Info Sec and Self-Righteous Indignation
With the Hacking Team compromise in the news, we’ve all had a chance to see some of the worst of us at work. While the Hacking Team was certainly aiding and abetting horrible regimes and organizations around the world, their guilt and our innocence aren’t so cut-and-dried.
First, let me state that I completely agree with Patrick Gray’s sentiments and outrage over the Hacking Team’s activities. On a recent episode of Risky Business, he offered to buy a beer for the person or persons involved in outing the Hacking Team. I’m in on that as well.
But we’re all part of a machine. This machine is not a virtuous one. The machine builds arms that kill innocents, pollutes, perpetuates vice, and preys on the weak and the poor. In Info Sec, most of us work, directly or indirectly, for an employer that has its hands dirty. Just how dirty? Well, that depends, I guess. At least by association, we’re guilty to some extent. Some of us know our hands are dirty and we know we’ll have to atone for our sins. Others simply think it’s all in a day’s work. We can call it greed and that’s fine. But in some cases, it’s simply moral ambivalence or worse.
As I look past our industry and peer into the collective actions of humanity, I see the same thing. We’re all guilty. We’re either guilty by our actions or our inactions. I’ve come to believe that simply doing no direct harm isn’t really enough. Moxie Marlinspike wrote about this years ago and it has stayed with me since. If you haven’t read his piece, you should. For my part, my general inaction in the face of immorality and injustice is my crime. Moxie writes, “Don’t just vote or petition.” I’m just voting and petitioning. It’s not enough.
It’s fine for us in Info Sec to delight in the outing of the Hacking Team. We do so because we see them as charlatans and immoral actors. We see them selling tools that aid oppression or worse. I suggest we all look at our own actions, inactions, and dealings before we feel too righteous.