Skip navigation

Monthly Archives: February 2019

This week started off with the latest round of news coverage dedicated to a story that just won’t depart the headlines within the hacker community: the disgraced Facebook group known as the IllMob.  The story continues to capture attention, receive column inches, and generate discussion for a couple of reasons:

  1. The key ringleaders of this posse have not apologized to their victims but instead have mostly doubled-down in their efforts to self-aggrandize and downplay any wrongdoing.  This has resulted in cringe-worthy tweets.
  2. As professional fallout continues across the industry, some of the group’s other members have sought to publicly distance themselves from the hateful behavior seen in the widely-shared screenshots.  This has resulted in interviews.


This effort to save face or explain-away why many “average nice people” were members of such a Facebook group for far longer than most folk would consider reasonable has ranged from simple hand-waving and dismissiveness (of the “I never really look at Facebook” variety) to more active arguments that could be summarized as “the group was about more than just hate” or “it was a valuable community, and in any community of significant size there will be a few assholes.”

In this vein, many of us saw an article and associated two-part audio interview from Jennifer O’Daniel and Greg Otto of the Securiosity podcast wherein they spoke both to Georgia Weidman (a hacker, author, and business owner whose success has made her one of the IllMob’s targets in the past) and Joshua Marpet (a former long-time member of the IllMob and mainstay at a number of hacker conferences where he volunteers, often in a security role.)


Georgia has been one of the principal targets of the ire thrown around by the IllMob’s most vocal members for some time now.  (Full disclosure: in case you’ve been living under a rock or in a server room in Afghanistan, you may not be aware that both my wife and I have also been targeted by the IllMob in the past, for principally the same reasons as Georgia and other prominent individuals in INFOSEC: frustrated men who feel “entitled” to success that they have not worked hard enough to earn will often lash out at individuals whom they feel have ascended to prominence and power without “merit” and they will seek to tear them down.  So, let it be known, I have also had my share of poorly-typed internet insults directed at me from this treehouse of little rascals.)  Despite being a founder of successful INFOSEC enterprises, a noted author, and a widely-sought instructor in our field, Georgia found herself under fire from this peanut gallery over superficial considerations such as choice of attire at conferences or the decision to partake in cocktails while presenting (at a conference which made it a feature of all talks to present speakers with drinks.)

Georgia adeptly points out in her Securiousity interview that much of the criticism directed at her was deeply gendered (men in our industry are seldom criticized for their attire or for drinking alcohol, even at company events) and she did a pretty comprehensive job of summarizing the challenges that many women and other under-represented groups face when one of their ranks begins to achieve success in INFOSEC.  Her whole segment on the above-linked interview is rather on-point and leaves little wiggle room for those who would seek to defend the bad behavior of immature guys lashing out with misogyny and hate.

Georgia offered additional summary of her specific thoughts for inclusion here, as well, and I’m happier letting her speak in her own words…

The DerbyCon shut down post was written in a way that caused the people who had previously pointed out bad behavior to be attacked with a “women ruined our fun” Gamergate-like narrative.  The DerbyCon founders could have simply said they were focusing on other endeavors and moving on; instead they (seemingly purposefully) incited a riot.

I tweeted, as hundreds of people did in response to the shutdown, about my own past DerbyCon experiences.  I, like so many others, was simply commenting on their decision to shut down.  IllMob put me at the center of this conversation, not me.

I was surprised when a journalist from Motherboard asked me to comment upon what was being said regarding the IllMob.  This is not the kind of thing I want for my media highlight reel nor is it the kind of thing that helps me as a consultant, an author, a speaker, a trainer, or a startup founder.

I’ve been attacked by these people before and I’ll undoubtedly be attacked by them again.  But this isn’t really about just one conference shutting down.  When I reach out to new potential business contacts, I sometimes get unsolicited dick pics rather than new business.  I’m still asked to meet potential business partners at night at their hotels (and no I can’t bring my advisor) and if something happens it’ll be my fault because, “What was I doing alone with him?”  These are just some of the many ways there are double standards and barriers holding women back.

It’s not just DerbyCon, it’s not just IllMob, and it’s certainly not just “drama”.

