Hacker News new | past | comments | ask | show | jobs | submit login
The US Secret Service mistook a cyberpunk RPG for a hacker's handbook (dicebreaker.com)
237 points by molecule 2 days ago | hide | past | web | favorite | 76 comments

This is a charming time capsule from a more innocent age, when us geeks could chortle smugly at how clueless government security agencies were about technology.

Since then, with the advent of the likes of Stuxnet, the NSA's ubiquitous surveillance apartus, and the Great Firewall of China, we've been taught a hard lesson that governments are perfectly capable of developing technology expertise or contracting it out, if need be.

It's even a truism now that computer defence against a well funded nation state is hopeless. This was not the case back in the old Steve Jackson Games days, when it seemed that the entirety of computer power rested in the hands of a relatively small number of idealist academics.

Rember John Perry Barlow's A Declaration of the Independence of Cyberspace?

"Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather."

What once sounded almost like prophecy has come to sound more like a sad, deluded joke.

> Since then, with the advent of the likes of Stuxnet, the NSA's ubiquitous surveillance apartus, and the Great Firewall of China, we've been taught a hard lesson that governments are perfectly capable of developing technology expertise or contracting it out, if need be.

Unfortunately it can still be both at the same time. The NSA can hire some smart hackers at the same time as OPM gets breached and legislators pass laws putting all of everybody's data into the hands of the likes of Equifax which then also gets breached.

His next line was:

>It's even a truism now that computer defence against a well funded nation state is hopeless.

Which definitely agrees with your example. The pentagon officially operates on a doctrine that says "We may be able to have a whelming advantage in cyberspace, but we will never be able to operate with the overwhelming advantage that we enjoy in the physical space"

Your point stands, but the OPM breach was done by the Chinese government: https://www.fedsmith.com/2018/09/21/bolton-confirms-china-be....

It seems like governments have gotten good at cyber attacks but not so good at cyber defense.

The Chinese government did it but the public information about the attack does not show any advanced techniques or resources which would limit it to a nation state.

> It's even a truism now that computer defence against a well funded nation state is hopeless.

This was arguably true (in the case of targeted attacks) even back then. That some civilian law enforcement agencies (and apparently the Secret Service) were clueless about SIGINT back then, doesn't mean that the same was ever really true for major spy agencies.

Here is 1945's Stuxnet, for example: https://en.wikipedia.org/wiki/The_Thing_(listening_device)

> It's even a truism now that computer defence against a well funded nation state is hopeless.

It's interesting how many of those same early hackers [1] went on to working for those same governments or selling them exploits/offensive tools to make sure this stay true. None of that could have been accomplished by any gov without real legitimate talent joining on. Especially in the early days.

Largely because the governments of the world decided they were far, far more interested in the offensive side because of the mountains of intelligence they were getting. Which then filtered down to industry to where all the money, fun, and very importantly, how much easier it is to break something than to protect it. Or maybe it was a side-effect of all the vast majority of talent/money going into the intelligence community and defence contractors instead of just the "government" in general. Probably a combination of both.

The talent that did end up working on the defensive side (that was actually useful) was, and is, usually some super complicated and expensive systems that only big companies could afford. And/or you have a major budget to hire, or pay consultancies, with equal/superior talent than the adversary. Which leaves out the vast majority of companies and almost all civilians with useless or negative utility anti-virus software, or nothing at all besides the odd operating system, software, and public crypto progress.

That's not to say great strides haven't been made on the civilian side in recent years, since the public has caught on to the true scale of the surveillance/offensive stuff and the implications that has given the general weakness of the technology we use everyday.

The significance of WhatsApp adopting Signal's E2E, Telegrams popularity, and people moving to iMessage and other encrypted non-SMS text, emailing properly adopting transit encryption, and the Google TLS charts [2] reaching ~90% from around 40-60% only 7yrs ago is a really, really big deal IMO.

[1] https://www.wired.com/story/cult-of-the-dead-cow-at-stake-ha...

[2] https://transparencyreport.google.com/https/overview?hl=en

This is also a consequence of how much technology knowledge was easily obtainable by anyone interested in it.

Even black hats were eager to spread their knowledge around, from 2600 and Phrack to the thousands of filez on BBS's and the early internet.

That in turn was a consequence of both the open hacker ethos, born in the cradle of academia, and of "information wants to be free".

As a result, those in the security and surveillance parts of the government who had an interest could easily learn pretty much whatever they wanted from the mouths of the very people they wanted to survey.

