across the Net. Blondie was a truly inspirational fellow. Chinese dissident, charismatic, movie star looks, monk-like tendencies, and loads of money. He ran a group of hackers called the Hong Kong Blondes. They grew to about forty members and did a lot of hacking into Chinese networks. The interview got a lot of Western hackers thinking about politically motivated hacking. Then one group got too inspired and went past the mark.

There was an American hacker group called Legions of the Underground (LoU) that had been around for seven years. They had twenty or so members, some kind of flakey, but others with truly superior skills. One in particular had been trained with the US military and knew network security backwards. So LoU made a public announcement that they had declared Cyberwar against Iraq and China, mostly for human rights abuses. At first insiders thought it was a publicity stunt. Then we found out the action was for real. LoU was probing primitive inter-networks in Iraq and getting ready to throw the switch. That’s when the international hacker hierarchy decided that enough was too much. Hacking for human rights was one thing. But we had to establish some ground rules for engagement.

A coalition of hacker groups issued a statement within a few days of LoU’s declaration of war. Included were (from America) the CULT OF THE DEAD COW, the L0pht, Phrack, and (from Europe) the Chaos Computer Club, Hispahack, Pulhas, Toxyn and several Dutch hackers including the cryptography expert Rop Gonggrijp. While identifying with LoU’s anger towards Iraq and China we pointed out that, “One cannot legitimately hope to improve a nation’s free access to information by working to disable its data networks.” LoU’s members took our criticism to heart and wisely called off their campaign. And just to make a further point: LoU could easily have done significant damage, especially in China, had they followed through. The fact that an international coalition of hackers appealed to LoU’s reason and managed to avert what could easily have blown into an international incident is commendable, even if I do say so myself.

It was largely as a result of this experience and some email exchanges with Frank Rieger of Germany’s Chaos Computer Club, and chats with Reid Fleming, that I began to formulate some hard and fast rules for hacktivist tactics. First, no Web defacements. If groups or individuals are lawfully entitled to publish content on the Web, any violation of their right to distribute information is an abridgement of their First Amendment [freedom of expression] rights. The same goes for Denial of Service (DoS) attacks. There isn’t a whole lot of difference between disabling a Web server’s ability to provide information – even if that information is distasteful – and shouting down someone in a town hall meeting. Although this example is more uncivil than unlawful, DoSing is clearly a computer crime. Still, civility is not a bad virtue to practice.

Increasingly I spent time speaking with reporters and academics about hacktivism, commenting on a series of Web defacements and DoS attacks. The press was awash with articles about “hacktivists” who weren’t much more than low-rent computer criminals. It just smelled like the same cheap hacks were being elevated to political protest when, in my opinion, they weren’t any more than script kiddy antics in drag. It became increasingly important for me to define hacktivism, mostly because I believed, and continue to believe, that there were very definite tactics that were acceptable for hacktivists. If someone wanted to call his or her actions digital disobedience, or cyber sit-ins, or anything else, that was fine with me. But invoking the term hacktivism was not OK.

At the same time I was acting as the cDc’s chief evangelist for hacktivism I began to joke that we had a noun longing to become a verb. It was one thing to talk about hacktivism. It was another to put it into practice. In the summer of 1999 the CULT OF THE DEAD COW descended upon Las Vegas like the well-heeled plague of locusts we are. Our mission was to launch BO2K – a network administration tool – at Defcon. Defcon is The World’s Biggest Hacker Convention(tm). It used to have some grassroots legitimacy but now it’s a job fair for entry-level computer security professionals. Gripes notwithstanding, I drafted the framework for Hacktivismo at this fifth rate Sodom and Gomorrah.

For some time the CULT OF THE DEAD COW had been aware of what has become known as “the Great Firewall of China.” This is a system of DNS and desktop filtering used to control its citizens. American companies like Cisco and Websense had made the firewall available to the dot Commies. When you run a business from the beacon of freedom, exporting censorship is allowed especially if it feeds quarterly earnings. Since the cDc reasoned that access to information was a basic human right we started bouncing ideas around for piercing China’s digital defenses. The first conversations I had were with Reid Fleming and AJ Effin Reznor in the Suite of the Elite, the cDc’s high-roller digs at the Alexis Park, Defcon’s hotel site. With a few possible development solutions in hand I began looking for the right mix of people to execute them. The first three hackers I approached agreed immediately.

Bronc Buster and The Pull from the United States, and The Mixter from Germany – who was then working as a security consultant in Israel – jumped on board. All brought different skills to the table and each was highly motivated. What is quite interesting is that we all knew each other by reputation but had never met in person. And over time ideas and code started to flow from one to the other to the point where we had our first prototype: a distributed network application called Peekabooty. It would allow users to bypass firewalls, national or corporate, and access the free side of the Web from a host computer. Part of our plan was to publicize state-sponsored censorship of the Internet and raise as much awareness as possible.

Some of the best advice I got in marketing hacktivism as an issue and a brand came from Grandmaster Ratte’, the founder and resident communications guru of the cDc. He continually upbraided me for attempting to make hacktivism too respectable, too much of, as he put it, “a wine and cheese party.” G. Ratte’ advised me to make it sexy, sweaty, and dangerous. That’s what would get hackers interested. They were the ones who were going to sit down and hack the code together for long hours and at no pay; not, with all due respect, the human rights establishment. They were just getting used to Web browsers.

