What happened when the infosec community outed its own sexual predators

Illustration by William Joel

In 2016 I noticed something odd on Twitter — without context or explanation, Andrea Shepard, a Tor developer, had posted a string of random letters and numbers. Some days later, news broke that the Tor Project had cut ties with Jake Appelbaum, a lauded activist and the most high-profile of their developers, in response to allegations of sexual harassment. Shepard tweeted again, revealing that the mysterious message was a SHA-256 hash of the sentence, “It seems one rapist is one rapist too many.”

It was a veiled accusation, one that omitted Appelbaum’s name or the context of his alleged acts — a statement that only landed a punch when lined up next to the Tor Project’s official statement and the many accounts that followed. It could have been a Weinstein moment, but in 2016, his accusers were met with harassment from many quarters. Although Appelbaum had been a well-known missing stair for many years, the moment was a “controversy,” not a reckoning.

In 2017 we’ve moved on from veiled words hidden behind encryption, to victims tweeting out their accounts and naming their alleged attackers. Whisper networks have turned into loud broadcasts, and even — for a brief, disastrous moment — public Google spreadsheets of misdeeds.

This post-Weinstein moment is not just about sex, or gender, but still, almost all of the recent flurry of accusations have been leveled at men and almost all of the victims (with a few notable exceptions) have been women. But we don’t live in a binary world where chromosomes and phenotypes can determine moral propensities. There is nothing inherent in men to make them sexual predators; sexual harassment, particularly of the kind that is being revealed over and over again in this moment, is a systemic cultural failure where men are repeatedly given a pass when they don’t deserve one.

The system is embodied by the Miramax executives who stood by and said nothing; the university departments that allowed their problem men to silently depart and become other universities’ problem men; the human resources staff that discouraged victims from escalating their complaints. The system doesn’t always actively victimize women, but it consistently forgives men where it refuses to forgive those who are not men.

This structure is painfully visible within the tech community: indeed this summer’s infamous “Damore Memo,” a manifesto written by a disgruntled Google employee positing that biological differences make women less suited to computer programming, doesn’t just offer insight into a nasty undercurrent inside Silicon Valley. It also exposes the sloppy science and lazy thinking that men in the industry know they can get away with. Men, especially white men, belong to the tech industry, after all — they are the tech industry. Everyone else has the burden of proving they belong there.

The post-Weinstein moment has left many women pensive and anxious, waiting for the other shoe to drop, waiting for a shaky set of accusations to trigger an inevitable backlash. “One man unfairly fired over a misinterpreted bump in the elevator could transform all of us women into the marauding aggressors, the men our hapless victims,” writes Rebecca Traister. But it’s also left us asking whether anything will change. Is this only a brief window of transparency during which the worst aggressors take on all the blame for what is obviously deep institutional failure? A few dozen high profile men have fallen from grace; the public has read the first-hand accounts of their victims with horror, disgust, and anger — but what now?

Oddly, a corner of the tech sector has produced the most promising sign that the post-Weinstein moment isn’t just a moment — and it isn’t from the corporate sector where sexual harassment is legally defined and theoretically policed by human resources departments. In November, the Verge reported that Morgan Marquis-Boire, a rockstar security researcher, had allegedly raped multiple women, with accusations spanning over a decade. And the information security community — which sports a reputation for misogyny that is egregious even for tech at large — has responded largely with belief and even soul-searching.

This specific shift of values is an important marker in how much things have changed. Information security, as both an industry and a culture, does not only suffer from the sexism that is endemic across many industries, or even the implicit bias soaked into the male-dominated tech sector. The cult of hacking, after all, also valorizes the nonconsensual violation of boundaries. Hacker culture has long placed the onus on the target to not get hacked in the first place — victim-blaming is deeply baked into that subculture’s values. Unsurprisingly, this toxic attitude carries over into the real world. Everyone who’s ever attended DEFCON, the largest hacker conference in North America, has been warned not to connect to the hotel wifi and to bring burner devices to the conference. It’s a rite of passage. But if you’re a woman who’s attended DEFCON, you’ve probably gotten the second, bonus spiel from someone in the know — don’t wear a skirt, don’t stay too late at parties, keep an eye on your drink at all times. If you get hacked at a hacker conference, well, you were warned. If you get raped at a hacker conference, well, you were warned.

That cultural toxicity is all the more troubling given the outsized importance that infosec culture has had for mainstream tech. In 2017, Silicon Valley might be a respectable oligopoly of buttoned-up corporations, but for better or for worse, its soul has long drawn from the weird wild outliers that make up the hacker subculture. The love of moving fast and breaking things is little more than hacker idolatry, and so the quirks and foibles of a tiny subculture infuse the technology that drives the modern world. The legendary hacker and phreaker Captain Crunch used to run with Steve Jobs and Steve Wozniak; Google’s open source strategy is descended from an ideological movement spearheaded by a shambling man with a wizard-beard who eats things off his foot. People like Morgan Marquis-Boire, who worked at Google for many years, straddle both worlds, injecting hacker values into officious corporate policies. HTTPS would not have rolled out across most of the web if chief security officers all over the Valley weren’t also devotees of Black Hat and DEFCON; Apple’s stand against the FBI was pushed along by the ideology of its rank and file.

In information security, as in many other industries where the accused is a prominent figure, accusations can turn into a competition of social capital, and the accused almost always wins out over their accusers. But in this community, giving an accused rapist a pass has often been framed as a moral imperative with four words: “He does good work.” The assumption is that talent is scarce and sexual misconduct must be tolerated for the good of society. Little to no consideration is given to what we lose from disbelieving victims — their technical and social contributions, any future contributions by people who quite reasonably decide to avoid a toxic culture, and even beyond that, the quiet erosion of trust among bystanders. Complicity leaves a stain on us all.

But things are changing. The response to the accusations against Marquis-Boire makes a marked contrast with the response to accusations — ranging from minor harassment to rape — levied against Jacob Appelbaum. Appelbaum’s presence in the public sphere has been severely curtailed, but his career in information security continues — he is currently pursuing a Ph.D. at the Eindhoven University of Technology in the Netherlands, under Tanja Lange and celebrated cryptographer Daniel Bernstein.

“The people that matter will be spoken to, quietly,” Lex Gill wrote in 2016, outlining what has, up until now, been a standard response to accusations of abuse. “They will tell others how it’s ‘destroying him,’ how he’s suffered enough. It’s ‘complicated,’ but they’re not at liberty to discuss. He’ll be kept on payroll, somewhere.”

Almost everyone in the infosec scene that I’ve spoken to has expressed surprise that Marquis-Boire has been universally shunned where Appelbaum — despite his behavior being an open secret for many years prior to the public allegations — was not. “It’s tempting to think that we all learned something from what happened with Jake,” one activist told me.

It’s possible that Marquis-Boire will make a comeback — Appelbaum, after all, is now resurfacing in his old activist circles, entirely unapologetic. But something about the community’s reaction this time feels very different.

Perhaps the allegations against Marquis-Boire were more believable simply by virtue of coming in the midst of revelations across society. And Marquis-Boire was hardly the only prominent figure in infosec accused of sexual misconduct in the post-Weinstein moment: Buzzfeed reported in November that Captain Crunch, whose legal name is John Draper, had been banned from security conferences for sexually harassing young men, sometimes even teenagers.

And the revelations around Morgan Marquis-Boire come on the heels of ongoing stories of sexual harassment in mainstream tech, too. For anyone familiar with the tech industry’s repeated failures around systemic misogyny, Susan Fowler’s blog post might have been shocking but hardly surprising. What was surprising was the lack of doubt in the court of public opinion. If a woman in tech alleges sexual misconduct and discrimination, the first question asked is whether she was slutty and incompetent. Rank-and-file developers are blamed for their own harassment, and even relatively privileged venture capitalists like Ellen Pao are met with ad hominem attacks on their personal character and abilities.

Fowler, on the other hand, was almost universally believed. The surprising public reaction became a watershed moment — weeks later, women entrepreneurs spoke to The Information and The New York Times about being sexually harassed by venture capitalists, prompting resignations and even the shutdown of one VC firm. The entrepreneurs were frank with the press: Fowler had inspired them. Something had shifted. Because one woman had been believed, more women felt ready to come forward.

As more women came forward, well-meaning but unobservant men could no longer ignore sexism as a systemic problem. What was happening to their female colleagues was not individual incidents of bad behavior: it was an indictment of an entire industry. And once they could see that, they were less inclined to doubt women whistleblowers right off the bat.

It’s a big shift, but in the corporate world, things still appear slow to change. Boards of directors, executive suites, venture capital firms, and the ranks of highly-prized technical labor are dominated by men, especially white men. But again, the winds of change are stirring, coming out of the most improbable place: infosec.

Hackers are the soul of the tech industry and the hackers themselves are changing — heroes fall, social capital is redistributed, and sexual predators are the new enemies of the day.

“Who else is there? How many other people do I know are a danger to people in the community? It scares me,” one security researcher told me.

Paranoia runs deep in infosec; it is almost a job requirement. After honing that professional sense of fear against governments and corporations for years, suddenly the sector’s paranoia has turned inward, brought to bear with laser focus on their male heroes.

In a conversation with a different security researcher who had previously looked up to Morgan Marquis-Boire, I reassured him off-hand that it wasn’t as though every man in infosec was a rapist, that he didn’t have to go around wearing a tinfoil hat, worried about all of the secret rapists around him. He laughed bitterly. “It’s too late, Sarah. I’m already wearing the tinfoil hat.”

In retrospect, I wonder why I took a moment to reassure him. Perhaps that came from an inculturated instinct to add “not all men” when discussing sexism, perhaps it came from my own deep desire to put away my heightened post-Weinstein paranoia. Not all men are rapists, but any man can be a rapist, and that’s something I both know and work actively to not know. I’m sick and tired of thinking and talking and writing about abuse, but the national conversation is ubiquitous and inescapable, and despite my exhaustion, it’s about time.

Since autumn, I’ve noticed SHA hashes popping up again across my social media feeds — hashes of men’s initials or sometimes full names. A hash cannot be reversed directly, but if you know or suspect what the input was, you can run the same algorithm over your guess and see whether the result matches. Women describe how they or a friend were harassed or assaulted, and they describe the man in question in vague terms. Then they post the hash, so their friends can check whether they have been attacked by the same man.
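The check described above, as an added Python example that is not part of the original article: one side publishes the SHA-256 digest of a statement, a reader hashes their own guess and compares. The example also carries the practitioner's caveat that the article's mechanism leaves implicit: a bare hash of initials has so few possible inputs that anyone can enumerate them, so a keyed variant (HMAC with a random key, shared only with the people meant to verify) is shown alongside it. The keyed variant and all names, initials and digests here are constructed assumptions, not anything posted by the people the article mentions.

```python
import hashlib
import hmac
import itertools
import secrets
import string
from typing import Optional, Tuple


def commit(message: str) -> str:
    """Publish-side: hex SHA-256 of a UTF-8 string, as the tweets described in the article do."""
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


def matches(published_hash: str, candidate: str) -> bool:
    """Reader-side: hash the guess and compare digests in constant time."""
    return hmac.compare_digest(commit(candidate), published_hash.strip().lower())


def recover_initials(published_hash: str, max_len: int = 3) -> Optional[str]:
    """Caveat: an unkeyed hash of bare initials is not secret.

    Upper-case initials of up to three letters give only 26 + 26**2 + 26**3 = 18278
    candidates, so the 'solution' the article talks about can be found by trying them all.
    """
    target = published_hash.strip().lower()
    for length in range(1, max_len + 1):
        for combo in itertools.product(string.ascii_uppercase, repeat=length):
            guess = "".join(combo)
            if commit(guess) == target:
                return guess
    return None


def keyed_commit(message: str, key: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Assumed stronger variant (not from the article): HMAC-SHA-256 under a random key.

    Without the key, enumeration of short inputs no longer works; the key is handed
    only to the friends who are meant to be able to check their own suspicion.
    """
    if key is None:
        key = secrets.token_bytes(32)
    mac = hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()
    return key, mac


def keyed_matches(key: bytes, published_mac: str, candidate: str) -> bool:
    """Reader-side check for the keyed variant; requires the shared key."""
    _, mac = keyed_commit(candidate, key)
    return hmac.compare_digest(mac, published_mac.strip().lower())


if __name__ == "__main__":
    # Constructed sample: the sentence from the article and placeholder initials.
    statement = "It seems one rapist is one rapist too many."
    digest = commit(statement)
    print("published:", digest)
    print("guess matches:", matches(digest, statement))

    weak = commit("X.Y")  # placeholder initials, constructed for the demo
    print("bare initials recovered by enumeration:", recover_initials(weak))

    key, mac = keyed_commit("X.Y")
    print("keyed check with key:", keyed_matches(key, mac, "X.Y"))
    print("keyed check, wrong key:", keyed_matches(b"\x00" * 32, mac, "X.Y"))
```

The design point is the difference between the two verifiers: `matches` needs nothing but the public digest, which is exactly why it works for a loose network of friends and exactly why it fails as a secret for short inputs; `keyed_matches` moves the trust into who holds the key.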

It’s a step up from the “Shitty Media Men” spreadsheet that went viral a couple of months ago, a means of sharing information that is easy enough among the women who are capable of opening a command line window and running SHA-256 on a man’s name — women who deal professionally with secrets, privacy, truth, and verification. These are women whose technical abilities, whose place in their world, have long been questioned. They have been treated like fakes and posers and interlopers and arm candy. But they are here and have always been here. And when all the bad men who “do good work” have fallen from their pedestals, those women are waiting, ready to inherit the tech industry.