the French text, but as soon as you start reading the second word it's over and you just start laughing. So at any rate, welcome to the talk "Hacker Ethics". Many things are hacked for reasons of activism, fun or just pure curiosity, and you keep having to ask yourself: how far can I go? What's okay, what isn't? Yes, that person is crap, but can I publish the info of everyone who has ever used their services? But someone in the audience has an opinion on that already. There are many cases where it isn't clear how to proceed. It's not like Hollywood, where we have white hat and black hat hackers, the good and the bad. We are very often in a gray area and we have to consider what we do, and that's where hacker ethics come in. That's been a topic for a long time, and today we get an introduction by Frank. He has been a speaker at the CCC for years and he has been active in the CCC for years, and I am very glad to have him here today, and even for myself to just get a reintroduction to hacker ethics. So let's welcome him with a heartfelt round of applause.

Yeah, well, thanks. So, hacker ethics. Hacker ethics as used by the CCC is not the youngest anymore. It was originally formulated or sketched out by an American journalist, Steven Levy. He wrote a book on hacker culture in the 80s, and that was put out in 1984, fittingly, and many of those rules and points that we use in the CCC hacker ethics come from there, really all of them. Some of these values that we hold high we've adapted, or Wau Holland did back then, from there, and that's what I want to talk about today.

Why do we need something called hacker ethics? What's the point? Can't you just do what you want, you know, just fun with devices, no more thinking required? Well, our impulse here is that power creates responsibility. As we look around at who moves in hacker circles, it's people who know more, can do more than average, who have more energy, even though it doesn't always look that way, have this impulse to research things,
this curiosity, this endless patience for finding out how things work and making things that look like magic from the outside, techno magicians. And resulting from that, we have the possibility to do things that aren't that great, that are rather bad, and where we can do wrong to people and abuse them and make them have worse lives, and we try to stop that and prevent that. And this idea that power creates responsibility is not as popular as it used to be. In current society we have this tendency to move away from the values of the Enlightenment and towards division and separation, and towards this idea of: at least I myself can live my life, and I don't care what these others do. We here at this Congress especially believe that this is the wrong path, and that we should value the values of the Enlightenment and fact-based communication, and that we shouldn't go towards wishful thinking but be based on what is.

And one of the first rules of hacker ethics is that the access to computers and everything that can show you how this world works should be unlimited and complete. We had this value from the Enlightenment, the accessibility of knowledge, the availability of scientific results, and including documenting your source code, yes, I know, that this is a core of our being. The availability of information was a problem for a long time. Let's remember 1984. I can remember during the mid 80s, when I wanted information on how to use computers and how it worked, I had to pirate handbooks from the East German Republic. As a person from the West it was very difficult to get information in the mid 80s. Remember, information was not easy to get at that time, and accessibility and availability was not as free as today. If you wanted to have information on a microprocessor from the East German Republic, you'd have to look for a long time. Today you just take a smartphone out of your pocket and then you just look it up online in a search machine of your choice and you'd have the information, but
still, the question of getting the information is still a question of political activism today, because we now have the problem that information is being paid for by giving away information, for example when you search on Google, or when you look at publishers that sell information related to scientific publishing, that is also not free. So access to information is still a very important question and topic. A radical way of formulating this is to say that all information must be free. For some time, I don't know if you remember it, at the Chaos Communication Congress we showed network statistics, and we had a nice graph that showed that we uploaded more data than we downloaded. Those were good congresses.

There's also the flip of the coin. All information, well, pretty much all information: dealing with all information we have to have the following rule. We need to protect private data, and public data must be useful. That's a good rule, so that nobody is forced to allow access to his personal information. It's not normal that other people have access to your personal information. It's not normal that when you use a messenger all your contacts get uploaded to another server, from people who didn't understand that their private data might have a value, which might affect their personal possibilities and the choices that they can make and what they can do. Yes, remember, we're talking about 1984 here. Here saying public data: public data that benefits us all, knowing how traffic flows, for example, when is it possible to take the train, simple data like schedules for trains. There are talks at the Congress about these topics. This is never growing old. The state and the big companies sit on these huge public data, which can improve our future and allow us to have a better time, but our private data, where we were, with whom, what we like, what we did, what we pay for, what we buy, what we wish for, these highly private data, those are being
privatized and sold to the highest bidder. Especially Facebook and Google and some other companies have gathered huge amounts of private data and sold it, and that shows that this field is still current and still relevant.