We’ve got to change our industry (and our society).  That we are now talking about these kinds of things publicly instead of hiding them in dark corners is actually progress.  And treating everyone with dignity and respect is just good business.  At the end of the day, we all just want to learn new things and do great work.  We shouldn’t be distracted by the actions of a few bad actors.  But we also shouldn’t tolerate them just because we always did in the past.

IllMob put me at the center of this conversation, not me.  But I won’t shy away from it, I won’t be intimidated, and I won’t be silent.


And yet, in a perhaps-misguided effort at innocently attempting to offer “balance” in their reporting, Jen and Greg sought out an additional voice to provide an alternate take on the IllMob, the end of the DerbyCon conference, and how people confront hate among their professional circle of peers.  It is unfortunate that often when journalists strive to air opposing viewpoints they frequently wind up selecting two participants who do not have the same standing… but the resultant media segment portrays a false equivalence.  (How many times have we seen a report on “Climate Change” where one half of the broadcast features a researcher from NOAA with a doctorate in atmospheric science who has read all the peer-reviewed data and the other half consists of a guy in Iowa with a snowplowing business, standing next to one of his trucks saying, “Look at all this snow!  So much for global warming, eh?”)  But search they did… and Securiousity introduced IllMob member Josh Marpet as a voice to provide a counter-point against all of us who have been critical of the hate and harassment which originated in that Facebook group.

Josh was brought on (in a separate segment… he and Georgia did not interact directly, which was probably wise) and he offered a variety of thoughts that, I must say, failed to adequately address the elephant in the room, in my view.  (Full disclosure: Josh and I are both from the Philadelphia region and are both hackers of a certain age, so we came up together in this industry.  We knew each other well and we saw each other regularly at hacker gatherings when I lived back East.  Hell, I attended his wedding.  We have lost touch over time, and recent revelations about his remarks to the IllMob concerning my wife and I have put much greater strain on our friendship… but I still reached out to him and offered him a chance to review what I planned to publish here and am affording him the freedom to offer brief corrections or rebuttals.)

Josh attempted to explain why many people who are otherwise decent and friendly would have remained as members of the IllMob Facebook group in spite of the hatred being thrown around by its most prominent participants.  He offered what has become something of a major talking point these days:  “The group was a resource for interesting information.”

If some of you are seeing unfortunate parallels to the old chestnut, “It’s about ethics in video game journalism,” rest assured, you are not alone in those thoughts.

I would like to counter Josh’s assertion by politely challenging him (and anyone else who has offered this as a defense of their membership) to please provide me evidence of any clear-cut examples when ground-breaking information was available in the private Facebook group that wasn’t being widely-covered and distributed elsewhere.  Please.  If it was so interesting, then this group must have resulted in some of you generating notes/logs/screenshots or something more that you kept because they were germane to projects you were inspired to research.  Someone, anyone, please send me evidence of even one thing that was so earth-shatteringly cool that you saved it.  I personally tend to save over 100 threads per year from the 303 Mailing List where I am a member and participant.  (Full disclosure: does the 303 Community have its share of inappropriate chatter?  Sure.  It tends to be of the “buttlol” comments and “loldongs” replies nature.  And if someone says something that is honestly hurtful or punches down in an attempt to be funny… there are honest, immediate social repercussions.  People have left the 303 list over such disagreements.)


Every Village Has An Idiot

Josh admits that this “great informational resource” had a bad element, however.  “Everyone knows at least one idiot in their friend group,” he asserted in his interview segment.  Yes, of course this is true.  My eyebrow does not raise if someone is found to have a less than perfect friend.  My spider sense tingles, however, if people fail to push back against their friends’ idiocy.  Whether your idiot friend is doing something that only has the potential to harm themself (“Dude, don’t try to ride your new unicycle through traffic!”) or they are doing something that can have ramifications for the group as a whole (“Come on, man… juggle your fire stick outside… you’re gonna burn down the house!”) we are all accustomed to having to get someone back in line when they’re being stupid.  Intervening when someone is doing something colossally stupid is the act of a friend.  If you don’t step in, who will?

What I want to know is: where was this type of kind intervention among the IllMob?  There are those who claim that they spoke up against the hate.  Really?  Then why did it continue?  Why was this an ongoing theme of the Facebook group?  Clearly, either they didn’t speak up very fervently, or the people attacking this whole community refused to listen and reflect.  And at that point… the million dollar question: why have them as friends at all?