Not that I'd have it any other way, being a fan of the free flow of information, but it's interesting to see what unintended consequences this has.

Of course, this information flow was mostly one way.

It's interesting how many of those same early hackers [1] went on to working for those same governments or selling them exploits/offensive tools to make sure this stay true.

Every man’s got a price.

It sounds cynical, but I think it is just being pragmatic. Once you recognize that the state holds a overwhelimng resources and only one mistake can land you in a world of hurt, joining a state hacking team seems like less annoying option.

You do sell your soul, but.. you get to test your black hat skills with the backing of state resources and immunities afforded to it all the while learning how to really not make that one mistake. Steady paycheck is just a bonus.

It is a price and a high one, but I can understand the motivations behind it.

There are many things I know I could do, that most people would find distasteful even if they are perfectly legal. Like working in the ad industry. I would prefer not to do them - but for the right price, why not? It'd better be damn high, because I can't easily see myself accepting. Still I can envision that in theory.

But working for a government? I can't. I put that on the same ethical scale as murder.

No. Never. For no price whatsoever.

It comes full circle I guess. Most of the technology we use today came from military research first. SV, for all of its recent boom, really has contributed the boring bits to make it all work. Things like GPS, cellular tech, the internet, Wi-Fi, AI, crypto, all stem from government research. Was the tech sector ever really in the control of the idealistic academics or was that all just an illusion?

If that's an interesting question to you, I'd recommend the book "The Entrepreneurial State"


The author has a good talk at the Long Now Foundation, as well.


> It's even a truism now that computer defence against a well funded nation state is hopeless.

For some, it is still worthwhile to harden defenses against nation-state threat actors. Raising the cost for those nation-states is sufficient justification on its own.

For example, opaque binary distributions are more easily compromised than either source code distributions or verifiable reproducible builds. As an industry we should migrate away from opaque binaries, and major open source organizations should bear that in mind while designing their processes.

> against a well funded nation state

Why do people specifically state 'nation state' in these circumstances? What do you think makes a nation state a particularly notable adversary relative to countries which aren't nation states like the UK or the US, which seem to have more capability in this area not less?

"nation state" in the infosec industry means "sovereign government". Yes, it's wrong and it's very unfortunate, but it seems it's too late to change, though Maciej Cegłowski has been trying for about a year [1].

1 - https://twitter.com/Pinboard/status/1121893376557633537

It isn’t what nation state has traditionally meant because of the differing definition of nation, true.. but it has some reason for existing... Nation here means national (as in internationally sovereign) and state means the government of that nation (or state :-) — these words can all be synonyms in English) specifically. It concretely means “national government” as you basically mention but with fewer syllables (3) vs (5 or 6) and it’s shorter to type.

Do you have any creative alternatives that don’t step on the traditional use?

When people say country, they mean the whole decentralised group of people, and the physical area, and a bunch of other stuff.

When they say nation state, the mean a government.

> When they say nation state, the mean a government.

That's not what 'nation state' means at all - a nation state is an international state that is also a nation. So pretty much orthogonal as to whether they're a competent cyber force or not.

Why don't they just say 'a government', then? The only other rationale I can think of is that 'nation state' sounds much cooler and cyberpunk.

Because cities, provinces, and states (as in one of the 50 comprising the United States) all have governments, and most of them do not have the resources for an international cyber-attack. Nation-states are by definition country-level governments.

No, nation states are states which are also nations. For example Japan is a nation state but the UK is not.

Specifically, nation states set their own foreign policy and have their own military. Usually APTs are associated with military or intelligence agencies, which only nation states have, though some (e.g. the Bears in Russia) aren't formally tied to the government (as much as being allowed to make money on the side.)

I favor APTs as a term, since it denotes any actor with lots of technical means and a political/strategic rather than financial agenda. Many APTs belong to nation states, but that's not always true!

The confusion seems to come from most people seeing nation and country as synonyms. The older traditional definition of nation has mostly faded except in the context of the modern use of the word nationalism, but even that has been perverted to mostly mean extremists.

The reason that it's usually used in this context is that a nation state has a monopoly on violence within its borders. It's a natural extension in "cyberpunk" circles to apply this to digital violence.

> a nation state has a monopoly on violence within its borders

But this isn’t unique to nation states.

Yeah, I'd prefer the bike shed to be painted green.

"Nation state" is more of a verbal tic from people who need to distinguish that they don't mean US state, than a statement about ethno nationalism.

