Hi everyone. Welcome to today's event. I am going to start my presentation. Okay. So welcome. My name is Gabriella Coleman. I'm actually a professor, a newly minted professor, at Harvard University in the anthropology department, as well as a faculty associate at the Berkman Center. Today what we're going to be doing is kind of giving you an overview, a cursory overview, of "Wearing Many Hats: The Rise of the Professional Security Hacker," a 41,000-word report co-authored by Matt Goerzen and I. I'm going to start with a brief overview. I'm going to turn it over to Matt Goerzen from Data & Society, a researcher there, who will talk about a technical method that was innovated by hackers. And then I'm going to turn it over to myself to talk about a short section that I worked on. And then we will have Brian Friedberg, who is a researcher at the Shorenstein Center, lead with a Q&A. So, to start, I'm actually in a, you know, this Data & Society report, which is coming out this week. I'm going to start with a video to set the mood and the tone of the 1990s, when hackers were transitioning to the security field. This is Window Snyder, a very respected security researcher and former hacker, who's talking about the 1990s. Let me play this.

And I fell in with a group of, let's say, computer security hobbyists in Boston. This is a voluntary sysadmins. This space where they're at the time there wasn't, there wasn't a set of books. I couldn't go, you know, join a program and take a class in any of this stuff. So we built our own tools, we came up with our own systems for figuring this stuff out, for identifying vulnerability, for building resilience. And it eventually turned into an industry because other people found value in this work.

So, here is Snyder talking about the fact that during the 1990s these so-called hobbyists, a.k.a. hackers, were basically in the know when it came to security.
It was not an academic field, it was very hard to learn this knowledge, and it was hackers who had acquired the knowledge in the security field, often by getting their hands on illicit documentation, and then she sort of talks about how they were just sort of valuable and accepted to the security field. But in fact, a lot had to happen for hackers to be kind of accepted into security, the nascent security industry. And so while they were experts, part of the problem was that they lacked credibility: they were hackers, and we know that hackers were branded negatively in the media. There were so many of them, as they started to transition from the hacker underground into the security industry, they wanted to retain the hacker label, and this is important. You know, it'd been much easier if they just wanted to shed it. And then finally, another problem as they were entering into the security field was that there were some experts, academics, journalists who were like, do not touch these so-called experts with a 10-foot pole. To just give you a taste of that, to give you a sense of how hard it was to kind of maybe convince the public that these were the people that you should hire. So there was a group of hackers who created a security firm in the 1990s, Comsec, in the early 90s, and that company failed. And there was a journalist who wrote about it. And, you know, would I hire a safe cracker to be a security guy at my bank? Right, so a lot of people were saying no, these people are not trustworthy. Here is another example of that. So this is from the Association for Computing Machinery, and it is recounting what Gene Spafford, a very respected academic at Purdue, was relaying about these, you know, so-called hackers who were entering the security field. And basically he was saying, you know, hiring one of these individuals is like having an arsonist install a fire alarm. Spafford insists, just, you know, because he can start a fire doesn't mean he knows how to extinguish one.
So this is basically the milieu that these hackers found themselves in, whereby they had to establish their credibility, their legitimacy, even though they had expert knowledge. They didn't write this book, I just thought it was handy to note that they had to do this. And they had to do it when they were both proposing very controversial methods for exposing security, and that is what Matt Goerzen is going to talk about with full disclosure, and as they were calling the BS of Microsoft, in particular, and other software vendors who were claiming that there were no security problems. So they're building their credibility as their reputation was already under threat, and as they were doing controversial things. So now I'm going to turn it over to Matt Goerzen, who will talk about full disclosure.

Hi everyone, I'm just going to get my presentation going here. All right, so yeah, my name is Matt Goerzen. I'm a researcher at Data & Society, and Biella was my master's thesis advisor, and Brian's an old colleague of mine at Data & Society, so this is really a treat to be here for this event. And Biella mentioned I'm going to talk about a practice called full disclosure, and particularly I'm going to talk about how it manifested on a mailing list, a controversial mailing list called Bugtraq, in the early 1990s, that, you know, existed for a couple of decades after that. All right, so first I'm going to talk about a few precursors to the full disclosure movement. So beginning in the 1970s, the phreaks, the phone phreaks, the precursor to the hackers that we know today, started sharing information about how to exploit the US telecom system. So one kind of zine associated with that was called the Youth International Party Line. And it would, you know, share techniques and also technical documents. And then in the 1980s, you had the emergence of some hacker-focused periodicals. One was called 2600 magazine. There's actually a print magazine that eventually could be found at Barnes and Noble.