“Everyone knows an idiot in their friend group,” may be a true assertion that Josh made.  But it’s a significant stretch to turn that into, “Everyone knows an idiot in their friend group who won’t listen to reason and whom you don’t really try to correct because they’re irredeemable but you just keep them around forever anyway.”  Far fewer people could agree that this second sentence is normal or proper.


Do I Just Leave?

But let’s assume for a moment that Josh and others in the IllMob did do their level best to correct the deeply antisocial and maladjusted behavior of the worst offenders.  Even if that was the case, clearly it did not have a positive impact.  The hate continued.  “Am I supposed to abandon the group because of a handful of people?” Josh then asked his interview hosts.  My simple answer to this rhetorical question would be: “No.  You aren’t supposed to abandon the group.  The group is supposed to abandon the assholes.”

Unless, of course, the head asshole is literally the head of the group.  Leadership sets tone in all organizations.  I feel almost astonished that this point has been glossed over or ignored in so much of the coverage of this topic.  The “handful of assholes” away from whom the bulk of the “respectable” members have done their best to distance themselves included the founder and admin of the whole group.  It also included a couple of other very prominent voices in INFOSEC.  This wasn’t a couple of no-name bozos with 19 twitter followers between them… the very name of the group was the name of the lead misogynist and internet troll among them.

Or, as I put more succinctly while joking on twitter

Assertion: “Look, all I did was eat my lunch with 500 other workers at this spot down the block where we all hung out to chat. We talked shop. I had no idea folk off in the corners were into dog fighting! I don’t support that!”
Rebuttal: “Dude, your lunch joint was literally named The Michael Vick Bistro.

The interview hosts kept returning to this question repeatedly throughout the interview, never to receive a satisfactory answer.  “That was the absolute edge cases,” Josh repeats.  The host pushes again later, asking, “When someone goes that far, however, then aren’t they no longer part of the group?”  Seemingly making my own argument for me, Josh simply replies, “Why?  Are you the admin [of the group]?”  And that’s the key point, isn’t it?  It wasn’t “some jackass” who was “out on the margins” causing a few problems.  Leadership sets tone.  The founder was the lead voice of harassment.  The call was coming from inside the house.


Drama Llama

After that in his interview, Josh made the point with which I take the greatest umbrage.  And not just when he said it… when anyone says this.  “There’s always going to be some kind of drama.”

You know what?  I am goddamn sick of that word.  I’m utterly fucking tired of it.  First of all, I should say that I roundly and wholly reject the argument being made.  I’ve been at loads of fun and awesome events that ran smoothly and I have known communities and families that were well-adjusted and happy basically all the time.  Values of respect and affirmation and tolerance and assumption of good intentions go a long way toward making that happen.  But beyond the logical fallacy of his argument, I am disappointed that Josh is one more person who loves to over-use the word “drama.”

When something awful happens to you or someone you care about: it’s trauma.

But when something awful happens to someone about whom you don’t care: it’s drama.

(All credit and thanks for that phrase go to my marvelous wordsmith of a wife who crafted that rhyme and it stuck with me ever since)

I believe you can use the word “drama” as a barometer for how much the speaker cares about other people.  Labeling something as “drama” packages up a whole litany of dismissiveness into a nice “get lost” cocktail for the party who feels that they have been wronged.  Calling them a “drama queen” not only conveys your distaste and disinterest to the principal party, but it is also a powerful in-group signal.  Slapping the label of “drama” on something serves not just as an insult but also as a warning to the rest of your peer group: “Do not engage with or sympathize with what is being exhibited over there.  We as a group do not value that person and their interests.”  By referring to the women who reported harassment at DerbyCon or the criticisms of anti-LGBTQ hate being thrown around the IllMob as “drama” I fear that Josh is participating in that cycle of dismissing and minimizing others’ concerns.  Bizarrely, Josh also included incidents of over-indulgence with alcohol or people experiencing medical episodes at cons as “drama” when discussing this term during his interview.

Maybe I do not fully grasp what Josh means by the use of this term.  But I certainly know how people who hear it feel: like they shouldn’t intervene even if they want to, and like they should simply go away if they were the one who spoke up in the first place.


