6

Culture Clash

Hermes and the Italian HackingTeam

The Italian Embassy

It is nearly three o’clock in the morning on the fourth day of the camp. By this time, I’ve pretty much given up sleeping, there are so many people to talk to.

Under the glow of lanterns hung among the birch trees, several of us are eating a late dinner. Sitting at one communal table in the near dark, two men in their early thirties are speaking to each other in Italian. Italians! So they’re here.

A big scandal involving Italian hackers broke only a few weeks ago. HackingTeam (whose members Harry Halpin called “scumbags”) was a group of Milan-based hackers who allegedly sold their surveillance software to some of the worst authoritarian regimes on the planet. Numerous hacker, civil society, and university-based groups, including Reporters Without Borders, Privacy International,1 Human Rights Watch,2 and the Citizen Lab3 at the University of Toronto, wrote reports or open letters denouncing them.

Then someone hacked HackingTeam and exfiltrated all its stuff through torrents, posting the 420 gigabyte file on HackingTeam’s own Twitter feed with the file name “Hacked Team.”4

The colpo di grazia in this cause célèbre had become the talk of the camp. Who had managed to pull off this admirable hack? The mystery was generating a lot of cheerful speculation.

Sacha van Geffen had told me a bit about the Italian hacker scene. Of the internet policy groups in Europe, at least two were Italian—the NEXA Center for Internet and Society in Turin and the European University Institute in Florence. German hacker meetings had good organization, but the Italian ones, apparently, had better food.

A friendly “Siete Italiani?” draws me immediately into a warm, familial conversation with these two men at the next table, one heavily bearded and looking like an early explorer and the other clean-shaven. There is a large Italian contingent at the camp, they tell me—forty-five citizens and tonight thirty or more hangers-on. It’s a party.

This is Matteo’s first time at the camp. He points at the dark-bearded Corrado—“He convinced me to come”—and they smile fraternally at each other. “It’s amazing. In three days here, you learn so much. You realize that you learned more technical stuff than you did in a year. You learn that you can learn. That’s why everyone talks about the hacker mindset—because it is a mindset.”

“We study each other as well,” Corrado chuckles. “You see a lot of people here who you think would not be party people, and then you see how they party!”

The two met each other in Chile as startup entrepreneurs. Harry has told me about the Latin Americans wanting to participate in internet governance and the digital economy, but a Chilean Silicon Valley? It seems unlikely.

“The Chilean government offers you money if you’re willing to come to Chile and develop your stuff there,” Corrado explains. “There’s a review on the merit of your application, but you’re not asked to bring funding. They want you to do something to build entrepreneurial culture, whether it’s workshops or events. They had a dictatorship until the 1990s with Pinochet and a lack of entrepreneurial culture. So they started this program. At the beginning, they had mostly foreigners, but now they have more and more Chileans. They accept three hundred startups each year, and they take applications based on very early ideas.”

How would he describe the experience in Chile?

“Awesome. You’re working in a room with a hundred other people. They’re great people. You can ask them questions, talk about ideas.”

Corrado interjects, “But we feel more at home here.”

“Because it was very business-oriented there.” Matteo shrugs. “You had to think of a business plan and marketing and communication. Here, you can focus on tech only, and that’s really more our skill set. I’ve been back for a year in my hometown. I miss the working environment in Chile, waking up and looking forward to that room with a hundred people. Then you come home to your parents’ house. The great thing about Start-Up Chile was the community.”

Corrado tells me three main hacker camps take place in Italy. The first and oldest is the Hack Meeting. It usually takes place in an abandoned or empty space, which the meeting occupies or squats in. People are told only a few weeks before the meeting takes place, which gives the organizers just long enough for the event to happen before the police catch on and get an eviction order. Generally, between two hundred and three hundred hackers attend, and these are “really, really left wing to the point that if you show empathy for someone who is not left wing, they’ll say you’re a fascist and you’re out of there.”

