Skip navigation

Category Archives: Uncategorized

The election season is upon us for The Open Organisation Of Lockpickers and there are three Board of Directors seats that come open in this cycle.  The five person Board consists of individuals serving two-year terms.  Two seats are generally up for election during odd-numbered years, and the other three seats are up for election during even-numbered years.  In practice, however, this has tended to result in a maximum of two folk ever joining or leaving the Board in any election because of the fact that I have stood as an incumbent candidate successfully for my own seat for… quite some time.

And that time is coming to its conclusion.

The US division of TOOOL officially formed in late 2006, after Barry Wels (the founder and then-President of the original Netherland-based TOOOL) felt confidence in the individuals whom he saw giving talks and running lockpicking events here in North America for several years.  I joined the Board of Directors of TOOOL in February of 2008.  I have seen the org develop, grow, and succeed in ways that many would have never imagined in those early days.

Having served for over fourteen years at this point — massively longer than the average Boardmember’s tenure — I recognize that it would be appropriate to hand the reins to others, given how capable and mature the whole community has become.  To say nothing of the fact that I now run several successful businesses which require more and more of my attention every day, hah.  But, in truth, even if I were semi-retired from the security community… it would likely still be recognizable as appropriate for me to push back from the table and allow unique voices and fresh faces to bring new life and diverse perspectives to TOOOL.  I have often worried that my staying put for so many years set the possibly unhealthy precedent that this kind of extra-long tenure is something we expect out of everybody, which might result in hesitancy for new faces and new candidates down the road.  Think of the other charities and public organizations in your life (I think of internet regulatory bodies, advocacy/lobbying groups in the firearms community, philanthropic/artistic funding groups/etc) and ask yourself: are the healthiest ones likely to have new faces and new voices or are they the orgs where the entire Board consists of cis straight geriatric white folk who have held their seats for decades?

I have privately announced to the membership that I will not be seeking re-election in this cycle and I’m similarly stating this now to all of you here.  It’s also my supreme joy to express how filled with confidence I am as we see a field of outstanding candidates, whom I’d like to introduce to you now.

These are the individuals who are standing for election in this year’s Boardmember cycle…

 

Nite Owl – The only incumbent Boardmember to be running for their seat this term, Nite Owl joined the TOOOL Board in 2020, although it certainly feels as though he has held that post for much longer, so central to our operations and leadership structure, is he.  Of course, this is because Nite Owl has been serving in other leadership roles for many years prior… overseeing affairs in his native New York City where TOOOL maintains not only a chapter but also a key presence at notable conferences.  No stranger to media appearances and public speaking, Nite Owl brings his real-world experience as a professional, trading locksmith as well as his hacker community roots and humor with him to the microphone or camera whenever communicating about locksport and TOOOL to the wider world.

I hold the firm belief that Nite Owl’s near-religious dedication to the orderliness of our regular meetings and his guidance in keeping TOOOL’s adherence to our annual planning calendar is the glue that has held our org together through these recent trying times and that his presence on the Board will be essential to TOOOL’s successful re-emergence post-pandemic as things start to open up.  We are so very fortunate to have him on the Board of Directors.

 

Amélie Koran – While no stranger to the private sector, Amélie (@webjedi on the Internet) has worked in public service for ages now, and that is a refreshing contrast to the rest of our Board who — other than Jack when he held a seat — tend to mostly have salary jobs at private firms or be business owners ourselves.  Amélie has worked in cybersecurity in leadership roles up to and including serving as the CTO and Deputy CIO for the US Department of Health and Human Services, Office of the Inspector General.  She has also worked with the Department of the Interior and the US Treasury and played a key role in the development of the US Digital Service (USDS) program.

So, yes, in short… one of the main benefits that Amélie would bring to an organisation such as TOOOL is gravitas.  But her life has not been one of detachment from people on the ground or folk who are outsiders, hackers, and students.  Amélie is a mainstay at numerous cons and events every year including ShmooCon, DEF CON, and multiple BSides conferences, where she has leadership duties.

TOOOL has succeeded and sustained itself for ages by harnessing the enthusiasm and talent of the hackers and lockpickers who come to meetings and staff our Villages, but to truly grow and evolve into a nonprofit befitting our prestige and lineage, I believe that our Board should consist of a mix of both “I’ve lived nothing but locks and pins and picks my whole life” type people as well as “I appreciate and enjoy lockpicking but also have broad connections at higher levels of the landscape” type people.

Amélie’s dedication and connection to the lockpicking community and the hacker world will keep us focused on serving that community while her education and experience make her well suited to offering guidance that steers TOOOL into new waters, as well, ensuring that as our org grows that we can meet new challenges and remain capable of serving increasing membership and new events as the world continues to open up.

Also, her service with us would encourage our leadership team as well as our members as a whole to broaden and diversify their minds and skill sets by learning how to properly type a letter “e” with an accent character on both laptop as well as mobile keyboards. 😉

Links to bios and other bona fides here…

https://www.actiac.org/bio/amelie-e-koran

https://www.cyberscoop.com/top-women-in-cybersecurity-amelie-koran

https://webjedi.net/#about-me

https://www.youtube.com/watch?v=HBFVcxBvEVs

 

James Plastine – James has been an active participant with TOOOL from its very earliest days forward here in America.  While taking a brief hiatus from the hacker world to focus on career and life developments for a time, James has since re-emerged and become an active participant in the slack and eager to be more hands-on at our events when feasible in future, as well.

James is level-headed, mature, and would have the dedication both to bring energy about Lockport to his activities but also more importantly to bring sensibility and dedication to the more mundane tasks that are so important to our organisation such as drafting reports, ensuring that we are compliant on filing paperwork, and the like.

He is based in Delaware and has significant work and peer group connections to Northern Virginia, and would be in a position to visit the new Sterling, VA office from time to time, as needed.

 

Chris Fedson – An active member from our Des Moines chapter, Chris brings energy and dedication not just to local meetings (when we still held those… and which we look forward to resuming again soon, hopefully) but also to his career in Infosec.  I hope that we get to see more of Chris at DEFCON and other larger events in the community now that it appears feasible to resume such affairs in 2022.

 

Kataze – While we’ve never had a wild animal on the Board of Directors, Kataze the Skunk (@kataze on the internet) has submitted their candidacy and we’re all happy to see that.  Kataze has been active with TOOOL for some time now, and not merely as a member.  Much of our virtual content scheduling and speaker wrangling has fallen upon him — especially during the COVID pandemic — and it’s quite certain that TOOOL’s presence at conferences during these past rocky years would have been almost non-existent without his efforts.

A dedicated volunteer and helpful creator, Kataze is active not only with TOOOL but also his local hacker/maker space in the Bay Area.  Young, exuberant energy would be a fine addition to our Board of Directors.

 

I wish all of the candidates the best in this upcoming election cycle and would also like to take a moment to offer my thanks to Lonnie Bates (a.k.a. @JimyLongs) who is the other current Boardmember that is not standing for re-election this year.  He and all of the previous TOOOL members who have held leadership positions are what brought this little nonprofit to where it is today and I am honored to have worked with and served side-by-side with each and every one of them.

TOOOL will soon be publishing official ballots via your registered email and there will also be official messaging from TOOOL with candidate bios and brief videos wherein they speak about themselves and their vision for our future.  The election is managed using an instant-runoff “transferable vote” system with the voting window open Monday March 14 – Monday April 4.  Best regards to all and don’t forget to vote if you’re an active TOOOL member!

There’s an old adage, often used in the context of court verdicts or mediation decisions, that effectively states, “If neither side is particularly happy with the ultimate outcome, there’s a chance that the result was fair and feasible.”

Now, most assuredly, there are many circumstances where a middle-of-the-road approach is inappropriate.  When seeking justice in matters of violent crime, for example, there is no appropriate “both sides” standard where the public interest is served by splitting the difference between what the Prosecution the Defense wants.  The accused is either determined to be guilty or not.  (Although this doesn’t stop District Attorneys’ offices from the laughable practice of stacking indictments of manslaughter, murder, and more all together in the hopes of hedging their bets if a jury won’t convict on Murder 1 but may assent to a guilty determination for Man 2.)  But when the matter at stake isn’t one individual’s culpability but rather it’s a question of broad policy being debated, sometimes King Solomon can split the baby in the search for a practical solution.

 

As people on all sides of the issue of gun violence start clearing their throats across the country in anticipation of shouting past one another for a week given the recent shooting at Saugus High School, I felt like penning this brief blog post which is likely to please no one and will probably generate some disapproving clucks in the comments section of my YouTube channel or on Twitter or whatnot.  But remember, hey… if your idea appears “infeasible” to most folk, just call it an “innovative solution” to a “unique challenge” and hope no one notices.

 

Where the Discussion Typically Goes

 

I’m not going to do a deep dive into any of the following solutions, other than to describe in a few sentences why they are practically or politically worthless ideas and can gain no traction at the present time:

 

Banning Specific Guns – This is political death to any politician or party foolish enough to try.  The most popular firearms in America are the most maligned.  The AR-platform is the most popular rifle in this country.  The Glock 19 is the most popular pistol in this country.  The last massive ban in the 90s sent loads of centrists running toward the GOP, the effects of which we are still feeling and which in many ways led to the emergence of entrenched fascism in America today.

Restricting Magazine Capacity – Noncompliance and lack of efficacy are both points here, take your pick.  The only political way to even remotely imagine such a measure passing across the USA would include grandfathering existing magazines.  And magazines do not typically have serial numbers or date stamps.  Not only will the bulk of gun owners not comply, but fast reloading of smaller-capacity magazines results in the same capability in all modern firearms.

Buybacks – Whether mandatory or not, the Freakonomics researchers captured the statistical reality here with blistering perfection: “People are confused with respect to how dangerous a particular gun is… the typical gun buyback program I would guess saves approximately maybe 0.0001 lives.  And I think that’s being optimistic about the size of the effect.”  The audio of the episode is in the above link or you can read the full transcript here.  Humans are generally awful at risk assessment.

Licensing or Restrictions on Ownership – More on this below, because while it’s not a policy I would remotely support, it’s what I would predict as a tactic in the distant future that could, in theory, slowly reduce the overall numbers of guns in circulation and eventually more and more groups are going to jump on this as “the right approach” to America’s gun violence problem.

 

New Ways of Thinking

 

So, having offered my opinion regarding how and why most typical proposals which are ostensibly geared toward “reducing gun violence” are doomed to total inefficacy, what “new and innovative” (read: “probably infeasible but nonetheless interesting to talk about”) solutions would I choose to discuss today?  I have two, in fact…

 

Stop Rewarding Shooters – While the bulk of homicides involving firearms in this country are low-profile and often barely covered on the news (violent street crime at an individual level or intimate partner violence) it is undeniable that acts of domestic terrorism and other “mass shootings” (most particularly, school shootings) are sensationalized in the media and capture widespread national attention.  Indeed, it is often the explicit aim of many of these horrendous perpetrators to garner infamy and have their name and their image plastered across the news in the wake of their heinous actions.  Other nations (New Zealand, for example) have a policy of explicitly not granting this deeply-sought power to the monsters who want to write their names upon our history books in blood.  Now, here in the United States, a consequence of our First Amendment (the importance of which is paramount) is that legislative solutions to this issue would be unconstitutional.  That does not mean that it wouldn’t be a laudable goal for our society to try, however.  Journalists are not legally obligated to check facts or protect off-the-record sources, but on the whole our media landscape consists of professionals who respect such norms.  While it would be hard (and there is also the importance of striking a balance that also allows for learned commentary and analysis of what drove a particular act of violence) I believe that it would at least be feasible to experiment with keeping terrorists and mass shooters from achieving the fame that they so explicitly seek.

 

The Question of Background Checks – Many column inches are devoted to commentary that asserts overwhelmingly high public support for “universal” background checks for firearm purchases.  However, there’s a great dearth of specificity regarding how such a policy would be defined.  The bulk of resistance to background checks is often voiced by individuals who see them as a backdoor attempt to create widespread gun ownership registries, which across the globe throughout history have always become a tool to oppress law-abiding citizens and deny people (often under-represented minorities and people without significant political power) from the free exercise of the right of self-defense.  What most people really mean when talking about preventing firearm homicides, however, and what most people on all sides of the debate support could be worded as “preventing known violent criminals from acquiring firearms.”  And I do think that there is some room for progress and innovation here with regard to background checks.

