Interview with Arnau Gàmez i Montolio: “We support that hacking is not a criminal activity at all”

Why did you decide to create the association Hacking Lliure?

We -the four founding partners- are 3rd year students of the dual degree in Mathematics and Computer Engineering, and were curious about computer security. We thought there is a general void regarding this subject in the Catalan academic field.

We think there is not much university training in this area, there is not a single course on computer security in this degree actually, although we know some work is being made in order to change this situation; and this is not an exception but a general rule. Also, there are a couple of three public master degrees in Spain related to computer security.  

Therefore we thought it was necessary to create an association with the aim of providing the community -and ourselves- with a proper debating space and a place to show the need of awareness and training in all levels: informative, academic and professional, in this field.

What are the main objectives?

Our main objectives are, firstly, to raise awareness on computer security and its role among people, offering training (internal and external) in the different related fields.
Also, we want to promote the use and creation of a free software and open source. It is very important to start worrying about the kinds of software we use. For instance, we would hardly eat something we do not know about, or something we cannot see or smell. However, we are using software which we do not know about, or donʼt know about what it does or to which interests it gives responses, and at the same time, people who are interested in it and try to understand how it works (usually in reverse engineering) are punished; to try to find out “what we eat”.

Moreover, we understand it is essential to promote free and equal access to technology. We need to fight the different barriers (status, nation, gender, etc.) we find when accessing technology. The most common example might be the case of gender, in which the social construction of the patriarchal hegemonic discourse regarding the division of work and tasks according to gender has punished us with a tone in which technology-related spaces in general, and in particular in hacking and computer security, are usually hyper-masculinized atmospheres.

Also, we want to de-stigmatize all the hacking-related terminology and hackers, since are suffering from a negative connotation in the media, communication and society in general. We want to put emphasis on ethic hacking, which is the one we do. We defend that hacking is not a criminal act at all by itself.
From our perspective, a hacker is someone who is interested in knowing how a computer system works, tries to understand it and works on it beyond its basic functions. In this journey, an essential part is the search for vulnerabilities (in logic, techniques, planning…) which can negatively affect (or uncontrolledly) the system.

Is hacking a similar concept to free software?
They can be related but they do not belong to the same category. It is clear there is a non-void intersection between the fields of hacking and free software. However, neither is totally subject to the other. It is common to find hacking communities or people who take part in the development of free software, but there is the opposite case in which there is an exclusive software to cover common functions related to computer security and hacking.  
 

How would you define ethic hacking?
Ethical hacking was not invented by us. It is an abstract term that is not limited or which was stuck to a specific ethical code regulated by any institution or body. It has to do in the fact that putting emphasis on a hacking that considers the ethical aspects behind what computer security involves.
It is not trivial at all to try to define and limit the meaning of ethical hacking and a deep reflection would be necessary so that we can get a glimpse of its “meaning”, if it has any, and it would be partial anyway so there could not be a valid definition for all the “community”; it would only be a local agreement.
Anyway, ethic hacking is understood as that which does not harm systems for personal or private uses, but that which aims to widen the security of computer systems and infrastructures (and technological systems in general) with which we live daily and which we constantly depend on.

Could you be a new hacking group?
Not exactly. Our aim is not to become a group of people who work on hacking for computer systems, but to create debating and training spaces around computer security and free access to technology.  
However, within the previously described objectives, we thought about dynamising a more or less stable group dedicated to hacking, under the image of a team in CTF competitions (Capture The Flag) for example. This would be another way to channel the goals of the association.  

What do we mean by computer security?
Computer security is related to all those infrastructures, computer systems and practices that have to do with data integrity, availability and privacy. We can say, generally speaking, that a computer system is “safe” as long as it can guarantee the mentioned basic pillars. However, as it is commonly said, there is not a single 100% safe computer system.

Action plans and mechanisms depend on each system and a specific and more or less technical analysis would be necessary for each case.
With all this, we have to be aware than whenever you are connected to a network which is linked to other devices (the most common example is the Internet), you are under a certain degree of exposure.

In fact, it has always been said that he weakest part of a computer system is the user: the one who uses it. Therefore, regardless of how safe a system is, if a user receives an email and opens a file containing a virus, this will enter the system. This has been recently proved with the ramsonware massive attack, where this system entrance has occurred at a user level. Awareness and training, therefore, have to cover a range from the basic user to the highest charges in the system itself.

What activities do you organize?
As an association, we plan lectures, workshops and courses in the education and professional fields, at a technical level and disseminating too.
For example, when we presented the association (in the Faculty of Mathematics and Computer Science), we showed some simple vulnerabilities using some devices such as printers or webcams, which were on the internet with default credentials or without any protection. In lots of occasions the users are not aware that default users and passwords in these devices are out in the public domain.

Moreover, we made an audit workshop on Wi-Fi networks in which we analysed the lack of security in most Wi-Fi devices, especially wireless routers, and created direct attacks in the different possible situations.  

Also, we propose that people take part in conferences about hacking and computer security in order to be updated with new technologies and methodologies related to these topics. We are also starting to establish contact between people and collectives that have similar goals so that we can create synergies.

In general, do you think we are aware of the use that is given to our data?
Sadly, the truth is that we are not much aware of what happens with our data. There are many services and apps that are offered as free, which would have been paid for before, and now we pay for them by providing them with our data, without even knowing about it: Google and Facebook might be the best example. They trade our data and these are used to create political, health, personal profiles, etc. All of this to satisfy the private lucrative service of a minority and the systematic control of our lives.

Our colleagues in Críptica summarized it very well: “You not having anything to hide does not mean your condition (working, ideological, media, gender conditions…) is free of any threat”. And I would also add that it does not take our rights, as individuals and society, to privacy; to not being stalked.
To fight this, the first step is to be aware of it and to have access to a basic training. In this sense, in Hacking Lliure we will help in the awareness and training task in all possible fields.