Why are those not nations? For further clarification, are the ROC or Israel nation states?

> Why are those not nations?

They are, as the term is usually used; the United Kingdom and U.S. are nations. In the former case, it is sometimes argued that the constituent countries of the UK are nations rather than the UK itself; they certainly are historically nations and may be so presently, but nationhood isn't exclusive; the UK definitely has a national identity whether or not England, Scotland, Wales, and/or Northern Ireland also do.

The US is a more clear case of a Nation with a strong national identity and without anything even arguably competing the way the constituent countries of the UK do; yes, it's people have many ancestral nationalities (which is true in many nation-states), but that's hardly relevant to whether it's a nation-state. Since the advent of the idea of nation-states as a general norm, many polities have built national identities to form nations that coincided with the State and displaced ancestral nationalities as the locus of attachment for subjects of the state, often as deliberate projects.

It sounds reasonable to me to call the US a nation state, and the UK maybe a nation state if they feel like it today.

However, what I was responding to seemed to imply that they weren't under some self-consistent definition that everyone really should use.

The UK is four nations (four nations united into one kingdom, hence the name), and the US is a mix of people from many nationalities. Israel is probably a nation state. I don't know much about Chinese cultural identity.

This may be your opinion, but I'm not sure it implies a clear general rule that you could even hope to have people accept.

I'm sure a lot of people from the UK would pedantically insist on the multiple nations point, based on my past experience on the internet. On the other hand, in the US, people declare it to be "one nation..." and so saying it is not a nation suggests that the determination is made more from an outside vantage point than a traditional American one.

The Wikipedia page on Taiwan has some information on how people there view themselves. It seems that basically, people may be largely divided between those who came from mainland China after WWII, those who came in earlier waves of immigration, like the 19th century, and "aborigines" who came much longer ago (but it seems there were people from China on the island even before them) These may not seem like large differences, but it seems like they are tied up with the overarching question of the status of the ROC as being separate from China or not, of whether people are Chinese, Taiwanese, or both. And the question remains, do people determine for themselves if they are a nation, or do outsiders do it "objectively"?

A definition can be stated without it being practical to use.

The whole country has been made criminal by over policing and security theatre. https://www.amazon.com/Three-Felonies-Day-Target-Innocent-eb... comes to mind.

aka: Operation Sundevil - https://en.wikipedia.org/wiki/Operation_Sundevil

which was actually a multi-year hacker crackdown in the early 1990's.

-pours one out for all the homies-

The EFF claims that the SJG raid was unrelated to Operation Sundevil.

They were definitely interesting times. Ripe for a documentary on all of the ridiculousness.

To a large extent, it never really ended.

Great book, but I was more thinking along the lines of all the absolutely insane nightly news clips and TV stuff talking about how hackers can basically destroy the world if they’re even allowed to touch a computer etc.

The media were absolutely rabid through most of the 80s and early 90s. I distinctly remember them acting like hackers were worse than terrorists, worse than anything humanity had ever had to deal with.

Looking back, it’s almost funny, except many lives were ruined and hackers raided and/or imprisoned because of media hype and fear.

Show Hackers to kids these days, then tell them essentially all the law enforcement stuff was true. (To say nothing of the unrelated Hackers 2)


> This raid is often wrongly attributed to Operation Sundevil, a nationwide crackdown on illegal computer hacking activities that was occurring about this time.

The SJG raid had nothing to do with Sundevil. Totally different crew. The LOD raids (which SJG got caught up in) were driven by an ambitious district attorney from Chicago.

Not really on topic, but Steve Jackson has made great games for years: http://www.sjgames.com/

I've been digging into GURPS Vehicles for worldbuilding. What a great system.

It's kind of funny how outsider's looked on RPGs. On the one hand in this example law enforcement saw a computer/hacker themed game and thought it was a real pathway to that activity.

Then on the other end of the RPG spectrum, Fantasy based RPGs that dealt with magic, supernatural, demons, etc were similarly taken seriously by some in the religious community as actual guides to such activity.

Are there any RPG topics I'm missing here that had the same type of treatment from their respective antogonists believing the RPG content authentic material?

Then on the other end of the RPG spectrum, Fantasy based "RPGs that dealt with magic, supernatural, demons, etc were similarly taken seriously by some in the religious community as actual guides to such activity."

But there is a transition in both areas from just RPG to reality. People playing cyberpunk hackers often want to be able to hack and crack in the real world. And some games did at least teach some basic concepts about hacking.