Before I unpack my thoughts here, I should very clearly and unequivocally state that many of our current background check solutions are imperfect.  Not only are some individuals in our society improperly classified as prohibited persons (for reasons as silly of conviction of victimless crimes or as bigoted as being gender non-conforming) but the databases and lists used to determine firearm eligibility are horrifically opaque.  The proposal some time ago of “adding people from the no-fly list to the firearm prohibited persons lists” was among the worst schemes I’d seen in a while which would have only further undermined the whole matter.  In general, I only support prohibition of firearm ownership on the basis of either (a) criminal conviction in a court of law for a violent crime or (b) credible evidence entered into the public record of terroristic threats or a pattern of escalating unstable behavior and clear indicators of a propensity for violence toward others.

So, even if we agree that no list of prohibited persons is ever going to be perfect, I would hope that for the purposes of this discussion we can explore the idea that some form of disqualifying criteria could exist, that we could agree on it (more-or-less) as a society, and that there is no real defensible reason why such a list of prohibited persons should make use of “secret” information or be otherwise beyond review and straightforward correction if someone finds themselves improperly prohibited from exercising their constitutional rights.

 

OK, so let’s imagine society will make a stab at saying “these persons are known and established by evidence to be violent and should not own firearms.”  What happens next?  How is such a prohibition enforced?

Well, at present, in almost all circumstances, these prohibitions are enforced at time of sale.  All gun owners are likely quite familiar with filling out the BATFE Form 4473 and waiting while their FFL dealer either places a phone call or uses the web-based echeck system (in place since 1998) in order to perform what is known as a NICS check while the customer waits there in the shop, hoping to complete their transaction.  Each NICS check process results in the return of a status of Approved, Denied, or Pending and the generation of a hash code which is also returned to the dealer and which can be used for auditing purposes after the fact.  I (and many other gun rights advocates) find various faults with this process.  To list a few…

 

Time – It is not possible to “pre-check” oneself before attempting a firearm purchase.  The NICS system is only for FFL dealers who must go through a registration and fingerprinting process and have a certificate sent to them.  Their certificate lasts 12 months and their account must be used at least once in 30 days or it is automatically locked.  Furthermore, an FFL dealer can only perform a check on a completed Form 4473.  Dealers input their registration number into the system when running NICS checks.  All of this means that there is effectively no mechanism by which the average citizen may check their own name against the prohibited persons list.  Every gun sale introduces the concern that a database error or change of address may result in a denial (for opaque reasons) and oblige a citizen to put off their purchase, make further trips back to the store later, etc.

Cost – By law, it is unlawful to charge for a FBI NICS check.  However, FFL dealers almost always charge the public a “transfer fee” for any firearm ownership transferal.  And, as we saw above, dealers are only permitted to perform a NICS check on a completed Form 4473, during a firearm transaction.  Also, many states require dealers to use a State Police check system (for which there often is a fee) as opposed to the FBI’s national system.  Therefore, whether or not a check results in an instant Approval, customers are effectively always reaching for their wallets.  Beyond that, if an interstate purchase is being facilitated (from an internet auction site, for example) typically the item itself has also already been paid for and shipped to the dealer at the customer’s expense.  If the background check presents a problem, now a fully paid-for firearm sits in limbo, in the dealer’s shop, while the customer must figure out their next steps, possibly involving re-selling it (often at a loss) through this exact dealer.

Redress – As mentioned above, a rejection result from the NICS system affords very little information to the customer (or even to the dealer) and removing oneself from the list of prohibited persons if you are not, in fact, a criminal is not a clear process.  (A customer does have the right, however, to get a copy of the completed Form 4473 for their records — regardless of the NICS check result — which would include documentation of the echeck transaction hash.)

Records – And now we come to the biggest pain point of all, as far as firearm ownership rights are concerned.  By tying the background check process exclusively to transactions and transfers of firearms, the NICS system can be leveraged by government as something of a de facto firearm ownership registry.  While such records are not supposed to be maintained, staunch believers in civil liberties (myself included) are strongly opposed to affording the government any further means of building lists of gun owners (or likely gun owners) and this is what drives a considerable amount of the friction when expanded background checks are suggested.

 

So what would I propose?  Treat establishments that sell firearms much like establishments that sell alcohol or cannabis.

If an American walks into a bar and looks young, chances are high that they will be carded, either by a door bouncer or by the bartender.  After showing ID and establishing that they are 21 (a process that, in my view, should never involve anything saved in a database) then that person is considered acceptable to be in the establishment… whether or not they are actually consuming alcohol or cannabis.  It is not the government’s business to know if such a person is making one purchase, ten purchases, or zero purchases.

I would strongly support such a solution for firearm owner background checks… at gun stores, gun shows, and gun ranges:  establish that persons entering the premises are not violent criminals by means of a quick and free background check, unrelated to any Form 4733, at the main entrance and then leave them alone because society’s interests are already fully-served at this point.

Would this approach have some complications?  I won’t deny that the current architecture and layout of any number of gun shops and expo centers don’t lend themselves to easy throttling at the front door and foot traffic restriction of the kind I’m describing.  I also acknowledge that some establishments which sell guns also sell unrestricted items (accessories, hunting outfits, etc) and such a policy could have a business impact.  These and others would be genuine headaches in some instances.  But they are addressable problems in almost all cases.  And the end result would entail:

  • Citizens would be free to run a NICS check on themselves before visiting an establishment where that is a condition of entry.
  • Citizens affecting private transfers between one another would similarly be able to interact with the free and fast echeck system online.
  • This enables genuine accomplishment of the “universal background checks” goal, which removes it as a political cudgel for anti-gun-rights groups to wield
  • The government is actually hampered in any attempts to expand databases of gun ownership (given that, in my ideal world, the Form 4473 would only be kept in an FFL dealer’s records on premises and not tied to any background checks)
  • Very likely, prohibited persons would be increasingly restricted or dissuaded from acquiring guns via the most available channels

 

Again, I want to specifically point out that I recognize how both of my above proposals are imperfect and could still be met with resistance.  But almost any presently-achievable solutions will be imperfect and a challenge to enact.  These two solutions might, at least, serve our societal need to “do something” without being outrageously unconstitutional, harmful, and ineffective in the process.

 

Looking Into the Future

 

Make no mistake… if the United States continues to be an aberration with respect to outsized figures of firearm violence compared to the rest of the developed world, more drastic and far-reaching proposals will continue to be offered up by politicians and these will continue to gain traction with the public.  While older folks who have enjoyed safe and legal gun ownership for decades will hate to hear this, the stark reality of society is that future generations get to dictate the world which they wish to inherit.  Youth today, who are growing up amid saturation media coverage about gun violence and who are seeing statistics that don’t seem to afford fast enough progress in the right direction will continue to support the erosion of gun rights unless we reverse those trends.  The writing is already clearly on the wall.

Do you want my prediction of the most likely way that gun rights could be chipped away in the future?  I predict that today’s youth movements — who want to target modern rifles and modern handguns most of all — may work toward adding self-loading guns as a new regulated/expanded classification under the National Firearms Act.  These folk won’t seek for such weapons to be banned outright, but rather to be treated like, say, machine guns under the NFA: the process for ownership (and, especially, transfer) could become so onerous that fewer and fewer Americans would think it worth the trouble.  Our presently ubiquitous AR-15 rifles and Glock pistols would then mostly change hands only via inheritance as opposed to purchase and sale.  Any firearms not properly registered during a period of amnesty and grandfathering might be owned illegally for quite a while, but concerns about penalty would result in most owners no longer taking such guns to public events (for fear of legal repercussion) and the sporting and competition shooting culture would dwindle rapidly.  If a policy like the one I am describing were to become law a decade from now, by mid-century the landscape of gun ownership in this country would be dramatically and most likely permanently changed.

And I’ll say it again: we don’t get to exercise exclusive control over the world that the next generation is going to inherit.

If we are truly serious about ensuring that firearm rights remain a part of American life well into our own golden years and beyond, we must focus on the very long game by educating and engaging the next generation of gun owners and also by supporting much broader initiatives aimed at deep, societal change in order to combat all kinds of inequality and suffering, of which gun violence is just one symptom.  As I mentioned above, most homicides are not mass shootings.  We know this.  But what the gun community often fails to acknowledge is that many, many murders in the United States are also not gang violence and drug-related killings but are part of a much wider spectrum of fights and arguments, often impacting communities who are already the most devastated by factors of socioeconomic oppression.  Violence and harm of all kinds are broad societal problems, and we as a nation must study and support broad societal interventions.

From programs of targeted intervention so that shootings can be prevented before someone reaches for a gun to increasing the robustness of our social safety nets so that extreme poverty and hopelessness about the future doesn’t continue to define so many communities to criminal justice reform so that hope exists for those who transgress in their youth… we must as a nation afford all people from all backgrounds a path that doesn’t lead simply to poverty or prison if they come from circumstances without abundant opportunity to become productive and healthy members of society.

 

You may think I’m some socialist extremist reading my concluding words there.  I do not think I am, but perhaps my final thoughts have turned off many in the gun community which I value.  “Universal Basic Income” may be as unpalatable a phrase as “Universal Background Checks” among a lot of firearm folk.  But mark my words: if we do not engage with society’s broader problems as we participate in meaningful and feasible new solutions to gun violence, the next generation will do so without our voices in the discussion.  And as much as you may have a distaste for ending cash bail or decriminalizing poverty, you’re going to hate the alternatives a whole lot more.

 

Stay safe out there, everybody.

This week started off with the latest round of news coverage dedicated to a story that just won’t depart the headlines within the hacker community: the disgraced Facebook group known as the IllMob.  The story continues to capture attention, receive column inches, and generate discussion for a couple of reasons:

  1. The key ringleaders of this posse have not apologized to their victims but instead have mostly doubled-down in their efforts to self-aggrandize and downplay any wrongdoing.  This has resulted in cringe-worthy tweets.
  2. As professional fallout continues across the industry, some of the group’s other members have sought to publicly distance themselves from the hateful behavior seen in the widely-shared screenshots.  This has resulted in interviews.

 

This effort to save face or explain-away why many “average nice people” were members of such a Facebook group for far longer than most folk would consider reasonable has ranged from simple hand-waving and dismissiveness (of the “I never really look at Facebook” variety) to more active arguments that could be summarized as “the group was about more than just hate” or “it was a valuable community, and in any community of significant size there will be a few assholes.”

In this vein, many of us saw an article and associated two-part audio interview from Jennifer O’Daniel and Greg Otto of the Securiosity podcast wherein they spoke both to Georgia Weidman (a hacker, author, and business owner whose success has made her one of the IllMob’s targets in the past) and Joshua Marpet (a former long-time member of the IllMob and mainstay at a number of hacker conferences where he volunteers, often in a security role.)

 

Georgia has been one of the principal targets of the ire thrown around by the IllMob’s most vocal members for some time now.  (Full disclosure: in case you’ve been living under a rock or in a server room in Afghanistan, you may not be aware that both my wife and I have also been targeted by the IllMob in the past, for principally the same reasons as Georgia and other prominent individuals in INFOSEC: frustrated men who feel “entitled” to success that they have not worked hard enough to earn will often lash out at individuals whom they feel have ascended to prominence and power without “merit” and they will seek to tear them down.  So, let it be known, I have also had my share of poorly-typed internet insults directed at me from this treehouse of little rascals.)  Despite being a founder of successful INFOSEC enterprises, a noted author, and a widely-sought instructor in our field, Georgia found herself under fire from this peanut gallery over superficial considerations such as choice of attire at conferences or the decision to partake in cocktails while presenting (at a conference which made it a feature of all talks to present speakers with drinks.)

Georgia adeptly points out in her Securiousity interview that much of the criticism directed at her was deeply gendered (men in our industry are seldom criticized for their attire or for drinking alcohol, even at company events) and she did a pretty comprehensive job of summarizing the challenges that many women and other under-represented groups face when one of their ranks begins to achieve success in INFOSEC.  Her whole segment on the above-linked interview is rather on-point and leaves little wiggle room for those who would seek to defend the bad behavior of immature guys lashing out with misogyny and hate.