And another hugely influential electronic magazine was called Phrack, which you can see on the right there, the first issue of that, and both of these zines were kind of devoted to initially some of the phreaking techniques that were talked about in the Youth International Party Line, but also over time techniques for gaining access to computer systems and that sort of thing. So this wasn't known as full disclosure at that time, but it was really like a subculture that was devoted to sharing techniques for, you know, manipulating and explaining technology, often to gain access or to allow exploration or to allow conversation with other techniques. So here's a couple from the original Youth International Party Line: one is a, you know, a technical diagram for creating a tool that would allow you to perfect your ability to whistle at the precise 2600 Hertz frequency that allowed you to control the phone system, and another, you know, more low-tech hack of how to send mail and recover the stamp later on. In the 1980s, BBSes started emerging. And so this is a screenshot from the Demon Roach Underground, which was hosted by one of the founders of the Cult of the Dead Cow, a notorious hacking and text file group. And so BBSes became a way that people would share text files and exploits and ways to gain access to things. This was kind of the backdrop of how this type of knowledge was shared in the 1970s and 1980s. And towards the end of the 1980s, one really significant event occurred, which was Robert Tappan Morris invented the first like truly significant computer worm, and it spread across the early internet and caused a significant amount of cleanup costs, and so the US and some academic partners established CERT, the Computer Emergency Response Team, at Carnegie Mellon.
And also in the 1990s, on the heels of legislation called the Computer Fraud and Abuse Act that emerged in the mid 1980s, hackers associated with the Legion of Doom and a variety of other groups were subject to law enforcement crackdown. And as Biella mentioned, in the early 1990s, on the heels of this, some hackers started to try and go more legitimate, including Legion of Doom members who created a company called Comsec, which was devoted to, you know, offering security services like penetration testing and auditing and things like that. It was extremely controversial upon its founding. And the hackers accused them of using their kind of institutional legitimacy to out-compete rivals or to snoop on them, and business didn't trust them, thinking that they were, you know, just going to gain access back in access to their systems to exfiltrate data. And so Comsec folded in 1993. And one of the founders, former LOD member Scott Chasin, who's known as Doc Holiday, created a mailing list called Bugtraq. And Bugtraq was really like a core platform for what became known as full disclosure. So it was the practice of disclosing information about computer vulnerabilities and also methods for exploiting them in a completely, you know, no-holds-barred kind of capacity, and this was also an extremely controversial practice. CERT had filled this sort of role as a clearinghouse for vulnerabilities in the 1980s, but a lot of hackers, but also representatives from industry and, you know, systems administrators tasked with protecting computer networks and things of this nature, were kind of dissatisfied with how CERT would often reveal only the most, you know, only the smallest amount of information about vulnerabilities, and there'd be long lag times between vulnerabilities being submitted to CERT and being disclosed to the public. Sometimes they were never disclosed to the public at all.
And so Bugtraq, even though it was founded by a hacker, attracted a wide range of participants. So early on, you had people sending in posts to Bugtraq from organizations like the MITRE Corporation, the University of Florida, people from NASA. You could see all of these, you know, these domains where these emails were originating. And of course there were also people writing in from early hacker-led ISPs like MindVox and Panix, and participants from early hacker groups like the L0pht Heavy Industries and so on. And eventually over time, Bugtraq became moderated, I think in 1996, by Elias "Aleph One" Levy, who also, in the same year, wrote an extremely influential article for Phrack called "Smashing the Stack for Fun and Profit," which offered a very general technique for buffer overflows, which was a very potent exploitation technique that still in some instances persists today. So kind of this association between institutional actors and hackers and kind of more independent systems administrators, all oriented towards sharing vulnerabilities, functioned as a trading zone for kind of a, you know, an extra-institutional, extra-establishment group of people to discuss practical techniques for discovering and perhaps dealing with vulnerabilities in different ways. But Bugtraq was also controversial because not only did it attract, you know, participants who had the positive, you know, project of improving security in mind. And also, there was a lot of suspicion that some of the hackers that were involved in the mailing list were, you know, taking the vulnerabilities that they would find there and using them to engage in unauthorized computer access or criminal hacking or things like this. And so this really, you know, set some of the ground for the discussions that would emerge around, you know, white hat hacking, black hat hacking and later gray hat hacking, which I think Biella is going to talk about subsequently.