And from the fantasy area lots of people got into real paganism, witchcraft, occultism. (even though no one did succesfully invocated a major demon as far as I know ...)

"(even though no one did succesfully invocated a major demon as far as I know ...) "

There's a Trump joke in there somewhere. :)

Well ... possible, but do you know Illuminatus! from Shea and Wilson?

Well, in that book(from 1975), there is an old demon trapped in the pentagon. And when terrorists blew a hole in the pentagon, he came out ... so, 9/11? And the ever lasting war on terror that followed? In other words Trump would be just a minor puppet of the grand demon behind ...

This was obviously an overreaction, and 30 years on, the Secret Service looks laughably incompetent, but it isn't that outlandish in context. Blankenship was in Legion of Doom, which was deeply inside critical computer systems for most of the 80s, including banks, military facilities, telcos, and other vital infrastructure. They published and disseminated how-to guides for infiltrating systems, and they were active on underground BBS systems. Blankenship may have moved away from illicit activities, but he still communicated with the same people, and SJG's BBS was swarming with elite hackers.

Yeah, the Secret Service should have been savvy enough to figure out that it was a harmless game, but they were still playing catch-up. Given Blankenship's history and the cross-section of criminal hackers and the SJG BBS, it doesn't surprise me that they raided them.

During the glory days of 80s hacking, groups like LoD and a handful of others had access to things that would scare the hell out of the public today. Imagine what a huge news story it would be today if it was announced that a single group of hackers had access to systems that control power grids, telcos, credit bureaus, banks, military bases, and all manner of other corporate and government entities. That's really what it was like back then; a bunch of teenagers infiltrating everything plugged in.

Most hackers back then were just exploring and learning. I'm not suggesting that Blankenship or LoD did anything all that nefarious; they certainly weren't out to bring the system down, and they didn't take advantage of their access for any financial gain that I'm aware of (discounting theft of services to the tune of a few hundred thousand dollars worth of phreaked phone calls).

It's a funny story about an interesting time. I'm inclined to cut the gov't a little slack for overreacting because the potential for harm (from hackers) was high, even if few of them harmed anything. If Blankenship had been a known criminal in meatspace, and was hanging out with his criminal buddies at their social club, you might not be surprised if the feds raided them once in a while.

> SJG's BBS was swarming with elite hackers.

Untrue. The BBS the hackers all hung out on was the one I ran called the Phoenix Project. There may have been a couple of people who were also gamers that hung out on IO, but they were there for the dice.

Source: Hi, I'm Loyd.

Hi Loyd! I didn't mean that imply that IO itself was a hotbed of hacker activity, but rather that there was a large number of hackers on it, due to the intersection of hackers and tabletop gamers. My comment does come off as hyperbolic.

I'm not sure if you and I ever interacted back in the 80s, but it's possible. I was active on lutz, QSD, and a bunch of more closed systems/BBSen whose names escape me. I wasn't a member of any group, but ended up deep into that scene and others related to NYC's 2600 scene (MoD and other affiliates).

Right around when SJG was raided, the home of our tabletop gaming group's GM was raided, primarily for more pedestrian phreaking and wardialing activity. I managed to avoid ever getting into any legal trouble myself, although I don't know how.

It was a fun time to be a hacker. Ultimately, despite thinking of myself as a badass cyberpunk cowboy, I was just in it for the Unix. Between the availability of GNU/Linux (obviating the need to break into other systems for a Unix fix), the spread of Internet availability (obviating the need to phreak and hack into X.25/Internet gateways), other legal venues, and being busy in college, I got out of the scene in the early 90s.

A discussion with Steve Jackson on the 20th anniversary of the raid: http://www.sjgames.com/SS/

Things were different before the internet was a big thing.

Did anyone else find a BBS file or get passed a disk copy of Jolly Rogers Cookbook back in the day? Something that seemed so innocent at the time has got people locked up for terrorism offences recently.

As documented (among other events) in Bruce Sterling's The Hacker Crackdown. The book is online here in various formats: https://github.com/bdesham/the-hacker-crackdown

I’ve noticed that Cyberpunk games REALLY lean on the mainframe, “hack the Gibson” model, and it turned out to not be how it all turned out. A few recent cpunk RPGs (Carbon 2185 comes to mind) basically ignore deckers/netrunners. I’ve been noodling some ideas but everything is off in terms of balance or fun at the table.