Georgia offered additional summary of her specific thoughts for inclusion here, as well, and I’m happier letting her speak in her own words…

The DerbyCon shut down post was written in a way that caused the people who had previously pointed out bad behavior to be attacked with a “women ruined our fun” Gamergate-like narrative.  The DerbyCon founders could have simply said they were focusing on other endeavors and moving on; instead they (seemingly purposefully) incited a riot.

I tweeted, as hundreds of people did in response to the shutdown, about my own past DerbyCon experiences.  I, like so many others, was simply commenting on their decision to shut down.  IllMob put me at the center of this conversation, not me.

I was surprised when a journalist from Motherboard asked me to comment upon what was being said regarding the IllMob.  This is not the kind of thing I want for my media highlight reel nor is it the kind of thing that helps me as a consultant, an author, a speaker, a trainer, or a startup founder.

I’ve been attacked by these people before and I’ll undoubtedly be attacked by them again.  But this isn’t really about just one conference shutting down.  When I reach out to new potential business contacts, I sometimes get unsolicited dick pics rather than new business.  I’m still asked to meet potential business partners at night at their hotels (and no I can’t bring my advisor) and if something happens it’ll be my fault because, “What was I doing alone with him?”  These are just some of the many ways there are double standards and barriers holding women back.

It’s not just DerbyCon, it’s not just IllMob, and it’s certainly not just “drama”.

We’ve got to change our industry (and our society).  That we are now talking about these kinds of things publicly instead of hiding them in dark corners is actually progress.  And treating everyone with dignity and respect is just good business.  At the end of the day, we all just want to learn new things and do great work.  We shouldn’t be distracted by the actions of a few bad actors.  But we also shouldn’t tolerate them just because we always did in the past.

IllMob put me at the center of this conversation, not me.  But I won’t shy away from it, I won’t be intimidated, and I won’t be silent.

 

And yet, in a perhaps-misguided effort at innocently attempting to offer “balance” in their reporting, Jen and Greg sought out an additional voice to provide an alternate take on the IllMob, the end of the DerbyCon conference, and how people confront hate among their professional circle of peers.  It is unfortunate that often when journalists strive to air opposing viewpoints they frequently wind up selecting two participants who do not have the same standing… but the resultant media segment portrays a false equivalence.  (How many times have we seen a report on “Climate Change” where one half of the broadcast features a researcher from NOAA with a doctorate in atmospheric science who has read all the peer-reviewed data and the other half consists of a guy in Iowa with a snowplowing business, standing next to one of his trucks saying, “Look at all this snow!  So much for global warming, eh?”)  But search they did… and Securiousity introduced IllMob member Josh Marpet as a voice to provide a counter-point against all of us who have been critical of the hate and harassment which originated in that Facebook group.

Josh was brought on (in a separate segment… he and Georgia did not interact directly, which was probably wise) and he offered a variety of thoughts that, I must say, failed to adequately address the elephant in the room, in my view.  (Full disclosure: Josh and I are both from the Philadelphia region and are both hackers of a certain age, so we came up together in this industry.  We knew each other well and we saw each other regularly at hacker gatherings when I lived back East.  Hell, I attended his wedding.  We have lost touch over time, and recent revelations about his remarks to the IllMob concerning my wife and I have put much greater strain on our friendship… but I still reached out to him and offered him a chance to review what I planned to publish here and am affording him the freedom to offer brief corrections or rebuttals.)

Josh attempted to explain why many people who are otherwise decent and friendly would have remained as members of the IllMob Facebook group in spite of the hatred being thrown around by its most prominent participants.  He offered what has become something of a major talking point these days:  “The group was a resource for interesting information.”

If some of you are seeing unfortunate parallels to the old chestnut, “It’s about ethics in video game journalism,” rest assured, you are not alone in those thoughts.

I would like to counter Josh’s assertion by politely challenging him (and anyone else who has offered this as a defense of their membership) to please provide me evidence of any clear-cut examples when ground-breaking information was available in the private Facebook group that wasn’t being widely-covered and distributed elsewhere.  Please.  If it was so interesting, then this group must have resulted in some of you generating notes/logs/screenshots or something more that you kept because they were germane to projects you were inspired to research.  Someone, anyone, please send me evidence of even one thing that was so earth-shatteringly cool that you saved it.  I personally tend to save over 100 threads per year from the 303 Mailing List where I am a member and participant.  (Full disclosure: does the 303 Community have its share of inappropriate chatter?  Sure.  It tends to be of the “buttlol” comments and “loldongs” replies nature.  And if someone says something that is honestly hurtful or punches down in an attempt to be funny… there are honest, immediate social repercussions.  People have left the 303 list over such disagreements.)

 

Every Village Has An Idiot

Josh admits that this “great informational resource” had a bad element, however.  “Everyone knows at least one idiot in their friend group,” he asserted in his interview segment.  Yes, of course this is true.  My eyebrow does not raise if someone is found to have a less than perfect friend.  My spider sense tingles, however, if people fail to push back against their friends’ idiocy.  Whether your idiot friend is doing something that only has the potential to harm themself (“Dude, don’t try to ride your new unicycle through traffic!”) or they are doing something that can have ramifications for the group as a whole (“Come on, man… juggle your fire stick outside… you’re gonna burn down the house!”) we are all accustomed to having to get someone back in line when they’re being stupid.  Intervening when someone is doing something colossally stupid is the act of a friend.  If you don’t step in, who will?

What I want to know is: where was this type of kind intervention among the IllMob?  There are those who claim that they spoke up against the hate.  Really?  Then why did it continue?  Why was this an ongoing theme of the Facebook group?  Clearly, either they didn’t speak up very fervently, or the people attacking this whole community refused to listen and reflect.  And at that point… the million dollar question: why have them as friends at all?

“Everyone knows an idiot in their friend group,” may be a true assertion that Josh made.  But it’s a significant stretch to turn that into, “Everyone knows an idiot in their friend group who won’t listen to reason and whom you don’t really try to correct because they’re irredeemable but you just keep them around forever anyway.”  Far fewer people could agree that this second sentence is normal or proper.

 

Do I Just Leave?

But let’s assume for a moment that Josh and others in the IllMob did do their level best to correct the deeply antisocial and maladjusted behavior of the worst offenders.  Even if that was the case, clearly it did not have a positive impact.  The hate continued.  “Am I supposed to abandon the group because of a handful of people?” Josh then asked his interview hosts.  My simple answer to this rhetorical question would be: “No.  You aren’t supposed to abandon the group.  The group is supposed to abandon the assholes.”

Unless, of course, the head asshole is literally the head of the group.  Leadership sets tone in all organizations.  I feel almost astonished that this point has been glossed over or ignored in so much of the coverage of this topic.  The “handful of assholes” away from whom the bulk of the “respectable” members have done their best to distance themselves included the founder and admin of the whole group.  It also included a couple of other very prominent voices in INFOSEC.  This wasn’t a couple of no-name bozos with 19 twitter followers between them… the very name of the group was the name of the lead misogynist and internet troll among them.

Or, as I put more succinctly while joking on twitter

Assertion: “Look, all I did was eat my lunch with 500 other workers at this spot down the block where we all hung out to chat. We talked shop. I had no idea folk off in the corners were into dog fighting! I don’t support that!”
Rebuttal: “Dude, your lunch joint was literally named The Michael Vick Bistro.

The interview hosts kept returning to this question repeatedly throughout the interview, never to receive a satisfactory answer.  “That was the absolute edge cases,” Josh repeats.  The host pushes again later, asking, “When someone goes that far, however, then aren’t they no longer part of the group?”  Seemingly making my own argument for me, Josh simply replies, “Why?  Are you the admin [of the group]?”  And that’s the key point, isn’t it?  It wasn’t “some jackass” who was “out on the margins” causing a few problems.  Leadership sets tone.  The founder was the lead voice of harassment.  The call was coming from inside the house.

 

Drama Llama

After that in his interview, Josh made the point with which I take the greatest umbrage.  And not just when he said it… when anyone says this.  “There’s always going to be some kind of drama.”

You know what?  I am goddamn sick of that word.  I’m utterly fucking tired of it.  First of all, I should say that I roundly and wholly reject the argument being made.  I’ve been at loads of fun and awesome events that ran smoothly and I have known communities and families that were well-adjusted and happy basically all the time.  Values of respect and affirmation and tolerance and assumption of good intentions go a long way toward making that happen.  But beyond the logical fallacy of his argument, I am disappointed that Josh is one more person who loves to over-use the word “drama.”

When something awful happens to you or someone you care about: it’s trauma.

But when something awful happens to someone about whom you don’t care: it’s drama.

(All credit and thanks for that phrase go to my marvelous wordsmith of a wife who crafted that rhyme and it stuck with me ever since)

I believe you can use the word “drama” as a barometer for how much the speaker cares about other people.  Labeling something as “drama” packages up a whole litany of dismissiveness into a nice “get lost” cocktail for the party who feels that they have been wronged.  Calling them a “drama queen” not only conveys your distaste and disinterest to the principal party, but it is also a powerful in-group signal.  Slapping the label of “drama” on something serves not just as an insult but also as a warning to the rest of your peer group: “Do not engage with or sympathize with what is being exhibited over there.  We as a group do not value that person and their interests.”  By referring to the women who reported harassment at DerbyCon or the criticisms of anti-LGBTQ hate being thrown around the IllMob as “drama” I fear that Josh is participating in that cycle of dismissing and minimizing others’ concerns.  Bizarrely, Josh also included incidents of over-indulgence with alcohol or people experiencing medical episodes at cons as “drama” when discussing this term during his interview.

Maybe I do not fully grasp what Josh means by the use of this term.  But I certainly know how people who hear it feel: like they shouldn’t intervene even if they want to, and like they should simply go away if they were the one who spoke up in the first place.

 

A Roadmap with No Street Names

“So, looking back at DerbyCon,” asked one of the interview hosts, “do you think there was anything that could have been done to save the conference?”  Josh considered the question.  During the brief silence that followed, I honestly wondered if he would have offered real solutions such as “kick out the harassers” or “set the tone from the top.”  Josh has a background in law enforcement / corrections and he has leadership talent.  He knows about getting people to comply, securing an environment, and commanding others.

“Sure, there are things that could have been done,” he offers.  “Absolutely something could have been done [to keep DerbyCon running],” he asserts.  And then… he proceeds to not name one. single. suggestion.  Go ahead and listen to his interview segment again (jump to 1:09:25) if you don’t believe me.  I’ll wait.  Josh speaks about opportunity costs and calculations.  He imagines DerbyCon continuing to run for years into the future.  But he offers absolutely zero solutions.

The hacker community has been offering solutions for ages. There have been endless talks about this on Twitter and in Slacks and on forums and across blog posts.  Other conferences have tackled these problems as they grew and implemented these solutions.  But Josh, much like DerbyCon as a whole, simply couldn’t seem to find the way to set the right tone from a position of leadership… or bring themselves to cut ties with harassers.

 

Talent Begets Taunting?

To their extreme credit, the interview hosts seemed to become increasingly frustrated with the avoidance and non-answers being offered.  “That’s something of a cop-out, though, isn’t it?” Greg asks at one point.  When pressed for what, deep in the recesses of the most hateful members of the group, could have been driving their horrible behavior, Josh advances the theory that, “highly-skilled and talented people will look down on lesser-skilled people.”  This is, of course, total horseshit.

In my experience, the most fully self-actualized and capable people tend to be happy in their work and eager to do right by the rest of the world.  It is the unsuccessful individuals who wind up causing the bulk of the friction in most social groups, as far as I have seen.

The acclaimed author is a joy to be around.  The jerk who couldn’t get his manuscript published is angry at the world.  The popular artist is a joy at parties.  The failed playwright is rude to the barista at the coffee shop because they look too chipper.  So it was with the IllMob… the bulk of the hateful comments were seen to be coming from middle-class white guys who, while sometimes capable of holding down regular jobs, have never really measured up to others and who by-and-large would deal with their feelings of self-dissatisfaction not by examining what they could do to improve themselves as individuals but rather by attacking “other people” whose success they felt was “undeserved” and not merit-based.

Talented people look down on the untalented?  Maybe in your world, Josh.  But not in the one I’m trying to build.

