An Open Letter
Information Security has always been a meeting-ground for bleeding edge issues at the crossroads of technology and society. We’re no strangers to some of the darkest parts of humanity finding expression through modern technology. Whether it’s the elderly being defrauded by advanced social engineering scams, the drug trade being imported to the Internet, or child abuse imagery being transferred over TOR. We as a community have been able to navigate these issues with a moral and ethical compass that isn’t required in many other industries.
But there’s one issue where our morality has consistently failed us — abuse accusations.
Understanding The Nature Of Abuse
It’s hard enough for us as humans to understand the small things if we haven’t experienced them ourselves. For instance, it would be almost impossible to describe the purest thrill that comes from getting your first strike in bowling, or why enjoying a warm cookie straight out of the oven is always better than one that cooled off overnight if you’re talking to someone who has never experienced either of these things.
It is then easy to see why navigating bigger issues with deeper implications like domestic & sexual abuse can be so hard to understand for people who have never been in an abusive situation with someone close to them. With this in mind, let’s consider an example of how a public accusation is often made.
“X forced themselves on me at <insert con name here> two years ago.”
Questions that are often asked:
- Why did you wait so long?
- Why are you doing this in such a messy, public way?
- Why didn’t you call the police?
- Why don’t you just lawyer up?
All of these questions make sense to ask if you don’t have the context of an abusive situation yourself, or can’t empathize with the kind of circumstances abuse victims often find themselves in. The answers to these questions can be reasonably complex and are, strictly speaking, none of our fucking business.
What difference does knowing that a sex abuse victim waited two years to come forward because they where afraid of how their rapist might retaliate make? How does knowing that they only recently found the courage to speak about it publicly fundamentally change the nature of the accusation itself?
How would knowing that the victim was aware of an “epidemic” of untested rape kits which led them to not go through the painful and often fruitless motions of calling the police materially change your (ultimately) irrelevant opinion of the accusation that has been made?
We are people who professionally understand how grim the world can be. We can’t afford to be this naive about the fact that abuse in all flavors exists, and it can be done by and against our closest friends and family. We cannot hold it against the abused if they felt that the only recourse they felt they had was to take the issue public.
“Drama, Drama, Drama”
Lest I be accused myself of being a proverbial “drama queen”, let me tell you that I would much rather be doing basically anything else right now. As I write this, I have a draft for a long-overdue FOIA walkthrough sitting in an adjacent tab begging for me to complete it. But priorities are priorities, and this is an important enough issue to address directly.
One of the complaints I tend to see most often in our circles when an accusation is made is something along the lines of “ugh…here comes the drama again” or if you like your criticisms with a more sexist spice to them, “this is what happens when you let women <in|speak|fuckin’….wear pants…|whatever>.” And yeah, accusations are disruptive. That’s true.
Accusations have a tendency to rock the boat, and if there’s one thing we in security don’t like, it’s motherfuckin’ boat rockers. Trust. But you know what else rocks the boat? When some ass hat treats your friends and colleagues like a speed bag. My boat really gets rocked when this abuser then goes on to do it again, and again, while people discuss in hushed tones who to avoid at the next conference. I’ll leave it up to you to judge which is worse.
Believing In Practice
There’s a misconception that believing the abused means trashing the abusers. It doesn’t always have to be this way. There is no playbook for how an individual should respond to a faithful accusation. For some people, trashing the abuser is the right thing to do. For others, rallying around the abused and offering support and protection is the best course of action. Believing the abused only means giving them the benefit of the doubt.
When these situations pop up, there is a doubt. One could argue that in some cases, there is even a reasonable doubt. But when it comes down to who we tend to believe, we have no excuse not to give the benefit of any doubt to the person making an accusation.
“But what about erroneous accusations? What do we do about them?” To this I’d argue that the problem we currently have is not an issue of rampant false accusations. Our problem is abusers getting away with being physically violent toward others, getting away scott-free, and then going on to victimize additional people in our own community. Our friends and family. They need us in these situations and they deserve our protection.
If a hypothetical problem bothers you more than a demonstrated pattern of abuse and violence, neither I nor this essay can help you any further. You might as well save yourself the time and stop reading now.
Burn Your Fucking Idols
We all know the names Jacob Appelbaum, and Morgan Marquis-Boire for all the wrong reasons. Men who were titans in our industry. Both had a very public, and messy fall from grace. But for anyone to say that the infosec community rallied around the victims at any point and demanded justice for the accused would be revisionist history.
Some of their victims pressed for decades against a feverish defense put on by their fans. A determined effort to protect the abusers and shut down the abused. The community response to protecting both of these predators was deeply shameful. We didn’t learn enough from them, and we collectively fogot them too soon. They are not even the most recent predators to be exposed and protected. Only the most well-known.
For a community so proud of our anarchist roots, the hacker diaspora is relentlessly dedicated to holding up our rock stars through thick and thin. We do this because we inherently value some people’s contributions more than others instead of recognizing that every role in security from the night shift on a slow SOC to a freelance code auditor, to a CISO are all vitally important to protecting our environments. All of our contributions are equally important, and all of us deserve equal treatment.
When we invest our time and energy into protecting specific individuals, we send the message that infosec is a monarchy. This encourages and enables those capable of abuse to find victims and suppress their claims.
The bottom line is, we have got to stop it with this golden-child-of-infosec bullshit and grow into the professional industry we’ve all been waiting to see for decades. Everyone is doing cool things in infosec. Act accordingly.
Why It Matters
Decisions in this space sometimes need to be made on credit and reputation alone. In fact, this concept is so important, that it’s often cited by defenders of abusers as the reason why hearing out the abused in the first place is dangerous. “A false accusation could tarnish a reputation irreparably” some say. If this is true, then what does it mean when we are dismissive of a true accusation? What then of our collective credibility?
The work we do in information security is critical to protect innocent people. The phalanx we as contributors represent often means the difference between a breach report and an IPS log. When one of us fails, we all fail. We have no other choice but to look out for each other and consider what it means if an accusation is genuine.
When we don’t take out our garbage and let abusers run rampant, our collective credibility is called into question. This ultimately compromises our ability to be taken seriously by those both inside and outside of our community. When integrity is all we have, standing up for what’s right needs to be our priority. Enabling potential predators in our own ranks cannot be considered a mark of success by any standard.
A Final Word
Standing up to well-known, well-liked abusers comes with its own set of needless negative consequences. Some of those with the strongest voices back down in the face of blistering backlash just for defending the abused. I have personally heard:
- I am a Social Justice Warrior (as if I should be embarrassed of this)
- I am not a “real” hacker (whatever the fuck that even means)
- I am a shit coder (this one is true)
- I haven’t submitted enough CVEs to matter (If you say so, sweetie)
There’s a non-zero chance that I’ll hear some of these pointless and unproductive criticisms in response to posting this essay. But this is all distraction from the central fact that we have a problem.
The only legitimate response we can offer to protect our community’s reputation and our loved ones is to admit we have a problem, and start working to solve it for the ones we walk with now, and the ones who will come after us.