The second camp takes place near Venice and is called the End Summer Camp. There are workshops, but attendees spend a lot of time socializing.

Pescara, the third camp, is organized every four years, like the Dutch and Chaos Computer Club camps, by Oligrafix, a hacker group that has a “strong female presence,” which is unusual. These hackers care about technology and society. This is the biggest event, and it takes place in central Italy, but with all these events you never know if they are actually going to happen. Unlike in Germany, hacker culture in Italy is not well known or understood, so hackers can’t just ask to use a big venue like the Chaos Computer Club does and expect to get it.

In Sicily, there is a strong hacker group called Freaknet. It does not organize events but operates the Museum of Working Computer Machines that has machines from years ago that have been kept in working order. Anyone can access and operate them, some of them online. In Sicily, one hacker meeting a few years back was held in a place that had been owned by the mafia and then confiscated by the police to become state property. The state tries to use these properties in useful ways, so the hackers were able to use it when they asked for it. As an organizer, to ask for a place like that is a little dangerous. “You expose yourself,” Corrado says.

Do they consider themselves hackers or entrepreneurs?

“Neither,” Corrado says without hesitation. “We’re just enjoying the environment at the CCC camp.”

“If I had to choose,” Matteo says, “I’d say hacker, but in hacker culture you never define yourself as a hacker. Others do.”

“You might call yourself an artist,” Corrado offers.

“It’s like being cool. It’s lame if you say you’re cool.”

“Between 2005 and now, this event has changed,” Corrado says. At the beginning, it was about how you use your computer. “Now, on the agenda you see stuff on making a rocket, on physics, on how to make cheese, which I don’t care so much about. But so what? A few years ago, there was a proposal to work on having hackers in space because with the way things are going on earth, we may need to be in space.”

Is this the origin of the distinctive Chaos Computer Club rocket mascot and logo, I wonder.

“The idea was, ‘No one else is doing it, so let us do it, and in ten years we will be closer to the goal of having a rocket ship for travel in outer space.’”

I ask if they have heard about the HackingTeam scandal that broke a few weeks ago in the news.

Have they heard about the HackingTeam story?! “Usually, we call ourselves the Italian Hacker Embassy. This year we’re calling ourselves the Italian Hackéd Embassy.” He pronounces the “éd” in “Hacked” as an extra syllable and with a strong Italian accent. He shows me the T-shirt they had printed for that night. Their organizers have brought several kegs of special grappa all the way from Italy just to celebrate the event.

We head off cheerfully into the dark to go and drink some, and when we arrive at the large, brightly lit “Embassy” tent, a big, happy party is already well under way.

Black, White, and Gray

Next afternoon at the “Italian Hacker Embassy,” Gianluca Gilardi and Andrea Ghirardini greet me warmly and lead me across the recently jumping dance floor to grab some chairs and go outside. Corrado and Matteo set up this meeting and have brought me here to make the introduction.

Gianluca and Andrea are going to tell me the inside story of the HackingTeam hack—as much as they know, at any rate. But first, they are going to tell me about their own group, which was created three years ago. I want to learn more about how entrepreneurial culture both meshes and clashes with progressive hacker culture. (Our conversation will also lead me to an epiphany about computer security that tech insiders might find hard to believe, although many ordinary users will not.)

We sit in some dappled shade behind the big tent. Green windfall apples are everywhere underfoot. A nearby tree has been dropping its fruit onto campers, tents, and partygoers all week long. For the Italians, this does not seem to be a nuisance. They work around it.

Gianluca and Andrea tell me the decision to call their group “Hermes” was a collective one. Yes, the name is the same as that of a well-known luxury-goods company, but they wanted to call it Hermes anyway, after the Greek god of communication and intuition. Hermes is a center for research, digital rights, and online freedom. They, themselves, are not personally activists but support the organization’s activities. Actually, they say, the group is really an umbrella for people who may not be able to claim that they are activists in their everyday jobs. Gianluca and Andrea have a way of revising their script as they go.