 

“We Fought the Good Fight”

Individuals who were an active part of the IllMob but who want to distance themselves from the hate being thrown around in that group have taken to acknowledging the bad behavior of its worst members (including their founder) but are quick to remind people that “the rest of us pushed back” against this negativity.  Would you like to know why I believe that neither Josh nor pretty much anyone else in the group offered a full-throated push back against the assholes?  Two simple reasons:

  1. The group didn’t change
  2. Josh and others weren’t kicked out of the group

 

Make no mistake, anyone who has seen a toxic community like this one was knows that those are the only two real outcomes if “good” people are serious about fighting entrenched hatred or misogyny or transphobia.  If a group of people are really deeply dedicated to fixing things, they will either conquer the hate or die trying.  By dint of the fact that Josh as well as the other “500 members” of the IllMob were still enrolled in the group right up until the Motherboard article and mass exodus/great purge… I feel it’s rather clear that none of them “pushed back” against Will and his top cronies very much.

 

Doing Our Part to Make Change

Ostensibly frustrated that they weren’t getting satisfactory or clear answers about the problems with the IllMob, the hosts pivoted slightly and asked Josh about how we can all try to improve our industry as a whole.  After a somewhat meandering start to his answer, Josh focused on the topic of “making availability of knowledge more extensive” so that it is “easier for people to get into this industry” and “grab opportunity.”  His formula for enabling this goal was elaborated with descriptions of supporting local, low-cost events in areas that are accessible to under-represented groups.  Josh specifically identified minorities, students, etc. as people he loves seeing at hacker and INFOSEC cons.  (There was, alas, no discussion of any specific outreach initiatives, grants, special invites, or cost-sharing programs to boost diversity numbers at such events such as the measures that ShmooCon or BlackHoodie trainings have … but I share his enthusiasm for increasing women and minorities con attendance, just the same.)

But let’s say cons are lucky enough to see attendance from the very kinds of under-represented groups that Josh, I, and most other hackers are hoping to attract to our industry which is hurting for diversity in membership.  While it’s great to have them join us at cons, getting people interested in STEM has seldom been as big a problem as retention of these individuals is.  Maybe Josh simply hasn’t done the reading here… but plenty of others have.  Particularly, the many women in tech who have been invited to sit on panel after panel (by events that seldom made another spot open on their talk schedules for said women to present on whatever actual technical work they’ve been doing) have told audiences this for years now.  The drop-out rate for women or people of color or LGBTQ individuals in INFOSEC is bad and has been trending worse.  That doesn’t get fixed with Legos and free pizza lunches at BSides.  This will only get fixed by deep culture shifts and the addressing of toxic assholes in our community.

Perhaps aware of this intellectual disconnect, the hosts again appear to try to steer the conversation back into the matter surrounding the core problem we all must face: “Why do you think discrimination in the industry and the hatred seen in the IllMob exists, though?” they ask.  “Why don’t more people push back?”  Any answer given to this question that doesn’t touch on the theme of privilege is disingenuous to me.  Literally the answer is privilege … brought about by deep, long-standing ties in the community that some assholes have.  If these people had no community connections, there is no way anyone would tolerate their bullshit.  If a brand new person with no experience in the hacker scene and no industry background showed up wanting to make friends and then behaved like the worst of the IllMob, they would be shunned immediately.  So I was hoping the answer to “why do you think the hatred was seen there” would have some acknowledgment of privilege and the free rein that comes with it.

“Some people are just frustrated,” Josh asserted.

“Wow,” I thought, “Are Josh and I actually in agreement with one another?”

“…Where are people supposed to vent?” Josh continued.

Are you bloody kidding me?  Nobody cares about a guy grousing over a pay raise he didn’t get or someone complaining about a conference that didn’t accept their submission.  No one has said they have a problem with people innocuously “venting” about life’s little frustrations.  That’s fine and normal.  But you aren’t supposed to “vent” about hating women, LGBTQ folk, etc.  If that’s someone’s idea of “venting” then they don’t need to be provided with a safe space to do it.  They need to be told to get in the fucking sea.

 

Am I My Brother’s Keeper?

Fundamentally, for me, the arguments surrounding the IllMob, DerbyCon, and many other points of cultural friction in our community of hackers come down to disagreement over who should take responsibility for encouraging antisocial people to change.  If someone is reluctant to correct their behavior, then the choice must be made whether to shift tactics from “encouraging” to “forcing” someone to improve themselves.  And, ultimately, cutting them out of your lives if they will not.  These are the same difficult steps one often has to escalate through if someone you care about is abusive, or if they are grappling with addiction.  It’s a very difficult road and not everybody is up to the task of taking on such a challenge in others.  But here’s the key thing: these hard challenges must be faced.  And it is those who are closest to the individuals among us who need help that have to walk this hard road.

To claim that it’s not your place to speak out when a friend is in the wrong is to surrender away your duty to them.

“My sense of right and wrong is not necessarily somebody else’s sense of right and wrong,” Josh definitively told the host.  “Can I tell you, Jen, that what you do is wrong?” he asked.

Yes.  While there are shades of gray and much nuance in the world, society as a whole does share certain broad norms and values.  We all have the right to act as a helper when someone else’s conscience may be shaky.  Angrily telling others they must select pizza toppings that align with your tastes or demanding they use the text editor you prefer or requiring them to listen to the music that you like makes you insufferable.  But telling others that what they’re doing is wrong when they are actually doing something objectively bad and hurting other people in the process?… That’s the act of a friend.

You were wrong, Josh.  All of you who stood by and watched and did not fight back hard enough against the hate were wrong.

 

 

 

NOTE: after reaching out yesterday to Josh at several email addresses I had for him as well as trying his email address at the business he currently owns, I did not hear back.  If Josh replies to me at some point in future, I will still honor my offer to him:  If he believes that he has been misquoted, misrepresented, or mischaracterized in any way by what I have written, he may contact me with corrections.  Minor one-word or one-sentence tweaks I will try to include as marked edits at his request within the body of the main text.  Additionally, I am willing to include a brief paragraph response to appear below the article as a whole.

Almost every morning, my wife and I have a breakfast that consists of some combination of eggs, a side meat, greek yogurt (we buy Fage full 4% on the road or make our own at home using Fairlife milk in our Instant Pot), and possibly an avocado.  This all makes for a very high-protein, low-carb, zero sugar meal at the start of our day.  She’ll make a pot of her tea and I’ll typically just have water and/or zero-calorie sports drinks.

And this is great.  It’s fast, it’s fulfilling, and we look forward to it every morning.

But every once in a while, the human condition of restlessness kicks in and a desire for change may be felt.  And, I’ll admit, memories of breakfasts with my family when I was little make me pine for piles of pancakes or waffles, toast, or even just cereal.  All of which have been banished from my kitchen for being insanely carb-heavy and often also sugary.

But then recently, at Costco, I spotted this product…

 

 

This product claims to be a paleo-friendly pancake mix.  I’m not officially keeping to any “diet” that involves rules and buzzwords.  But while I don’t identify my dining as “paleo” or “keto” or anything of the sort, I am always interested in food options that are tasty while minimizing carbs in a reasonable way.  This mix, from Birch Benders, makes use of almond flour, coconut flour, cassava, monk fruit, and powdered eggs, hitting a rather effective bingo when it comes to modern “dietary wonder” ingredients that people try when avoiding wheat flour.  The only thing I think I’m not seeing here are ground crickets.  😉

Let me tell you… the results are fucking delicious.

I sweeten the preparation a bit so that we can avoid applying any syrup to the finished product.  The last time we made these (they tend to be a weekend morning specialty for us) I took photos in order to share details with others.  So here you go!

 

1. Set your stovetop to medium and start heating your non-stick pan…

 

 

2. Land a thwack of butter (we love grass-fed, all natural butter) in those pans as they heat as you turn to your mixing bowl…

 

 

3. The official recipe on the Birch Benders bag calls for 3/4 of a cup of their mixture plus 2/3 of a cup of water.  I’ve found that to be ideal.  However, in an effort to avoid use of any syrup during serving, I adjust my mix a bit with about a tablespoon of brown sugar alternative and a drizzle of vanilla…

 

 

4. If your pan is up to temp and the butter is melted, you’re ready to pour in some batter!  I tend to make 4 pancakes with the mix that results from 3/4 cup of powder and 2/3 cup of water.

 

 

5. I’ve found that despite being made from alternative ingredients, these pancakes have a pretty similar cook time to traditional ones.

 

 

6. If you are having trouble keeping the cake from sticking to the pan, or for just about any reason you want, it’s always OK to add a little more butter to the pan by running a dollop around the outer edge on the tip of a knife, letting it melt down.

 

 

7. Keep an eye on the top, and when you start seeing tiny bubbles coming up through, you know you’re at most a minute away from flipping.  Typically, I flip after about 3 or 4 minutes of cooking.

 

 

8. Flip carefully, and hopefully the underside is a perfect golden color.  Once flipped, I let it cook for another 60 to 90 seconds, max.

 

 

9. Plate it with an additional pat of butter resting on top.  No syrup should be needed, hopefully.

 

 

10. We sometimes experiment with fruit.  Tarah likes strawberries.  A couple berries diced up and folded into the batter (along with some red food coloring that we had for another project) made for a nice result, as well.

 

 

11. Note: if you add fruit like this, the water (and likely lower temp) of the fruit will slow the cooking process a bit, so you may want to keep the cake in the pan for a minute or so longer per side, in order to ensure it cooks through completely.

 

 

The results are really delightful, I have to say.  These are delicious and, while not totally carb-free, they are much healthier than going to an IHOP or some such.

 

 

If you’re a Costco shopper, keep an eye out for them.  Maybe you’ll give these a try.  Maybe you’ll like them, too.  Good luck and enjoy!

 

This is a quick one from me, but hopefully it helps you save money if you run any firearm-related events.  In addition to the DEFCON Shoot, I help run other regional shooting events — sometimes at hacker cons, sometimes elsewhere — and one of the things that I feel organizers should try to do is always have a kit of “range essentials” that can help fill in any gaps of amenities and supplies that may be lacking at a venue you’re using.

Just in case you want to build such a kit, here are some bare-bones essentials that just about anyone can put together:

 

You’ll notice that almost everything in the above list has links.  They are links to the particular items that I have liked and trusted and opt to bring with me whenever I’m running an event.  (Other gear shows up at most of my events, too, like service and cleaning supplies, free water, free snacks, etc.  But the above list are the safety essentials.)

One item in the list does not have an amazon link, however.  That’s because chamber flags, bought retail, are very expensive.  At between $2 and $8 apiece, they are not an item that lends itself to cheap and easy purchase en masse if you’re going to set them out in a bin for give-away.  That’s why I opt to make my own homebrew chamber flags for my Gun Range Running kit.

Want to make your own nearly-infinite supply of chamber flags for almost no cost?  Here’s what you acquire:

 

Take the orange tube and cut it into segments roughly 1¼” long (just over 3cm)… the above-linked tube should hopefully produce just over 30 pieces.

 

The next steps should be rather self-evident.  Slip one of these bits of rubber tube over a zip tie…

 

 

Then affix the zip tie to itself.  Be careful to try to not pull it ridiculously tight.  Just enough to make a little “flag” stick out to the side…

 

 

There you are!  Buying one pack of the above zip ties and three of the orange rubber tubes should yield close to 100 of these for a little over $25.  That’s effectively a quarter apiece.

 

 

They work perfectly well in most sizes and actions of firearm…

 

 

And while they may not be as robust and perfect as factory-made chamber flags, these should be more than sufficient for your event attendees to grab a few and utilize them as needed.  If they return them to you, great.  If they walk off with them, meh.  It’s not a huge cost to you, but it can be a major time-saver as your RSOs walk the firing line and visually inspect all the guns on the tables before declaring a range cold.

Making cease-fires easier and faster means the sooner that people get to check and reset targets and therefore the sooner that everyone can go hot again and keep plinking away.

Enjoy!  Stay safe out there!

I keep my Twitter DMs open and my email address is public.  This, plus the fact that I’m a recognizable face at conferences and generally like to answer folks’ questions means that I field a lot of inquiries… particularly about the hacker community and the world of physical security.

While I always want to give each person who reaches out an individual and specific answer unique to them, a recent utter flurry of contacts (due to a bout of mainstream press and wider attention) has made it harder to keep up with my inbox.  Consequently, I’m going to try posting something here.  It will effectively be an amalgam of various answers I’ve written to folk in the past week or more.  Some people have been asking about their own career path and job prospects.  Others have found that my explanation of security flaws hits home for them because they see these vulnerabilities in their own work environments and want to share this news with others.  Other folk simply want to know how to best apply their limited resources in a way that can lead to a more satisfying and interesting vocation or hobby.

