Interview with Richard Thieme
In the field of information security, there are many useful occupations: firewall engineer, policy analyst, auditor and security architect all are popular choices. But what about information technology philosopher? There's plenty of value in describing the intersections between technology and the human experience, but I know of only one person who makes a living doing so--Richard Thieme.
Richard is an institution on the hacker convention circuit, and he is much in demand as a public speaker, business consultant and writer. He and I recently had a wide-ranging conversation about hacker culture, computer security, competitive intelligence, homeland security and Richard's singular career.
If you find this chat as fascinating as I did, and I think you will, be sure to check out Thieme's new book, Islands in the Clickstream, which I review in the February 2005 issue of Linux Journal.
Linux Journal: Your theological and ministerial background has made an obvious impact on your speaking and writing, but how technology entered into it is less obvious. When and how did you start moving in geek circles?
Richard Thieme: I began writing about the impact of technology on religious organizations and institutions, images and ideas and, inevitably, human identity in the 1980s. I intuitively realized the scope and scale of the transformational engine we now call the digital world while playing interactive fiction games from Infocom with my oldest son. Because my previous work--teaching literature and writing at the University of Illinois-Chicago, as well as sixteen years of ministry--had taught me how printed text works, hermeneutics (how meaning is derived from text) and how we are framed by the experience of reading text, I could see by contrast that interacting with text on computers created a different experience, shifted how we thought about our possibilities, our work, meaning, ourselves--everything.
I literally followed my 12-year-old son into the world of bulletin boards, on-line life (an Apple 2, Ascii Express and a 300 baud modem) and continued to explore both the technological machinery as it came on-line through the 1980s and 90s. I offered to do a keynote for Def Con 4 and have been at Def Con and Black Hat every year since.
I also had started speaking about different things--change, leadership, diversity--when I left the ministry and it became clear that all of it derived from technological change. It was natural to follow that up. Literally, I followed the dots into new learning. I joke that I made sure I always was the dumbest one in the room so I always could be learning from the conferences I attended and usually spoke at, but it was true. Hacker cons led to intel people and security professionals, and I learned from every conference and conversation, integrating what I was learning on the cutting edge with ferocious amounts of reading--two-three non-fiction books a week, plus constant on-line learning and attending many seminars and workshops at conferences at which I spoke. My focus always was to translate the implications of what I was hearing about the technologies and what they enabled into human terms. My background and propensities gave me a unique opportunity to do that.
Eleven years later, what with immersion in all that, it began to sound as if I had a clue. Of course, I know better. I am still the dumbest one in the room, and all that wisdom comes to me downhill.
LJ: I was really struck, in your book, by your assertion that computer technology defines our reality in the same ways that language itself does. It led me to the realization that computer security is all about preserving a desired reality--"my system behaves the way I want it to"--against attackers wishing to impose different realities--"j00 ar3 0wn3d!". Is that the sort of train of thought that got you involved with the intelligence and security communities? Or was it the other way around?
RT: As you perceive, it was give and take. Every interaction with these smart, experienced people taught me more. I became a friend to many, and our quiet conversations (never, of course, betraying anything classified) helped me to see exactly what you're describing. I am delighted that you see the implications for security of my ways of thinking. I think I'll quote you!
LJ: You refer to some pretty amazing but credible anecdotes and revelations made by intelligence agency insiders. How do you get those guys to open up to you? Do you ever worry about being used as a conduit of misinformation?
RT: To the last question, I am aware of it but don't worry about it. The implications are the same for all sources of information these days; that is, how much of any of our consensus realities is designed? How much is intentional? How much is off the cuff, and how much simply aligned with the habitual sowing of seeds of malignant design?
I don't think I am that important or a sufficient conduit for anyone to worry about influencing me that way.
To my deep satisfaction, I can't stop being a priest. Leaving the ordained ministry did not change how I learned to relate to people. Of course, I brought that with me into the ministry, but training and practice made it much more likely that I can cultivate relationships I value with the people I love. I have been careful if I ever thought something slipped over the line into confidentiality not to share it or to distort or disguise it. I function as a friend and confidant, in other words, much as I functioned as a priest. I was told by an intelligence-community friend that the evidence was in, after some years, that I handled confidentiality with integrity and could be trusted. My proudest moment came when I was asked to moderate a panel of feds, including the Assistant Secretary of Defense, at Def Con 2000 as they literally feared for their safety when they faced thousands of hackers. I was asked, I was told, because "you're the only one in the room trusted and respected by both hackers and feds."