I decided to stick hacktivism in everyone’s face with a product name that was impossible to ignore. Peekabooty came, innocently enough, from an experience I had in Harlem. I was standing in front of Grandmaster Ratte’s apartment building waiting for him. I spied a little girl sneaking a peek at me from behind her mother’s enormous, spandex-encased backside. And the name Peekabooty jumped into my mind. It seemed so perfect and so playful, no matter how sassy most people thought it was. And from that moment Peekabooty became synonymous with Internet censorship. It worked even better as a meme than a technology. Everyone started talking about it, from journalists to policy makers to Congressional leaders. Finally people were starting to wake up to Internet censorship because hackers with blue hair and funny sounding handles said it was important.

Hacktivismo grew into a truly international organization. Most people were technical; others were lawyers, human rights workers, and artists. Our team came from the Americas, Europe, Russia, Israel, Iran, India, Australia, Taiwan, and the People’s Republic of China. As the group started to grow I thought it was important for us to publish something like a mission statement. Having spent so much time poring through United Nations documentation it seemed appropriate to publish a declaration. In June 2000 I was staying at Grandmaster Ratte’s place in Harlem and drafted what was to become the Hacktivismo Declaration in one sitting. It took ten more months of painstaking revisions, but finally I posted it to the cDc listserv for extensive critiquing. Eventually it made its way to Fred von Lohmann at the EFF who made it tighter. Cindy Cohn also was helpful in many ways. The Hacktivismo Declaration was published on July 4th, 2001. It has since been translated into ten languages.

The declaration reads in part, “That full respect for human rights and fundamental freedoms includes the liberty of fair and reasonable access to information, whether by shortwave radio, air mail, simple telephony, the global Internet, or other media,” and, “That state sponsored censorship of the Internet erodes peaceful and civilized coexistence, affects the exercise of democracy, and endangers the socioeconomic development of nations.” Hackers may wear different clothes and have odd interests, but we know what important values are.

At the same time we were trying to get the message “out,” we were also trying to get it “in.” The cDc invited the distinguished human rights activist Dr. Patrick Ball to speak at Defcon to a room full of hackers. The place was packed and Patrick made a huge impression. His presence at Defcon did not go unnoticed by Slobodan Milosevic when Patrick was brought in to testify against him at Milosevic’s war crimes trial in The Hague. When Milosevic cross-examined Patrick, one of the first questions he asked him was, “So, Dr. Ball. Vaht can you tell me about these Dead Cow Cult?” I have no idea how Patrick managed to keep a straight face.

Hacktivismo progressed as a group but encountered a serious hiccup when the lead developer for Peekabooty rewrote the entire code base and decided to hijack the project and leave the group. It’s amazing what some people will do when they figure they aren’t getting enough press. When it was first announced on our listserv there were several days of chaos and rage. Some members wanted to crucify our little fame seeker, but it seemed best to let him go. He had been a disruptive force in Hacktivismo for months and things weren’t getting any better. Plus when his code was reviewed it left our security experts dumbfounded. Peekabooty had been rewritten to conform to design specs that had been rejected a year before as grossly insecure. You could hear the baby Jesus crying in Shanghai.

Within weeks Hacktivismo bounced back and the ideas started to fly again. The Pull came up with a really sweet hack that made a lot of sense. Since most Web censorship is based on DNS filtering, why not play against expectations? The Pull reasoned that we could have people post content that would be censored in China, and other fire-walled countries, right in plain view. DNS and desktop filtering scans for Web requests related to human rights, critical political commentary, women’s issues, and a range of other topics that dictators feel uncomfortable with. But this filtering does not look for, “pictures of Disneyland, my trip to the grocery store,” and other banal topics. So we would hide censored content in palatable Web sites through the process of steganography.

Steganography is a kind of encryption that allows one to bury digital content in a digital content base. Think of a Web page displaying a picture of the Mona Lisa. Steganography would allow you to hide a copy of the Declaration of Independence, an MP3, or any other piece of content digitally rendered in Da Vinci’s masterpiece. No wonder the old girl’s smiling. Within the space of a weekend The Pull had hacked together a working copy of the program. He then spent the next few months tightening it up. Hacktivismo released the steganography app at H2K2, a biannual hacker con in New York City. It was widely deployed. We heard from a lot of expat hackers from Iran, China, and the United Arab Emirates living in the West who were using it with their friends back home. The application was called Camera/Shy.

Our next project was called The Six/Four System. It is a complex and intuitive work of genius invented by The Mixter. Six/Four (a reference to June 4th, or the Tiananmen Square massacre) is an inaugural technology. It enables hackers to cobble together applications and drop them on top of any Internet protocol. It’s not what you’d call a “user friendly” technology. The code is a bit ugly but it does enable extraordinary possibilities. Beyond the compelling achievement of this work in progress, two extraordinary things happened. The first lovechild is both significant and amusing.

I was concerned about Six/Four’s firepower. Although Hacktivismo is an international organization, we are mindful of American law. Given that the United States Department of Commerce (DOC) regulates cryptography as an export and that Six/Four includes cryptographic components, I didn’t want to place American members of Hacktivismo at risk. Better to have the American government on board than working against us. So we had our attorney, Eric Grimm, apply to the DOC for a ruling on the exportability of our technology. What is normally a one-month process took nearly four months. I’m not sure that the DOC has ever had a request from a Canadian, me, and a German, The Mixter. And I’m almost positive they’ve never had a request emanating from an organization that included Cult, Dead, and Cow in its corporate identity. But come it did, and the Six/Four System was finally approved and became synonymous with American policy. It was a relief to have the U.S., especially the Bush administration, act as a facilitator of greater freedom rather than as an oppressor and regulator.

This paper was reprinted with the permission of the author and is licensed under the Creative Commons 3.0 license. The paper was edited for length. The full version is available here.
