An Observation of our State of Affairs
Friends, firstly, I thank you for taking time to read this; what I have to say will be communicated will be in a conversational format, because I feel it's all time we have a serious talk. As the title suggests, I plan on staying as objective and subsequently neutral, not use terms that compartmentalize groups of people such as “SJW” or “White Male Privilege.”
We've lost the hacker spirit, we've lost sight of what we use to be as we've all gotten older. I am disheartened to see genuine and good people on both sides of the table begin to create a rift and divide in the community over the actions of other individuals. What I hope to outline is how I feel how we got here, some non-named community examples (you'll be able to infer who it is if you research hard enough) and hopefully a plan that both the community, conferences, and attendees can engineer and adopt.
In order to understand how I've arrived to my opinion, I'd like to explain a little about my background and life's experiences, so that you may be able to understand how I've arrived to the conclusions I'll later explain.
I joined the hacker community when I lived in the South in the mid 90's; like so many others, I danced madly on the lip of the volcano of what is legal vs a Terms of Service violation from an upstream provider. However I've never meant any direct ill intent. My moral compass was derived from the Boy Scouts, where I became an Eagle Scout. I had an educationally challenging childhood, that included lots of bullying and observed at an early age as to what happens when a community attempts to police itself.
On the topic of police, I also work in a federal law enforcement agency, and have so for almost a decade. I've seen the best of humanity, and the worst; more frequently, I see the worst because we go after the worst. It gets to me sometimes… I see flashes of horrific videos and images from a variety of events on occasion when I'm alone with my thoughts. I'm not asking for a hug or pity by disclosing these experiences. I chose this job to help people and to give back to society… to catch the monsters in the closet.
What we all recognize is that growing up is hard, everyone takes a different path, and some folk never quite find their way; in all cases, this is fine to some degree. Being a legal adult is different from being an actual adult; making the hard choices now for a better outcome in the future is one of the pinnacles of those lessons. But even folks who are adults by day, at events such as our conferences, become children by night. This is unfortunate, and I've spoken to many people to gain insight into their experiences in our community. Good people make mistakes, and bad people keep getting away with bad behavior; combining the two, I feel, is a disservice, but more on this later.
We do have monsters, and it's time to address how I feel we've allowed them to grow and become part of the hacker community.
Having been to many hacker conferences since my first Hackers On Planet Earth almost over two decades ago, I've seen a reoccurring theme from legal advisors and hackers alike: don't talk to the police.
Big names and heroes in the community have echoed and championed this position, and law enforcement agencies have opened themselves up to criticisms of “attacking the hackers” for decades. The position of don't talk to the police used to be limited to the context of "if you're a suspect," but it has now turned into "don't talk to the police, ever."
This position has also gained popular momentum from what I feel is increasing public awareness regarding police brutality and abuse of authority that have made national attention. This has created the environment in which victims of abuse have nowhere to turn for support.
Over the last year and a half, we've seen one popular anonymity community battle with this very problem. A predator exists in that community that has been able to successfully isolate victims from obtaining support from law enforcement… by re-enforcing fears about law enforcement. Those events are tragic, especially for the victims, because now they have no legal recourse and the predator may continue their abuse (and by some accounts, still does).
Every community our size has monsters; we're not unique in this situation.
From abusive family members, predatory clergy, opportunistic politicians, and more… people are going to be people and eventually make bad decisions. But we're hackers. We pride ourselves in not being like the others.
However, if I may borrow from the famous and inspirational words written by The Mentor's Hacker Manifesto, "we're just damn kids, and all alike."
We're adults, legally, whether we behave like it or not. And as our community has grown recently, we've stopped being all alike. Out of an effort of trying to address situations and problems that have arisen within our community, we've drawn hard lines in the sand of "you're with us or against us."
We've become fractured. We've become just like the immoral, unjust, and discriminatory people we so vehemently despised when we were kids. Furthermore, we're setting a bad example for the next generation who is soaking up every word every hero tweets, blogs, or boasts.
Let's all hit the pause button, take a breath, take a walk, don't hit "send", and objectively address our elephants in the room.
Legally, there is a spectrum of assault and harassment. There are definitions and they are important to explore and understand.
What I plan on discussing now is how the community could better handle our monsters, in order to expel them. Other huge events, especially sporting events, could serve as models… for identifying organizer responsibilities, for analyzing how they can handle misconduct, and for understanding how better and healthier interaction with law enforcement my help us confront and expel our monsters.
In no particular order, I have a suggested list of behaviors everyone could use as a baseline so that we don't entangle ourselves in narrowly-scoped Codes of Conduct, thus creating word-gamed loopholes that the predators will continue to exploit.
Much like everyone has heard in their Human Resources Training Videos, this form of non physical assault can manifest itself in a variety of forms. In law enforcement, they teach us that documentation and de-escalation are important objectives when confronted with adversarial situations.