And as we are being creative and critical with technology, we quite often run into these conflict areas. Just today somebody sent me a mail, having found a database with data of thousands of people, highly private data, and he asked me: what do I do now? Should I make it public? Should I try talking to the service provider? Should I ignore it? Should I send a mail to all of them and tell them, hey look, your data is freely available on the internet? That's an easy choice. You've got a great power there, you can do a lot of crap there, and it's going to affect a lot of people's lives very negatively, and handling this responsibility is not always easy.

At past congresses, on my phone number, we had the hacker ethics hotline, where we said: if you coincidentally stumbled across things where you think that might be dangerous, call us. And almost always the calls we got were about data that was badly protected, and we were always in this kind of bind there. Our advice was always: do the least amount of harm that still ensures that this bad situation is fixed, and typically that meant talking to the provider of these systems. If you are in such a situation, come to us, we'll help you with how to do that. It's usually a lot easier if your call is "Hi, I'm Frank Rieger from the Chaos Computer Club, I'd like to talk to your technical manager." Typically I get through immediately, versus if you try "Hello, I'm John Doe, I have your data," that usually doesn't work out so well. Heise Security does something similar there, so we're not the only ones, but I mean, we try to help promote others, and help others, who can handle these cases in a qualified manner.

And the next question is of course: do these companies really have a sense of wrong and right? Do they even care? Do they just
ignore it? And so what we encounter here is often this embracing strategy: oh, how wonderful that you call, it's great that you want to help us, but we're gonna take half a year to do that, and yeah, if that's a real issue... And they play for time and they waste time, and during that time the data is typically still unprotected on the internet, which is not acceptable at all. So fixing these bad situations has to be highest priority.

The question how we can make the public data also public, which is the lesser version of "all information must be public": we have that example of the publication of the law file, of all the laws in Germany that are made public, and you usually think that this is common, but actually we see now, well, it isn't big, because, so that was really quick, and then the Justice Minister announced that all laws will be available for free in the future. So you see, it works. And this prospect that your own activism can change something, that what you're doing can actually do something, the knowledge that you can change something, that's what it's about in hacker ethics. It's not true that nothing will change out there if you don't do the right thing at the right time.

A very important point to make since the beginning of the Chaos Computer Club is that we do not want to judge hackers and female hackers, or just hackers in general, on how they look or where they come from or how old they are. The only important thing is what they know, what they can do and what their goal is. And you always have to remember that that's a very radical kind of way to think. We're a meritocracy. We don't want to judge people based on any other criterion than what they can do and what they do, and that's something that, for example, conservatives are against. They say, well, a high status has to account for something, or, people, they're not that different after all. And you always have to remember 1984: there was a time where nerds in classrooms were being
stuck into trash cans or toilets, for example, where if you were good at math you were not the popular kid in school, and if you were a person that was interested in computer science and computers you were usually not the popular person in your class. And the Chaos Computer Club has always been a home for such people. Most of us got there because that was the first time where we met people who had the same interests as us, and the prevailing feeling when you arrive at the Congress is: you're at home, finally. Finally you're with people who also value what I value and who are also interested in the things that I do, and I'm interested in the things that other people do here at Congress. And this dogma that everyone is equal is something that we will not change.

Next essential thing is: distrust authorities and make decentralization stronger. Because some circuits, of course, are more active than others in the Chaos Computer Club, but there is no headquarters or something like that. And if you look at how the Congress is organized, there's a huge number of teams of people who do it in their free time, and we're looking simply for a task or a goal and say, oh, we want to make this part or this goal the best, and we put all our energy into that. And this is how the Chaos Computer Club works on the whole. So you won't find any big structure laid out, or the big association that's organized like a pyramid, but it's rather: think for yourself what you can do, and do it, and get to people that are also doing it, and don't wait for anyone to tell you, oh, that's the direction to go. So if you're looking for this thinking of leadership, and leadership deciding in which direction things go, then that's not the place. We have members and they are running around and doing things, and from that, stuff emerges. Of course this does have disadvantages, like a strategy that's long time planned, and you run into the situation where
something simply doesn't happen, which can have two reasons: either there's no consensus or no one is interested in it. The opportunities that we get from that, they complement each other well with other NGOs who are more long-term focused. But yeah, we don't have that, we don't have that headquarters deciding, now we do that. We have people who think, oh, we have to do that now, and who like doing this, we have fun with that, and then do it. And just think of it, the whole thing is 17000 people and they're all doing that in their free time. In general, authority leads to structures settling, and we want to not do that if possible.