 

At the risk of grossly over-simplifying things, I’m going to paraphrase this matter as…

Question: “I think what you do is awesome.  How can I do that sort of thing, too?”

 

Again, while I recognize that a one-size-fits all answer isn’t ideal, this is my best shot at responding to the above.  We’ll call it the “one-size-fits-most” answer.  We are close to Halloween costume shopping season, after all!

 

Answer: Hey!  Thanks for reaching out!  My answer will be 100% honest, but I hope very much that it doesn’t come across as disingenuous or self-serving… it’s a very tricky subject, and far too often companies don’t understand or value this kind of knowledge and skill set properly.

Far and away, the primary answer I have to give folk is one that is simple and also a hurdle at the same time:  training.  I am not one to kneel at the altar of Certifications for their own sake, however if someone has taken the time to successfully complete training courses and pass exams, etc, then that shows current as well as future employers that this individual values professional development and wants to apply their skills.

If you have an employer and you think they can possibly help support your education and would send you to training, that’s great.  If your firm is reluctant, however, or does not exactly understand the value of this kind of knowledge or how to leverage it properly, that’s more difficult.  If you are seeing security flaws in your own office or company facilities and want to report it… I urge caution.  Advice of this nature coming from internal voices sometimes is found to be unwelcome.  It might be best if you were to bring up some of the evidence put forth in perhaps some of my talks…

…and if you get any traction with any of those presentations (don’t overwhelm folk, just see if anyone watches or nods.  You can even queue up a clip in the middle and then let it play, etc) then you can suggest taking training.  If it feels like that may still result in a shrug, then suggest the company pursue advice from outside consultation.  Again, I know this sounds self-serving since this is one feature of my own firm’s work.  Still, if you value this kind of insight and want to see your company’s security posture improved, reaching out to us or to one of the handful of other businesses who are experts in this space may be a solid choice.  Doing so in a way where you serve as a point-of-contact overseeing a consulting task as opposed to the person doing it allows you to get credit for taking the initiative and generating the findings and also insulates you from the risk of being the scapegoat if people don’t like what’s learned during testing.

 

The tongue-in-cheek answer I tend to give during interviews and the like regarding “how did you get your start doing this sort of thing?” has always been, “I had a few of the right friends and a few of the wrong friends.”  It’s a good line.  It’s a snappy, easy delivery and makes for the kind of amusing copy that writers and editors like.  It’s also truthful, albeit an over-simplification.

If I didn’t have friends who were urban explorers and hackers with less respect for official rules and boundaries growing up, I might have not gotten interested in these kinds of skills myself.  From the very beginning I’ve considered Barry Wels (and the other Hippies from Hell) a tremendous inspiration and source of knowledge.  And I have to thank Mike Glasser for being so welcoming and willing to teach me (and for pulling me on stage at an early DEF CON during the single-digit years) when i was just getting a feel for lockpicking.  People who were willing to teach, including teaching things that were often considered forbidden knowledge, was instrumental to me.   Business owners who were willing to give me opportunities to participate in their work or in their training sessions if I would volunteer my time to assist or do other work that needed to be done on the side were also a benefit.  If you’re having trouble determining who among this cast of characters were the “right” versus the “wrong” people to know… you’re on the right track.  In truth, it’s a broad mix of voices from many diverse sources who contributed to me turning out like this.

(I will say that some of the “wrong” people were simply individuals and companies who are just woefully bad at business and folk who wouldn’t do emotional labor… Watching these persons and institutions flounder around as they failed to maintain healthy business relationships was also quite edifying, albeit disappointing.  But it’s a simple truth that if you can’t communicate well with others and aren’t willing to check your ego at the door and satisfy the real needs of those around you — as opposed to what you perceive they should need — then you’re going to have a Bad Time no matter what you try doing, business included.)

My life and current career (10 years in this field, as you see me now) are the product of at least the previous 10 years before that (a decade of unpaid or nearly-unpaid education, volunteering, and self-development while I was working to support myself via other means.)  I have been a student at Black Hat, SANS, Lockmasters, and more.  I double-majored in college when I returned to school later in life and hold a Bachelor of Science.  I hold a range of recognized certifications.  I have spoken over 200 times to audiences who were public, corporate, government, and military.  I have published books in my field.  And I still try to take at least one training course every year, even if it’s only tangentially related to my vocation.

Are all of these above steps necessary for someone to achieve success?  No.  Not a single one of them is a “do this or forever abandon your hopes of this career” point.  But every last one of them has played some part in all of the opportunities I’ve had and continue to have.  Choose from the above list (or see the TL:DR below) and try your best at such forms of self-improvement as you can handle.  That is the path to your own success.  There is no shortcut.  (But there are some poorly-locked doors along the way, and slipping by such obstacles is the kind of thing that Tarah detailed to a great degree in her own book.  Which I strongly recommend, no matter your age, gender, or industry.)

 

So…

For companies: Train your employees, ideally once per year.  Allow them to have a say in what training options they have.  Hire outside experts as needed.

For individuals: Seek out training, either paid by your employer or save up and do it out-of-pocket yourself (tips here include asking if conferences have volunteer programs for reduced or zero tuition and also asking trainers if they ever operate classes direct to the public as opposed to through intermediaries)

 

This may not sound 100% fair, particularly if you already have a significantly developed skill set.  But the world is full of folk with the same hunger and same good personality as you… even if you consider the result of training to be “just a piece of paper” it remains, in the business world, an important designator that can set you apart from many other candidates who are seeking the same opportunities you are seeking.

I have taken professional training just about every other year (sometimes more frequently) throughout the past decade or more via a variety of recognized and established institutions as well as smaller outfits, etc.

The benefit to me: I’ve managed to sharpen existing skills and also acquire new ones.  I’ve improved my own teaching style by learning what to do (and, far more often, what I’m glad I *don’t* do) in front of my own students

The benefit to my employers/clients/etc: They can quickly assess the fact that I most likely know what I’m talking about.  They have a way of sorting me versus other potential folk with whom they might engage.  I don’t begrudge them for using the fastest and most available tools to make these kinds of decisions.  We’re all busy and we want to maximize the impact of our limited resources, that includes time.

 

Make the most of your time… get training where you can and change minds when you can.  Call in outsider help when necessary.

 

Hope that helps, and good luck!

Right off the hop, let’s get this out of the way:  Yes, this is an homage to (or shameless theft of) the speech Colossus makes at the conclusion of the film Deadpool.  Still, there is some poignancy to how I was feeling when this thought occurred and that’s why I wanted to share it here.

This DEF CON was significant for me.  I’ve been attending the con for nearly 20 years now, but this one really seemed to impact me emotionally.  The reason:  it has become apparent that, as a whole, the conference is too large to “see it all” even if someone really, really dedicates themselves to that cause.  I realize that DEF CON has been growing by leaps and bounds.  And long-time veterans can take their pick of the year when it “wasn’t the same anymore” from a list that includes:

  • Outgrowing and leaving the Alexis Park
  • Stretching on the calendar into Thursday
  • Choosing venues that span across multiple hotels
  • Being back on the Strip in a grown-up venue where they don’t take kindly to shenanigans

…and, yes, all of these milestones did indeed change the nature of the con.  But, for me, something truly felt different this year with regard to how many activity areas there were, in the form of Villages, challenges, etc.  While it perhaps hasn’t truly been possible to see all of DEF CON in a single trip for a while now, I feel like this year was the first time that I truly heard a whole lot of voices from folk who weren’t mere observers but true interactive people, seeking to go hands-on with people and ideas and concepts that interested them.  When even those individuals were saying, “man, it’s like it’s not even possible to participate fully in DEF CON anymore,” and that is what made me a little sad.  Because it’s true.

Then I was fortunate to have a bite to eat on Sunday with my wife and one of our friends, Elissa Shevinsky.

As we dined at The Palm (Bruce and Wozzi’s place where head chef Kiko Ojeda does a really fine job creating everything save for the crab and romaine salad) and sipped cocktails, Elissa was quite chipper.  “I had a really successful time this weekend,” she pointed out.  “I had five top priority things to see and do, and I checked each item off that list.”

In that moment (as ridiculous as it may sound, such a vague platitude this is) her words really hit me.  For years, my philosophy at DEF CON has pretty much been “do absolutely everything… and then some.”  I would stop by every Village, try my hand at numerous contests, get to every party for either a brief appearance or stay to close the room down, and on top of all of this I was running multiple contests, events, and often giving talk presentations in Villages and/or on the main stages.  For me, any time I went up to my room at DEF CON, the Fear Of Missing Out™ would kick in almost immediately and I would steel myself with another whiskey and dash back to the elevators, eager to get downstairs again and on to the con floor.

I can’t do that anymore.  None of us can.  DEF CON is simply “too big” now, we admit to ourselves.

But Elissa’s theory works, even for those of us who have a list as long as our leg of stuff we would like to do and see.  The solution?  Prioritize your list… do this well before DEF CON starts.  It’s OK to have a nearly-endless agenda of things you’d like to do at the con, but at this point DEF CON is so massive that your satisfaction should come from successfully achieving your top four or five moments.

Maybe your moments are seeing three talk presentations that looked really interesting to you, spending time in a Village, and then participating in a particular contest.

Maybe your moments are going to a specific party, getting into the SkyTalks room, witnessing Drunk Hacker History, and having two very special dinners with friends you don’t usually get to see anymore.

Maybe your moments are five Goon duty shifts where you feel you’ve made a positive impact on other con-goers’ days.

Whatever your four or five moments are, let that become the standard by which you judge whether your DEF CON was a “success” or not.  None of us can do it all anymore.  It’s ok to still try.  (Just stick with the 3-2-1 rule at all times!)  But don’t let yourself feel down about all that you “missed” because you ran out of time.

If you achieve the four or five moments that you predetermined as your top priorities before you went to Vegas, then that DEF CON can go in the Win column for you.

Well, that’s another year in the books.  I thank absolutely everyone for a terrific and successful DEFCON Shoot!  The staff and RSO volunteers were indispensable and all credit goes to them as well as everybody who so marvelously brought amazing firearms and content to the range for everyone to share.  The cannon made a triumphant return, Joe’s full-auto collection had numerous specimens on site, and plenty of folk got to try a multi-shot rotary drum 40mm grenade launcher!

The theme this year (on badges, decoration elements, etc) was “resistance fighters who fought fascists” and we thought that was quite timely.

So, as always, everybody seemed to have a very good time and it was marvelous to see friends, listen to talks, and watch people compete in challenges like the dueling tree and crypto puzzle (folk are still working on that to see who can win this amazing 80% lower!)

One of the most hilarious moments of the Shoot was when Puking Monkey pulled a “Yo, dawg, I heard you liked cannons… so I shot a cannon out of my cannon!” for everybody.  😀

But one of my favorite parts of this year’s DEFCON Shoot came toward the end of the day.  To tell the story properly, however, we’ll have to reflect upon the conditions at the shoot site when we first arrived.  Many areas of public land which are used for recreational shooting are, as a lot of gun folk will know, subject to awful and unnecessary abuse.  My friend Karl documented as much on InRange TV and plenty of other news reports and anecdotal evidence shows just how thoughtless some firearms folk can be when no one’s looking.

The Indian Springs location (where we shot last year as well as this year) is sadly no exception.  Some bad apples have a long history of going out there and shooting at ridiculously inappropriate targets that make a mess and leave debris everywhere.  This was immediately visible as we arrived and were setting up…

We noticed assorted debris like target backer boards and old metal school lockers.  At least those are either bio-degradable or relatively self-contained and box-shaped items.  Plenty of things were not suited to being targets at all, however.  Mattresses and more, for example…

It’s a shame when folk take old appliances out to the desert because they shatter in so many ways when shot or blown up…

But perhaps the most horrendous offenders are consumer electronics, like TVs.  These not only shatter into loads of bits that will never biodegrade, but they also contain plenty of other materials that are harmful to the environment and require special hazardous disposal protocols for e-Waste when being thrown away properly.

I was very inspired by my attendees and volunteers at the DEFCON Shoot.  Almost right from the start, it was possible to see everyone there taking the time to at the very least police up much of the waste into more organized piles.  (This was as much to aid in the parking of cars as it was simply good practice… and no one had to be asked to do this.  The group of hackers just took it upon themselves without direction.)