So my vocation, commitments and deeper intentions--although outside the lines of how conventional people color--have remained intact.
That same guy said last year that after nine years of hearing me, he realized what it was I did when I spoke: "You articulate things we all know in our bones are true but don't know how to say." That thrilled me, of course. Because that, as you know, is the essence of ministry--to see the subtext and give it voice so people can become more powerful.
LJ: Back in the mid 90s, when Linux was beginning to catch on, you already were talking about open-source software and free software fundamentally changing the software market paradigm. You asserted that [the change in the paradigm] and the Internet, which makes it so fast and easy to distribute code, would make the notion of intellectual property obsolete. But the powers-that-be still have a strong vested interest in intellectual property--do you still think IP's days are numbered?
RT: A good question. In the short term, we always overstate the effects of new technologies. But in the long run, we always understate them. In addition, new info-technologies do not so much eliminate as recontextualize what has come before. I could go on and on about that. An example is MS making available more source code than ever before as a result of the influence of open source. A case could be made that MS would never have done that, absent that influence.
But, there are problems with open source: many eyes make for many exploits as well as few bugs or more secure code, some people have a disproportionate influence on decisions, and there is no customer orientation because programmers work on what they like without regard to customer input. Yet, as Linux migrates into the commercial space, it comes to share many properties of commercial software. The marketplace shapes the forms we can and do bring into it. So maybe right now we can see the dialogue between different models and vectors of energy pointing to possible scenarios for the future. But we can't say which will win out.
LJ: The open-source software development model, in which sometimes large numbers of coders contribute their efforts with minimal centralized coordination, always has reminded me of Bakuninist anarchy. (Yes, my friends usually tell me to get a life when I say that!) Do you see the same or different precedents, or is the OSS phenomenon fundamentally new?
RT: Ken Coar and I spoke at Los Alamos, and I also keynoted Apache Con, and I paid close attention to what he said were problems, some already mentioned above. Developers work on scratching itches they have, not what the marketplace demands. As the e-mail conversation goes around the world, early contributors have a disproportionate influence on decisions, and by the time it reaches the land of the rising sun, the die is cast. Linux has what, more than 30,000,000 lines of code, and a recent study said Linux was the focus of more discrete attacks than MS server software. The same problems due to complexity, inscrutability and unforeseen interaction with applications and appliances from third parties apply as much to Linux as they do to Windows.
Linux is not inherently more secure, nor does the process by which it is evolving inherently generate more secure coding practices. The cry for secure coding at the outset of applications and OS applies to all domains, and Microsoft does respond to what customers want. Say what you will, they have an immense efficient machine for soliciting and responding to customer feedback. Bloatware was a response to a demand for more features and indifference to security. Greater security is a response to that demand from government, corporate and individual users. The context does determine the content, as I am fond of saying.
The factors that ultimately determine success or failure of technological processes are complex and ambiguous until hindsight enables us to say what happened. Chains of causality are clear only in retrospect, and then we make the mistake of thinking that [specific] historical trajectory was the only one that could have happened instead of one of many that happened to occur as a result of choices, accidents and unknown factors. That fine study The Closed World, about the mindspace that emerged from cybernetics and AI and DARPA and generated the simulated worlds we inhabit today, does a great job of illuminating that process.
LJ: You've talked about video games being mediated realities, with the potential to become the ultimate interactive art medium. But it seems like a huge percentage of the most popular commercial games are mindless and nihilistic. Do you think the game-developing community is living up to its potential?
RT: Absolutely not. Not yet. It will take time, and I don't know the ultimate form. I used to think it was interactive fiction, then MOOs and MUSHES, and now it's vast multiplayer global game spaces. What has happened for sure is that those spaces profoundly influence how we think about and formulate responses to everything. The convergence of technologies often is invisible soon after it happens, and the interlocking of television, music, radio, hard-drive platforms for downloading (for example, Tivo) television programs and software programs--and then saying, "wait, they're all the same"--that becomes the ubiquitous context that people cease to see or understand. It takes a McLuhan to illuminate how the medium is the message and what the medium, now invisible, in fact is.