A Roadmap with No Street Names

“So, looking back at DerbyCon,” asked one of the interview hosts, “do you think there was anything that could have been done to save the conference?”  Josh considered the question.  During the brief silence that followed, I honestly wondered if he would have offered real solutions such as “kick out the harassers” or “set the tone from the top.”  Josh has a background in law enforcement / corrections and he has leadership talent.  He knows about getting people to comply, securing an environment, and commanding others.

“Sure, there are things that could have been done,” he offers.  “Absolutely something could have been done [to keep DerbyCon running],” he asserts.  And then… he proceeds to not name one. single. suggestion.  Go ahead and listen to his interview segment again (jump to 1:09:25) if you don’t believe me.  I’ll wait.  Josh speaks about opportunity costs and calculations.  He imagines DerbyCon continuing to run for years into the future.  But he offers absolutely zero solutions.

The hacker community has been offering solutions for ages. There have been endless talks about this on Twitter and in Slacks and on forums and across blog posts.  Other conferences have tackled these problems as they grew and implemented these solutions.  But Josh, much like DerbyCon as a whole, simply couldn’t seem to find the way to set the right tone from a position of leadership… or bring themselves to cut ties with harassers.


Talent Begets Taunting?

To their extreme credit, the interview hosts seemed to become increasingly frustrated with the avoidance and non-answers being offered.  “That’s something of a cop-out, though, isn’t it?” Greg asks at one point.  When pressed for what, deep in the recesses of the most hateful members of the group, could have been driving their horrible behavior, Josh advances the theory that, “highly-skilled and talented people will look down on lesser-skilled people.”  This is, of course, total horseshit.

In my experience, the most fully self-actualized and capable people tend to be happy in their work and eager to do right by the rest of the world.  It is the unsuccessful individuals who wind up causing the bulk of the friction in most social groups, as far as I have seen.

The acclaimed author is a joy to be around.  The jerk who couldn’t get his manuscript published is angry at the world.  The popular artist is a joy at parties.  The failed playwright is rude to the barista at the coffee shop because they look too chipper.  So it was with the IllMob… the bulk of the hateful comments were seen to be coming from middle-class white guys who, while sometimes capable of holding down regular jobs, have never really measured up to others and who by-and-large would deal with their feelings of self-dissatisfaction not by examining what they could do to improve themselves as individuals but rather by attacking “other people” whose success they felt was “undeserved” and not merit-based.

Talented people look down on the untalented?  Maybe in your world, Josh.  But not in the one I’m trying to build.


“We Fought the Good Fight”

Individuals who were an active part of the IllMob but who want to distance themselves from the hate being thrown around in that group have taken to acknowledging the bad behavior of its worst members (including their founder) but are quick to remind people that “the rest of us pushed back” against this negativity.  Would you like to know why I believe that neither Josh nor pretty much anyone else in the group offered a full-throated push back against the assholes?  Two simple reasons:

  1. The group didn’t change
  2. Josh and others weren’t kicked out of the group


Make no mistake, anyone who has seen a toxic community like this one was knows that those are the only two real outcomes if “good” people are serious about fighting entrenched hatred or misogyny or transphobia.  If a group of people are really deeply dedicated to fixing things, they will either conquer the hate or die trying.  By dint of the fact that Josh as well as the other “500 members” of the IllMob were still enrolled in the group right up until the Motherboard article and mass exodus/great purge… I feel it’s rather clear that none of them “pushed back” against Will and his top cronies very much.


Doing Our Part to Make Change

Ostensibly frustrated that they weren’t getting satisfactory or clear answers about the problems with the IllMob, the hosts pivoted slightly and asked Josh about how we can all try to improve our industry as a whole.  After a somewhat meandering start to his answer, Josh focused on the topic of “making availability of knowledge more extensive” so that it is “easier for people to get into this industry” and “grab opportunity.”  His formula for enabling this goal was elaborated with descriptions of supporting local, low-cost events in areas that are accessible to under-represented groups.  Josh specifically identified minorities, students, etc. as people he loves seeing at hacker and INFOSEC cons.  (There was, alas, no discussion of any specific outreach initiatives, grants, special invites, or cost-sharing programs to boost diversity numbers at such events such as the measures that ShmooCon or BlackHoodie trainings have … but I share his enthusiasm for increasing women and minorities con attendance, just the same.)

