I’m On A List

Note: For my regular readers, this is a post about the information security conference community. If you follow me for articles about startups and management, I’ll return to regularly scheduled programming with my next post.

The last time I flew back to the US, I got an SSSS on my boarding pass. I bought my ticket at the last minute, so I ended up on a list. Again. It took me months to get off it last time. The publication I write for, 2600: The Hacker Quarterly — a technical publication with absolutely no ties to terrorism — was at one time on a Department of Homeland Security list of terrorist threats. The government has all sorts of lists. Some of them can get you killed by a drone. Lists have consequences.

I suppose it should come as no surprise that I’m now being threatened with appearing on a different sort of list unless I immediately come out as an “ally.” What would be considered an ally? Unequivocally stating that I believe women who make sexual harassment allegations against men, I will side with them, and I will totally support banning people accused of — and of course convicted of — sexual harassment from information security conferences.

Actually, it’s very hard for me to have a problem with this ask, other than the way in which it is being made. I don’t know what it’s like to be a woman, but when your hobby is being a DJ, you see a lot of bad behavior happen — enough that I believe women complaining about this sort of thing by default. In fact, I’d go farther; there is more bad behavior than sexual harassment (or worse) in the information security community, and we should probably have a way to address the totality of it with real consequences. What are those consequences? It’s fairly well established that community organizations — in infosec and elsewhere — have a right to ban people who cause problems. If you cause problems in the information security community, you shouldn’t get to be at places like conferences where you are in close proximity to other people and can physically hurt them.

What I personally have a problem with, however, is creating the exact same sorts of opaque, unaccountable lists that the government creates to prevent us from flying, to justify warrantless spying on information security researchers, or to prevent our foreign colleagues from attending US information security conferences. All of us know how real this is. And that’s what we’re really talking about here: some parts of the information security community want to create the equivalent of a secret “no fly” list and/or a “terrorist watchlist” based on unverified allegations investigated secretly.

Having watched my editor, Emmanuel Goldstein, relentlessly dogged by a whisper campaign for years on IRC led by a guy who turned out in the end to be a serial rapist, I just can’t stand by and say nothing while this happens. If we’re going to create lists, they should be public, and people who are accused should have a right to address the allegations in public. Instead, the list is being created in secret. It’s likely to be released by a pressure group at DEFCON this year, and I have been informed to either do as I’m told, or my name will be on it.

Well, my name will undoubtedly now be on it, and if it is, this should make anyone skeptical. The whisper campaign is that I “might be too aggressive in talking to young guys.” This is the standard whisper campaign waged by conservatives against openly gay people — if we’re gay, we’re probably into children and animals too, right? Yes, my last relationship was with another gay male adult who is younger than me, and who also (like me) looks younger than his age. We were together for 3 years. It was an improbable relationship, and certainly unconventional. However, it was mutually affectionate, respectful, and ended not because of age differences, but over more mundane things like career, distance, and the number of hours each of us prefers to spend at 24 Hour Fitness. So, while I have a pretty thick skin, this needs to be called out exactly for what it is: homophobia.

Allies don’t strong-arm other allies into being allies, and they certainly don’t use homophobia to do it. This isn’t right, and I have to push back.

I’ll also get ahead of one issue that is likely to be raised: guilt by association. Like many people who have been in the information security community for a long time, I am undoubtedly associated with people who have (allegedly) done some pretty bad things. That’s unfortunately one of those things that gets people on unaccountable secret watch lists and results in the pizza guy being killed by a drone.

What does associated mean? I am a member (or past member) of numerous information security community organizations, including Queercon (which I founded along with two amazing co-founders), the TeleChallenge (a DEFCON puzzle challenge I founded and co-create), and Infosec Unlocked. I have even spoken at the same conference and been to some of the same community events as Jacob Appelbaum, who has been credibly accused of sexual assault (something I was completely unaware of until the allegations surfaced). Several months after I left a separate, unrelated infosec non-profit organization, I became aware of very serious allegations against another member of the same organization. I’ll publicly state right now that I was as surprised as anyone else in the community to hear the allegations surface, and that I was completely unaware of them prior to then. Additionally, by the time the allegations surfaced, I had already left the board of the organization involved (and ended my association with the individual involved) for unrelated reasons.