In the middle of the day, I looked at the large group of folk (many of whom came from less free states or totally un-free countries) enjoying this public land and getting to shoot guns that they would never otherwise be able to handle… then I looked at the fold of bills in my pocket from individuals who arrived without pre-registering and instead opted to pay cash on-site.

Then I started googling.

There are a number of waste haulage firms in the Las Vegas metropolitan area.  But none of them said they would service a job so far outside of the city, up in a nowheresville like Indian Springs.  Eventually, on the verge of giving up, I asked one fellow very directly, “Look, you said that this job’s distance wouldn’t make it financially feasible… but I fear you may be underestimating this group’s willingness to incentivize you.  Exactly what kind of additional compensation would make this job viable to you?  Tell me a number.”

My jaw dropped when, after some brief consideration and a pause, the owner said it would cost possibly “as much as an additional $150” to come that distance.  I hired him and his crew immediately.

And, sure enough, after the conclusion of the DEFCON Shoot, Dennis and his team lead James and a crew of workers arrived on site and began to police up as much debris and junk as their vehicle could hold.  I told them that I was prepared to pay extra disposal fees for any TVs they could gather and that we’d cover the costs of a full 15 cubic yard truckload.

As the clean up haulers were working, a car from the town arrived and wanted to see what was going on.  (Both years that we’ve come around, locals have showed up during the Shoot itself to say hello and see what we’re about and they seem to generally like us and come to regard the “hacker bunch” as “those people who treat the place well and don’t make a mess” so that makes me very happy.)

But this was a cut above… I hope everyone can be very happy to learn that the locals who arrived offered thanks over and over again for the work being done in the area.  They commented on how much better it looks… and they remarked that they’d never seen anyone go to the effort of cleaning it up before.

Thank you all who came, who shared, who taught, who learned, and who made all this possible.  I’ll see you next summer.  For now, enjoy the rest of DEF CON!

Hey, everybody.  This is just a quick post about something that any one of you can build in order to make a fun and engaging lockpicking contest suitable for running at a bar or other meetup where there’s drinks on the menu.

Some of you have seen the deep and detailed build I did when creating the “Booze Box” which has appeared at hacker cons and been a source of fun and a challenge to those who want a chance to win free drinks.  But, let’s be fair, that was a huge undertaking.  No one else is likely to build something like that.

Here’s a super easy way to make a small, portable version of such a contest!

1. Buy a bottle of Booker’s Bourbon.  It comes in a nice wooden display box.

2. Drill a small hole (3/8″ diameter, i’d recommend) in the top of the box, approximately 1/2″ from the lip, as indicated in this image.

3. If you wish, you can sand the outsides of said box in order to remove the Booker’s logo and marketing silkscreening.  Then, if you want to, feel free to stain the box in whatever color you desire.

4. Either modify the original plexiglass front piece or laser cut your own new replacement piece (so that it is free of any marketing logos, etc) to a size of 12″ x 3⅝”

5. Now you have a box that can contain either a pint glass, a wine bottle, or a whisky bottle, etc.  And the application of a padlock can “secure” that resource until someone liberates it by picking the lock.  If they succeed, they either win the right to fill their glass for free or they can claim the bottle inside, etc. The game lends itself to very fast resets and reloads, and of course can be adapted to whatever degrees of difficulty you wish by simply changing out the padlock.     

Good luck and have fun!

“You can’t write endless laws and expect to prevent every crime.  All it does is reduce liberty without actually stopping criminals.”

“We live in a free society.  Everyday we have opportunities and chances that others can only dream of… and the price we pay is the occasional tragedy.  I and many others accept that price, when the alternative is a nanny state like England or Singapore.”

“Personal responsibility and rugged individualism are the pillars of who we are.  We cannot expect anyone but ourselves to watch out for us or lord over us.”

 

All of these quotes are more-or-less verbatim, and they come from many conversations I’ve had over the years with fellow hackers, friends, and family.  The conversation is sometimes about guns, sometimes about drugs, sometimes about freedom of speech or thought.  I’ve probably advanced something of the above thoughts in various contexts as often as I have heard them from others.

 

The Hackers on Planet Earth conference, from its very beginning, has been a magical place where the line between organizers and attendees has always been blurry.  Sometimes this grey area has stemmed from the way that attendees and bystanders so often pitch in to raise banners, stand up activities, and fix technical glitches.  Other times the “leaderless” nature of HOPE has manifested as a blind eye turned to shenanigans and pranks that would bring quick reprimand at other events.  I have experienced more interesting conversations and made stronger and longer bonds with others at HOPE than perhaps any other event over the years, all-told.

 

This recent weekend in New York City, however, we all experienced the downside of what can happen at a semi-anarchistic event where almost anything goes and where it often feels that there’s no one at the wheel.

 

I expect that almost all of you have by now read the assorted coverage of how the HOPE conference was descended upon by a small but willful cadre of instigators / alt-right / fascist boys whose mission was to infiltrate the event and cause disruption by harassing attendees and attempting to intimidate and stalk some of the speakers.  If you haven’t seen the details there, Unicorn Riot were among the first to report directly from the scene of the event.   That piece is mostly accurate, and additional coverage from Motherboard took a more measured tone but conveyed no less concern over the failings of the organizers, the staff, and the community as a whole at HOPE. There was also a later article up on The Parallax by Seth Rosenblatt.

 

You can take time to read the news if you haven’t yet already.  (Or, if you’re a patron of the terrific Violet Blue you can check a recent Patreon entry in her Cybersecurity News feature for the bullet.)  But what I’m writing here will not be about the incidents of disruption at HOPE this year as much as it will be about what I would have hoped to have seen in response.

 

Love all, Hack all

 

The HOPE conference has adopted a Code of Conduct that, while not the most comprehensive and explicit that I’ve ever seen, is remarkably in-line with their community values and conveys both support for the airing of diverse opinions while also expressing (with near-ironclad language) what is ostensibly a strong commitment to preserving diverse voices and guarding the dignity and safety of individuals in attendance… especially people who may be marginalized or more easily preyed upon or pushed out of mainstream positions of acceptance.

The HOPE CoC urges everyone to “step beyond prejudices, societal norms, and other perspectives that lead to disrespect for people and groups” and expresses explicit support for people of all ethnicities, gender identities, etc.  The CoC states that HOPE does not want “any [attendee] to feel marginalized or intimidated” and calls out a number of specific behaviors that will be considered a violation of the event’s rules, including “stalking, following, harassing photography or recording, disruption of talks or other events, inappropriate physical contact, or unwelcome sexual attention.”

It may be difficult for some to look at a document such as this and square it with the fact that a posse of MAGA-hat-wearing alt-right shitbags could have wandered around the Hotel Pennsylvania with what appeared to be total impunity, at liberty to harass or intimidate conference-goers.  But a closer look at the history of HOPE and the east coast hacker scene (particularly in New York) can shed light on this topic, I believe.

 

The Power Was Inside You All Along

 

To truly know and understand the east coast hacking scene, it is possible that you need to have experienced hacker events in New York, Philadelphia, or Pittsburgh in earlier years.  Better still would be a history of attending the parties or crashing at the spaces and homes of various hacker collectives in the mid-Atlantic region.  I can recall gatherings on the rooftop of the Hacker Halfway House in Brooklyn or PumpCon or even down in DC… occasions when most of the best things happened without explicit authorization because folk simply seized the moment and made coolness happen.  Whether by slipping a maintenance man at a hotel $20 on the side in order to unofficially have a meeting room or by “happening upon” a source of electricity nearby a pool to set up a DJ’s table… many of us were simply accustomed to asking forgiveness instead of permission.

A lot of this mentality still percolates through the hacker scene in NYC.  A classic example of this at HOPE could be seen with regard to the “signage on the floor” near the info booth.  For those unaware, there were some raised eyebrows early-on in the conference regarding a message that was written on the floor using masking tape.

While it encouraged attendees to read published information before asking questions with obvious answers, the brusque delivery of such a message had some folk taken aback.  And one can admit, while the sentiment is something with which most hackers would agree (learning on your own is better than immediately asking for help before you’ve even tried) the manner in which this was being expressed was somewhat uncharitable.

When this was pointed out to the con, their response was a distinct non-response.  What unfolded was very characteristic of HOPE… they didn’t immediately move to address the concern, but at the same time they didn’t stand in the way of others who eventually chose to edit the sign themselves.   When @ystvns & @dbateyko knelt down and rearranged the tape letters to spell out something different and more constructive, they weren’t stopped by security or reprimanded by event staff.  Quite the contrary, the official HOPE twitter account sung the praises of folk who took it upon themselves to remake their environment in a way that better suited them and their needs.

This is part of what makes HOPE special.  They show true support for the hacker ethos of “if this thing isn’t working for me they way I want, I should find out how to change this thing!”  And that’s great… with regard to modifying technical systems, options for cheap food, or how to play your music at a party.  Where this kind of thinking no longer really works at large events has to do with security of the group.  For context, there are many hackers (particularly at HOPE) with deep roots in both the punk and Burning Man communities… such folk are familiar with places where groups self-police from top-to-bottom.

The punk shows of my native Philadelphia in the 80s and 90s serve as an example here.  I can recall being in the basement of the Unitarian Church or the TLA on South Street… when white pride skinheads would show up and try to crash the concert, seldom did the crowd wait for event security to deal with them.  Fists and elbows were thrown in the circle pit until the fascists understood that they weren’t welcome and had to get the hell out.  Scans of some very old photos of mine illustrate this point…


a lead singer admonishes fascists and encourages the crowd to stand up and protect one another.

 


circle pit immediately in the aftermath of a fight.  assholes were forcefully ejected from the venue.

 


group unity and principles of relying on one another to be safe and be strong are reinforced by the band

 


another anti-fascist / anti-racist band reminds everyone that we have to look out for and protect one another

 

 

But the past is the past.  Try that today and what do you think would happen?  I guarantee you it would result in two things:

  1. Both the racists as well as the regular attendees would be ejected and wind up next to one another on the same curb outside
  2. Instead of just taking a punch and going home, the interlopers would call police who will respond and, quite likely, side with the proud boys

 

Burning Man, too, has a strong philosophy of self-reliance and self-policing.  Burners in the hacker world might take a similar view of how to handle intruders.  They value immediate participation and principles such as civic responsibility and communal effort would likely have some folk thinking that the ideal of “if you see a problem, step up and try to fix the problem!” would apply even to security threats, not just faulty art installations or people who need more water.  Indeed, the head of HOPE’s security detail (a venerable member of the Burning Man crowd) expressed such a notion to some of the speakers and attendees who were inquiring why event security wasn’t implementing the Code of Conduct more directly and immediately.   Here, we see Roadie responding to two women who stated that they observed harassment and that reports the community made to staff were not acted upon.  When one event speaker, Gus Andrews, acknowledged aloud that, “There is a need for somebody, hopefully someone with the spoons to handle it, to take point on the Code of Conduct,” Roadie shot back later that day with an exasperated-sounding, “OH MY GAWD! That person should be YOU. Why defer and hope ‘someone’ will do it? If you have better ideas don’t you think you should share them and help the process get better?”

Permit me to assert that, while this is a fine viewpoint to have during the rest of the year, when people are all at their desks and have the time and the spoons to put in such efforts, it is a rather unhelpful comment during the actual event.  Attendees who came to NYC expected to spend their energy, time, and resources participating in the con, not fixing the con or protecting others who needed to stay safe.  I, frankly, do have the energy and willingness to work on this matter (which is why I’m planning to engage with the organizers and staff if they will have my input) but that doesn’t mean I feel great about missing out on more than half of the event because I spent time escorting LGBTQ folk around the con floor or walking speakers to and from their hotel rooms when they were being stalked and harassed.

During the event itself, the organizers and the security team could have done much more to become directly involved in the safety of the participants and speakers instead of waiting for the attendees to make the first move and report problems, urge action, etc.  The HOPE official twitter account announced on Saturday afternoon, “Anyone who’s a nazi, preaching hatred/racism or harassing someone will be booted from @hopeconf.  But you have to let our security team know!”   Again, this illustrates the wildly differing views that the organizers had compared with the expectations of attendees when it came to security proactively engaging with the alt right crowd who crashed the party.