Gianluca is a lawyer, a large man who speaks with wry, tolerant amusement about the world. His curly, boyish hair is graying. Andrea, more intense, is a digital forensic expert. Their work for Hermes is their passion, if not currently their nine-to-five job.

One of Hermes’s best-known projects is GlobaLeaks—software that allows people to make anonymous submissions. Unlike WikiLeaks, GlobaLeaks does not publish leaked information, and it does not sell a service or host a central platform. Instead, it gives clients software and knowledge about how to use it. On its website, Hermes has a list of all the entities using the GlobaLeaks technology and other leaker technologies. They are proud that several media outlets are now using the GlobaLeaks tools.

GlobaLeaks has an administrator who configures the software for the client but is not able to see the documents that are submitted. These are sent from the submitter to the receiver and encrypted on the server. Only the receiver, who is the owner of the private key, can decrypt them.

Fabio Pietrosanti and Matteo Flora are two of the founders of Hermes. The group consists of about twenty people, including civil and criminal lawyers, programmers, entrepreneurs, hackers, and Unix system administrators. It was quite a feat in the beginning to get all this interdisciplinary talent to come together, Gianluca tells me. Hermes has other tech projects, but GlobaLeaks is its best known. And many regard it as the best leaking platform among the numerous leaking platforms inspired by WikiLeaks that have proliferated over the last few years. These vary wildly in quality. The list includes BaltiLeaks, BritiLeaks, BrusselsLeaks, CrowdLeaks, GreenLeaks, JumboLeaks, Murdoch Leaks, QuebecLeaks, and TradeLeaks. In 2011, the Wall Street Journal started a leak portal called WSJ SafeHouse that used weak SSL encryption and was incompatible with Tor, even though the site suggested that submitters should use Tor. Some use PGP but not Tor and so fail to hide the identity of the leaker. Some offer no encryption or onion router at all. Al Jazeera’s portal even planted a tracking cookie on the leaker’s browser.5

Gianluca and Andrea do not like the word “dominant.” They expect to be the “first” major player in the leak field—the first to balance privacy and secrecy with ease of use. They are confident that GlobaLeaks is the best software currently available. Other software may be more paranoid and hypersecure, but it is not easy to use.

“For example,” Gianluca says, describing the shortcomings of their competitors, “just to get the information: you can’t see it, so you have to write it on a USB stick and take it to another computer that is air-gapped, that’s never been used, and then you have to decrypt it, and it’s not easy to get the key, and you can’t manipulate or send it.” He waves his hand dismissively: “It’s a mess.”

One week before the hack of HackingTeam, Hermes was at an event called “ePrivacy” at the Italian Parliament to advocate against government use of Trojan technology. HackingTeam had used Trojan technology to develop something called its “Remote Control System,” which the group sold to law enforcement and security agencies around the world. It had recently been granted a global export authorization by the Italian government in place of earlier export restrictions that had been placed on it.6

Although HackingTeam repeatedly denied that its client list included regimes that were known for repressing civil rights and that used its tools to target citizens, journalists, human rights defenders, and pro-democracy activists domestically and abroad, investigations by the Citizen Lab at the University of Toronto suggested otherwise.7 Reporters Without Borders called HackingTeam “a digital mercenary” and one of the “corporate enemies of the Internet.”8

As soon as Trojan technology is inserted into a computer, Gianluca tells me, it allows the person who controls it to track and even control what happens on the computer. Hermes told the Italian Parliament that it was not a good idea for government to adopt it because buyers have to trust the private company that sells it to them.

