InfosecN00bs, Part 1: Press Release

UPDATE 2017-07-29

This post previously stated that @BretMattingly was a member of the leadership of @InfosecN00bs. Just before Defcon BretMattingly stepped away from @InfosecN00bs for unstated reasons. After this blog post was originally published, he took the concerns to @Hacksforsnacks_ and @K_5m00th, who did not want to return funds raised, issue a statement regarding the matter, or take any corrective actions. The fundraiser was done under @Bretmattingly's name because he was being set up to be the fall guy for when everything toppled over.

Original Post

The twitter account @InfosecN00bs has posted an official statement regarding their failed crowdfunding campaign after a few people publicly questioned where the money was being used. The @InfosecN00bs group is run by @Hacksforsnacks_, @K_5m00th.

Official Statement: Part 1
Official Statement: Part 2

To be perfectly clear: This is a press release statement playing damage control. @InfosecN00bs is a group that has solicited money from the community on more than one occasion. Like any press release statement it is important that we recognize this is an organization and not a person going in and keep in mind that ultimately the organization has its own best interests at heart. One would hope that their best interests are also your best interests but that often is not the case.

I will break down this statement piece by piece to assess what it is saying about the situation. I will also talk briefly and angrily about what ultimately led to this statement being released. I will provide constructive feedback on how InfosecN00bs can build a better community in InfosecN00bs, Part 2: Fixing the Problem.

Welcome To The Breakdown

First paragraph: Good on them for refunding. I think they should have taken this step before people started to question where the money went. It was clear with DEF CON a week (or even two weeks) away that their goal would never be reached in time. They should have taken proactive, rather than reactive, approach.

Unless they were hoping people would forget. For now, let us assume they had the best intentions.

Second paragraph: What standards? This isn't a rhetorical jab. I am asking "What are the standards you set for this project? What did you determine a success would be? What were your plans if you failed?"

Refunding everyone is a good start to this failed campaign. But this only happened after doubt had already been cast on them and their motives. This is a reactionary statement hiding behind the language of a proactive statement. So far, anyways.

They try to take credit for starting the "crowdfunding trips to conferences" talk. I saw them place themselves in the conversation being had by professionals. They fought against people providing good points against crowdfunding trips to BlackHatUSA and DEF CON. Due to the large number of crowdfunding campaigns started at the time many professionals in the infosec community were having strong opinions about it. I wrote about my opinions in a previous blog post.
"This is an opportunity we would like to attempt to provide in the future."
I will talk about this in my next blog post.

Third paragraph: They don't try to hide the intent here. They address direct complaints that they hadn't made an update to their crowdfunding campaign for 18 days. This is what gives away that this statement is a reflex, not an action. They could have been playing effective damage control until they said this. They tipped their hand. 
"While this that point is understandable (silence is not a good look for us), we must express our thoughts on the matter: Ascribing malicious or insidious intent to simple inexperience and unfamiliarity is so opposed to the values that make this community great that it should be considered forever unwelcome."
Here are the talking points and my commentary on them:
  • We were silent about the crowdfunding, we understand your suspicion. 
Okay. Yeah. Nothing to say about this.
  • Suggesting we had malicious intent is wrong… 
You are a new group asking for money. An unknown group. A group where the members of your leadership are intentionally obscured, who moderate their community without a code of conduct, and who raise funds on the goodwill of the infosec community without knowing what to do once you get the money.

Questioning you and asking for transparency is the responsible thing to do.
  • … because we're not evil, we're just inexperienced… 
This point runs counter to the apology because it is saying that if you were suspicious - they posted this to clear suspicion - then you are just wrong. How dare you think that we are evil when we just have no fucking idea what we're doing.
  • ... and if you suspect we are doing bad things then go away and never show yourself here. 
That's not very welcoming. Especially since this whole post is a direct response to one tweet in which they were asked where the crowdfunding money went and what was going on with it.