Ask yourself, would you expect this kind of public statement from a major league baseball team if a loud, angry drunk was running amok in the upper deck of their stadium during a game or from a rock concert venue if someone was setting of fireworks in the aisles during songs?  Yes, attendees should report problems to event staff… but the event itself should also have a significant enough presence on site and they should be in direct communication enough with their HQ and Dispatch so that their staff can step in before things get bad enough for attendees to have to complain en masse.

Which leads directly to the next point…

 

Why Speak Up When There’s No One Listening?

 

The other side of the equation of the “attendees need to step up and take responsibility and report problems to the conference so that staff can handle them” argument (which, as mentioned above, isn’t quite the best position to take in the first place) is the (one would think obvious) need for said staff to appear receptive and helpful in the eyes of the attendees.  Yet – as we saw from multiple statements by many of the people at HOPE – a lot of the blue-shirted staff members at the conference reacted to reports of problems by the alt right trolls either by (a) informing people that they had told the “wrong” staff members and directed them elsewhere or (b) by actively shutting down reports of problems with pushback that ranged from “that doesn’t fit the definition of harassment” to “did you do anything to provoke them?”  This, in my view, was the biggest issue where HOPE did not meet the expected standard to which the community was rightfully holding them.

By now (especially if you’ve read any of the above-linked articles or twitter threads from people who were in attendance) you are aware that many individuals described interactions with HOPE staff members that left them shocked over what was seen as gross insensitivity toward victims attempting to report problems or what was interpreted as distinct camaraderie between certain staff members and the very instigators from the alt right who were causing trouble.

I’m not here to complain about the fact that HOPE security forced one German kid to return a MAGA hat which he snatched off of the head of one of the alt right trolls.  Physical actions, unwanted physical contact, and theft of personal property are all bright-line, clear-cut transgressions of any reasonable Code of Conduct and event rules.  I agree that HOPE did the right thing in returning the stolen property.  If this makes you stop reading, feel free.  Please see the cashier in the ticket booth at the top of this page for a full refund of your internet dollars that you spent to browse my blog.

What I and others most certainly are pretty justified in being shocked and appalled about, however, is the fact that many reports have surfaced of HOPE staff members speaking with dismissiveness or outright disdain to the attendees… and HOPE staff members being visibly chummy (or even laughing over drinks off-site) with the individuals who arrived intent on causing problems.  That is not OK.

Any event of this scale should have staff who are trained in even a cursory manner about how to interact with attendees (particularly attendees who appear to be in a crisis situation or who are attempting to solve a problem that’s troubling them) with respect.  Staff should be trained how to see things through a lens of professional detachment and how to avoid the perception of taking sides or being biased.

I have personally listened to the audio recording made by Unicorn Riot reporters while they attempted to describe problems taking place upstairs to staff, only to be hushed and dismissed… and part-way through that conversation Koosh arrives, very loudly hollers at everyone, and proceeds to assert that any iconography (including Nazi apparel) is fine at HOPE, according to him.  This as well as other accounts from different attendees who had similar conversations are going to be hard for HOPE to manage, given this tweet… because I do not think that Koosh or other staff members are personally to blame for such interactions.  They were under tremendous stress and were not equipped with a playbook and guidance from leadership before this event kicked off.

I personally watched Bernie S – a staff member who is older, is a cis het white guy, and is over 6’ tall – aggressively talking down to a near-tears trans woman who was all of 5’4” and weighed maybe 115 lbs soaking wet with rocks in her pockets.  I kept stepping back since I wasn’t directly in that conversation and I was trying to be polite and maintain a respectful distance, but his increasing volume levels resulted in my repeatedly overhearing what was being said.  Bernie is a long-time friend of mine.  He is a terrific hacker and event runner.  But he should definitely not have been put into a position where he was interacting with victims.

Currently I am not aware of any single HOPE staff member (including individuals on the Code of Conduct team) who had any professional training in Incident Management, Crisis Intervention, or Victim Assistance.  Diverse groups – everyone from NOVA to the DOJ – has training programs that are available, often online, for this kind of education.

While most staff members appeared to simply be un-equipped with the right tools to do emotional triaging and take statements in a neutral and supportive manner… there were a minority of HOPE staff (particularly on the security team) who appeared to be outright antagonistic to attendees with concerns.  I have already mentioned above the widely-disseminated photos of HOPE security staff sharing laughs and beers at Hooters with a group of the disruptors.  It doesn’t matter if these people are legitimately your friends in real life… at the con, when you are event staff, you are obliged to adopt a neutral and unbiased posture if you wish to convey to attendees that you have their safety and well-being at heart.

This is to say nothing of the ongoing conversation that was taking place all weekend via IRC / SMS-IRC which was full of HOPE staff members and their associates blatantly speaking ill of the event attendees and speakers.  A small sampling of such chatter includes…

<recoXXXXXX> Who else is in the room with the traitor giving the talk?  [the “traitor” being Chelsea Manning… the invited keynote speaker who reported large men who tried to corner her and who followed her back to her room, only to be told by event security that they would not kick out the individuals who were known to be causing havoc at the conference]

<ch0lXXXXXX> I think I will some wear nationalist t-shirts at defcon this year.

<ch0lXXXXXX> I should have kept my swastika tat.

<licuXXXXXX> maybe some trump challenge coins would be good for the lulz

<lameXXXXXX> Its all the fucking trannies causing shit woth their fucked up hormone levels and frahkle psychiatric state

<recoXXXXXX> Please force add (XXX) XXX-9274 chelseas-dick

<mathXXXXXX> Wow look at all you mofos not helping clean up hope

<recoXXXXXX> Get the coc crew to help

<recoXXXXXX> Since it’s their con according to them

NOTE – I’m redacting the names here because I cannot personally verify a primary source on that IRC chat log dump.  But more than one person who allegedly was participating in (or was force-added to) the chat has acknowledged it took place.  I will let internal HOPE investigations make their own determination of veracity there.

Disrespect for speakers, attendees, or fellow staff members makes an event look disorganized and chaotic.  Again, to be totally clear… I think that everybody has the absolute, unquestioned right to hold whatever views and beliefs they wish in their own head and in their own heart.  My criticism here is not about that.  However, an event most assuredly is not out-of-line if they opt to instruct their staff (especially their security team) that when they are working and representing the conference, they are obliged to maintain a respectful and neutral attitude and decorum.  I mean, can’t you keep hatred and bullshit like this in check for just one bloody weekend?  Anything less than this, the attendee base as a whole begins to question whether the event has everyone’s best interests at heart.

 

The Right to Be Anonymous

 

HOPE may be one of the last remaining events with what used to be the universal photo policy at all hacker gatherings.  Explicitly stated in the program and reinforced verbally by staff if someone is breaking this rule, the HOPE conference values the privacy and anonymity of their attendees to such a degree that the working rule is “do not take crowd shots, and do not film or photograph individuals if they do not consent to being filmed.”  That is solid doctrine, in my view.  It’s harder and harder to enforce (both in terms of how covert many cameras are nowadays and also due to changing societal norms surrounding the use of camera phones, social media, etc) but HOPE has held to this policy for ages and I salute them for it.

However, on at least one occasion of which I’m directly aware (and I have anecdotal but unconfirmed accounts of others) some of the alt right infiltrators either reported attendees filming them to security (in an attempt to have the regular attendees disciplined / thrown out) or they outright threatened other attendees in regard to being filmed.

I personally witnessed HOPE conference staff engaging in team debates about how to handle such matters.  (Again, the staff members involved can hopefully confirm that I was not trying to eavesdrop and that I repeatedly backed off as I waited to speak with them.  It was clear that they were engaged in heavy discussion and it wasn’t my place to be a part of that conversation… but for as much as I stepped away, voices kept raising and I inadvertently overheard parts of what was being said.)  I recall one distinct conversation between CoC team mebers as they seemed to agonize over the language of the photo policy when one of the MAGA-hat wearing provocateurs reported another event attendee (a speaker, in fact) for “filming him without consent.”

I stood by, dumbfounded, as they tried to dissect the situation and figure out whether this filming was a violation of HOPE’s event rules (they appeared to decide that it was) and then determine what remediation action was going to be necessary.  Again, hindsight is 20/20 and I’m going to try to word my thoughts in a supportive way that doesn’t come across as Monday-morning quarterbacking… but any event policy that prohibits photos should be naturally understood to not prohibit documentation of specific abuses or problems if the person doing the filming explicitly demonstrates that they are doing so in order to report an issue.

Group / crowd photos or harassing photos when someone says “don’t film me” which then get posted to Facebook or Twitter are naturally something that I support HOPE in working to prevent.

Covert photos of harassment or fights or other evidence of incidents which someone then privately shares with organizers or with authorities at the hotel in an effort to stop a problem are not at all something that I think should be prohibited.

 

You Can’t Define Good Faith… But You Know It When You See It

 

The above-described problem illustrates exactly what was so insidious about the alt right infiltrators and agents provocateur at the HOPE conference this summer.  Dedicated and well-prepared trolls have a specific plan for their actions.  They know exactly where the line is and they take great care to not cross it.  Instigators like the MAGA hat crowd whom we saw at HOPE had a playbook and they kept to it like well-rehearsed professionals.  They successfully weaponized the conference rules to their own advantage while catching the rest of the attendees with their guard down.

And here is where we see just how important it is for event staff to have the freedom to use their best judgement in edge cases.  Let’s say you’re walking down 7th Avenue near the Hotel Penn one night and a stranger approaches you.  They aren’t doing anything that is outright illegal, but your spider sense tingles.  You are pretty sure that they’re up to no good and that you are maybe being set up for a mugging or for a street scam or something else undesirable.  Everyone should pretty much understand that you are under no obligation to keep interacting with them and that no one would blame you if you want to get away from them.  So you cross the street or you quicken your stride… and perhaps are met with some string of objections from over your shoulder as they protest that they “weren’t doing anything wrong!” and so on and so on.  But, let’s be honest, you knew that they were up to no good and you took the proper steps to protect yourself.

Conference events have this same right.  An attendee who is disrupting talk sessions (but not going so far as to make actual threats) or following women down hallways (but never actually getting close enough to touch them) or getting directly in someone’s face (but not actually pushing them) knows exactly what they’re doing.  They are playing “within the rules” but finding ways to still make others feel threatened, unwelcome, or unable to participate in the conference.

This is nothing more than a grown-up version of the immature little kids’ nonsense of “I’m not touching you!” in the backseat of a car.  Yes, technically the person is “following the rules” but (and here’s the key thing) they’re not acting in good faith.

In such a hypothetical family road trip scenario, what happens next?  Does anyone honestly know of such a situation wherein the parent in the front seat would ever adjust their rearview mirror, look at what was happening, and then simply proclaim, “Well, Chris, they’re right… Sam honestly is not touching you!  So there’s nothing anybody can do about it.  Sorry!”

Of course that’s not what would happen!  The parent would whip their head around, scowl at the misbehaving child, and sternly say, “Knock it off, Sam!”  Why?  Because the parent can easily see what presumably the HOPE conference leadership was unable to discern for an entire weekend:  that it’s possible to “follow the rules” while acting in bad faith.

Let me be very clear: Bad faith attendees have no place at an event.  They are not there to learn.  They are not there to participate.  They are not there to better the experience of others.  While it may be true that such individuals are “following the rules” it is completely reasonable for event staff to take a proactive stance and confront them.  How would such a possible interaction be handled?  Allow me to quote from an actual example script that I offered to someone during the weekend of HOPE.  (This tactic was not employed, but it’s an example of exactly what I would have said to these instigators had they been at one of my events.)

 

Security: “Pardon me.  Can we speak with you for a minute?”

Troublemaker: “Yeah, what’s up?”

Security: “So, we noticed you wearing a lot of Trump symbolism and being very loud and full of bluster around a number of people here.”

Troublemaker: “Yeah, I’m very passionate about my political views.”

Security: “Well, we’ve been getting some complaints about that, and folk are alleging that you’re intentionally just trying to cause trouble and sow discord.”

Troublemaker: “What damn snowflakes said that?!  I’m not doing that!  I’m just here to attend the event.”

Security: “Oh, ok… So you’re not trying to start fights or anything like that?”

Troublemaker: “No way, man, not at all!”