Where am I going with this? I can’t in good conscience take things to their logical conclusion: permanently ostracizing people without any recourse from the infosec community based on a single secret unverified allegation where no criminal charges or even a formal complaint has been filed. Some have asked that this be done. I especially can’t agree with blacklisting or damaging the reputation of otherwise innocent people just because they know or are/were friends with a bad actor. Even when we’re talking about people who actually did something that is clearly out of bounds, I question whether — as a community — we have the right set of tools at our disposal:

  • Who creates blacklists?
  • Who does the investigations that inform them, and what are the rules of evidence? These probably don’t need to be as strong as in a court of law, but we need to avoid the “tr0n problem” (context: the smear campaign against the editor of 2600 was led by a disturbed individual using that handle).
  • For how long are people on them and for which actions will they be placed there?
  • Should there be any appeal process?
  • Should the lists be public?
  • Should the accused have the right to face their accusers?

We rushed headlong into creating all manner of watchlists and blacklists and other secret files that can have a massive impact on people’s lives after 9/11. You can be killed by a drone if you end up on the wrong list, even if you’re a US citizen. In the information security community, we rail against this stuff and it’s for a good reason: it is wrong, and it is dumb, and it’s simply not how a free society operates.

So I might show up on a list now. And none of that changes the following:

I am an ally.

I believe you.

I believe in you.

I think we need to do better in the information security community.

Startups are hard. Every year of a conference is essentially a startup. In this context, I can probably appreciate more than most just how hard it is to get things right.

I don’t have all the answers, and I also want to help the community do the right thing.

And if I show up on a list for vague whisper reasons, you should question who created the list and what their motivations are.

Should there be an infosec blacklist? For conferences, probably, but this isn’t the right way to build it. What’s my sense of the right way? Loudly, publicly, and for clear, verifiable reasons. Should there be a watch list? Sure! Conferences already have these. For example, security teams know which guys (it’s almost always guys) regularly get drunk and cause trouble, and because of this, they’re pretty good at intervening before bigger issues can occur. I understand HOPE has a list of people who aren’t welcome. I also understand that if you’re on it, you know you’re on it, and you also know why.

However, a secret list created in secret that is apparently going to be dumped at a major hacker conference, where the subtext is “it’s open season on these people?” That doesn’t sit right with me. The Codes of Conduct circulating around various information security conferences are now being used as a weapon by people who want power and authority, and it is natural (and correct) for hackers to question power and authority. Even when it is about this. Our willingness to question each other — and to question authority — is what makes us different and special, but it’s also why the stuff we build is some of the world’s best and most enduring code. Yes, as a community, we do experiment a lot, but we also tend to think things through before we do stuff that can cause permanent damage.

We’re not really thinking this through. This isn’t right. Done wrong, it can cause permanent damage. Given the history of vendettas and IRC wars in the hacker community, we just don’t have a very good track record around implementing this sort of thing. I am fortunate in that I live a very public life and there isn’t anything untoward in it, so it’s relatively easy for me to clear my name. Others, however, may not be so lucky.

And that hurts the people we’re trying, as a community, to help. If the idea of blacklists loses credibility because of a bad implementation, we’ve just re-invented browser warnings. People may pay attention at the beginning, but a couple of years from now, we’ll be back to where we were before #MeToo.

I’d love to hear your thoughts. This is the start of a conversation, not the end of it. But for now, if you’ll excuse me, I need to file a redress letter with the TSA and try to get off their list.

Epilogue: Occasionally, truth is stranger than fiction. After publicly naming me, the person who attempted to blackmail me was publicly exposed to have secretly been a member of an anti-gay hate group. While the basis for targeting me was unclear, I suspect it was the runaway success of Queercon. In any event, I’m moving on with my life.