That said, hey, it's early yet. Also true is the extraordinary speed with which these things have happened as compared to prior technologies. The demographics determine the content of the marketplace, and one true thing is that more niches are enabled in the digital world than ever before. More exploration takes place, more new art and music and sound and interactive gamespace is generated, and it is seldom what current media spotlights, such as HALO 2, that ultimately are the important determinants of the future.
The fastest growing online segment is seniors. Their games are bridge and hearts and checkers. But the chat rooms that accompany their games fuel the popularity, the social interaction. Sure, young testosterone-driven males dominate the public media coverage, but get the statistics on romance novels versus shoot-em-up games, and I bet you'd be surprised which is higher.
Time, it takes time.
LJ: Are you still a gamer? What games do you confess to having on your hard drive?
RT: I usually cycle through games looking for how new tendencies might affect the kinds of things we have been discussing. I particularly am interested in narratives, poetic images and text, new ways of addressing human complexity. Games I have played with from that point of view include Republic: The Revolution, Syberia, BladeRunner, many of the MYST series, checking out how the SIMs have evolved. I observe the XBox and PlayStation games my kids play, kids of all ages. I played with Everquest but found the time demands to be too great for me to invest. I look at games such as Quake, Doom, HALO and Grand Theft Auto to see how they're evolving. I still go back frequently to the world of interactive fiction, which is a thriving small niche. I think INFOCOM games, including Trinity, The Hitchhiker's Guide to the Galaxy and A Mind Forever Voyaging are spectacular works of interactive literature and will last. Creative people still explore that genre and do some fascinating things with it. I continue to follow the work of Michael Joyce, who pioneered Afternoon and other hypertext fiction, a medium that has not figured out yet how to provide boundaries or bounded narrative space to contain possibilities. I also have learned a ton from my son Aaron Ximm (quietamerican.org), who has won awards for his "found sound", another medium that would not exist absent digital tools.
LJ: You are a fixture at Def Con and have been for most of the last decade. What brought you there, and what keeps you coming back?
RT: You cannot overstate the way Jeff Moss, a.k.a. Dark Tangent, has built that space. Yes, he had a lot of help from willing collaborators, but the vision and ability to execute it with flexibility and canny awareness have made Def Con unique in the world of cons. I went to Def Con 4 to do a keynote because he created that opportunity. For me as for many, he said "Yes" instead of "No". That's the most powerful word in the language, as James Joyce said. I perceived that the real hackers in that space would be the thought leaders of the next decade; my first talk was "Hacking as Practice for Trans-planetary Life in the 21st Century", which stands as validated by what is emerging now. I went there to learn from mentors who were one third my age, and it became clear that only if I provided something of real value to them as well would the reciprocity be genuine. I think the main attendees intuitively get that my respect and admiration for them is absolute. I have learned so much about how they have been socialized by interacting with networks and how that frames the way they hold themselves in the world as possibilities for meaningful action.
Over the years, I developed close friendships with hackers and evolving technocrats and people from the worlds of law enforcement and intelligence. As you know, they're hard to distinguish now, right? I spoke at the Pentagon recently, and about one third of the people in the room were Def Con friends but with different haircuts and uniforms. They still play Spot the Fed at DC, but someone suggested, only half-kidding, that they ought to play Spot the Hacker. The worlds interpenetrate so much now and hacking, not cracking, has become so mainstream that that was inevitable.
Now, the crossing of those streams at Def Con was not an accident. It's a unique and still-fertile space, because Jeff straddled multiple worlds so well and realized from the beginning that the con would grow only if he continued to include everybody. That pragmatic approach reminds me of how I did ministry, really. Only if you included all the players in the process and minimized doctrines and dogmas that always excluded some and included others could you build a genuinely diverse community. But to do that, you had to have a tolerance of ambiguity and complexity that is irritating to purists on either side, whether hard-core hackers or law enforcement professionals.
I kept coming back because it really did become a kind of psychic home, where a lot of us understood one another's unconventional and creative approaches to life straight up, whereas out here we often have to explain ourselves or just shut up and walk away a lot. Properly understood, hacking is a mindset that transcends any particular technology. It's evident at Def Con to a large degree, although it has changed and evolved over the years. Every year a lot of us think, well, maybe this is the last year. And maybe it is. But so far it keeps coming back and so do we.
LJ: In 1996, if not earlier, you already were describing hacking correctly as being about truth and knowledge and not about breaking into other people's computers. This was way before the mainstream media had begun to get even a clue on that point--they still don't, really. Do you think hackers are doomed to be misunderstood? Is that an inevitable result of knowing how things really work?