Four days later, HackingTeam was hacked by an unknown entity, and the information that came out proved Hermes’s point. Whoever hacked HackingTeam released everything—4 terabytes of data that included all of HackingTeam’s source code, several years of emails, and all their documents. The material went out through torrents and was published in a searchable format by WikiLeaks. Now it is public, although only cognoscenti like members of the Hermes group might be able to understand it all, and they were currently working their way through it. The documents, if authentic, showed that HackingTeam’s clients included Azerbaijan, Kazakhstan, Russia, and Uzbekistan; Bahrain, Egypt, Saudi Arabia, and the United Arab Emirates; Ethiopia and Sudan; as well as US agencies including the Federal Bureau of Investigation and the Drug Enforcement Administration.9 The group received huge sums of money for its work.10 Alarmingly, the documents confirmed that in 2014, HackingTeam developed a hack for the Linux “kernel.”

Recall that the Linux kernel has been so widely adopted for its superior reliability and flexibility of use that it now runs most of the internet’s servers, the New York Stock Exchange, nearly all of the world’s supercomputers, medical equipment, sensitive databases, vehicles from cars to drones to warships, most of the Internet of Things, and most of the tech platforms that dominate the current US economy, including Amazon, Facebook, and Google.11 But the kernel’s superior performance qualities have been achieved, in part, by trading off security—a matter that has become a source of friction between some Linux contributors and its original developer, Linus Torvalds.12 Ironically, HackingTeam targeted the Linux kernel in the only user-controlled phone system available on the market, Google’s Android, turning it into a spying device that could track Android users, record their conversations, search their files, and even snap photographs of them.13

In a story that sounds like a Manichean struggle for the soul of free software, the security flaw had first been reported by a teenage hacker and contributor to Linux named Pinkie Pie, before being exploited by the “white-” or “gray-hat” hacker, Geohot. He created an app called Towelroot, which provided root access to the Verizon and AT&T versions of the Samsung Galaxy S5, allowing users of those phones to have “system administrator” control over their devices (Geohot was also the first person to “jailbreak” the iPhone).14 Then, the definitely “black-hat” HackingTeam seems to have exploited this breach to develop a virtual “skeleton key”15 for Android phones with the intent of selling their hack to clients—until HackingTeam itself was definitively “owned” by a mysterious “white-hat” hacker, and evidence of the group’s perfidy was unmasked for everyone to see on WikiLeaks (widely viewed as “white hat” despite some of its questionable decisions). In one email about the key they were developing, a HackingTeam member smirks to another, “It works.” The reply comes back, “Good job, thanks!”16

But this is digression. Gianluca is explaining the point Hermes made to the Italian government: “If you are a law enforcement agency and you are using a black box [proprietary, nontransparent code], you have to trust that it works the way the maker says.” HackingTeam claimed it did not have any back door in its products. But two days after being hacked, HackingTeam moved to shut down all the Trojan systems it had sold to governments around the world. The public rationale given by HackingTeam and the governments involved was that now that the systems were hacked, others could see their source code and seize control of them.

Gianluca says, “This is off the record, but the suspicion is that HackingTeam did have a back door to its products. How else could it have shut them down so fast without involving clients?”

I ask why it is off the record when anyone could infer it logically.17

Gianluca replies, “Well, there is logic, and then there is code. People are studying the code now and may find the back door, and that would be final evidence. But yes, one could suspect logically that HackingTeam had a back door that allowed them to shut down the systems and may also be the real reason they wanted to shut down the systems as soon as they were hacked.”

Three companies have developed Trojan technology so far, Gianluca says: Gamma Group, from Germany, which was hacked last year; HackingTeam, from Italy, which was hacked on July 6, 2015; and NSO Group Technologies, from Israel, which has not been hacked—yet.