But at this time, it's really important to note that there were some computer security researchers, like Dan Farmer, who started developing tools; one of the most notorious ones was called SATAN. And I think it's called the security assessment. I don't remember the acronym right now, but the point is it was controversial not only because of the name, but also because it automated a lot of these vulnerability detection techniques into a tool that someone could run on a potential target to discover ways that it could be exploited. Of course it could also be used by a systems administrator to audit their own networks and figure out ways to patch it. All of these vulnerabilities were kind of going into building this pool of knowledge that could be used to a range of different ends, and so it was extremely controversial. Some people who defended full disclosure argued that it would increase pressure on vendors like Microsoft to more quickly address security issues, something Biella will talk about as well. Also that it could facilitate the education of people into the field of security more generally. Again, this was a time when there weren't a lot of academic classes being taught on the subject of security, so people who wanted to learn about vulnerabilities often had to, you know, either engage hands-on on their own or learn from these kinds of hacker periodicals. It could also empower systems administrators to, you know, patch or disable software on their own networks that was allowing people to get in. And in the long term, all of these things would contribute, it was thought, to the security of the broad user community. Of course, there were also detractors.
One of the main critiques was that it can empower a class of hacker known as the script kiddie, which was someone who could just take, you know, the exploit code posted on Bugtraq and deploy it to break into a system without even necessarily understanding the technical, you know, backdrop on which they're operating. Later on there was criticism that this kind of disclosure of vulnerabilities created market incentives. And in the mid 90s a lot of, like, security firms were starting to come out. So the argument was that by making vulnerabilities more publicly available and incentivizing script kiddies. And also creating a market incentive where these companies that were often staffed by the same people making the disclosures to profit by offering solutions to those issues. And in the short term, you know, the basic idea that it could endanger users. And so that clashed from the digital underground, hacker underground, who saw the disclosure of vulnerabilities and the resulting efforts made to patch them as a threat to their own kind of power, or also just ability to play and explore networks. So it was controversial not only from establishment actors but also from the underground figures themselves in some cases. Full disclosure, and particularly as sited on Bugtraq, had some very concrete outcomes, and it put hackers in dialogue with respected mainstream technologists, allowed them to gain mutual trust. And at the end of the 1990s, vulnerability disclosures by hackers who were using their real names rather than their handles were increasingly serving as kind of line entries on CVs. So people looking to find employment at emerging security firms could, you know, point to a vulnerability that they disclosed. And also, you know, the vulnerabilities themselves could in some instances serve as products, as a kind of market emerged in the early 2000s for selling vulnerabilities.
But also this created a lot of tension with the hacker underground, because sometimes the people disclosing vulnerabilities hadn't necessarily been the ones who discovered them and instead had found out about these vulnerabilities through underground kind of trust networks, and then they were able to claim ownership in a way that would enhance their professional career. And more generally, full disclosure moved the security industry into a model premised on awareness and vigilance. So instead of a security by obscurity approach, where security was achieved by hoping that these vulnerabilities would never be discovered. So it was a security model where discovery and quickly addressing and, you know, relying on security firms able to provide services to help audit networks and so on, really became the standard. So this created an ambient kind of background throughout the 1990s where, you know, vendors had to be more responsive, and there was more public awareness of security risks, and hackers were able to leverage, you know, that general backdrop in their own interest and to enhance their own legitimacy, and that's something that Biella will now pick up talking about and takes your time.

All right, so I'm going to pick up. Let me just move these forward. So basically, as full disclosure was developing as this, you know, very robust but controversial practice, hackers individually and as groups started to do a lot of reputational work. And that entailed educating journalists; they were courting business opportunities. And, you know, they were still, like I had mentioned, very, very invested in retaining the kind of hacker label and relationships to the hacker community. And as the security industry was, you know, interested in courting hackers, a very stark binary started to grow. There were black hats, and there were white hats, and this is one way the corporations were trying to kind of control the message.
