Patching exploitable communities

Content note: sexual assault and abuse.

The problem

A few weeks ago, T̶o̶r̶ ̶f̶i̶n̶a̶l̶l̶y̶ ̶f̶i̶r̶e̶d̶ ̶J̶a̶c̶o̶b̶ ̶f̶u̶c̶k̶i̶n̶g̶ ̶A̶p̶p̶e̶l̶b̶a̶u̶m̶ Jacob Appelbaum resigned his longstanding position at the Tor Project. He’s been a missing stair for a good long time. The many, many people he’s abused have for years quietly issued warnings about how dangerous he is, but have been afraid to speak out publicly. Some came forward within Tor, but were ignored and retaliated against. Powerful gatekeepers and authority figures defended Appelbaum. The social dynamics of this community aided Appelbaum’s abuse, but nothing excuses our silence.

Then Shari Steele took over as Tor’s executive director. Brave people were willing to speak to her. She investigated. She acted. I’m sure there’s plenty more to discover. Following this watershed moment, many of Jake’s victims felt safe enough to come forward. Some understandably chose to remain anonymous. Some, like Isis Lovecruft, Alison Macrina, Leigh Honeywell, and Nick Farr, decided to do so under their own names. I have nothing but admiration for the people who have come forward. I am lucky enough to call some of these brave souls my friends. I absolutely respect the choice to remain anonymous or to associate their account with their name. I will always believe those who report abuse, whether or not they choose to use their name.

Other organizations and communities where Appelbaum once operated with impunity have disavowed him: The Cult of the Dead Cow, Noisebridge, the Freedom of the Press Foundation, Debian, and (eventually) CCC. There’s plenty more to see on that front. Hopefully, this will help deprive Appelbaum of the status and legitimacy that he uses to find, groom, coerce, and silence his victims. I just wish it had happened a few more victims ago.

The fix

All of this is a fire-drill response to an exploit which should have been disclosed & patched years ago. Appelbaum is just one piece of malware. Adding his signature to our antivirus database doesn’t fix the underlying vulnerability. Appelbaum wasn’t the problem, he’s just the latest and most visible symptom. This CVE doesn’t come with a bespoke logo and a fancy homepage, but it will still wreck your shit.

The problem is that our communities are super broken. Cults of personality, hero worship, rock-stars: call it what you will, but we have a social dynamic tailor-made to be abused by charismatic sociopaths like Appelbaum.

Fortunately, Valerie Aurora, Mary Gardiner, and Leigh Honeywell have written a patch. Here’s the changelog:

You should listen to them. They’ve been working really hard to design, test, and implement these fixes since before you knew that there was a problem. This will not be easy. Communities are more and harder work than code. But this work is doable. Now: go put it to work in your community.

Tom Lowenthal