The HackingTeam story is important because it was the first time the entrails of a private surveillance company have been exposed so thoroughly. This industry’s growth in recent years, which has coincided with rapid advances in technology, has prompted gossip and speculation about its activities, but the industry has managed to keep much of its work in the shadows. There has been at least one attempt (in the United States) to ban trade in surveillance technology to repressive regimes, but it failed.18

“If one sells sandwiches to Sudan, he is not subject, as far as my knowledge goes, to the law,” one HackingTeam lawyer wrote in a leaked internal email. “HackingTeam should be treated like a sandwich vendor.”19

The Chaos Computer Club has challenged the use of Trojan technology in Germany. The German government’s procurement of the technology was leaked by WikiLeaks early on, in 2008. The Federal Constitutional Court of Germany ruled that police could use this kind of “source wiretapping” technology only for internet telephony because internet telephony typically encrypts data as soon as it leaves the computer, making source wiretapping the only effective option. However, when the CCC did an analysis of the Staatstrojaner software being used by the German government, it found that its Trojan program had all kinds of extra functionality built into it: it could control a targeted computer, take screenshots, and fetch and run code. This was a violation of the constitutional court’s ruling. CCC found numerous security problems with the software also. It could be controlled over the internet by German state agencies, but the commands were sent unencrypted and so were vulnerable to third-party attacks. The screenshots and data the software exfiltrated were encrypted by it, but so incompetently as to not be effective. And the data was sent through a proxy server in the United States and so potentially was subject to US surveillance.20

The Chaos Computer Club’s findings, published in October 2011, were widely reported in the German press. CCC went on to testify several times before the German Parliament on legislation proposed to govern the technology’s use.21 The legislation that was ultimately passed ended up expanding the permissible use of the technology to searches of a computer’s content in addition to “wiretapping” its communications. On July 6, 2015 (by coincidence, the day HackingTeam was hacked), the Staatstrojaner technology was again challenged constitutionally, and the Chaos Computer Club was asked to give an advisory opinion to the court.22

A bicyclist pushing a slender-framed racing bike toward us through the fallen apples stops to join our group in the shade. I’m not sure who he is, but his simple dark biking suit, trim goatee, and round black-framed glasses are eccentrically nineteenth-century-looking.

Gianluca is saying Hermes does a lot of advocacy work with governments and international forums. Advocacy can involve installing platforms, he says, including on behalf of governments.

“Yes,” the bicyclist quips, “we send Fabio to them. Fabio will fit in a normal envelope without a surcharge.”

As he jokes with Gianluca and Andrea, I ask him if he has ever met the HackingTeam people. “It’s very hard not to have met HackingTeam at some point if one is a hacker in Italy because it’s a small scene,” he replies. “In fact, I went to university with two of the HackingTeam members, so I know them.”

He introduces himself as Matteo Flora, one of Hermes’s founders, along with Fabio Pietrosanti and others. Ten years ago, Matteo Flora worked as a forensic computer expert for government. Now he is a hired gun.

How do Italian hackers view HackingTeam, aside from the fact they have become a national joke?

“I don’t think any Italians feel they’re a joke right now,” Matteo says, suddenly serious. “It’s an exorcism, in fact—like the Mexican ritual, Day of the Dead. By laughing at death itself, we exorcise darkness. Laughing at serious matters is something the internet has been doing since the beginning. 4chan has been doing this, laughing at dreadful things I’m sure they do not agree with, but you have to incorporate this stuff into your reality.”

“We’re laughing to try to understand what’s happened,” Andrea offers.

“To understand how a leak like this could happen,” Matteo continues. “Losing so much information—4 terabytes—and so sensitive, in such a short time: it doesn’t add up. I’m not saying you need a conspiracy theory, but it doesn’t add up. HackingTeam knew they were the preferred target of activists around the world online. Activists even entered their offices. There’s something that doesn’t match up: you do security, but you are so losing control of security within yourself. The affair raises important questions. Can we really think a world without states using this kind of Trojan technology is possible? Can we enforce a world without it? Or at least limit the technology?”

Andrea adds, “Can a government develop this technology without a private company being involved?”

“There’s no doubt that HackingTeam fuckéd up,” says Matteo. He pronounces the “ed” as a second syllable, and we all giggle uncontrollably. “We can’t answer these questions, but sometimes a good question is an answer in itself.”

“Now you’re getting philosophical,” Andrea teases.

“It’s our responsibility to ask the right questions,” Matteo says. “Yes, it is. I’m fairly sure it is.”