And actually in the late 1990s, what is really interesting is that just at the moment where it seemed like the black and the white was really being sedimented, the L0pht, which is a group that was based out of Boston, basically came up with a linguistic innovation, which ran parallel to really intensive media efforts. And this was the coining of the term gray hats. So this is a quote from Chris Wysopal, Weld Pond, which notes that the commercial world was trying to adopt the techniques and capabilities of the underground but wanting to draw clear lines. We didn't want to do that. They wanted to learn from us and take the information and commercialize it, leaving the tainted researcher behind. We were non white hat, we wanted to be the researcher to be accepted as the authority and get them jobs. And so the gray hat term allowed them to do some of that work, which was to push against this stark moral binary, and also convey that they had sound intentions but they were also very much willing to rock the boat. And indeed, in the late 90s, they were willing to rock the boat through publishing vulnerabilities but also going really aggressively after the software vendors, especially Microsoft, which, you know, basically had a monopoly in the late 1990s. Now the L0pht was just one group; the Cult of the Dead Cow was another group that kind of went after Microsoft. This was not kind of coordinated between groups and individuals, it kind of happened organically, but as the 1990s marched on it did become more aggressive. Microsoft and their problems with their security came up in talks and mailing list posts and advisories, but the most kind of rhetorically powerful way that Microsoft was put on the hot seat was through tools that cracked Microsoft products. And, you know, I'll get to the tools in a moment, but I just want to make it clear that, you know, for years the response from Microsoft was that, you know, there is nothing wrong with our products.
There are really kind of malicious actors, that is the problem, right, and this is one quote from Microsoft, I'm not going to read it, you can read it up there, that conveys what their stance was: stonewalling, stonewalling and stonewalling. Again, there were lots of groups and individuals who were participating in this pushback against Microsoft. Again, in a moment where these hackers are also trying to rehabilitate their image, and the two most visible groups were the Cult of the Dead Cow and the L0pht Heavy Industries, and some shared membership between the two, but Cult of the Dead Cow was the kind of slightly bigger, more diffuse group. And so the two tools that they created were L0phtCrack, which was a password recovery and auditing tool, and then Back Orifice, which had two versions. The remote administration tool allowing for stealth remote control of Microsoft Windows 95/98 machines with or without a user's knowing consent. Now what's interesting about the tools is that they have some similar functionality, some differences as well, but the groups behind the tools and the ways that the tools were presented to the public and the hacker public and the nascent security world was quite different. And so I like this quote from our report, which really captures some of these differences between the groups: so where the L0pht sought to present an image of the underground hacker as a Renaissance figure, the Cult of the Dead Cow frequently played into the stereotypes of like the hacker menace in an ironic manner, laughing at the media's willingness to play up the hacker menace. Fittingly, another CDC tagline read, you know, hyperbole is our business. And indeed, when they released Back Orifice for the first time at DEF CON, a very famous hacker conference, you know, they went up full-on theatrical, this was full-on spectacle. So Back Orifice's technical presentation at DEF CON was preceded by CDC co-founder Kevin "Grandmaster Ratte", you can see him.
He's pacing back and forth on a conference table wearing leather chaps, a thick chain necklace and two holstered fake pistols, demanding of the crowd, when I say dead, you say cow. Another CDC member then encouraged members of the audience to use tools like Back Orifice in service of a particular goal. Hacktivism, he said: what we have here is a concept and a series of tools and a whole methodology that takes the slacker ethic out of all you people, we're making it easy enough that an eight-year-old can make a difference, can fuck shit up a little bit for the Cult of the Dead Cow. Right, so this was really, really kind of stirring the pot of controversy; they were kind of playing up the bad boy image. And, you know, Microsoft really kind of again stonewalled, they said no, these are the bad hackers. And then the CDC would issue press releases that kind of flipped the moral narrative, and journalists would write about it. They were the most kind of theatrical in this hyperbolic mode, but at the very same time that they were doing this, the L0pht, again, using a little bit more buttoned-up approach, was still quite aggressive against Microsoft. And then in the late 1990s, 1998, they were invited to testify in front of four senators, which you can see here. And even though this is a different type of theatrics, nevertheless, it was quite theatrical in its presentation, and this kind of catapulted them into the limelight. There was a New York Times Magazine feature article about them where they can also explain gray hats and their hands-on methodology. Basically, you know, between the L0pht, which is kind of the good cop, and CDC, the bad cop, you basically have a period of time where these hackers are able to kind of interface with journalists, and also convey security by spectacle, which we define as the following.
The assessment of security by making both technical instances of insecurity and also the negligent practices not only public, but also really unignorable. The CDC's Back Orifice can be seen to epitomize the process for the way that it stage a mediatic of the hackers and a powerful corporation, ultimately nominating both technical design decisions and corporate governance questions for public debate. They set the agenda in a very kind of powerful way. There are other kind of mechanisms and factors, but by 2002 Bill Gates had declared security, under the guise of Trustworthy Computing, as the company's highest priority, and they proceeded to kind of hire former enemies, hackers, to help lead the way, and in fact Window Snyder, who I started my presentation with, was hired at this time. And she invited, you know, many hackers under the BlueHat security conference. And although there were many changes subsequent to this period that were toned down the kind of adversarial nature of the late 1990s politics enacted by these hackers. This was really, really central in changing security and putting it on. So I'm just going to leave it at that and turn it over to Brian, who will now kind of proceed with a Q&A period.