RT: Yes. Unconventional thinkers who work across the boundaries of fixed disciplines do not fit in the molds or models of prior ways of thinking. First, they sound crazy. Then, they sound funny. Then, people attack them. Then, everybody believes that they always agreed with them all along. That's when you know their way of seeing things has become the core of a new consensus reality, and already new truths that contradict that are arriving on the edges. That's why I say that the truth, once everybody believes it, has become a lie, and new truths are out there on the edges. It's also a way of saying that thought leaders who see the implications of the present describe the present as they experience it, not the future. But for those living in the past, it sounds like the future, and we sound like futurists. We're not. We're simply seeing the inevitable implications of what's already there but which most people, because of habitual thinking or work that does not require them to make these connections, don't see yet. Nietzsche said originality is merely seeing a little ahead of others what's coming over the horizon and giving it a name. Same idea.
LJ: Based on your contact with the intelligence community, what do you think about the current state of homeland security in the US?
RT: Honestly, that's like a blind man describing an elephant; the subject has come to mean so many different things. Has a lot been done to prevent or disrupt attacks? Yes. Can any single attack succeed? Yes. Do I believe the gloves are off, and we have stopped some very serious events? Yes. Are we still vulnerable? Of course.
LJ: What I actually had in mind was this: I recently met a federal agent who rolled his eyes when someone mentioned the Department of Homeland Security. I get the impression that many professionals consider the DHS to be window dressing.
RT: Oh, the Department. I agree with that. It required a person who could do little and be content with that. But in all of the many areas where people take it seriously, a lot of things have been done. You can't confuse political rhetoric meant for perception management and public consumption for the real policies and actions taking place. Anyway, we all know there's a big difference between making people feel safer so society does not implode and actually generating more security.
LJ: Exactly, just because DHS is window dressing doesn't mean it can't be useful window dressing.
RT: Perception management is absolutely necessary, right? It's easy to snipe from the sidelines, but when you have responsibilities that impact society--we all read from the same script.
LJ: Your speech at Def Con 10, in which you basically chucked your speaker's notes and riffed on the importance of hackers carrying on in the face of 9/11, the Patriot Act, John Ashcroft and so on, really was moving--it was the only standing ovation I've ever seen at Def Con. Do you see any improvement in the US's prospects for civil liberties now, especially given the most recent election?
RT: The convergence of enabling technologies of intrusion, interception, and panoptic reach, combined with a sense of urgency about doing counter-terror and a clear mandate from the White House to do everything possible and seek forgiveness afterward rather than permission in advance has created a dire but often invisible set of threatening conditions. I asked an intelligence veteran recently if he thought we would ever get back the Bill of Rights. He said probably not; only if there is some explosive revelation, a la Watergate, that overwhelms the denial of the population, because they see what's at stake and the consequences of what already has been done. It has been built into the framework of our bureaucracies that will relinquish those new ground rules reluctantly and only under great duress.
LJ: What's really scary to me about that statement is the feeling that Watergate could happen again, but the American public still might not reassert its rights. We seem to have lost our ability to become outraged by much of anything that happens in Washington. Nobody's suffered any consequences, for example, for the politically motivated blowing of CIA operative Valerie Plame's cover. What does that say about us? Is that defeatism, naivete, cynicism or what?
RT: I agree. I spoke recently with a veteran journalist about a serious thing I was told. I asked him how we could get it into the public domain, and he said it would not do any good even if we did. We discussed, for example, Gary Webb and the CIA, Contras and crack. Gary lost his career and told me that could be expected, because when things are made public they are quickly managed, eclipsed, distorted and so on. As a friend who does cover and deception [work] said, "illusion, misdirection and ridicule are the methods, and they are done expertly at all levels of the game". But, and this is a big but, there is a conscience in this country still, and a hopeful or idealistic heart would respond to something sufficiently egregious, I think. Watergate took a long time to ripen, and only when Nixon was directly implicated did the government fall. Remember the Pentagon Papers: it takes a whistleblower, someone whose conscience can't stand it another minute, to document the data for us. It's cumulative, yes?
LJ: Yes, it's whether it culminates into something that matters.
RT: Yes, and what would it take, today? I don't know what that would look like. Watergate was a wholesale appropriation of the law enforcement and intelligence worlds to commit crimes--it took a lot.