This statement says that if you think they are doing malicious things with the money you gave them that you should not be in infosec because you are toxic. By extension, then, if you ask for transparency you are accusing them of malicious intent and therefore you are toxic and should not be in infosec.

Last paragraph, paraphrased: "In case you forgot, this was an apology. We can and will do better in the future. Just trust us on that."

Conclusion

At what point was this an apology? Go back real quick and read their statement and you will see that they did not apologize for anything. They said they were issuing refunds, and then talked about unspecified standards and undocumented values. The statement was ended by telling people who question their actions that they are not welcome in the community.

This PR statement was a direct subtweet to a few specific people, myself probably included. This post is not an appology and should not assure you in any way that they are going to learn from this ordeal.

I suspect this was written by @hacksforsnacks_, who previously launched a startup company that offered Public Relations services. Damage control, non-apologies, and weightless statements are something that he would have been required to do professionally.

This blog post follows my initial reactions here (thread), here, and here (subtweet).

What next?

So, what now? In my next post I am going to discuss the ways that @InfosecN00bs needs to improve. Even if their leadership doesn't like me I urge them to read it. I promise to offer constructive and actionable criticism about the way @InfosecN00bs is run. I think that this group could do much better if their leadership had a plan and goals, both of which it currently lacks.

Click here to see InfosecN00bs, Part 2: Fixing the Problem.

As an aside...

This official statement didn't address their moderator's behavior. @K_5m00th's behavior. The moderator who I called out for sexually harassing a woman in the official @InfosecN00bs Slack. The moderator who asked me to move the discussion with him to private so he could tell me that I was spoiling his learning opportunity with my tone. The moderator who after being told to go fuck himself for his non-apology and tone-policing posted a piece of my conversation with him out of context to the general chat to try to sway people against me. The moderator who, after reading statements I made on twitter that did not disclose his identity (subtweets) about how his behavior followed typical sexual harassment narratives, liked a tweet I posted expressing my concern that if I called him out on publicly he would try to sabotage my trip to DEF CON. They didn't mention that incident, strangely.

IIt was following my publicly this incident that a few users began stepping forwards with their experiences with @hacksforsnacks_ and @K_5m00th, and some users questioned their crowdfunding campaign.

Comments

Post a Comment

Popular posts from this blog

BlackHat/DEFCON, Part 1: Travel Advice

I recently returned from a trip to Vegas to attend BlackHatUSA 2017 and DEF CON 25. While writing my travel blog I realized that I had a lot of stories, and a lot of travel advice. After working on it a little I decided it would be most useful to post the advice and stories separately. This post will contain all my advice for navigating your first DEF CON adventure. I will share stories in future posts. I am going to jump straight in because I have a lot to share here. Packing Never check bags if you can avoid it. Prevents loss, theft, or mishandling. If you check bags, keep all your valuables on you. Pack light; leave room for treasure. If you plan on collecting lots of treasure then pack an ultralight duffel in your carry-on. They pack small, you can check it on the trip home. Personal item should be a cross-body bag or backpack. Put your electronics and valuables in it. Carry-on item should be a frameless soft-bodied item. It’ll hold toiletries and clothes; all your valuab
Read more

Asus Chromebook C201

One of the many things that I paid attention to as I walked the halls of Defcon nearly a month ago was the devices people used for the capture-the-flag (CTF) events. During my first walk around the contest area I noticed many people sat against walls or such with macbooks. On later passes I started taking note of the devices that other people were using and a common one was the Asus C201 chromebook. Chromebooks are basically low-spec linux laptops designed around the use of Google Chrome. Though like many linux devices once you gain access to a terminal you often have free reign to alter the system and gain access to powerful command line tools. About a week and a half ago I picked up an Asus C201 for about $250 CAD. I will talk about what my typical use case is, what I wanted out of the C201, what my experience was, and a walk-through of how I set mine up to meet my use case. UPDATE:   Sarah Jamie Lewis wrote a thread on twitter adding her 2.5 years of experience to this s
Read more