The director of our netwars documentary visited Las Vegas to gather some material. Marcel Kolvenbach attended two hacker conferences, Black Hat USA and Defcon. We spoke with him about his impressions:
How does it feel to be among these dangerous guys? Actually – are there only guys?
Yes, unfortunately there are almost no girls. I love dangerous girls! The guys – to me – didn’t look dangerous at all. I had the feeling that the place had been hijacked by government officials and company representatives to find new talent. It has been hard to spot the few hardcore hackers among the audience. I guess the reaction to the speech of the NSA boss was symptomatic: there was only one outspoken voice of protest. 99% of the audience would just applaud.
Did you take any personal precautions to prevent being hacked?
I don’t use smartphones, even in normal life. There were a number of presentations proving smart phones to be a very vulnerable target. I didn’t have any important personal data on my travel laptop. I tried to run the laptop only with a Ubuntu system, loaded from an USB stick. After the visit I will format all my media that have been exposed to online use. I didn’t use the WLAN, just the cables at the press center – as recommended. I still feel I might have been hacked, some time ago, during a Skype conference with one of the most famous US hackers. He sent me a PDF file and – I clicked on it before thinking about it. Stupid.
Did you feel personally threatened at any point?
No, not really. I feel threatened by the fact that press freedom doesn’t seem to apply any more, if you consider the things that happened in London [when the "Guardian" had to destroy material provided by NSA leaker Edward Snowden]. Feels like my work as a journalist is not protected anymore. That’s much more threatening than hackers or even cybercriminals.
Why do you think do these hackers even talk to journalists about their trade?
Journalists are important amplifiers for their message. Most hackers I met believe in an open and free society, they believe in public domain, they share what they know, to educate and inspire others, to take that knowledge and go ahead, to the next step. It is the opposite attitude to secrecy and protecting your work or your code with force, guns and courts. Really, Journalists and these Hackers are rather similar in one sense: I strongly believe in press freedom, and that journalists have to be protected against interference by the state or other powerful interests. And these guys strongly believe that the net should not be controlled by corporate or national interest, but rather by a free spirit of creativity.
What was the scariest demo hack you saw?
I would not call it “scary”, rather eye-opening or revealing. There has been a number of presentations, demonstrating that everything we use in IT can be manipulated and most likely is – including a piece of hardware. A fake charger can be used to take control of your smart phone and spy on everything you do, from online banking to all your contacts. This is done in seconds. The most impressive demo was the presentation “Out of Control” by Brian Meixell and Eric Former. They demonstrated how a SCADA device on an oil-platform or any other industrial can be exploited, creating serious damage with huge environmental effects. According to their demonstration, it is pretty easy to enter to control of these installations and blow up pipelines and other vulnerable parts. Since their daily work is to install these systems in the field, they really know, what they are talking about.
If you want to analyze the risks, you could say: it’s a combination of old technology still in use for profit reasons combined with today’s connectivity. If you have a local device with a very old protocol, that is easy to read and to change without much IT knowledge and connect this device to a public IP address, that anybody can access via internet, you’re installation is pretty much out of control. This is what has happened in the industrial world. Pumps, vaults, motors, engines, all are run by these SCADA devices, but to save costs, to avoid people having to go out in the field – sometimes in difficult to reach locations or hazardous environments – the companies decide to access these primitive controllers via Internet. It saves huge amounts of money, but comes with a very, very high risk.
Black Hat Conference in Las Vegas, USA
Is there a way to translate these potential threats and vulnerabilities into film?
Of course, such a story has potential to great drama. Like on of these 70′s disaster movies from Hollywood. An airplane out of control or an nuclear plant, the gas and water pipes in a town. These are all potential targets. What we are trying to do in the netwars / out of CTRL documentary is to simulate, to tell the story of such a drama, what could happen if a person with malicious intent gets control? How easy is it to actually access these devices and what would be the “worst case scenario” if you combine these efforts of hacking with the effort of protecting the systems on the other side. You get a race, a race between good and evil, between white and black hat, between an aggressor and a defender. This is great stuff for any film – fiction or factual.
Do you trust the hackers you met to do the right thing and not harm anybody?
I feel people like Brian Meixell and Eric Former who work for the industry would never reveal their findings if they would suspect any harm. This would be their last day in the job. The risks are there and the people with criminal intent know it already. Now it is time to mobilize big and small corporations to take these threats seriously, to wake up stakeholders so they demand security measures, and make any employee or citizen aware of the fact that – as much all the apps and gadgets make our world more entertaining – the web and all these mobile online applications come with a very high risk.
You can compare the situation to let’s say the invention of the automobile: When there were only few around, you could do what you want, you could build your own vehicle the way you liked. Later came more and more safety regulations from the seat belt to shock-absorbing crumple zones. There are tough rules and regulations of automobile traffic today, people have to pass tests and vehicles are tested to be allowed on the road, you’ll see similar certificates, laws and restrictions for devices being connected to the Internet traffic in the future. I feel we need these traffic rules for the net to protect the freedom of movement and information. Otherwise, you’ll have too many accidents.
Would these people blow up a factory in a conflict, say, for the US Army?
Jason Healy, the director of the Cyber Statecraft Initiative of the Atlantic Council has made a clear point: cyber warfare is and will be part of any future conflict. But it will just be one tool, one type of weapon. The answer is “Yes” – any side might blow up any facility at any point, if this is part of a war strategy, if it makes sense. But any serious party in a war will not just blow up stuff because it is technically possibly. I feel, this is the big mistake when we talk about “cyber war”. People like Jason Healy are very careful, talking about “cyber war”. I had similar talks and comments when I interviewed people for the film in Israel. Many strategical analysts doubt that there is such a thing as “cyber war”. There is cyber weapons and possibly cyber warfare. Cyber is an aspect of war, like radio communications, satellite images and so on It will be used, no question. But there has to be a war first and a reason for that war before people are engaging in cyber attacks. And they will never come alone, if it is to be a “real” war. You will have troops on the ground, even if only a bunch of special forces. You’ll have air and sea based and then – in addition – cyber based weapons.
What’s your next shot for the film after Las Vegas?
A group of hackers and a utility in Germany. We’re going to film a simulated attack while the security guys at the utility try to defend themselves.
About Marcel Kolvenbach
Marcel Kolvenbach is a documentary film maker who won several international awards and has currently been nominated for the German Grimme Prize. For 20 years he has been filming documentaries for German TV stations like WDR, ZDF and arte. Kolvenbach lived in New York, Brussels and Kampala where he experienced blackouts lasting for days or weeks. The work for “netwars” challenged the author and director to portray an invisible war in pictures and sounds. For that, Kolvenbach, who studied design, used his camera to document empty rooms and how human beings and humanity disappear in them. In his eyes the real threat is the dissolution of the analogue world into the binary system. For him, “cyberwar” is the logical consequence of our world’s virtualisation.