Yeah, I'm looking forward to getting a little bit deeper on some specific questions. First of all, thank you for the report. After getting to read it, it not only filled in a lot of sort of gaps in the history of how a lot of this stuff came to be, but also serves as an excellent prelude to a lot of your other work, Dr. Coleman. I know that this is a representation of a much larger body of research that the both of you have been undertaking for quite some time. I'm wondering if you can talk a little bit about both sort of like the joys and the challenges of putting together internet history research. What kind of materials you were using, how journalism may have helped or made that process harder, and some of the interviews you've done. Do you want to start, Matt?

Sure.
Yeah, I mean, yeah, so I mean Data & Society funded us to do this work starting, I guess, like three years ago or so. And it's been a really interesting time. I think like one of the most interesting things is that we, because of the, you know, it's about 30 years out from kind of the start of where we were looking. And that allowed us to have a really interesting methodological approach where we simultaneously were really deeply engaged in archival material. And a lot of which is still available online but like is literally vanishing day by day by day. You know, I was just looking through our final proof and found a link to the original announcement of the Bugtraq mailing list. That was hosted on Google Groups because it was a Usenet posting. And it's not there as of, you know, six months ago or whatever. And also, of course, because all the people that we're talking about for the most part are still alive and maybe a bit more open to talking honestly about what was going on. We were also able to complement that archival research by talking to the people and triangulating between those two things. In some cases correcting the memories of people who have forgotten things, and in some cases having people tell us things that at the time were contentious or speculated on, and confirming things. It was really, really fruitful and interesting.

Yeah, I'm going to just add one more thing, you put it beautifully. You know, I'm thinking about this methodologically as living histories of the internet. When you're doing research on the present, you could absolutely and you should absolutely document, document, document and, you know, start theorizing, but actually not enough time, sometimes, like, passes for you to really understand inflection points, or the significance of things.
And I feel like once 20, 30 years passes you can do that, right, and being able to complement archival work with interviews is beautiful, precisely because you can juxtapose them and do like a lot of fact checking. And so I think it's a really fruitful method for kind of internet history. And so while we have very particular arguments around the security industry, I think in some ways, hopefully one day we'll write up something about the kind of methods that we went through that would be of value to other researchers.

In the report you talk in great detail about how hackers trained the media to write about them, both through specialized access but then also forms of punishment when the story wasn't quite right. Going back through, you know, them as primary materials for what you're doing, as well as sort of talking to some of the individuals involved, did you get any sense about how that style of engagement with the media, how they learned to do that?

I mean, the L0pht was especially good at that. And, you know, they had press packets. They had cultivated special relationships with specific journalists that they gave special access to. And I think it was also just very much an iterative, organic process as well, where, you know, they would do an interview and then they would go out to dinner and have some beers, and like basically talk about what happened, right. And in some ways, you know, probably like their tech methodology was applied to how they dealt with the press as well. And I think with the CDC, you know, they had a very different method, which was, let's, you know, be a little bit crazy, right, in order to kind of court the attention and then be able to throw some other kind of grenade out there, so they're almost in some ways kind of symmetrically opposed, right, one was very like finessed and curated.
The other one was like a little bit, you know, more freewheeling, but both were kind of very, very effective and very central to them being able to kind of control the agenda.

And I think that's totally right, and also it's interesting because the CDC really had a, you know, their initial tagline was global domination through media saturation. And they really had a relationship with the media quite early on because, you know, like, as early as, you know, beginning in the 1980s and certainly in earnest in the 1990s, when the media wrote about hackers it was as this kind of like spectral, you know, threat, right, and so CDC early on, you know, under the guidance of their Minister of Propaganda, Deth Veggie, Deth Vegetable. So they would actually kind of like, I guess what we recognize today as like trolling, really, where they would actually court media controversy, not so much to like improve the security agenda, or even to rehabilitate the nature of hackers, or the image of hackers, but more to like parody or to point to the absurdity of some of those things. So I think Deth Veggie published a text file on like how to make a bomb in the early 1990s or the mid 1990s, and it was just completely absurd. But of course, you know, the media, it got some media coverage and then he was able to use that as leverage to like turn the tables and shame the media for their bleeding headlines kind of approach to things, and so I think through those kinds of more like playful, prankish, puckish kind of engagements, that also offered a template for the type of work the L0pht was doing, and using that same kind of, leveraging that same kind of spectacle to actually change the conversation around security.