But let’s say cons are lucky enough to see attendance from the very kinds of under-represented groups that Josh, I, and most other hackers are hoping to attract to our industry which is hurting for diversity in membership.  While it’s great to have them join us at cons, getting people interested in STEM has seldom been as big a problem as retention of these individuals is.  Maybe Josh simply hasn’t done the reading here… but plenty of others have.  Particularly, the many women in tech who have been invited to sit on panel after panel (by events that seldom made another spot open on their talk schedules for said women to present on whatever actual technical work they’ve been doing) have told audiences this for years now.  The drop-out rate for women or people of color or LGBTQ individuals in INFOSEC is bad and has been trending worse.  That doesn’t get fixed with Legos and free pizza lunches at BSides.  This will only get fixed by deep culture shifts and the addressing of toxic assholes in our community.

Perhaps aware of this intellectual disconnect, the hosts again appear to try to steer the conversation back into the matter surrounding the core problem we all must face: “Why do you think discrimination in the industry and the hatred seen in the IllMob exists, though?” they ask.  “Why don’t more people push back?”  Any answer given to this question that doesn’t touch on the theme of privilege is disingenuous to me.  Literally the answer is privilege … brought about by deep, long-standing ties in the community that some assholes have.  If these people had no community connections, there is no way anyone would tolerate their bullshit.  If a brand new person with no experience in the hacker scene and no industry background showed up wanting to make friends and then behaved like the worst of the IllMob, they would be shunned immediately.  So I was hoping the answer to “why do you think the hatred was seen there” would have some acknowledgment of privilege and the free rein that comes with it.

“Some people are just frustrated,” Josh asserted.

“Wow,” I thought, “Are Josh and I actually in agreement with one another?”

“…Where are people supposed to vent?” Josh continued.

Are you bloody kidding me?  Nobody cares about a guy grousing over a pay raise he didn’t get or someone complaining about a conference that didn’t accept their submission.  No one has said they have a problem with people innocuously “venting” about life’s little frustrations.  That’s fine and normal.  But you aren’t supposed to “vent” about hating women, LGBTQ folk, etc.  If that’s someone’s idea of “venting” then they don’t need to be provided with a safe space to do it.  They need to be told to get in the fucking sea.


Am I My Brother’s Keeper?

Fundamentally, for me, the arguments surrounding the IllMob, DerbyCon, and many other points of cultural friction in our community of hackers come down to disagreement over who should take responsibility for encouraging antisocial people to change.  If someone is reluctant to correct their behavior, then the choice must be made whether to shift tactics from “encouraging” to “forcing” someone to improve themselves.  And, ultimately, cutting them out of your lives if they will not.  These are the same difficult steps one often has to escalate through if someone you care about is abusive, or if they are grappling with addiction.  It’s a very difficult road and not everybody is up to the task of taking on such a challenge in others.  But here’s the key thing: these hard challenges must be faced.  And it is those who are closest to the individuals among us who need help that have to walk this hard road.

To claim that it’s not your place to speak out when a friend is in the wrong is to surrender away your duty to them.

“My sense of right and wrong is not necessarily somebody else’s sense of right and wrong,” Josh definitively told the host.  “Can I tell you, Jen, that what you do is wrong?” he asked.

Yes.  While there are shades of gray and much nuance in the world, society as a whole does share certain broad norms and values.  We all have the right to act as a helper when someone else’s conscience may be shaky.  Angrily telling others they must select pizza toppings that align with your tastes or demanding they use the text editor you prefer or requiring them to listen to the music that you like makes you insufferable.  But telling others that what they’re doing is wrong when they are actually doing something objectively bad and hurting other people in the process?… That’s the act of a friend.

You were wrong, Josh.  All of you who stood by and watched and did not fight back hard enough against the hate were wrong.




NOTE: after reaching out yesterday to Josh at several email addresses I had for him as well as trying his email address at the business he currently owns, I did not hear back.  If Josh replies to me at some point in future, I will still honor my offer to him:  If he believes that he has been misquoted, misrepresented, or mischaracterized in any way by what I have written, he may contact me with corrections.  Minor one-word or one-sentence tweaks I will try to include as marked edits at his request within the body of the main text.  Additionally, I am willing to include a brief paragraph response to appear below the article as a whole.