Next part. Karina had that earlier with black hat, described that earlier with white hat and black hat, is the following. There's a call-in right now which translators can't hear, but the speaker is now apologizing. And now you can see the benefits of "mistrust authority and decentralize", because the authority in this room is now correcting your own talk. Okay, let's move on.

The question is now: what do you do when you've hacked the system and now you have access to a database, or for example you have the power to do things that you were not allowed to do or you couldn't do before? That's a question that's as old as this club: what do you do after you've hacked the system? First I want to define the word hacking. Hacking is a more creative and also a more critical way of dealing with technological systems. And the question is now, what do you do? And that question is not easy to answer. In general, when we deal with such questions, we don't have a fixed set of answers. Instead we try to ask our own questions, and the most important question is: and where to now, how do you want to continue? Surprisingly, most people don't ask themselves this question. You only think about: and then I will publish this data and I'll make a press announcement and that's all, it's gonna be great. But in general that's not going to work out well. Life, people
move on, life goes on, and then no change will have happened. We have this responsibility that comes with the skill to intrude into other people's systems or to manipulate systems, and at this point at a factor of scale that we considered impossible in previous times.

Last Congress somebody came to me, and they built a botnet, well, just by accident really. Yeah, for real. Yeah, they found a bug in a popular IoT device and, well, they built a bot that sort of spreads, and they thought, well, you know, that'd be kind of fun if we could check other devices for the same bug in the same network. And I mean, the bot didn't do anything, it just spread and looked around and spread and phoned home and said "here I am". And well, then they kind of sat there with a little six-figure number of infected IoT devices and thought, hmm, well, now what, what do we do? And usually you get complications there. In a perfect-world Hollywood scenario you say, well, then you use that to fix that bug and delete itself, and once you're done with that, then you tell the supplier. Turns out you can't do that without doing damage. In some of the cases, with certain firmware and hardware versions, it would have happened that these devices would be broken afterwards. Well, it's not great, but on the other hand you can say, well, I mean, somebody else might find it and then just use it to build a DDoS network, so would that be better? Well, as it turns out, it resolved fairly easily, because the manufacturer noticed and on their own initiative patched it out and fixed it. And I mean, there's still a couple thousand vulnerable devices, but that's not the same dimensions anymore.

So it will be interesting to just think through this scenario, because we have this scenario where we really have a vulnerability, and it's not a question of opening one server. With the devices and the bandwidth we have, we can find all the servers with a certain vulnerability, and there's plenty of machines, and if you build your patterns that are
used to look for vulnerable devices well enough, you can almost find all the devices there, and then suddenly you have tens of thousands, hundreds of thousands, millions of devices. And it's not impossible, it's not unlikely that you could find that many devices. And there are cases where you prefer not to look: I found a vulnerability and I'm not going to check for it in any of these lookup patterns, because I don't even want to know. It's kind of irresponsible, because you're not going to fix the issue that way, but it's understandable.

So far we've been talking about opening up systems and finding things, but a lot of us are busy building systems, however, so making sure that our computers work, that databases work. And aside from the obvious responsibility that our systems are at least somewhat safe, as far as things can be, there is a responsibility towards what these systems do as well. And we have this problem of scale on the other side as well. Building a system today, let's say a dating portal: then in this dating portal we will get a lot of data, a lot of very private data. Do we want this data? Do we want to store this data in this way? Can we risk that these will fall victim to some vulnerability, that they are used in some criminal way? Or do we want to build systems that improve lives, in the sense that they encrypt that data, that they don't even gather that data, that the people who use the systems are not left in the dark about what happens to their data?