I wanted to touch a little bit deeper on sort of motivations that this era of hackers engaged in. From what I was able to gather, the term hacktivist as we know it today, that didn't really come into use until the late 90s, so the tail end of the period of time you were looking at. So thinking about the interplay between ideological motivation, economic motivation, and then a third sort of murkier bucket, for some it seems to be play, others it seems to be the thrill of exploration. If you could talk about if those categories are sufficient, but if not, what other sort of motivations did you see bubble up.

Briefly say something that kind of helps set the scene. I mean, obviously, like, for example, the L0pht had a business plan, we quote from it, we're very lucky to get it. They were trying to court business. Some people, I think, you know, retroactively impute on them like, oh, they just wanted to make a buttload of money, and many did, you know, but actually I think reading, I read the biography of one member of the L0pht, right, as we're writing this, which was super helpful because it made me realize how much the L0pht was struggling to actually court business, like they really just wanted to be able to like make a salary and work on this full time, you know. I just mention this because yes, they wanted to kind of make some money, but I don't think that the kind of gold rush, which definitely came about later, was something that was obvious to most. And so, from my perspective, it was mostly about doing the right thing technically from a narrow security perspective. And yes, let's make a solid middle class living from this. And then, you know, as the industry really takes off, I mean, wow, there is so much money to be made, and then that just kind of changes everything. So that's all I'll say around that, but Matt, I think you probably have more to say.

I think, I mean, I think that is like, conveys like the, you know, a big part of the approach to professionalizing.
But I think like the bigger question of like, you know, activism among hackers or like nascent political sensibilities among hackers, I think like, you know, obviously a couple of the images I showed were from like the youth political party line, which was associated with like the Yippies in the 1970s. So there's always like this kind of, you know, politics that were a part of the formation of the hacker scene, and I think throughout the like period that we look at, the late 1980s and 1990s, a lot of that politics manifested as like a, like the struggle to gain access. So, you know, whether it's like, you know, being able to access this new technological infrastructure and not be written out of it, to gain access, compromise, and also to be able to secure oneself. So, you know, one of the biggest politicized hacker struggles before hacktivism was around encryption. So like in the early 1990s there's what's called the crypto wars, where there was a real struggle over whether the public would be able to have access to like, you know, government-level encryption, which was being classified as munitions because of its military applications. So there's a lot of hacker, really hacker activism around that, but also like, you know, a lot of the text files had kind of like a libertarian, like anti-corporate, anti-government, not necessarily both, one of the two, kind of tendency to it. And so actually one of the things we're looking at now is like, I think that kind of hacker politicization can be understood. And so the idea of like a, what Chris Kelty has called a recursive public, like basically activism to secure your access to technology, your integrity as a community. And what we're really interested in looking at now and the subsequent work in part is how, once professionalization and some of those issues around access were resolved in the 1990s.
A lot of the hackers that didn't have the same technical skills or didn't have the ability to professionalize because they had criminal histories or had a very strong commitment to a type of politics that was outside of, you know, beyond just simply securing like corporate property or securing technology or securing users, they started to go in different directions, right, where they started applying hacking techniques to political ends, right, and so that's when you start to see the more contemporary manifestation of hacktivism in a variety of different directions.
So this kind of leads into what I'd like to talk about next, which is one of the, there's two really excellent contributions and definitions in this report, the security by spectacle, and then the bottom-up securitization, which again, I'm just more to be said about that in the next report as well, but sort of the long tail of this security by spectacle, sort of the practices, the media engagement, the institutional impact that these groups had, that toolkit was passed on to other communities, and even if originally maybe these weren't done for what we would call ideological reasons, they became sort of the deep lore of the next era of, you know, sort of political hacktivist ideology. So maybe sort of transitioning more from the next era, so maybe early to mid 2000s, like what do you see as sort of the long tail of this practice?
Should I go first? Yeah, I mean I think, like, you know, in many ways, this report and the related work is like a prelude to Biella's work on Anonymous and other hacktivist groups. I think like, you know, I think you could think of it like similar to how the Cult of the Dead Cow and their kind of more pranksterish, trickstery kind of like media play gave way to like these more like these techniques that could be used to set the agenda around this kind of idea of bottom-up securitization.