Bullying is one form of this, but is not illegal; saying mean things is still protected speech from government action, however there are times in which it can cross the lines. One of those is when you tell the individual to stop, clearly and articulated, and they continue the contact. This is where documentation is important. If this happens at a conference event, it should be initially handled, I feel, by the conference staff, who absolutely have the right to unilaterally remove someone from their private event. If harassment happens online, then block/unfollow/document the iteration; if it continues, report it to the police, every time. A conference can help with this escalation, since those wishing to report something to law enforcement may face logistical hurdles and having the full support and backing of a larger event can help an individual with this.
If you are ever asked to provide documentation to a conference, please do not send the raw events you experienced. Please send the documentation the police have written about it where it includes their own letterhead. Not everyone is a lawyer or a detective, and it can be hard to distinguish what is what in terms of paperwork. A complaint and a report are two separate things, and we certainly shouldn't forward accusations in intimate details to event organizers, as it will turn into rumors, hearsay, and other negative community artifacts that we experience right now.
If the harassment involves one person touching another, report it to the police. I cannot stress this enough. Forwarding the documentation to a conference legal contact (see below) is also a terrific step, in terms of establishing a written record of what has transpired. If there is paperwork with the appropriate letterhead, then there are clear and articulated ramifications that must kick in.
Conference & Attendees Responsibilities
Conferences have the expectation of providing a physically safe environment for their attendees, and attendees have the expectation of behaving at a minimum in accordance to the conferences outlines Code of Conduct. These expectations have been taken advantage of by bad actors on both sides, and this needs to stop.
The scenario is that we're all excited to see each other when we get into town. We're family… but sometimes we're a dysfunctional family. If we then add alcohol, drugs, and other events as a catalyst, the worst comes out… just like those awkward Thanksgiving dinners where the one quiet, racist family member does the something where everyone gets quiet and drops their forks on the plates (ya'll have that too, right?).
Event staff owe it to the attendees to be models of good behavior.
If you're staff… be the model, be the mentor, be the leader. Do NOT party, get drunk, or become a problem; you're setting a bad example.
Attendees… stop taking advantage of the conferences, playing word games to excuse bad behavior, and being generally reckless. Our community – our family – does have some substance abuse problems and we become our own worst enemies because of our addictions. I'm not advocating sobriety, I'm advocating responsibility; if you see someone who has had too much, help them. If you're on the receiving end of that, don't get upset or embarrassed; recognize someone is trying to help you because they care about you. People behave in our conferences in ways that they wouldn't at home, work, or other social events; it's time to stop being abusive with each other. This way, we can better identify the real elephants in the room who are the people who continue this behavior no matter the circumstance.
There should also be a better mechanism to intake, acknowledge, track and memorialize transgressions that aren't resolved peacefully between adults in conferences. In Infosec, we call this “incident response.” I recommend that conferences have two email addresses created: legal@some-con and complaints@some-con.
Legal@some-con would be the account used by attendees to send, far enough in advance as possible, any legal documentation in which would prevent another individual from attending the conference. This is the place to send appropriately letter headed documentation. Please, do not send details as to why or what happened that lead to the legal outcome.
Complaints@some-con would be the account where non-criminal grievances could be memorialized between one or more parties. Sometimes people just need a mediator to work out indifferences, but now it is memorialized and recorded. No conference would be able to state ignorance of the event, as they would have a record and process for intake. A complaint record number should be all it takes to share with another event, so that once again, details aren't shared but the outcomes could be; or that the appropriate individuals could share the right information to be able to explain their conclusions that lead to action or non-action.
Much like there is a spectrum of harassment, there is a spectrum of monsters. On one end, there are merely coarse, abrasive, harsh, and irritating people. On the other end, there are the true monsters who should be expelled and have their day in court.
For the first category, my previous advice of ignoring them still holds true; some people have personality quirks that won't ever and/or can't ever change. They're human. It's up to the community as to how to handle these individuals, but my suggestion is to make them irrelevant to the point in which their contributions back to the community are meaningless compared to what real hackers can bring to the table.
As for the true monsters, I am observing that our community is attempting to expel them, but we're going about it in the wrong way which has led to most of the fragmentation I observe. Involve the police; make it an actual legal problem. Help make the world around you better by getting a monster not just out of our community, but recognized as one by future communities that they will eventually interact with and where they may potentially continue harm.
Our community has had predators since the beginning, even ones that were celebrated as heroes in the origins of hacking, as they “crunched” their way through networks. We, as a community, missed opportunities to self-correct the situations that would later plague us. We would mock or joke about the situation (even make posters about people watching you poop), or spread the colorful rumors about individuals meeting in conference hotel rooms, or worse. We're human, we're all at fault. But also, our community is a lot bigger than it was, is evolving and has another brand new generation growing up in it.
By having reasonable debate, we can address the same problems many other communities have encountered.
We can do better than the rest of the world. We can gain control of our core values again. We can restore trust in one another.
After all, we're all alike.
P.S. Thank you to the many friends who went over this with me (@dntlookbehindu) today. If you/’re okay as being named, let me know. Due to such a polarizing topic, I/’m not sure many folks are comfortable putting their names on something like this. One contributor who has agreed to be recognized is Deviant Ollam (@deviantollam); thank you sir for your assistance in smoothing out my thoughts.