Where will all this lead?

“Laughing is an exorcism,” Matteo repeats. “But I don’t think that people are yet fully ready to understand what’s going on. Who is the bad guy—the guy creating the gun or shooting the gun? Right now, we’re missing the bad guy. The one who’s using the tool is also the bad guy. The complete lack of legislation on how the state behaves is a problem. That is what is enraging the community—the fact that you need to draw the line on what you do and governments and HackingTeam have crossed the line.”

“Many times,” Andrea says, emphatically.

Is HackingTeam finished?

Andrea lightens. “This is a very good question.”

“I suppose the company is finished,” offers Matteo.

“The Italian government dumped them,” says Gianluca, “but the individuals are going to be in a HackingTeam business under a different brand.”

“I don’t know if all the people in HackingTeam knew of the bad things they were doing,” Matteo says.

“Silence is also evil,” says Andrea. “If you don’t agree, you can resign. Many of us have done this.”

Matteo shrugs. “It’s hard.”

“Yes, but many of us have done this,” repeats Andrea. “One strange thing: a journalist from The Verge says in two different articles that he tried to contact the guy who stole HackingTeam’s Twitter account. When he reached him, the guy said, ‘I remember you,’ and sent the journalist a Twitter message from Gamma [the German security company that was hacked earlier]. So the suspicion is the same guy hacked both Gamma and HackingTeam.”

“The person who hacked HackingTeam knew a lot about Italian culture,” adds Matteo. “On Twitter, he posted screen shots from a popular Italian TV show to shame HackingTeam’s system administrator.”

“The irony is that HackingTeam was likely hacked by a Trojan technology like the one it sells because the hackers gained control of the HackingTeam network. The information was supposedly exfiltrated through their system administrator’s machine. If you compromise this, you have access to everything.”

“A system administrator is the most similar thing to God,” Andrea explains for my benefit.

“There was a text file on the desktop of Pozzi, the system administrator, that contained most of the HackingTeam passwords for their internal and external client machines … in plain text.”

“That’s so fucking wrong, you know!” says Matteo, wagging his hands in the prayer position, and we’re all giggling uncontrollably again.

“You can look for ‘Christian Pozzi sucks’ on Twitter to see this,” says Andrea. “It means, ‘You are a fucking idiot.’”

Matteo twinkles: “No, it means you’re being just a little bit naïve.”

Gianluca shrugs with that bemused air he has, and Matteo leaves us for another appointment. Hermes has offered to help the Italian government, Gianluca tells me, “but government treats us as not reliable. They say, ‘You don’t have anything to gain.’ It would be easier if Hermes were a private company.”

I ask him how he manages his own computer security as a lawyer for Hermes. He tells me he took a week to prepare his own electronic security for the camp, longer than he took to pack. “This is a hostile environment,” he says, looking around to indicate the entire camp.

When I admit I have used the open net connection at the camp, both he and Andrea shake their heads. Among the multitude of Italian gestures they’ve used that afternoon, this one clearly means, “Well, you’re fucked.”

“If they found you,” Andrea tells me, “then they can see everything. If they put a Trojan on your computer, then they will see everything going forward, even if you change your passwords.”

“You mean, put one on remotely?” Now I am getting worried, as the full meaning of Trojan begins to penetrate my denial.

Gianluca looks at me. “You should buy a new computer and start over.”

If I import my old files to a new computer, will the Trojan be imported too?

Andrea shrugs. Yes, this is possible.

Wouldn’t it be less expensive and time consuming to get a forensic expert to look for the Trojan?

Andrea replies, “Yes, possibly, if he’s good.” But he doesn’t look too certain.

Brought down to earth by my own security problem, I feel more daunted than ever. Finally, I have grasped that security is a challenge shot through with uncertainty even at the most expert level. The “electronic frontier” that John Perry Barlow poeticized is as wild as it has ever been and more hostile than I ever imagined.