Security: “Wow, that’s a relief.  You had a lot of people worried and asking for you to be removed.  I’m very glad to hear that you’re not here to cause problems or harass anybody.  So then let me tell you how this is going to go…  There are specific individuals at this event who have been targets of harassment campaigns.  They have no desire to speak to you.  I’m going to make sure you understand who they are, because you are going to not approach them or speak to them in any way.”

Troublemaker: “Uhhh…”

Security: “To be clear, you said you’re here just to enjoy the event and not cause a problem, right?  People who do not want to speak to you are not obliged to speak to you.  And if you keep trying to speak to them, we consider that to be harassing behavior and you will be asked to leave.  Similarly, if any other attendee at any time decides they don’t want to talk to you and tells you ‘don’t talk to me’ you are not to speak to them.  Or else you will be asked to leave.  So, if you are truly here with no intention of causing any trouble or getting anyone’s face and pressuring them speak to you when they don’t want to, you’ve got nothing to worry about.  But if any of these individuals reports to us that you’ve spoken to them or sends us photos of you coming anywhere near them, then we’ll know you can’t follow simple rules.  You just told me you weren’t here to cause a problem. If you can follow the rules, I will believe you.  If you cannot follow these very simple rules, then I will not believe you.  And you will be asked to leave.  Now, if you think this is going to be too hard for you, I am happy to go get you a refund right now if you think this event is not for you.  So, are you going to show me that you can be a grown-up, not cause trouble, refrain from speaking to people who have said they don’t want to speak to you, and not approach anyone who doesn’t want you around them?  The choice is entirely up to you.”

 

You may criticize me and say that this would be putting the MAGA-hat wearing alt-right group into a “no-win” scenario.  To say this is to miss the point entirely.  These infiltrators put all of the attendees and the conference as a whole into a no-win scenario.  Calling them out on their bullshit and giving them the choice of…

  1. behaving as expected (shocking everyone in the process)
  2. getting the fuck out

… is the only appropriate course of action, in my view.

No amount of “that’s not fair” being screamed from the backseat of a car should change a parent’s mind when they’re dedicated to disciplining an unruly child.  And no amount of butthurt from some proud boys on /r/theDonald should make a conference waver in their dedication to ensuring that their event runs smoothly and their attendees feel safe and able to enjoy themselves for the reason that they all came to town.

Matthew Garrett put it best on Sunday after much of the shenanigans by troublemakers at HOPE. “Conferences are under no obligation to represent the community as it is,” he wrote.  “Conference organisers get to choose to represent the community they want to see.  If your conference attendees are repugnant, you bear responsibility for that.”

 

 

Specific Suggestions and Actionable Advice

 

This massive brain dump was something that I felt compelled to do, but if we are serious about improving things for the future, perhaps it’d be best if I were to distill my thoughts down to some specific suggestions:

 

  1. Security staff are mostly seen controlling the outer perimeter of HOPE. At the base of the escalators or at elevator landing on the 18th floor you can reliably encounter staff shirts and security engaging with folk, checking badges.  However, there were many talk tracks where security or even staff presence seemed virtually non-existent, save for an A/V person or two.  Likewise, out on the main con floor on the Mezz level… security tends to gather at their dispatch desk, but was only infrequently seen walking around and getting a pulse of how the event was flowing.  That is a posture for being reactive, not proactive.  Please considering bringing on additional staff whose positions would entail being seated in talk tracks up by the stages, looking out at the crowd, and reporting regularly to Dispatch on the state of things in the rooms (not just security things… but even stuff as mundane as “A/V badly needs a replacement power strip” or “the water coolers are all empty in here.”)

 

  1. HOPE should acknowledge (indeed, anyone running an event should acknowledge) that organizers and staff have an absolute right to confront someone who is perceived to be a jerk or causing problems. Furthermore, HOPE could acknowledge that they absolutely have the power to take proactive steps and head problems off at the pass.  I wrote as much during the event, suggesting that organizers should step in and give everyone present (regardless of their politics or beliefs) the immediate choice to remove hateful iconography or leave.  HOPE did not agree with my assertion, replying to attendees’ concerns with the curt (and inaccurate) statement, “We can’t ban MAGA hats. It’s absurd to think we can.”  This twitter thread shows much of the debate seen on all sides of the issue.

 

  1. Please do not take criticism of your event as though it is a personal insult leveled at you directly. I genuinely fear that my decades-long friendship with individuals such as BernieS may be irreparably damaged after this past HOPE event.  I witnessed Bernie replying to many attendees and speakers with a level of ire and contempt that would normally be reserved for persons who had called someone’s mother unkind names.  I witnessed other staff members treat attendee concerns as though they were playground squabbles, offering Judge Judy-esque “don’t bother me with this nonsense” kind of replies.  It felt like some of the senior staff were taking these criticisms of the event personally.

 

  1. I believe many of these problems would be ameliorated if there were individuals on staff who had been afforded the benefit of professional training in crisis management and/or victim advocacy. While this doesn’t have to be something that every single staff member takes the time to do, department heads at the very least would be well-served by it.  And, most of all, at any given time of the day or night there should be at least one trained person on shift in the role of the official attendee ombudsman who is there to interface with people who are having major problems, to do emotional triaging, and to advise security or event management on what the next best steps to take would be.

 

  1. Part of such foresight and preparation involves tabletop planning. Think not just about the expected scenarios but about the worst-case scenarios.  We have witnessed time and time again how the HOPE security staff excel at being positioned and prepped for exactly the kind of awful, unexpected events that take place occasionally when you combine unathletic hackers, plenty of recreational substances, and a hotel that was seemingly constructed before the notion of OSHA or general principles of safety were ever invented.  Indeed, this year when one attendee had an awful accident on a Segway, his life was quite possibly saved thanks to the quick effort (and, equally important, the training and planning) on the part of HOPE security staff.  Tawnie and others worked to maintain an open airway, stop bleeding, and coordinate with emergency responders.  Unfortunately, it seems that the CoC crew was put into a very hard position given their newly-created status and what (I’m so sorry to say) appears to have been an over-abundance of optimism.  This is clearly seen, I believe, in this tweet exchange, wherein a con staff member asserted that part of the difficulty this year stemmed from the fact that the HOPE conference “had no idea that any of this would happen.”  I have a hard time wrapping my head around that.  HOPE has always been a political event.  They have always courted and danced with controversy.  And this year, amid what is arguably the most tumultuous political climate that many of us can recall in our lives, they invited one of America’s most controversial figures to be a keynote speaker.  Forgive me if this sounds abrupt, but the event simply cannot claim that they had no way of knowing that some people may have had a problem with this.  I am trying so very hard to speak in a supportive way about the event staff, especially the Code of Conduct team, given what they were put through.  I hope that my feelings for all the staff were conveyed properly when I stepped out briefly and returned with armloads of gifts in the form of chocolates, fruit, crackers, protein bars, hand lotion, lip balm, Aleve, and NERF guns in the hope of helping them manage stress in the face of everything.  My support for the staff remains, but I feel that it’s disingenuous for the conference to say “how could we have known?” when all this was said and done.

 

  1. More than anything else, I would like to see the HOPE Conference empower their staff to make their own best judgement calls in situations where the organizers are not present or not reachable or whenever exigent circumstances arise. As I mentioned here, I had a remarkable conversation with Doug, one of the HOPE staff members who was running A/V during talk sessions.  He explained that as news started to surface that alt right trolls were attempting to disrupt talks by taking over the Q&A sessions, one of the concerns on the part of some members of the A/V team who were running sound was that they were “worried it might happen in a talk track where [they] were working.”

 

I asked what he meant by this.  I inquired if he wouldn’t have simply cut such a person’s microphone if they started to spew vitriolic hate speech.

 

“But how could I know if I’m allowed to just cut their mic?” he asked me in reply.  “Do I have that kind of authority?  Would HOPE come down on me for stifling free speech?”

 

I responded to him simply, “If not you… who?”

 

So, yes, it felt to me that there was very little in the way of empowerment from the organizers regarding how to handle these situations.  No instructions were given and no preparation of the staff appeared to have taken place in advance of what just about anyone could have predicted was going to be one of the most controversial HOPE events yet.

 

I asked Doug, “What if someone at the Q&A mic just started using the n-word or shouting ‘Kike!  Faggots!  Spicks!  Fuck you all, goddamn commies!!’ or encouraging people to smash things?”  I said, “Would you have put a stop to that?”  He said yes, he would have.

 

So, hopefully, perhaps we could agree that it was indeed his place and within his power to regulate the room when that’s needed.  When asked how he could know where the “line” was, I simply said… “You’re a decent person.  Trust your gut and listen to your heart.”

 

If someone is acting in bad faith and not making an honest attempt at dialog, then they don’t deserve the whole room as their audience.

 

I’ll conclude with another hat tip and head nod to the venerable Burning Man element in the hacker community.  Without individuals who know how to pull together grand, life-changing things on a shoestring budget and very little sleep, many of the cons we all love to attend would simply not happen.  But there will continue to be a tug-of-war between the Burners and the more “mainstream” citizens in hacker land.  This manifests at many events.  A dear friend and key figure at a number of cons is Scotland Symons… and she and I have had more than one discussion in the past about another magical and biennial hacker event: ToorCamp.  Being a Burning Man veteran, Scotland is always keen to see ToorCamp operate using constrained resources that encourage attendees to do more with less and plan ahead so they can see to their own needs for a week at the very edge of our nation’s boundaries.  She and I might debate the merits of trash collection services on the campground, however there’s one element of ToorCamp where self-reliance is never the order of business: attendee safety.

Anyone who attends can reliably expect to be in a safe environment, free from harassment or abuse.  That is not up for debate or discussion and efforts to ensure this are never farmed out to anyone except the event staff.  And with everyone secure in the knowledge that their basic safety is taken care of, the attendees at ToorCamp are free to cast aside their concerns, their inhibitions, and often their clothes as they teach and learn and talk and create amazing technology and art.

When you agree to stay on someone else’s turf, certain things are “amenities” or simply “nice to have” while other core needs are understood to be guaranteed and functional.  Let’s say a rock band who had been on hiatus for a long time decided to get back together and travel to a luxury cabin in the mountains for some secluded time that would afford them the opportunity to write new music and lay down new tracks.  They’d have little grounds to complain if there was no delivery food service or decent phone reception.  But if they found that the power was out or they were asked to fix the plumbing in order to cook or take a shower, then they might start to object pretty loudly.  “We’re paying you to be here!  How can you not have basic utilities functioning?” they would ask.  The cabin management wouldn’t really have reasonable grounds to respond, “Well, think of how empowering it is for you to discover all the ways that you can manage for yourself under these conditions!”  While such a test of will and skill may indeed be rewarding to some individuals, that wasn’t the goal of the band’s time away.  They wanted to collaborate on art, making new music, and they hadn’t planned on wasting much of their precious time doing maintenance labor.

At HOPE this year, I missed out on many magic moments.  I didn’t get to attend a number of talks I’d been super excited to see.  I didn’t get to say hi to many of the friends I encounter so rarely these days.  I didn’t get nearly enough sleep.  This is because I – and many others with me – spent so much of my time chasing down problems, intervening in tense situations, escorting speakers to their hotel rooms, and looking after my staff of volunteers.

I very much hope that next time around in 2020, the event staff and security will be positioned for a more proactive approach to potential issues and all of us who attend HOPE will once again get to dedicate all of our time to participating in the wonderful magic that exists there without having to look over our shoulders for troublemakers looming in hallways with undeserved confidence they won’t be kicked out the moment they rear their heads.

 

Post Script 1 – For those of you who I’ll be seeing two weeks from now as opposed to two years from now, it looks like DT and his whole crew at DEF CON are totally spun up on this issue and ready to confront any alt right interlopers, head-on.

 

Post Script 2 – I penned a feedback email to the HOPE Conference organizers summarizing some of the thoughts above and offering effort and help for them if they wished to do some things differently or better in the future.  It was dispatched to their official feedback address as well as personal addresses of some of the senior conference staff with whom I have regularly corresponded in the past.  No response was ever offered in return.

 

Post Script 3 – One of the conference organizers mentioned in this blog post tried to call me.  I texted him and he began immediately asking me for a phone call.  Since I had reason to believe that the conversation being attempted may not have been in good faith, I explained that I preferred any conversation to remain written, either via SMS or email.  My friend from HOPE continued to pressure for a voice call, in defiance of my clearly-expressed boundaries.  The conversation wound up not taking place.