And as I look around, every year there is this map of companies that work in the ad space, thousands of companies, companies that do nothing but: when you make a call to a website, the data from the cookies or whatever other identifiers you have are distributed as fast as possible, and people are able to bid upon what ads they want to show you. And I keep thinking, there must be people who program this shit. There must be people who sit down and do nothing else in their day, that
these pictures of dramatically lit tubes of toothpaste arrive in my browser more quickly, and they know that peppermint is better than strawberry for me. Is that really a life goal? Do you feel good while doing it? Does anybody here work there? No hands. Do you know somebody who works there? Do they feel good? And I think hacker ethics also means thinking about what you do with your time alive, what you use your time for, what are the things you leave behind, what are the things you set in motion, the trends you create. And I think we should all think about that a bit more. I mean, I don't judge anyone who works in this field, because everybody has to pay their rent, but maybe we should try and work on things that create a positive change. A lot of us do, but some of us... and then it's okay to say, I work in a more shady field of IT, but in return I get more free time, and in my free time I do good things. But it's worth thinking about. It's worth thinking about the systems we build, the things we do, and whether they align with our interests and improve the world. And it's occasionally a good idea to sit down and think about these topics. It doesn't matter whether you build systems or whether you hack systems.

A good question, or a good thing to say, is that the goal doesn't make the way you do things good. What would, for example, happen when someone does the same thing that you do, except you were the target? Of course you can make this hypothesis more beautiful, but one question is, for example: what do you do when you have a political enemy? Would you feel the same way if, instead of hacking a political enemy, it would happen to your friend? You could for example say, well, maybe I should have thought about this a little bit more.

One variant of this is: do we shoot birds with cannons? For example: look, I've opened this online shop, the system was a little bit older and I've hacked the system, so I found two and a half thousand, two thousand six hundred people who buy chocolate
cakes. Is that relevant? Is this very exciting to you? Well, then you have to say, well, then you'll just have to talk to the owner of this online shop, you'll have to update his PHP and then it will be fixed. But is that a big deal? That's a question. We don't have to really make a press announcement, yeah? For example chocolate cakes online dot-com, that's a fictional address, it doesn't really matter if something like that happens. It's important when you deal with very sensitive data, maybe data that was stored in a very, very amateur way. In such cases it could happen that we make a press announcement.

One of the most beautiful parts of hacker ethics is that you can create art and beautiful things with a computer. To most of us this is very obvious, because most art you experience comes from a computer, for example animations and movies. When you go down to the assembly area and you look at what people do with their computers, how beautiful it is, how much aesthetics are in there, the charm, it's obvious. And the interesting thing is, back in the day it wasn't that way. Computers were technical machines, and if you really, really, really abused the systems you could have maybe a graph, for example a fractal Mandelbrot graph or something like that. You could print it out maybe and put it on a wall. Remember the year 1984. Still, one of the things that impacts me, which I feel good about, is when computers make art.

The last point in hacker ethics is one of the most controversial, especially if you're coming from the field of IT security. For example, when you wake up on Monday morning and you read the IT security news, then you think, maybe I should not have gone into this field of work, maybe I should have raised pigs or sheep. IT security is a field in which you always have the feeling of: it's always getting worse, nothing is getting better. But don't be so cynical, we shouldn't be so cynical. It is a truth that in general computers make
lives of people better. I sometimes go around at Congress and ask people how computers have changed their life for the better. There are people with disabilities, who are older, who can't orient themselves, and they have computers that help them in dealing with their daily life. Most of us wouldn't even know how to live their life without any kind of computer or smartphone. We wouldn't really know how to get information without a computing device. Well, let's have a look, yeah: who was in a library in the last four weeks? So you see, a few people have raised their hands. We're not lost after the zombie apocalypse.

Anyway, the realities are that not only information retrieval but also communication, all the things where you have to orient yourself, navigation for example, Wikipedia in your pocket, things which you can download or access so that you can go on holiday without the need for books, these are things that computers do, that we have built, and these are also things that we can extend and make better. All the negative aspects we've talked about, they're also very interesting. Think about the hate and so on at social media, the division in society because facts don't matter anymore. These are true, but they shouldn't disparage us. Nobody will die when Facebook is shut down tomorrow, for example. But we shouldn't make the mistake of saying, oh, all these computers are all bad. So if someone is working with wood or if they're soldering, which is great, but this sentence still retains its viability. So in this sense, thank you for listening and have fun with your device