I think like it's still the case that, you know, similar techniques like these could be, and to some extent are being, used today to challenge what security means, so I mean in the most direct way. If you see the hacktivists that kind of grew out of or were inspired by these communities, like Anonymous, that were using kind of hacker techniques and also media, you know, manipulation techniques to really challenge the idea that like, we're really to confront the security, what you know they would call the security intelligence or complex, right, like so, you know, drawing attention to the emergence of like private security firms that were developing tools that could be used by governments to crack down on activists or to surveil their citizens. So actually like making an argument that insecurity could be used to, you know, could like, exploiting security vulnerabilities could actually be used to draw attention to other types of security concerns, right. And today we're also of course seeing a lot of discussion about security on social media, security of algorithmic systems and so on, and so it's interesting to think about how similar techniques of like bottom-up securitization and media agenda setting could be used to shape those kinds of conversations and expand the circle of what we consider to be computer security and what types of people should be involved in those conversations. In the 90s it took the inclusion of these kind of hacker outsiders; what types of figures need to be in the room today to elevate our understanding of what the security risks facing us are and how they can be addressed? What do you think they are?
Yeah, yeah, I mean, I'm just going to add maybe two things, one's a point of emphasis on something you said and something slightly different. I mean it's interesting because the security industry as it formed was very technically oriented and tended to serve kind of corporate and nation-state interests.
There wasn't even like a kind of pro bono arm for most firms to do kind of civil society security work; that came with groups like the Citizen Lab. It was very narrow, but also there was like a very unethical place that the security industry went to with groups like NSO and Hacking Team, so that security was used to like basically hunt down dissidents and activists, and I mentioned one of the questions kind of gets to that. And it's interesting to see how like the kind of different era of hacktivists used spectacle and a different sense of security to put that on the map, you know, but the people we kind of looked at and studied didn't quite foresee some of the like most unethical uses of security in the security industry. The other thing to just very briefly and then we can get to the audience questions is, you know, the era that we looked at there wasn't really social media, right. So you really had to kind of court your spectacle to be threaded through establishment journalism. And today the game has changed, right, with social media, with social movements coming out of the image boards. So there's both more opportunity for spectacle bypassing initially the media, you always kind of need them at the end, you know, but it's also like there's so much noise out there as well, that I think it's really hard to kind of create sustained conversations over time in the way that I think happened in the late 90s, everyone was kind of on the same page over these security issues because you had less noise. So do you want to look through the Q&A?
Should we turn to audience? Let's do it. Sure.
There's a lot of great questions. I mean I'll start with the first one very briefly and maybe Matt you could look at one to follow up with, like Kent Louis, melacon, could you please elaborate as to why the spectacle was necessary in the first place, why were companies like Microsoft's overlapped into vulnerabilities in their systems.
I mean, I think just back at the time, it was a combination of, first of all, no one likes to point, you know, point out that you have dirty laundry, right. And that's never kind of an easy thing. Second was like, again, when people were building software there weren't kind of security-minded protocols for the building of software. It wasn't necessarily obvious to people. And third, you know, there was a long period on the internet where, you know, there weren't malicious actors, right. And so in some ways, it really wasn't seen as a problem because it wasn't as much of a problem. So all of these kind of, you know, converged to create this situation where there was clearly a problem but people in charge were denying it, right. And so you really really really really had to rattle the boat to make that obvious. Matt, do you want to answer a question?
Yeah, sure. I think, I mean, there's a bunch of interesting questions here. I think a lot of them can be kind of answered by reading our report, and I'll just mention the report, I mean, well, one of the questions is, sorry. One of the questions is where is the report posted, so it's actually going to be posted in the next, hopefully sometime this week, it'll be on the Data & Society website, so that's datasociety.net. And yeah, I just, you know, some of the questions are like elaborating on certain things we've discussed, like the hat terminology for example, and that's something we cover in depth in the report. I think I will, you know, I'll take a crack at answering a question from shotgun the glutton, because it's, so they ask, can you say more about the articulation of the politics of hacking, the broader socio-economic context of this period, and the publicized role played by techno-libertarianism in the tech world today.
So I think, I mean this is a big question, but it's something that we explore a little bit in this first report and that we want to tackle more head on in subsequent work. Like, you know, earlier I mentioned kind of the recursive public approach to hacker activism and like the effort to secure access to information, access to encryption, access to infrastructure and so on. And so I think like, after professionalization occurred around like the year 2000, you start to see a couple different things, I mean I think. Yeah, I think like defining computer security and cybersecurity on such technically focused terms was a way to kind of obviate politics for a lot of hackers in some way, because it allowed them to kind of like focus on this thing that they care about, which was improving security solely on kind of like technical terms, and kind of sidelining the question of what the politics of that engagement was, right, like securing a software so that its user can't have their credit card information stolen, I mean that seems like good to most people, right, and so what you see in the backlash, which is something we're going to talk about in our next report, is basically challenging that idea and challenging the idea of whether, you know, securing products that are being pushed by big corporations or securing infrastructure that is being used by governments and not necessarily being made to serve the interests of particular communities is necessarily what security should be about. And so that's kind of where hacktivism takes things. I think the, you know, the techno-libertarianism extends from that idea that if you can just focus on solving these technical problems, then that's all you need to do, right, and maybe from one kind of very liberal perspective that's the case, you know, this kind of like societal progress in step with technical progress of like patching all of these issues.
But I'm really interested in grappling with these bigger challenges to that approach to security, which is saying, you know, what is this, what are these software actually being used for, what sort of infrastructure is not in place that should be there. What infrastructure do communities use, how do they have control over that infrastructure, how do they define what security means for themselves, you know, and I think there was, you know, people in the early hacker world that care about those questions and you see them. You see those questions come to front stage in the kind of wake of this hacker professionalization that we talked about in the first report, so hopefully we'll be able to answer that question a little bit more head on in the near future. Do you have any other questions that jump out at you, Biella?
Yeah, I mean, I will take John's question. And, you know, I'm just going to read the last part of it. So the terms of black and white hat seem to break down outside of a simple case. What about NSO Group? Is it fair to say white/black hat is a language that has mostly to do with brand image on the part of the security industry and governments? Based on the above, does gray hat open a space for those who want to reject the framing of the world as a game of cops versus robbers? I just, I think that's a really good question. I mean first of all it's interesting to note that, you know, a lot of hackers today will be like, that terminology is a bit lame and outdated. You know, it served its purpose. It's also interesting, you know, we do in our report address issues of race and gender and harassment. And even in the security world there's been a reckoning around language. The hat one was not one that was taken up too much. But nevertheless I think it's one that in some ways people are leaving behind, both because it's done its purpose, is outdated, but also some of the kind of racial connotations.
But that said, I mean, I do think that it's useful to not have like stark binaries. And I think the thing that I always did appreciate about the gray hat mentality and labeling and kind of ethic, especially in the late 1990s, is that you do need to rock the boat, you need to push against things, even in your own kind of like corner or industry. It's really, really hard, that's really hard to do if you are working in that industry, so what do you need, you always need kind of outsiders, for example, you need watchdogs. You need those who are willing to kind of call out the problems. The process is, you know, perpetual and constant. I think that there's something about like the gray hat framing that kind of allows for thinking about those types of politics that are so central to, you know, anything where you have to be constantly pushing on groups and corporations to do the right thing. Matt, do you want to take a last question since we have just a couple more minutes?
Sure. Well, I can just build off that a little bit because I think there's two questions that are asking kind of about the incentives, the, like, economic incentives related to security. One about, you know, how much resources Microsoft had to throw at the problem. Yeah, and one about how, you know, how socioeconomics played into it. I mean, I think like, you know, there's a concept of like security economics that some people have talked about starting in the early 2000s. And I think there's basically the idea that, you know, part of the reason Microsoft responded to these issues in the first place is because they threatened their bottom line, right, a lot of what the CDC and the other people were doing were, you know, jeopardizing Microsoft's ability to defend its products. And I think also feeding into some of the anti-monopoly stuff going on at that time.
So, I think the idea of, like, attaching economic incentives or disincentives to security activity is really compelling and was super important at this time. And actually Microsoft, when it did start taking on these issues more pointedly, some of that was based on economic incentives as well. I think there was actually a moment around 2003, when they started adopting the security development or the software development lifecycle, where they actually started making advances for software developers, software engineers, to the security outcomes of their technologies. So again, I mean this is, you know, something that enhanced security insofar as we can equate security to securing software, but I think Microsoft had a lot of success with taking an economic approach.
Okay, it looks like we're done, so I'm just going to say that this report's almost 50,000 words. That's long. So there's a lot there, but please give us comments and feedback. There's a secondary report and we hope to turn this into a book, and there are missing pieces, like, you know, we couldn't interview that many Microsoft people, and some of the questions today kind of like remind me, oh wow, we should do that. I just want to thank Berkman Center, Brian, Matt and everyone who made this possible, and just reach out to any one of us if you can't find the report, and otherwise have a great day.