I haven't kept up to date with recent RPG:s, but I played Cyberpunk 2020, GURPS Cyberpunk and a few local non English equivalents back in the day quite a bit. The main problem with deckers/netrunners wasn't how (un)realistic they were - but that they were simply... boring. It's an enforced split party model where one player has a very limited role and virtually no interaction with others.

I can see why modern games (hopefully wise from the mistakes of their predecessors) ignore that part.

I was thinking about that while playing that recent Shadowrun cRPGs: you’re right on with the boredom factor. It added a separate combat system which was both obviously not how it’d really work and not more fun than the primary system.

I disagree a little on the split-party aspect but that requires careful DMing: it can be an interesting goal to synchronize real-world activities or need to protect someone who is completely exposed while they work. If you don’t overuse that and have a good mechanic for why the hacker needs to be in the combat zone it can work, but it’s easy to fall short.

> ate jelly beans off someone's desk.

Bush might have been President but this was Reagan-era stuff.

Yeah, anyone remember this book about it? https://en.wikipedia.org/wiki/The_Hacker_Crackdown

Hah! This is what originally got me interested in learning to program at 12 or 13.

They put out a game called Hackers[1] that was inspired by the raid. Its a pretty fun game, but it does inspire some ribbing and directly adversarial moves. The currently ahead player is called the "Net Ninja". Our group called the currently losing player "Net Poser" (thanks Tom). That set the correct attitude at the table.

1) http://www.sjgames.com/hacker/deluxe/

I can't be the only one who finds it disturbing to abbreviate the Secret Service as the SS.

Considering this is a description of a raid conducted by government agents in order to damage innocent peoples’ property and livelihood and strike terror into others, that abbreviation may be intentional.

Ironically enough they're probably the branch of federal law enforcement that has that comparison made the least frequently.

Compared to ATF, FBI, DHS, ICE, etc, the Secret Service seems to run a pretty tight ship. When you hear about them doing dumb things it's usually just unprofessional shenanigans as opposed to completely neglecting to do their jobs properly and killing or imprisoning people in the process which is what the others are known for.

Note that the a Secret Service, ATF and ICE are all sub-departments within DHS, although there was talk as recently as this month to move Secret Service back to Treasury Dept. It does seem clear that some of these departments have lesser tarnished reputations than, say, CBP (which generally struggles to recruit anyone literate, let alone the standards of the FBI or Secret Service).

SS has long been used to mean "Super Sport" by GM.

I feel like it didn't used to have bad associations for virtually anybody, but like an unwanted immune reaction, first someone says it makes them uncomfortable, and then another person who is antagonized by everything being attacked as racist or fascist declares that they think it's fine, and then a third, possibly just a troublemaker, defends the person who thinks it's ok and associates it with fascism as if that should be positive.

Off-topic to the off-topic, but I cringe slightly whenever someone is discussing a technical problem and talks about their "final solution." That term is forever tainted for me, kind of like "SS" as an acronym.

I never say anything though, because really it's the correct term for what they're describing.

If you want to be further meta-disturbed, the literal meaning of "Schutzstaffel" (protection squad/unit/whatnot) describes the best-known part of the Secret Service's job better than it describes that of the Nazi SS.

Rick Cook's book Wizardry Quested (2002) depicted a fictionalized version of this raid/resulting lawsuit — I had no idea it was so closely based on a true story!

> The Secret Service agents ... ate jelly beans off someone's desk.

I would sue the government for the unlawful acquisition of jelly beans.

They also put a quarter-million copies through the crazy expensive (at the time) laser jet printer that I'd just bought a few months prior, paying over $3,000. They kept it for 4 years, 364 days, the longest they could legally hold on to it without charging me with anything.

Use the government's math - don't just charge them the cost of the jellybeans, charge them for the jar, the desk, and add in the hours you spent buying them multiplied by your wage.

I ran an online multiplayer drug dealing game in the 90s similar to dope wars. The DEA contacted me to let me know they spent a month investigating me, and that it was probably not smart for me to do something like that, but that a lot of the agents were playing the game and enjoying it and I was cleared.

I read about something the other day where someone had a bag labeled "big bag of drugs" or something like that, and it was in fact full of drugs. But it was actually a commercial product intended to be ironic.

This is why the police are always going to seem dumb and literal, because if something is "obviously" a joke, it can be used as cover, and even if most criminals are more conventional, it will look particularly bad if they ignore something obvious when it was real.

Old news

Applications are open for YC Summer 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact