
This week started off with the latest round of news coverage dedicated to a story that just won’t depart the headlines within the hacker community: the disgraced Facebook group known as the IllMob.  The story continues to capture attention, receive column inches, and generate discussion for a couple of reasons:

  1. The key ringleaders of this posse have not apologized to their victims but instead have mostly doubled-down in their efforts to self-aggrandize and downplay any wrongdoing.  This has resulted in cringe-worthy tweets.
  2. As professional fallout continues across the industry, some of the group’s other members have sought to publicly distance themselves from the hateful behavior seen in the widely-shared screenshots.  This has resulted in interviews.


This effort to save face or explain-away why many “average nice people” were members of such a Facebook group for far longer than most folk would consider reasonable has ranged from simple hand-waving and dismissiveness (of the “I never really look at Facebook” variety) to more active arguments that could be summarized as “the group was about more than just hate” or “it was a valuable community, and in any community of significant size there will be a few assholes.”

In this vein, many of us saw an article and associated two-part audio interview from Jennifer O’Daniel and Greg Otto of the Securiosity podcast wherein they spoke both to Georgia Weidman (a hacker, author, and business owner whose success has made her one of the IllMob’s targets in the past) and Joshua Marpet (a former long-time member of the IllMob and mainstay at a number of hacker conferences where he volunteers, often in a security role.)


Georgia has been one of the principal targets of the ire thrown around by the IllMob’s most vocal members for some time now.  (Full disclosure: in case you’ve been living under a rock or in a server room in Afghanistan, you may not be aware that both my wife and I have also been targeted by the IllMob in the past, for principally the same reasons as Georgia and other prominent individuals in INFOSEC: frustrated men who feel “entitled” to success that they have not worked hard enough to earn will often lash out at individuals whom they feel have ascended to prominence and power without “merit” and they will seek to tear them down.  So, let it be known, I have also had my share of poorly-typed internet insults directed at me from this treehouse of little rascals.)  Despite being a founder of successful INFOSEC enterprises, a noted author, and a widely-sought instructor in our field, Georgia found herself under fire from this peanut gallery over superficial considerations such as choice of attire at conferences or the decision to partake in cocktails while presenting (at a conference which made it a feature of all talks to present speakers with drinks.)

Georgia adeptly points out in her Securiosity interview that much of the criticism directed at her was deeply gendered (men in our industry are seldom criticized for their attire or for drinking alcohol, even at company events) and she did a pretty comprehensive job of summarizing the challenges that many women and other under-represented groups face when one of their ranks begins to achieve success in INFOSEC.  Her whole segment on the above-linked interview is rather on-point and leaves little wiggle room for those who would seek to defend the bad behavior of immature guys lashing out with misogyny and hate.

Georgia offered additional summary of her specific thoughts for inclusion here, as well, and I’m happier letting her speak in her own words…

The DerbyCon shut down post was written in a way that caused the people who had previously pointed out bad behavior to be attacked with a “women ruined our fun” Gamergate-like narrative.  The DerbyCon founders could have simply said they were focusing on other endeavors and moving on; instead they (seemingly purposefully) incited a riot.

I tweeted, as hundreds of people did in response to the shutdown, about my own past DerbyCon experiences.  I, like so many others, was simply commenting on their decision to shut down.  IllMob put me at the center of this conversation, not me.

I was surprised when a journalist from Motherboard asked me to comment upon what was being said regarding the IllMob.  This is not the kind of thing I want for my media highlight reel nor is it the kind of thing that helps me as a consultant, an author, a speaker, a trainer, or a startup founder.

I’ve been attacked by these people before and I’ll undoubtedly be attacked by them again.  But this isn’t really about just one conference shutting down.  When I reach out to new potential business contacts, I sometimes get unsolicited dick pics rather than new business.  I’m still asked to meet potential business partners at night at their hotels (and no I can’t bring my advisor) and if something happens it’ll be my fault because, “What was I doing alone with him?”  These are just some of the many ways there are double standards and barriers holding women back.

It’s not just DerbyCon, it’s not just IllMob, and it’s certainly not just “drama”.

We’ve got to change our industry (and our society).  That we are now talking about these kinds of things publicly instead of hiding them in dark corners is actually progress.  And treating everyone with dignity and respect is just good business.  At the end of the day, we all just want to learn new things and do great work.  We shouldn’t be distracted by the actions of a few bad actors.  But we also shouldn’t tolerate them just because we always did in the past.

IllMob put me at the center of this conversation, not me.  But I won’t shy away from it, I won’t be intimidated, and I won’t be silent.


And yet, in a perhaps-misguided effort at innocently attempting to offer “balance” in their reporting, Jen and Greg sought out an additional voice to provide an alternate take on the IllMob, the end of the DerbyCon conference, and how people confront hate among their professional circle of peers.  It is unfortunate that often when journalists strive to air opposing viewpoints they frequently wind up selecting two participants who do not have the same standing… but the resultant media segment portrays a false equivalence.  (How many times have we seen a report on “Climate Change” where one half of the broadcast features a researcher from NOAA with a doctorate in atmospheric science who has read all the peer-reviewed data and the other half consists of a guy in Iowa with a snowplowing business, standing next to one of his trucks saying, “Look at all this snow!  So much for global warming, eh?”)  But search they did… and Securiosity introduced IllMob member Josh Marpet as a voice to provide a counter-point against all of us who have been critical of the hate and harassment which originated in that Facebook group.

Josh was brought on (in a separate segment… he and Georgia did not interact directly, which was probably wise) and he offered a variety of thoughts that, I must say, failed to adequately address the elephant in the room, in my view.  (Full disclosure: Josh and I are both from the Philadelphia region and are both hackers of a certain age, so we came up together in this industry.  We knew each other well and we saw each other regularly at hacker gatherings when I lived back East.  Hell, I attended his wedding.  We have lost touch over time, and recent revelations about his remarks to the IllMob concerning my wife and me have put much greater strain on our friendship… but I still reached out to him and offered him a chance to review what I planned to publish here and am affording him the freedom to offer brief corrections or rebuttals.)

Josh attempted to explain why many people who are otherwise decent and friendly would have remained as members of the IllMob Facebook group in spite of the hatred being thrown around by its most prominent participants.  He offered what has become something of a major talking point these days:  “The group was a resource for interesting information.”

If some of you are seeing unfortunate parallels to the old chestnut, “It’s about ethics in video game journalism,” rest assured, you are not alone in those thoughts.

I would like to counter Josh’s assertion by politely challenging him (and anyone else who has offered this as a defense of their membership) to please provide me evidence of any clear-cut examples when ground-breaking information was available in the private Facebook group that wasn’t being widely-covered and distributed elsewhere.  Please.  If it was so interesting, then this group must have resulted in some of you generating notes/logs/screenshots or something more that you kept because they were germane to projects you were inspired to research.  Someone, anyone, please send me evidence of even one thing that was so earth-shatteringly cool that you saved it.  I personally tend to save over 100 threads per year from the 303 Mailing List where I am a member and participant.  (Full disclosure: does the 303 Community have its share of inappropriate chatter?  Sure.  It tends to be of the “buttlol” comments and “loldongs” replies nature.  And if someone says something that is honestly hurtful or punches down in an attempt to be funny… there are honest, immediate social repercussions.  People have left the 303 list over such disagreements.)


Every Village Has An Idiot

Josh admits that this “great informational resource” had a bad element, however.  “Everyone knows at least one idiot in their friend group,” he asserted in his interview segment.  Yes, of course this is true.  My eyebrow does not raise if someone is found to have a less than perfect friend.  My spider sense tingles, however, if people fail to push back against their friends’ idiocy.  Whether your idiot friend is doing something that only has the potential to harm themself (“Dude, don’t try to ride your new unicycle through traffic!”) or they are doing something that can have ramifications for the group as a whole (“Come on, man… juggle your fire stick outside… you’re gonna burn down the house!”) we are all accustomed to having to get someone back in line when they’re being stupid.  Intervening when someone is doing something colossally stupid is the act of a friend.  If you don’t step in, who will?

What I want to know is: where was this type of kind intervention among the IllMob?  There are those who claim that they spoke up against the hate.  Really?  Then why did it continue?  Why was this an ongoing theme of the Facebook group?  Clearly, either they didn’t speak up very fervently, or the people attacking this whole community refused to listen and reflect.  And at that point… the million dollar question: why have them as friends at all?

“Everyone knows an idiot in their friend group,” may be a true assertion that Josh made.  But it’s a significant stretch to turn that into, “Everyone knows an idiot in their friend group who won’t listen to reason and whom you don’t really try to correct because they’re irredeemable but you just keep them around forever anyway.”  Far fewer people could agree that this second sentence is normal or proper.


Do I Just Leave?

But let’s assume for a moment that Josh and others in the IllMob did do their level best to correct the deeply antisocial and maladjusted behavior of the worst offenders.  Even if that was the case, clearly it did not have a positive impact.  The hate continued.  “Am I supposed to abandon the group because of a handful of people?” Josh then asked his interview hosts.  My simple answer to this rhetorical question would be: “No.  You aren’t supposed to abandon the group.  The group is supposed to abandon the assholes.”

Unless, of course, the head asshole is literally the head of the group.  Leadership sets tone in all organizations.  I feel almost astonished that this point has been glossed over or ignored in so much of the coverage of this topic.  The “handful of assholes” away from whom the bulk of the “respectable” members have done their best to distance themselves included the founder and admin of the whole group.  It also included a couple of other very prominent voices in INFOSEC.  This wasn’t a couple of no-name bozos with 19 twitter followers between them… the very name of the group was the name of the lead misogynist and internet troll among them.

Or, as I put it more succinctly while joking on Twitter:

Assertion: “Look, all I did was eat my lunch with 500 other workers at this spot down the block where we all hung out to chat. We talked shop. I had no idea folk off in the corners were into dog fighting! I don’t support that!”
Rebuttal: “Dude, your lunch joint was literally named The Michael Vick Bistro.”

The interview hosts kept returning to this question repeatedly throughout the interview, never to receive a satisfactory answer.  “That was the absolute edge cases,” Josh repeats.  The host pushes again later, asking, “When someone goes that far, however, then aren’t they no longer part of the group?”  Seemingly making my own argument for me, Josh simply replies, “Why?  Are you the admin [of the group]?”  And that’s the key point, isn’t it?  It wasn’t “some jackass” who was “out on the margins” causing a few problems.  Leadership sets tone.  The founder was the lead voice of harassment.  The call was coming from inside the house.


Drama Llama

After that in his interview, Josh made the point with which I take the greatest umbrage.  And not just when he said it… when anyone says this.  “There’s always going to be some kind of drama.”

You know what?  I am goddamn sick of that word.  I’m utterly fucking tired of it.  First of all, I should say that I roundly and wholly reject the argument being made.  I’ve been at loads of fun and awesome events that ran smoothly and I have known communities and families that were well-adjusted and happy basically all the time.  Values of respect and affirmation and tolerance and assumption of good intentions go a long way toward making that happen.  But beyond the logical fallacy of his argument, I am disappointed that Josh is one more person who loves to over-use the word “drama.”

When something awful happens to you or someone you care about: it’s trauma.

But when something awful happens to someone about whom you don’t care: it’s drama.

(All credit and thanks for that phrase go to my marvelous wordsmith of a wife who crafted that rhyme and it stuck with me ever since)

I believe you can use the word “drama” as a barometer for how much the speaker cares about other people.  Labeling something as “drama” packages up a whole litany of dismissiveness into a nice “get lost” cocktail for the party who feels that they have been wronged.  Calling them a “drama queen” not only conveys your distaste and disinterest to the principal party, but it is also a powerful in-group signal.  Slapping the label of “drama” on something serves not just as an insult but also as a warning to the rest of your peer group: “Do not engage with or sympathize with what is being exhibited over there.  We as a group do not value that person and their interests.”  By referring to the women who reported harassment at DerbyCon or the criticisms of anti-LGBTQ hate being thrown around the IllMob as “drama” I fear that Josh is participating in that cycle of dismissing and minimizing others’ concerns.  Bizarrely, Josh also included incidents of over-indulgence with alcohol or people experiencing medical episodes at cons as “drama” when discussing this term during his interview.

Maybe I do not fully grasp what Josh means by the use of this term.  But I certainly know how people who hear it feel: like they shouldn’t intervene even if they want to, and like they should simply go away if they were the one who spoke up in the first place.


A Roadmap with No Street Names

“So, looking back at DerbyCon,” asked one of the interview hosts, “do you think there was anything that could have been done to save the conference?”  Josh considered the question.  During the brief silence that followed, I honestly wondered if he would have offered real solutions such as “kick out the harassers” or “set the tone from the top.”  Josh has a background in law enforcement / corrections and he has leadership talent.  He knows about getting people to comply, securing an environment, and commanding others.

“Sure, there are things that could have been done,” he offers.  “Absolutely something could have been done [to keep DerbyCon running],” he asserts.  And then… he proceeds to not name one. single. suggestion.  Go ahead and listen to his interview segment again (jump to 1:09:25) if you don’t believe me.  I’ll wait.  Josh speaks about opportunity costs and calculations.  He imagines DerbyCon continuing to run for years into the future.  But he offers absolutely zero solutions.

The hacker community has been offering solutions for ages. There have been endless talks about this on Twitter and in Slacks and on forums and across blog posts.  Other conferences have tackled these problems as they grew and implemented these solutions.  But Josh, much like DerbyCon as a whole, simply couldn’t seem to find the way to set the right tone from a position of leadership… or bring themselves to cut ties with harassers.


Talent Begets Taunting?

To their extreme credit, the interview hosts seemed to become increasingly frustrated with the avoidance and non-answers being offered.  “That’s something of a cop-out, though, isn’t it?” Greg asks at one point.  When pressed for what, deep in the recesses of the most hateful members of the group, could have been driving their horrible behavior, Josh advances the theory that, “highly-skilled and talented people will look down on lesser-skilled people.”  This is, of course, total horseshit.

In my experience, the most fully self-actualized and capable people tend to be happy in their work and eager to do right by the rest of the world.  It is the unsuccessful individuals who wind up causing the bulk of the friction in most social groups, as far as I have seen.

The acclaimed author is a joy to be around.  The jerk who couldn’t get his manuscript published is angry at the world.  The popular artist is a joy at parties.  The failed playwright is rude to the barista at the coffee shop because they look too chipper.  So it was with the IllMob… the bulk of the hateful comments were seen to be coming from middle-class white guys who, while sometimes capable of holding down regular jobs, have never really measured up to others and who by-and-large would deal with their feelings of self-dissatisfaction not by examining what they could do to improve themselves as individuals but rather by attacking “other people” whose success they felt was “undeserved” and not merit-based.

Talented people look down on the untalented?  Maybe in your world, Josh.  But not in the one I’m trying to build.


“We Fought the Good Fight”

Individuals who were an active part of the IllMob but who want to distance themselves from the hate being thrown around in that group have taken to acknowledging the bad behavior of its worst members (including their founder) but are quick to remind people that “the rest of us pushed back” against this negativity.  Would you like to know why I believe that neither Josh nor pretty much anyone else in the group offered a full-throated push back against the assholes?  Two simple reasons:

  1. The group didn’t change
  2. Josh and others weren’t kicked out of the group


Make no mistake, anyone who has seen a toxic community like this one was knows that those are the only two real outcomes if “good” people are serious about fighting entrenched hatred or misogyny or transphobia.  If a group of people are really deeply dedicated to fixing things, they will either conquer the hate or die trying.  By dint of the fact that Josh as well as the other “500 members” of the IllMob were still enrolled in the group right up until the Motherboard article and mass exodus/great purge… I feel it’s rather clear that none of them “pushed back” against Will and his top cronies very much.


Doing Our Part to Make Change

Ostensibly frustrated that they weren’t getting satisfactory or clear answers about the problems with the IllMob, the hosts pivoted slightly and asked Josh about how we can all try to improve our industry as a whole.  After a somewhat meandering start to his answer, Josh focused on the topic of “making availability of knowledge more extensive” so that it is “easier for people to get into this industry” and “grab opportunity.”  His formula for enabling this goal was elaborated with descriptions of supporting local, low-cost events in areas that are accessible to under-represented groups.  Josh specifically identified minorities, students, etc. as people he loves seeing at hacker and INFOSEC cons.  (There was, alas, no discussion of any specific outreach initiatives, grants, special invites, or cost-sharing programs to boost diversity numbers at such events such as the measures that ShmooCon or BlackHoodie trainings have … but I share his enthusiasm for increasing women’s and minorities’ con attendance, just the same.)

But let’s say cons are lucky enough to see attendance from the very kinds of under-represented groups that Josh, I, and most other hackers are hoping to attract to our industry which is hurting for diversity in membership.  While it’s great to have them join us at cons, getting people interested in STEM has seldom been as big a problem as retention of these individuals is.  Maybe Josh simply hasn’t done the reading here… but plenty of others have.  Particularly, the many women in tech who have been invited to sit on panel after panel (by events that seldom made another spot open on their talk schedules for said women to present on whatever actual technical work they’ve been doing) have told audiences this for years now.  The drop-out rate for women or people of color or LGBTQ individuals in INFOSEC is bad and has been trending worse.  That doesn’t get fixed with Legos and free pizza lunches at BSides.  This will only get fixed by deep culture shifts and the addressing of toxic assholes in our community.

Perhaps aware of this intellectual disconnect, the hosts again appear to try to steer the conversation back into the matter surrounding the core problem we all must face: “Why do you think discrimination in the industry and the hatred seen in the IllMob exists, though?” they ask.  “Why don’t more people push back?”  Any answer given to this question that doesn’t touch on the theme of privilege is disingenuous to me.  Literally the answer is privilege … brought about by deep, long-standing ties in the community that some assholes have.  If these people had no community connections, there is no way anyone would tolerate their bullshit.  If a brand new person with no experience in the hacker scene and no industry background showed up wanting to make friends and then behaved like the worst of the IllMob, they would be shunned immediately.  So I was hoping the answer to “why do you think the hatred was seen there” would have some acknowledgment of privilege and the free rein that comes with it.

“Some people are just frustrated,” Josh asserted.

“Wow,” I thought, “Are Josh and I actually in agreement with one another?”

“…Where are people supposed to vent?” Josh continued.

Are you bloody kidding me?  Nobody cares about a guy grousing over a pay raise he didn’t get or someone complaining about a conference that didn’t accept their submission.  No one has said they have a problem with people innocuously “venting” about life’s little frustrations.  That’s fine and normal.  But you aren’t supposed to “vent” about hating women, LGBTQ folk, etc.  If that’s someone’s idea of “venting” then they don’t need to be provided with a safe space to do it.  They need to be told to get in the fucking sea.


Am I My Brother’s Keeper?

Fundamentally, for me, the arguments surrounding the IllMob, DerbyCon, and many other points of cultural friction in our community of hackers come down to disagreement over who should take responsibility for encouraging antisocial people to change.  If someone is reluctant to correct their behavior, then the choice must be made whether to shift tactics from “encouraging” to “forcing” someone to improve themselves.  And, ultimately, cutting them out of your lives if they will not.  These are the same difficult steps one often has to escalate through if someone you care about is abusive, or if they are grappling with addiction.  It’s a very difficult road and not everybody is up to the task of taking on such a challenge in others.  But here’s the key thing: these hard challenges must be faced.  And it is those who are closest to the individuals among us who need help that have to walk this hard road.

To claim that it’s not your place to speak out when a friend is in the wrong is to surrender away your duty to them.

“My sense of right and wrong is not necessarily somebody else’s sense of right and wrong,” Josh definitively told the host.  “Can I tell you, Jen, that what you do is wrong?” he asked.

Yes.  While there are shades of gray and much nuance in the world, society as a whole does share certain broad norms and values.  We all have the right to act as a helper when someone else’s conscience may be shaky.  Angrily telling others they must select pizza toppings that align with your tastes or demanding they use the text editor you prefer or requiring them to listen to the music that you like makes you insufferable.  But telling others that what they’re doing is wrong when they are actually doing something objectively bad and hurting other people in the process?… That’s the act of a friend.

You were wrong, Josh.  All of you who stood by and watched and did not fight back hard enough against the hate were wrong.




NOTE: after reaching out yesterday to Josh at several email addresses I had for him as well as trying his email address at the business he currently owns, I did not hear back.  If Josh replies to me at some point in future, I will still honor my offer to him:  If he believes that he has been misquoted, misrepresented, or mischaracterized in any way by what I have written, he may contact me with corrections.  Minor one-word or one-sentence tweaks I will try to include as marked edits at his request within the body of the main text.  Additionally, I am willing to include a brief paragraph response to appear below the article as a whole.

Almost every morning, my wife and I have a breakfast that consists of some combination of eggs, a side meat, greek yogurt (we buy Fage full 4% on the road or make our own at home using Fairlife milk in our Instant Pot), and possibly an avocado.  This all makes for a very high-protein, low-carb, zero sugar meal at the start of our day.  She’ll make a pot of her tea and I’ll typically just have water and/or zero-calorie sports drinks.

And this is great.  It’s fast, it’s fulfilling, and we look forward to it every morning.

But every once in a while, the human condition of restlessness kicks in and a desire for change may be felt.  And, I’ll admit, memories of breakfasts with my family when I was little make me pine for piles of pancakes or waffles, toast, or even just cereal.  All of which have been banished from my kitchen for being insanely carb-heavy and often also sugary.

But then recently, at Costco, I spotted this product…



This product claims to be a paleo-friendly pancake mix.  I’m not officially keeping to any “diet” that involves rules and buzzwords.  But while I don’t identify my dining as “paleo” or “keto” or anything of the sort, I am always interested in food options that are tasty while minimizing carbs in a reasonable way.  This mix, from Birch Benders, makes use of almond flour, coconut flour, cassava, monk fruit, and powdered eggs, hitting a rather effective bingo when it comes to modern “dietary wonder” ingredients that people try when avoiding wheat flour.  The only thing I think I’m not seeing here are ground crickets.  😉

Let me tell you… the results are fucking delicious.

I sweeten the preparation a bit so that we can avoid applying any syrup to the finished product.  The last time we made these (they tend to be a weekend morning specialty for us) I took photos in order to share details with others.  So here you go!


1. Set your stovetop to medium and start heating your non-stick pan…



2. Land a thwack of butter (we love grass-fed, all natural butter) in those pans as they heat as you turn to your mixing bowl…



3. The official recipe on the Birch Benders bag calls for 3/4 of a cup of their mixture plus 2/3 of a cup of water.  I’ve found that to be ideal.  However, in an effort to avoid use of any syrup during serving, I adjust my mix a bit with about a tablespoon of brown sugar alternative and a drizzle of vanilla…



4. If your pan is up to temp and the butter is melted, you’re ready to pour in some batter!  I tend to make 4 pancakes with the mix that results from 3/4 cup of powder and 2/3 cup of water.



5. I’ve found that despite being made from alternative ingredients, these pancakes have a pretty similar cook time to traditional ones.



6. If you are having trouble keeping the cake from sticking to the pan, or for just about any reason you want, it’s always OK to add a little more butter to the pan by running a dollop around the outer edge on the tip of a knife, letting it melt down.



7. Keep an eye on the top, and when you start seeing tiny bubbles coming up through, you know you’re at most a minute away from flipping.  Typically, I flip after about 3 or 4 minutes of cooking.



8. Flip carefully, and hopefully the underside is a perfect golden color.  Once flipped, I let it cook for another 60 to 90 seconds, max.



9. Plate it with an additional pat of butter resting on top.  No syrup should be needed, hopefully.



10. We sometimes experiment with fruit.  Tarah likes strawberries.  A couple berries diced up and folded into the batter (along with some red food coloring that we had for another project) made for a nice result, as well.



11. Note: if you add fruit like this, the water (and likely lower temp) of the fruit will slow the cooking process a bit, so you may want to keep the cake in the pan for a minute or so longer per side, in order to ensure it cooks through completely.



The results are really delightful, I have to say.  These are delicious and, while not totally carb-free, they are much healthier than going to an IHOP or some such.



If you’re a Costco shopper, keep an eye out for them.  Maybe you’ll give these a try.  Maybe you’ll like them, too.  Good luck and enjoy!


This is a quick one from me, but hopefully it helps you save money if you run any firearm-related events.  In addition to the DEFCON Shoot, I help run other regional shooting events — sometimes at hacker cons, sometimes elsewhere — and one of the things that I feel organizers should try to do is always have a kit of “range essentials” that can help fill in any gaps of amenities and supplies that may be lacking at a venue you’re using.

Just in case you want to build such a kit, here are some bare-bones essentials that just about anyone can put together:


You’ll notice that almost everything in the above list has links.  They are links to the particular items that I have liked and trusted and opt to bring with me whenever I’m running an event.  (Other gear shows up at most of my events, too, like service and cleaning supplies, free water, free snacks, etc.  But the above list are the safety essentials.)

One item in the list does not have an amazon link, however.  That’s because chamber flags, bought retail, are very expensive.  At between $2 and $8 apiece, they are not an item that lends itself to cheap and easy purchase en masse if you’re going to set them out in a bin for give-away.  That’s why I opt to make my own homebrew chamber flags for my Gun Range Running kit.

Want to make your own nearly-infinite supply of chamber flags for almost no cost?  Here’s what you acquire:


Take the orange tube and cut it into segments roughly 1¼” long (just over 3cm)… the above-linked tube should hopefully produce just over 30 pieces.


The next steps should be rather self-evident.  Slip one of these bits of rubber tube over a zip tie…



Then affix the zip tie to itself.  Be careful not to pull it ridiculously tight.  Just enough to make a little “flag” stick out to the side…



There you are!  Buying one pack of the above zip ties and three of the orange rubber tubes should yield close to 100 of these for a little over $25.  That’s effectively a quarter apiece.



They work perfectly well in most sizes and actions of firearm…



And while they may not be as robust and perfect as factory-made chamber flags, these should be more than sufficient for your event attendees to grab a few and utilize them as needed.  If they return them to you, great.  If they walk off with them, meh.  It’s not a huge cost to you, but it can be a major time-saver as your RSOs walk the firing line and visually inspect all the guns on the tables before declaring a range cold.

Making cease-fires easier and faster means the sooner that people get to check and reset targets and therefore the sooner that everyone can go hot again and keep plinking away.

Enjoy!  Stay safe out there!

I keep my Twitter DMs open and my email address is public.  This, plus the fact that I’m a recognizable face at conferences and generally like to answer folks’ questions means that I field a lot of inquiries… particularly about the hacker community and the world of physical security.

While I always want to give each person who reaches out an individual and specific answer unique to them, a recent utter flurry of contacts (due to a bout of mainstream press and wider attention) has made it harder to keep up with my inbox.  Consequently, I’m going to try posting something here.  It will effectively be an amalgam of various answers I’ve written to folk in the past week or more.  Some people have been asking about their own career path and job prospects.  Others have found that my explanation of security flaws hits home for them because they see these vulnerabilities in their own work environments and want to share this news with others.  Other folk simply want to know how to best apply their limited resources in a way that can lead to a more satisfying and interesting vocation or hobby.


At the risk of grossly over-simplifying things, I’m going to paraphrase this matter as…

Question: “I think what you do is awesome.  How can I do that sort of thing, too?”


Again, while I recognize that a one-size-fits-all answer isn’t ideal, this is my best shot at responding to the above.  We’ll call it the “one-size-fits-most” answer.  We are close to Halloween costume shopping season, after all!


Answer: Hey!  Thanks for reaching out!  My answer will be 100% honest, but I hope very much that it doesn’t come across as disingenuous or self-serving… it’s a very tricky subject, and far too often companies don’t understand or value this kind of knowledge and skill set properly.

Far and away, the primary answer I have to give folk is one that is simple and also a hurdle at the same time:  training.  I am not one to kneel at the altar of Certifications for their own sake; however, if someone has taken the time to successfully complete training courses and pass exams, etc., then that shows current as well as future employers that this individual values professional development and wants to apply their skills.

If you have an employer and you think they can possibly help support your education and would send you to training, that’s great.  If your firm is reluctant, however, or does not exactly understand the value of this kind of knowledge or how to leverage it properly, that’s more difficult.  If you are seeing security flaws in your own office or company facilities and want to report them… I urge caution.  Advice of this nature coming from internal voices sometimes is found to be unwelcome.  It might be best if you were to bring up some of the evidence put forth in perhaps some of my talks…

…and if you get any traction with any of those presentations (don’t overwhelm folk, just see if anyone watches or nods.  You can even queue up a clip in the middle and then let it play, etc) then you can suggest taking training.  If it feels like that may still result in a shrug, then suggest the company pursue advice from outside consultation.  Again, I know this sounds self-serving since this is one feature of my own firm’s work.  Still, if you value this kind of insight and want to see your company’s security posture improved, reaching out to us or to one of the handful of other businesses who are experts in this space may be a solid choice.  Doing so in a way where you serve as a point-of-contact overseeing a consulting task as opposed to the person doing it allows you to get credit for taking the initiative and generating the findings and also insulates you from the risk of being the scapegoat if people don’t like what’s learned during testing.


The tongue-in-cheek answer I tend to give during interviews and the like regarding “how did you get your start doing this sort of thing?” has always been, “I had a few of the right friends and a few of the wrong friends.”  It’s a good line.  It’s a snappy, easy delivery and makes for the kind of amusing copy that writers and editors like.  It’s also truthful, albeit an over-simplification.

If I didn’t have friends who were urban explorers and hackers with less respect for official rules and boundaries growing up, I might have not gotten interested in these kinds of skills myself.  From the very beginning I’ve considered Barry Wels (and the other Hippies from Hell) a tremendous inspiration and source of knowledge.  And I have to thank Mike Glasser for being so welcoming and willing to teach me (and for pulling me on stage at an early DEF CON during the single-digit years) when I was just getting a feel for lockpicking.  People who were willing to teach, including teaching things that were often considered forbidden knowledge, were instrumental to me.  Business owners who were willing to give me opportunities to participate in their work or in their training sessions if I would volunteer my time to assist or do other work that needed to be done on the side were also a benefit.  If you’re having trouble determining who among this cast of characters were the “right” versus the “wrong” people to know… you’re on the right track.  In truth, it’s a broad mix of voices from many diverse sources who contributed to me turning out like this.

(I will say that some of the “wrong” people were simply individuals and companies who are just woefully bad at business and folk who wouldn’t do emotional labor… Watching these persons and institutions flounder around as they failed to maintain healthy business relationships was also quite edifying, albeit disappointing.  But it’s a simple truth that if you can’t communicate well with others and aren’t willing to check your ego at the door and satisfy the real needs of those around you — as opposed to what you perceive they should need — then you’re going to have a Bad Time no matter what you try doing, business included.)

My life and current career (10 years in this field, as you see me now) are the product of at least the previous 10 years before that (a decade of unpaid or nearly-unpaid education, volunteering, and self-development while I was working to support myself via other means.)  I have been a student at Black Hat, SANS, Lockmasters, and more.  I double-majored in college when I returned to school later in life and hold a Bachelor of Science.  I hold a range of recognized certifications.  I have spoken over 200 times to audiences who were public, corporate, government, and military.  I have published books in my field.  And I still try to take at least one training course every year, even if it’s only tangentially related to my vocation.

Are all of these above steps necessary for someone to achieve success?  No.  Not a single one of them is a “do this or forever abandon your hopes of this career” point.  But every last one of them has played some part in all of the opportunities I’ve had and continue to have.  Choose from the above list (or see the TL;DR below) and try your best at such forms of self-improvement as you can handle.  That is the path to your own success.  There is no shortcut.  (But there are some poorly-locked doors along the way, and slipping by such obstacles is the kind of thing that Tarah detailed to a great degree in her own book.  Which I strongly recommend, no matter your age, gender, or industry.)



For companies: Train your employees, ideally once per year.  Allow them to have a say in what training options they have.  Hire outside experts as needed.

For individuals: Seek out training, either paid by your employer or save up and do it out-of-pocket yourself (tips here include asking if conferences have volunteer programs for reduced or zero tuition and also asking trainers if they ever operate classes direct to the public as opposed to through intermediaries)


This may not sound 100% fair, particularly if you already have a significantly developed skill set.  But the world is full of folk with the same hunger and same good personality as you… even if you consider the result of training to be “just a piece of paper” it remains, in the business world, an important designator that can set you apart from many other candidates who are seeking the same opportunities you are seeking.

I have taken professional training just about every other year (sometimes more frequently) throughout the past decade or more via a variety of recognized and established institutions as well as smaller outfits, etc.

The benefit to me: I’ve managed to sharpen existing skills and also acquire new ones.  I’ve improved my own teaching style by learning what to do (and, far more often, what I’m glad I *don’t* do) in front of my own students.

The benefit to my employers/clients/etc: They can quickly assess the fact that I most likely know what I’m talking about.  They have a way of sorting me versus other potential folk with whom they might engage.  I don’t begrudge them for using the fastest and most available tools to make these kinds of decisions.  We’re all busy and we want to maximize the impact of our limited resources, and that includes time.


Make the most of your time… get training where you can and change minds when you can.  Call in outsider help when necessary.


Hope that helps, and good luck!

Right off the hop, let’s get this out of the way:  Yes, this is an homage to (or shameless theft of) the speech Colossus makes at the conclusion of the film Deadpool.  Still, there is some poignancy to how I was feeling when this thought occurred and that’s why I wanted to share it here.

This DEF CON was significant for me.  I’ve been attending the con for nearly 20 years now, but this one really seemed to impact me emotionally.  The reason:  it has become apparent that, as a whole, the conference is too large to “see it all” even if someone really, really dedicates themselves to that cause.  I realize that DEF CON has been growing by leaps and bounds.  And long-time veterans can take their pick of the year when it “wasn’t the same anymore” from a list that includes:

  • Outgrowing and leaving the Alexis Park
  • Stretching on the calendar into Thursday
  • Choosing venues that span across multiple hotels
  • Being back on the Strip in a grown-up venue where they don’t take kindly to shenanigans

…and, yes, all of these milestones did indeed change the nature of the con.  But, for me, something truly felt different this year with regard to how many activity areas there were, in the form of Villages, challenges, etc.  While it perhaps hasn’t truly been possible to see all of DEF CON in a single trip for a while now, I feel like this year was the first time that I truly heard a whole lot of voices from folk who weren’t mere observers but true interactive people, seeking to go hands-on with people and ideas and concepts that interested them.  When even those individuals were saying, “man, it’s like it’s not even possible to participate fully in DEF CON anymore,” that is what made me a little sad.  Because it’s true.

Then I was fortunate to have a bite to eat on Sunday with my wife and one of our friends, Elissa Shevinsky.

As we dined at The Palm (Bruce and Wozzi’s place where head chef Kiko Ojeda does a really fine job creating everything save for the crab and romaine salad) and sipped cocktails, Elissa was quite chipper.  “I had a really successful time this weekend,” she pointed out.  “I had five top priority things to see and do, and I checked each item off that list.”

In that moment (as ridiculous as it may sound, such a vague platitude this is) her words really hit me.  For years, my philosophy at DEF CON has pretty much been “do absolutely everything… and then some.”  I would stop by every Village, try my hand at numerous contests, get to every party for either a brief appearance or stay to close the room down, and on top of all of this I was running multiple contests, events, and often giving talk presentations in Villages and/or on the main stages.  For me, any time I went up to my room at DEF CON, the Fear Of Missing Out™ would kick in almost immediately and I would steel myself with another whisky and dash back to the elevators, eager to get downstairs again and on to the con floor.

I can’t do that anymore.  None of us can.  DEF CON is simply “too big” now, we admit to ourselves.

But Elissa’s theory works, even for those of us who have a list as long as our leg of stuff we would like to do and see.  The solution?  Prioritize your list… do this well before DEF CON starts.  It’s OK to have a nearly-endless agenda of things you’d like to do at the con, but at this point DEF CON is so massive that your satisfaction should come from successfully achieving your top four or five moments.

Maybe your moments are seeing three talk presentations that looked really interesting to you, spending time in a Village, and then participating in a particular contest.

Maybe your moments are going to a specific party, getting into the SkyTalks room, witnessing Drunk Hacker History, and having two very special dinners with friends you don’t usually get to see anymore.

Maybe your moments are five Goon duty shifts where you feel you’ve made a positive impact on other con-goers’ days.

Whatever your four or five moments are, let that become the standard by which you judge whether your DEF CON was a “success” or not.  None of us can do it all anymore.  It’s ok to still try.  (Just stick with the 3-2-1 rule at all times!)  But don’t let yourself feel down about all that you “missed” because you ran out of time.

If you achieve the four or five moments that you predetermined as your top priorities before you went to Vegas, then that DEF CON can go in the Win column for you.

Well, that’s another year in the books.  I thank absolutely everyone for a terrific and successful DEFCON Shoot!  The staff and RSO volunteers were indispensable and all credit goes to them as well as everybody who so marvelously brought amazing firearms and content to the range for everyone to share.  The cannon made a triumphant return, Joe’s full-auto collection had numerous specimens on site, and plenty of folk got to try a multi-shot rotary drum 40mm grenade launcher!

The theme this year (on badges, decoration elements, etc) was “resistance fighters who fought fascists” and we thought that was quite timely.

So, as always, everybody seemed to have a very good time and it was marvelous to see friends, listen to talks, and watch people compete in challenges like the dueling tree and crypto puzzle (folk are still working on that to see who can win this amazing 80% lower!)

One of the most hilarious moments of the Shoot was when Puking Monkey pulled a “Yo, dawg, I heard you liked cannons… so I shot a cannon out of my cannon!” for everybody.  😀

But one of my favorite parts of this year’s DEFCON Shoot came toward the end of the day.  To tell the story properly, however, we’ll have to reflect upon the conditions at the shoot site when we first arrived.  Many areas of public land which are used for recreational shooting are, as a lot of gun folk will know, subject to awful and unnecessary abuse.  My friend Karl documented as much on InRange TV and plenty of other news reports and anecdotal evidence show just how thoughtless some firearms folk can be when no one’s looking.

The Indian Springs location (where we shot last year as well as this year) is sadly no exception.  Some bad apples have a long history of going out there and shooting at ridiculously inappropriate targets that make a mess and leave debris everywhere.  This was immediately visible as we arrived and were setting up…

We noticed assorted debris like target backer boards and old metal school lockers.  At least those are either bio-degradable or relatively self-contained and box-shaped items.  Plenty of things were not suited to being targets at all, however.  Mattresses and more, for example…

It’s a shame when folk take old appliances out to the desert because they shatter in so many ways when shot or blown up…

But perhaps the most horrendous offenders are consumer electronics, like TVs.  These not only shatter into loads of bits that will never biodegrade, but they also contain plenty of other materials that are harmful to the environment and require special hazardous disposal protocols for e-Waste when being thrown away properly.

I was very inspired by my attendees and volunteers at the DEFCON Shoot.  Almost right from the start, it was possible to see everyone there taking the time to at the very least police up much of the waste into more organized piles.  (This was as much to aid in the parking of cars as it was simply good practice… and no one had to be asked to do this.  The group of hackers just took it upon themselves without direction.)

In the middle of the day, I looked at the large group of folk (many of whom came from less free states or totally un-free countries) enjoying this public land and getting to shoot guns that they would never otherwise be able to handle… then I looked at the fold of bills in my pocket from individuals who arrived without pre-registering and instead opted to pay cash on-site.

Then I started googling.

There are a number of waste haulage firms in the Las Vegas metropolitan area.  But none of them said they would service a job so far outside of the city, up in a nowheresville like Indian Springs.  Eventually, on the verge of giving up, I asked one fellow very directly, “Look, you said that this job’s distance wouldn’t make it financially feasible… but I fear you may be underestimating this group’s willingness to incentivize you.  Exactly what kind of additional compensation would make this job viable to you?  Tell me a number.”

My jaw dropped when, after some brief consideration and a pause, the owner said it would cost possibly “as much as an additional $150” to come that distance.  I hired him and his crew immediately.

And, sure enough, after the conclusion of the DEFCON Shoot, Dennis and his team lead James and a crew of workers arrived on site and began to police up as much debris and junk as their vehicle could hold.  I told them that I was prepared to pay extra disposal fees for any TVs they could gather and that we’d cover the costs of a full 15 cubic yard truckload.

As the clean-up haulers were working, a car from the town arrived and wanted to see what was going on.  (Both years that we’ve come around, locals have shown up during the Shoot itself to say hello and see what we’re about and they seem to generally like us and come to regard the “hacker bunch” as “those people who treat the place well and don’t make a mess” so that makes me very happy.)

But this was a cut above… I hope everyone can be very happy to learn that the locals who arrived offered thanks over and over again for the work being done in the area.  They commented on how much better it looks… and they remarked that they’d never seen anyone go to the effort of cleaning it up before.

Thank you all who came, who shared, who taught, who learned, and who made all this possible.  I’ll see you next summer.  For now, enjoy the rest of DEF CON!

Hey, everybody.  This is just a quick post about something that any one of you can build in order to make a fun and engaging lockpicking contest suitable for running at a bar or other meetup where there’s drinks on the menu.

Some of you have seen the deep and detailed build I did when creating the “Booze Box” which has appeared at hacker cons and been a source of fun and a challenge to those who want a chance to win free drinks.  But, let’s be fair, that was a huge undertaking.  No one else is likely to build something like that.

Here’s a super easy way to make a small, portable version of such a contest!

1. Buy a bottle of Booker’s Bourbon.  It comes in a nice wooden display box.

2. Drill a small hole (3/8″ diameter, I’d recommend) in the top of the box, approximately 1/2″ from the lip, as indicated in this image.

3. If you wish, you can sand the outsides of said box in order to remove the Booker’s logo and marketing silkscreening.  Then, if you want to, feel free to stain the box in whatever color you desire.

4. Either modify the original plexiglass front piece or laser cut your own new replacement piece (so that it is free of any marketing logos, etc) to a size of 12″ x 3⅝″.

5. Now you have a box that can contain either a pint glass, a wine bottle, or a whisky bottle, etc.  And the application of a padlock can “secure” that resource until someone liberates it by picking the lock.  If they succeed, they either win the right to fill their glass for free or they can claim the bottle inside, etc. The game lends itself to very fast resets and reloads, and of course can be adapted to whatever degrees of difficulty you wish by simply changing out the padlock.     

Good luck and have fun!

“You can’t write endless laws and expect to prevent every crime.  All it does is reduce liberty without actually stopping criminals.”

“We live in a free society.  Every day we have opportunities and chances that others can only dream of… and the price we pay is the occasional tragedy.  I and many others accept that price, when the alternative is a nanny state like England or Singapore.”

“Personal responsibility and rugged individualism are the pillars of who we are.  We cannot expect anyone but ourselves to watch out for us or lord over us.”


All of these quotes are more-or-less verbatim, and they come from many conversations I’ve had over the years with fellow hackers, friends, and family.  The conversation is sometimes about guns, sometimes about drugs, sometimes about freedom of speech or thought.  I’ve probably advanced something of the above thoughts in various contexts as often as I have heard them from others.


The Hackers on Planet Earth conference, from its very beginning, has been a magical place where the line between organizers and attendees has always been blurry.  Sometimes this grey area has stemmed from the way that attendees and bystanders so often pitch in to raise banners, stand up activities, and fix technical glitches.  Other times the “leaderless” nature of HOPE has manifested as a blind eye turned to shenanigans and pranks that would bring quick reprimand at other events.  I have experienced more interesting conversations and made stronger and longer bonds with others at HOPE than perhaps any other event over the years, all-told.


This recent weekend in New York City, however, we all experienced the downside of what can happen at a semi-anarchistic event where almost anything goes and where it often feels that there’s no one at the wheel.


I expect that almost all of you have by now read the assorted coverage of how the HOPE conference was descended upon by a small but willful cadre of instigators / alt-right / fascist boys whose mission was to infiltrate the event and cause disruption by harassing attendees and attempting to intimidate and stalk some of the speakers.  If you haven’t seen the details there, Unicorn Riot were among the first to report directly from the scene of the event.   That piece is mostly accurate, and additional coverage from Motherboard took a more measured tone but conveyed no less concern over the failings of the organizers, the staff, and the community as a whole at HOPE. There was also a later article up on The Parallax by Seth Rosenblatt.


You can take time to read the news if you haven’t yet already.  (Or, if you’re a patron of the terrific Violet Blue you can check a recent Patreon entry in her Cybersecurity News feature for the bullet.)  But what I’m writing here will not be about the incidents of disruption at HOPE this year as much as it will be about what I would have hoped to have seen in response.


Love all, Hack all


The HOPE conference has adopted a Code of Conduct that, while not the most comprehensive and explicit that I’ve ever seen, is remarkably in line with their community values and conveys support for the airing of diverse opinions while also expressing (with near-ironclad language) what is ostensibly a strong commitment to preserving diverse voices and guarding the dignity and safety of individuals in attendance… especially people who may be marginalized or more easily preyed upon or pushed out of mainstream positions of acceptance.

The HOPE CoC urges everyone to “step beyond prejudices, societal norms, and other perspectives that lead to disrespect for people and groups” and expresses explicit support for people of all ethnicities, gender identities, etc.  The CoC states that HOPE does not want “any [attendee] to feel marginalized or intimidated” and calls out a number of specific behaviors that will be considered a violation of the event’s rules, including “stalking, following, harassing photography or recording, disruption of talks or other events, inappropriate physical contact, or unwelcome sexual attention.”

It may be difficult for some to look at a document such as this and square it with the fact that a posse of MAGA-hat-wearing alt-right shitbags could have wandered around the Hotel Pennsylvania with what appeared to be total impunity, at liberty to harass or intimidate conference-goers.  But a closer look at the history of HOPE and the east coast hacker scene (particularly in New York) can shed light on this topic, I believe.


The Power Was Inside You All Along


To truly know and understand the east coast hacking scene, it is possible that you need to have experienced hacker events in New York, Philadelphia, or Pittsburgh in earlier years.  Better still would be a history of attending the parties or crashing at the spaces and homes of various hacker collectives in the mid-Atlantic region.  I can recall gatherings on the rooftop of the Hacker Halfway House in Brooklyn or PumpCon or even down in DC… occasions when most of the best things happened without explicit authorization because folk simply seized the moment and made coolness happen.  Whether by slipping a maintenance man at a hotel $20 on the side in order to unofficially have a meeting room or by “happening upon” a source of electricity near a pool to set up a DJ’s table… many of us were simply accustomed to asking forgiveness instead of permission.

A lot of this mentality still percolates through the hacker scene in NYC.  A classic example of this at HOPE could be seen with regard to the “signage on the floor” near the info booth.  For those unaware, there were some raised eyebrows early-on in the conference regarding a message that was written on the floor using masking tape.

While it encouraged attendees to read published information before asking questions with obvious answers, the brusque delivery of such a message had some folk taken aback.  And one can admit, while the sentiment is something with which most hackers would agree (learning on your own is better than immediately asking for help before you’ve even tried) the manner in which this was being expressed was somewhat uncharitable.

When this was pointed out to the con, their response was a distinct non-response.  What unfolded was very characteristic of HOPE… they didn’t immediately move to address the concern, but at the same time they didn’t stand in the way of others who eventually chose to edit the sign themselves.  When @ystvns & @dbateyko knelt down and rearranged the tape letters to spell out something different and more constructive, they weren’t stopped by security or reprimanded by event staff.  Quite the contrary, the official HOPE twitter account sang the praises of folk who took it upon themselves to remake their environment in a way that better suited them and their needs.

This is part of what makes HOPE special.  They show true support for the hacker ethos of “if this thing isn’t working for me the way I want, I should find out how to change this thing!”  And that’s great… with regard to modifying technical systems, options for cheap food, or how to play your music at a party.  Where this kind of thinking no longer really works at large events has to do with security of the group.  For context, there are many hackers (particularly at HOPE) with deep roots in both the punk and Burning Man communities… such folk are familiar with places where groups self-police from top-to-bottom.

The punk shows of my native Philadelphia in the 80s and 90s serve as an example here.  I can recall being in the basement of the Unitarian Church or the TLA on South Street… when white pride skinheads would show up and try to crash the concert, seldom did the crowd wait for event security to deal with them.  Fists and elbows were thrown in the circle pit until the fascists understood that they weren’t welcome and had to get the hell out.  Scans of some very old photos of mine illustrate this point…

a lead singer admonishes fascists and encourages the crowd to stand up and protect one another.


circle pit immediately in the aftermath of a fight.  assholes were forcefully ejected from the venue.


group unity and principles of relying on one another to be safe and be strong are reinforced by the band


another anti-fascist / anti-racist band reminds everyone that we have to look out for and protect one another



But the past is the past.  Try that today and what do you think would happen?  I guarantee you it would result in two things:

  1. Both the racists as well as the regular attendees would be ejected and wind up next to one another on the same curb outside
  2. Instead of just taking a punch and going home, the interlopers would call police who will respond and, quite likely, side with the proud boys


Burning Man, too, has a strong philosophy of self-reliance and self-policing.  Burners in the hacker world might take a similar view of how to handle intruders.  They value immediate participation, and principles such as civic responsibility and communal effort would likely have some folk thinking that the ideal of “if you see a problem, step up and try to fix the problem!” would apply even to security threats, not just faulty art installations or people who need more water.  Indeed, the head of HOPE’s security detail (a venerable member of the Burning Man crowd) expressed such a notion to some of the speakers and attendees who were inquiring why event security wasn’t implementing the Code of Conduct more directly and immediately.  Here, we see Roadie responding to two women who stated that they observed harassment and that reports the community made to staff were not acted upon.  When one event speaker, Gus Andrews, acknowledged aloud that, “There is a need for somebody, hopefully someone with the spoons to handle it, to take point on the Code of Conduct,” Roadie shot back later that day with an exasperated-sounding, “OH MY GAWD! That person should be YOU. Why defer and hope ‘someone’ will do it? If you have better ideas don’t you think you should share them and help the process get better?”

Permit me to assert that, while this is a fine viewpoint to have during the rest of the year, when people are all at their desks and have the time and the spoons to put in such efforts, it is a rather unhelpful comment during the actual event.  Attendees who came to NYC expected to spend their energy, time, and resources participating in the con, not fixing the con or protecting others who needed to stay safe.  I, frankly, do have the energy and willingness to work on this matter (which is why I’m planning to engage with the organizers and staff if they will have my input) but that doesn’t mean I feel great about missing out on more than half of the event because I spent time escorting LGBTQ folk around the con floor or walking speakers to and from their hotel rooms when they were being stalked and harassed.

During the event itself, the organizers and the security team could have done much more to become directly involved in the safety of the participants and speakers instead of waiting for the attendees to make the first move and report problems, urge action, etc.  The HOPE official twitter account announced on Saturday afternoon, “Anyone who’s a nazi, preaching hatred/racism or harassing someone will be booted from @hopeconf.  But you have to let our security team know!”   Again, this illustrates the wildly differing views that the organizers had compared with the expectations of attendees when it came to security proactively engaging with the alt right crowd who crashed the party.

Ask yourself, would you expect this kind of public statement from a major league baseball team if a loud, angry drunk was running amok in the upper deck of their stadium during a game or from a rock concert venue if someone was setting off fireworks in the aisles during songs?  Yes, attendees should report problems to event staff… but the event itself should also have a significant enough presence on site and they should be in direct communication enough with their HQ and Dispatch so that their staff can step in before things get bad enough for attendees to have to complain en masse.

Which leads directly to the next point…


Why Speak Up When There’s No One Listening?


The other side of the equation of the “attendees need to step up and take responsibility and report problems to the conference so that staff can handle them” argument (which, as mentioned above, isn’t quite the best position to take in the first place) is the (one would think obvious) need for said staff to appear receptive and helpful in the eyes of the attendees.  Yet – as we saw from multiple statements by many of the people at HOPE – a lot of the blue-shirted staff members at the conference reacted to reports of problems by the alt right trolls either by (a) informing people that they had told the “wrong” staff members and directed them elsewhere or (b) by actively shutting down reports of problems with pushback that ranged from “that doesn’t fit the definition of harassment” to “did you do anything to provoke them?”  This, in my view, was the biggest issue where HOPE did not meet the expected standard to which the community was rightfully holding them.

By now (especially if you’ve read any of the above-linked articles or twitter threads from people who were in attendance) you are aware that many individuals described interactions with HOPE staff members that left them shocked over what was seen as gross insensitivity toward victims attempting to report problems or what was interpreted as distinct camaraderie between certain staff members and the very instigators from the alt right who were causing trouble.

I’m not here to complain about the fact that HOPE security forced one German kid to return a MAGA hat which he snatched off of the head of one of the alt right trolls.  Physical actions, unwanted physical contact, and theft of personal property are all bright-line, clear-cut transgressions of any reasonable Code of Conduct and event rules.  I agree that HOPE did the right thing in returning the stolen property.  If this makes you stop reading, feel free.  Please see the cashier in the ticket booth at the top of this page for a full refund of your internet dollars that you spent to browse my blog.

What I and others most certainly are pretty justified in being shocked and appalled about, however, is the fact that many reports have surfaced of HOPE staff members speaking with dismissiveness or outright disdain to the attendees… and HOPE staff members being visibly chummy (or even laughing over drinks off-site) with the individuals who arrived intent on causing problems.  That is not OK.

Any event of this scale should have staff who are trained in even a cursory manner about how to interact with attendees (particularly attendees who appear to be in a crisis situation or who are attempting to solve a problem that’s troubling them) with respect.  Staff should be trained how to see things through a lens of professional detachment and how to avoid the perception of taking sides or being biased.

I have personally listened to the audio recording made by Unicorn Riot reporters while they attempted to describe problems taking place upstairs to staff, only to be hushed and dismissed… and part-way through that conversation Koosh arrives, very loudly hollers at everyone, and proceeds to assert that any iconography (including Nazi apparel) is fine at HOPE, according to him.  This as well as other accounts from different attendees who had similar conversations are going to be hard for HOPE to manage, given this tweet… because I do not think that Koosh or other staff members are personally to blame for such interactions.  They were under tremendous stress and were not equipped with a playbook and guidance from leadership before this event kicked off.

I personally watched Bernie S – a staff member who is older, is a cis het white guy, and is over 6’ tall – aggressively talking down to a near-tears trans woman who was all of 5’4” and weighed maybe 115 lbs soaking wet with rocks in her pockets.  I kept stepping back since I wasn’t directly in that conversation and I was trying to be polite and maintain a respectful distance, but his increasing volume levels resulted in my repeatedly overhearing what was being said.  Bernie is a long-time friend of mine.  He is a terrific hacker and event runner.  But he should definitely not have been put into a position where he was interacting with victims.

Currently I am not aware of any single HOPE staff member (including individuals on the Code of Conduct team) who had any professional training in Incident Management, Crisis Intervention, or Victim Assistance.  Diverse groups – everyone from NOVA to the DOJ – have training programs that are available, often online, for this kind of education.

While most staff members appeared to simply be un-equipped with the right tools to do emotional triaging and take statements in a neutral and supportive manner… there were a minority of HOPE staff (particularly on the security team) who appeared to be outright antagonistic to attendees with concerns.  I have already mentioned above the widely-disseminated photos of HOPE security staff sharing laughs and beers at Hooters with a group of the disruptors.  It doesn’t matter if these people are legitimately your friends in real life… at the con, when you are event staff, you are obliged to adopt a neutral and unbiased posture if you wish to convey to attendees that you have their safety and well-being at heart.

This is to say nothing of the ongoing conversation that was taking place all weekend via IRC / SMS-IRC which was full of HOPE staff members and their associates blatantly speaking ill of the event attendees and speakers.  A small sampling of such chatter includes…

<recoXXXXXX> Who else is in the room with the traitor giving the talk?  [the “traitor” being Chelsea Manning… the invited keynote speaker who reported large men who tried to corner her and who followed her back to her room, only to be told by event security that they would not kick out the individuals who were known to be causing havoc at the conference]

<ch0lXXXXXX> I think I will some wear nationalist t-shirts at defcon this year.

<ch0lXXXXXX> I should have kept my swastika tat.

<licuXXXXXX> maybe some trump challenge coins would be good for the lulz

<lameXXXXXX> Its all the fucking trannies causing shit woth their fucked up hormone levels and frahkle psychiatric state

<recoXXXXXX> Please force add (XXX) XXX-9274 chelseas-dick

<mathXXXXXX> Wow look at all you mofos not helping clean up hope

<recoXXXXXX> Get the coc crew to help

<recoXXXXXX> Since it’s their con according to them

NOTE – I’m redacting the names here because I cannot personally verify a primary source on that IRC chat log dump.  But more than one person who allegedly was participating in (or was force-added to) the chat has acknowledged it took place.  I will let internal HOPE investigations make their own determination of veracity there.

Disrespect for speakers, attendees, or fellow staff members makes an event look disorganized and chaotic.  Again, to be totally clear… I think that everybody has the absolute, unquestioned right to hold whatever views and beliefs they wish in their own head and in their own heart.  My criticism here is not about that.  However, an event most assuredly is not out-of-line if they opt to instruct their staff (especially their security team) that when they are working and representing the conference, they are obliged to maintain a respectful and neutral attitude and decorum.  I mean, can’t you keep hatred and bullshit like this in check for just one bloody weekend?  With anything less than this, the attendee base as a whole begins to question whether the event has everyone’s best interests at heart.


The Right to Be Anonymous


HOPE may be one of the last remaining events with what used to be the universal photo policy at all hacker gatherings.  Explicitly stated in the program and reinforced verbally by staff if someone is breaking this rule, the HOPE conference values the privacy and anonymity of their attendees to such a degree that the working rule is “do not take crowd shots, and do not film or photograph individuals if they do not consent to being filmed.”  That is solid doctrine, in my view.  It’s harder and harder to enforce (both in terms of how covert many cameras are nowadays and also due to changing societal norms surrounding the use of camera phones, social media, etc) but HOPE has held to this policy for ages and I salute them for it.

However, on at least one occasion of which I’m directly aware (and I have anecdotal but unconfirmed accounts of others) some of the alt right infiltrators either reported attendees filming them to security (in an attempt to have the regular attendees disciplined / thrown out) or they outright threatened other attendees in regard to being filmed.

I personally witnessed HOPE conference staff engaging in team debates about how to handle such matters.  (Again, the staff members involved can hopefully confirm that I was not trying to eavesdrop and that I repeatedly backed off as I waited to speak with them.  It was clear that they were engaged in heavy discussion and it wasn’t my place to be a part of that conversation… but for as much as I stepped away, voices kept raising and I inadvertently overheard parts of what was being said.)  I recall one distinct conversation between CoC team members as they seemed to agonize over the language of the photo policy when one of the MAGA-hat wearing provocateurs reported another event attendee (a speaker, in fact) for “filming him without consent.”

I stood by, dumbfounded, as they tried to dissect the situation and figure out whether this filming was a violation of HOPE’s event rules (they appeared to decide that it was) and then determine what remediation action was going to be necessary.  Again, hindsight is 20/20 and I’m going to try to word my thoughts in a supportive way that doesn’t come across as Monday-morning quarterbacking… but any event policy that prohibits photos should be naturally understood to not prohibit documentation of specific abuses or problems if the person doing the filming explicitly demonstrates that they are doing so in order to report an issue.

Group / crowd photos or harassing photos when someone says “don’t film me” which then get posted to Facebook or Twitter are naturally something that I support HOPE in working to prevent.

Covert photos of harassment or fights or other evidence of incidents which someone then privately shares with organizers or with authorities at the hotel in an effort to stop a problem are not at all something that I think should be prohibited.


You Can’t Define Good Faith… But You Know It When You See It


The above-described problem illustrates exactly what was so insidious about the alt right infiltrators and agents provocateur at the HOPE conference this summer.  Dedicated and well-prepared trolls have a specific plan for their actions.  They know exactly where the line is and they take great care to not cross it.  Instigators like the MAGA hat crowd whom we saw at HOPE had a playbook and they kept to it like well-rehearsed professionals.  They successfully weaponized the conference rules to their own advantage while catching the rest of the attendees with their guard down.

And here is where we see just how important it is for event staff to have the freedom to use their best judgement in edge cases.  Let’s say you’re walking down 7th Avenue near the Hotel Penn one night and a stranger approaches you.  They aren’t doing anything that is outright illegal, but your spider sense tingles.  You are pretty sure that they’re up to no good and that you are maybe being set up for a mugging or for a street scam or something else undesirable.  Everyone should pretty much understand that you are under no obligation to keep interacting with them and that no one would blame you if you want to get away from them.  So you cross the street or you quicken your stride… and perhaps are met with some string of objections from over your shoulder as they protest that they “weren’t doing anything wrong!” and so on and so on.  But, let’s be honest, you knew that they were up to no good and you took the proper steps to protect yourself.

Conference events have this same right.  An attendee who is disrupting talk sessions (but not going so far as to make actual threats) or following women down hallways (but never actually getting close enough to touch them) or getting directly in someone’s face (but not actually pushing them) knows exactly what they’re doing.  They are playing “within the rules” but finding ways to still make others feel threatened, unwelcome, or unable to participate in the conference.

This is nothing more than a grown-up version of the immature little kids’ nonsense of “I’m not touching you!” in the backseat of a car.  Yes, technically the person is “following the rules” but (and here’s the key thing) they’re not acting in good faith.

In such a hypothetical family road trip scenario, what happens next?  Does anyone honestly know of such a situation wherein the parent in the front seat would ever adjust their rearview mirror, look at what was happening, and then simply proclaim, “Well, Chris, they’re right… Sam honestly is not touching you!  So there’s nothing anybody can do about it.  Sorry!”

Of course that’s not what would happen!  The parent would whip their head around, scowl at the misbehaving child, and sternly say, “Knock it off, Sam!”  Why?  Because the parent can easily see what presumably the HOPE conference leadership was unable to discern for an entire weekend:  that it’s possible to “follow the rules” while acting in bad faith.

Let me be very clear: Bad faith attendees have no place at an event.  They are not there to learn.  They are not there to participate.  They are not there to better the experience of others.  While it may be true that such individuals are “following the rules” it is completely reasonable for event staff to take a proactive stance and confront them.  How would such a possible interaction be handled?  Allow me to quote from an actual example script that I offered to someone during the weekend of HOPE.  (This tactic was not employed, but it’s an example of exactly what I would have said to these instigators had they been at one of my events.)


Security: “Pardon me.  Can we speak with you for a minute?”

Troublemaker: “Yeah, what’s up?”

Security: “So, we noticed you wearing a lot of Trump symbolism and being very loud and full of bluster around a number of people here.”

Troublemaker: “Yeah, I’m very passionate about my political views.”

Security: “Well, we’ve been getting some complaints about that, and folk are alleging that you’re intentionally just trying to cause trouble and sow discord.”

Troublemaker: “What damn snowflakes said that?!  I’m not doing that!  I’m just here to attend the event.”

Security: “Oh, ok… So you’re not trying to start fights or anything like that?”

Troublemaker: “No way, man, not at all!”

Security: “Wow, that’s a relief.  You had a lot of people worried and asking for you to be removed.  I’m very glad to hear that you’re not here to cause problems or harass anybody.  So then let me tell you how this is going to go…  There are specific individuals at this event who have been targets of harassment campaigns.  They have no desire to speak to you.  I’m going to make sure you understand who they are, because you are going to not approach them or speak to them in any way.”

Troublemaker: “Uhhh…”

Security: “To be clear, you said you’re here just to enjoy the event and not cause a problem, right?  People who do not want to speak to you are not obliged to speak to you.  And if you keep trying to speak to them, we consider that to be harassing behavior and you will be asked to leave.  Similarly, if any other attendee at any time decides they don’t want to talk to you and tells you ‘don’t talk to me’ you are not to speak to them.  Or else you will be asked to leave.  So, if you are truly here with no intention of causing any trouble or getting in anyone’s face and pressuring them to speak to you when they don’t want to, you’ve got nothing to worry about.  But if any of these individuals reports to us that you’ve spoken to them or sends us photos of you coming anywhere near them, then we’ll know you can’t follow simple rules.  You just told me you weren’t here to cause a problem.  If you can follow the rules, I will believe you.  If you cannot follow these very simple rules, then I will not believe you.  And you will be asked to leave.  Now, if you think this is going to be too hard for you, I am happy to go get you a refund right now if you think this event is not for you.  So, are you going to show me that you can be a grown-up, not cause trouble, refrain from speaking to people who have said they don’t want to speak to you, and not approach anyone who doesn’t want you around them?  The choice is entirely up to you.”


You may criticize me and say that this would be putting the MAGA-hat wearing alt-right group into a “no-win” scenario.  To say this is to miss the point entirely.  These infiltrators put all of the attendees and the conference as a whole into a no-win scenario.  Calling them out on their bullshit and giving them the choice of…

  1. behaving as expected (shocking everyone in the process)
  2. getting the fuck out

… is the only appropriate course of action, in my view.

No amount of “that’s not fair” being screamed from the backseat of a car should change a parent’s mind when they’re dedicated to disciplining an unruly child.  And no amount of butthurt from some proud boys on /r/theDonald should make a conference waver in their dedication to ensuring that their event runs smoothly and their attendees feel safe and able to enjoy themselves for the reason that they all came to town.

Matthew Garrett put it best on Sunday after much of the shenanigans by troublemakers at HOPE. “Conferences are under no obligation to represent the community as it is,” he wrote.  “Conference organisers get to choose to represent the community they want to see.  If your conference attendees are repugnant, you bear responsibility for that.”



Specific Suggestions and Actionable Advice


This massive brain dump was something that I felt compelled to do, but if we are serious about improving things for the future, perhaps it’d be best if I were to distill my thoughts down to some specific suggestions:


  1. Security staff are mostly seen controlling the outer perimeter of HOPE. At the base of the escalators or at the elevator landing on the 18th floor you can reliably encounter staff shirts and security engaging with folk, checking badges.  However, there were many talk tracks where security or even staff presence seemed virtually non-existent, save for an A/V person or two.  Likewise, out on the main con floor on the Mezz level… security tends to gather at their dispatch desk, but was only infrequently seen walking around and getting a pulse of how the event was flowing.  That is a posture for being reactive, not proactive.  Please consider bringing on additional staff whose positions would entail being seated in talk tracks up by the stages, looking out at the crowd, and reporting regularly to Dispatch on the state of things in the rooms (not just security things… but even stuff as mundane as “A/V badly needs a replacement power strip” or “the water coolers are all empty in here.”)


  2. HOPE should acknowledge (indeed, anyone running an event should acknowledge) that organizers and staff have an absolute right to confront someone who is perceived to be a jerk or causing problems. Furthermore, HOPE could acknowledge that they absolutely have the power to take proactive steps and head problems off at the pass.  I wrote as much during the event, suggesting that organizers should step in and give everyone present (regardless of their politics or beliefs) the immediate choice to remove hateful iconography or leave.  HOPE did not agree with my assertion, replying to attendees’ concerns with the curt (and inaccurate) statement, “We can’t ban MAGA hats. It’s absurd to think we can.”  This twitter thread shows much of the debate seen on all sides of the issue.


  3. Please do not take criticism of your event as though it is a personal insult leveled at you directly. I genuinely fear that my decades-long friendship with individuals such as BernieS may be irreparably damaged after this past HOPE event.  I witnessed Bernie replying to many attendees and speakers with a level of ire and contempt that would normally be reserved for persons who had called someone’s mother unkind names.  I witnessed other staff members treat attendee concerns as though they were playground squabbles, offering Judge Judy-esque “don’t bother me with this nonsense” kind of replies.  It felt like some of the senior staff were taking these criticisms of the event personally.


  4. I believe many of these problems would be ameliorated if there were individuals on staff who had been afforded the benefit of professional training in crisis management and/or victim advocacy. While this doesn’t have to be something that every single staff member takes the time to do, department heads at the very least would be well-served by it.  And, most of all, at any given time of the day or night there should be at least one trained person on shift in the role of the official attendee ombudsman who is there to interface with people who are having major problems, to do emotional triaging, and to advise security or event management on what the next best steps to take would be.


  5. Part of such foresight and preparation involves tabletop planning. Think not just about the expected scenarios but about the worst-case scenarios.  We have witnessed time and time again how the HOPE security staff excel at being positioned and prepped for exactly the kind of awful, unexpected events that take place occasionally when you combine unathletic hackers, plenty of recreational substances, and a hotel that was seemingly constructed before the notion of OSHA or general principles of safety were ever invented.  Indeed, this year when one attendee had an awful accident on a Segway, his life was quite possibly saved thanks to the quick effort (and, equally important, the training and planning) on the part of HOPE security staff.  Tawnie and others worked to maintain an open airway, stop bleeding, and coordinate with emergency responders.  Unfortunately, it seems that the CoC crew was put into a very hard position given their newly-created status and what (I’m so sorry to say) appears to have been an over-abundance of optimism.  This is clearly seen, I believe, in this tweet exchange, wherein a con staff member asserted that part of the difficulty this year stemmed from the fact that the HOPE conference “had no idea that any of this would happen.”  I have a hard time wrapping my head around that.  HOPE has always been a political event.  They have always courted and danced with controversy.  And this year, amid what is arguably the most tumultuous political climate that many of us can recall in our lives, they invited one of America’s most controversial figures to be a keynote speaker.  Forgive me if this sounds abrupt, but the event simply cannot claim that they had no way of knowing that some people may have had a problem with this.  I am trying so very hard to speak in a supportive way about the event staff, especially the Code of Conduct team, given what they were put through.  I hope that my feelings for all the staff were conveyed properly when I stepped out briefly and returned with armloads of gifts in the form of chocolates, fruit, crackers, protein bars, hand lotion, lip balm, Aleve, and NERF guns in the hope of helping them manage stress in the face of everything.  My support for the staff remains, but I feel that it’s disingenuous for the conference to say “how could we have known?” when all this was said and done.


  6. More than anything else, I would like to see the HOPE Conference empower their staff to make their own best judgement calls in situations where the organizers are not present or not reachable or whenever exigent circumstances arise. As I mentioned here, I had a remarkable conversation with Doug, one of the HOPE staff members who was running A/V during talk sessions.  He explained that as news started to surface that alt right trolls were attempting to disrupt talks by taking over the Q&A sessions, one of the concerns on the part of some members of the A/V team who were running sound was that they were “worried it might happen in a talk track where [they] were working.”


I asked what he meant by this.  I inquired if he wouldn’t have simply cut such a person’s microphone if they started to spew vitriolic hate speech.


“But how could I know if I’m allowed to just cut their mic?” he asked me in reply.  “Do I have that kind of authority?  Would HOPE come down on me for stifling free speech?”


I responded to him simply, “If not you… who?”


So, yes, it felt to me that there was very little in the way of empowerment from the organizers regarding how to handle these situations.  No instructions were given and no preparation of the staff appeared to have taken place in advance of what just about anyone could have predicted was going to be one of the most controversial HOPE events yet.


I asked Doug, “What if someone at the Q&A mic just started using the n-word or shouting ‘Kike!  Faggots!  Spicks!  Fuck you all, goddamn commies!!’ or encouraging people to smash things?”  I said, “Would you have put a stop to that?”  He said yes, he would have.


So, hopefully, perhaps we could agree that it was indeed his place and within his power to regulate the room when that’s needed.  When asked how he could know where the “line” was, I simply said… “You’re a decent person.  Trust your gut and listen to your heart.”


If someone is acting in bad faith and not making an honest attempt at dialog, then they don’t deserve the whole room as their audience.


I’ll conclude with another hat tip and head nod to the venerable Burning Man element in the hacker community.  Without individuals who know how to pull together grand, life-changing things on a shoestring budget and very little sleep, many of the cons we all love to attend would simply not happen.  But there will continue to be a tug-of-war between the Burners and the more “mainstream” citizens in hacker land.  This manifests at many events.  A dear friend and key figure at a number of cons is Scotland Symons… and she and I have had more than one discussion in the past about another magical and biennial hacker event: ToorCamp.  Being a Burning Man veteran, Scotland is always keen to see ToorCamp operate using constrained resources that encourage attendees to do more with less and plan ahead so they can see to their own needs for a week at the very edge of our nation’s boundaries.  She and I might debate the merits of trash collection services on the campground, however there’s one element of ToorCamp where self-reliance is never the order of business: attendee safety.

Anyone who attends can reliably expect to be in a safe environment, free from harassment or abuse.  That is not up for debate or discussion and efforts to ensure this are never farmed out to anyone except the event staff.  And with everyone secure in the knowledge that their basic safety is taken care of, the attendees at ToorCamp are free to cast aside their concerns, their inhibitions, and often their clothes as they teach and learn and talk and create amazing technology and art.

When you agree to stay on someone else’s turf, certain things are “amenities” or simply “nice to have” while other core needs are understood to be guaranteed and functional.  Let’s say a rock band who had been on hiatus for a long time decided to get back together and travel to a luxury cabin in the mountains for some secluded time that would afford them the opportunity to write new music and lay down new tracks.  They’d have little grounds to complain if there was no delivery food service or decent phone reception.  But if they found that the power was out or they were asked to fix the plumbing in order to cook or take a shower, then they might start to object pretty loudly.  “We’re paying you to be here!  How can you not have basic utilities functioning?” they would ask.  The cabin management wouldn’t really have reasonable grounds to respond, “Well, think of how empowering it is for you to discover all the ways that you can manage for yourself under these conditions!”  While such a test of will and skill may indeed be rewarding to some individuals, that wasn’t the goal of the band’s time away.  They wanted to collaborate on art, making new music, and they hadn’t planned on wasting much of their precious time doing maintenance labor.

At HOPE this year, I missed out on many magic moments.  I didn’t get to attend a number of talks I’d been super excited to see.  I didn’t get to say hi to many of the friends I encounter so rarely these days.  I didn’t get nearly enough sleep.  This is because I – and many others with me – spent so much of my time chasing down problems, intervening in tense situations, escorting speakers to their hotel rooms, and looking after my staff of volunteers.

I very much hope that next time around in 2020, the event staff and security will be positioned for a more proactive approach to potential issues and all of us who attend HOPE will once again get to dedicate all of our time to participating in the wonderful magic that exists there without having to look over our shoulders for troublemakers looming in hallways with undeserved confidence they won’t be kicked out the moment they rear their heads.

I am still considering being back in NYC for another HOPE.  How about you?


Post Script – For those of you who I’ll be seeing two weeks from now as opposed to two years from now, it looks like DT and his whole crew at DEF CON are totally spun up on this issue and ready to confront any alt right interlopers, head-on.

Months ago, when Tarah and I were visiting Mike and Liz Poor over in Port Townsend, we visited an antique shop.  I typically pick through old cookware looking for cast iron to re-season or have a look at old pocketknives while my wife seeks out stemware that matches our pattern, because having extra goblets and cordial glasses always comes in handy.  However, I never would have expected to make the discovery which I did that afternoon.  Way down in the basement, amid other unloved items, was an old US Postal Service mailbox.  I do not mean a blue collection box.  I mean a segment of what were once a series of many individual boxes all along the wall in a town’s Post Office.

It was marked as $80 and the woman working there stated that she “thought it had keys” but this turned out to simply be a huge jar of unmarked and well-worn keys that were mostly worthless.  It would take me forever to decipher which keys serviced what doors… and even then there were bound to be doors that couldn’t open.  The box itself had been subject to years of use and at some point became the victim of a very unfortunate paint job.  Still… I knew I had to have it and almost instantly had an idea for a project.  After negotiating down to $60 we managed to get this heavy beast up the stairs and out to my truck.  And there you see it, sitting in our basement… where it remained for a time.

Very fortunately, the unit had no back (after all, the rear side of a box like this would normally face into a back room at the Post Office so that staff could slip mail into each cubby hole for the recipients) and I was able to reach through and manually trigger the spring-loaded door releases.  So I could open each flap and inspect the inside.  The mailboxes would at one time have been equipped with Federal Equipment Company “Grecian Style” combination locks (the embossed “star” pattern on each metal door features alphabet letters arranged around in a circle which were used for dialing the combination) but those locks had been retro-fitted at some point with keyed locks.  I removed one cylinder for closer inspection.

I took off the door, as well, while I was at it.

I set most of the parts aside at first, because I wanted to focus on the lock.  The idea I had in my head involved re-pinning and rebuilding these locks for a contest.  Now, while contest locks don’t necessarily need working keys, I knew I’d need fresh keys if I wanted to use this box in day-to-day life (and also having blanks around would make disassembly easier).

These lock cylinders feature a small downward-protruding cam (which is affixed mid-cylinder as opposed to out at the tail) to engage the door release.  They also feature a rather unique keyway.  It looked almost exactly like a classic Yale 8 keyway… but something didn’t seem right.  I grabbed a Yale blank and it fit… but only if I inserted the key in from the tail side!  Yes… just as I suspected, these locks used what was once a famous key: the “Reverse Yale.”

There are threads on some lockpicking forums about this key, and how the blanks are ostensibly very restricted.  According to Knowledgeable Internet Persons™ it’s a Super DoublePlus Bad Crime to possess such keys and it is not easy to source blanks.  I wasn’t going to let a little thing like alleged Federal regulations stop me, though.  😉

With some very appreciated help from fellow TOOOL member and noted antique lock restorer Nite0wl, we started looking through key references.

I measured a series of assorted conventional Yale keys I had in my shop and tried to determine exactly what keys might work.  While US companies like Ilco may defer to our regulations, foreign suppliers like JMA and Jet have no such compunction.

I found two likely candidates and ordered them, then created a keying chart to achieve the results I had in mind.  I checked my LAB pinning kit and noticed some of the trays were a little low on quantity… so I also ordered some replacement pins.  A few days later, I was ready to take the next steps.

As I had awaited the key blanks and pins, I took a shot at picking some of the locks on the mailbox.  While a number of them would open, many were really janky due to age.  And the Yale keyway is close enough to paracentric that it’s not a trivial task to pick.  I didn’t find the idea of manipulating sixteen of these locks in a row appealing.  Thankfully… those who have been in our classes before know that we advocate rear-side shimming with the use of thin slips of metal and a blank to ease disassembly.

So things were looking up!  These locks, old and corroded though they may be, were opening pretty easily for me.  One curious note I had pertained to the numerical codes stamped on to the rear of each lock.

At first I wondered if these could be direct bitting codes, but as you can see… that’s not the case.  Oh well, no worries… I was not planning to keep the original pins and bitting of all the locks.  Everything was going to be rebuilt 100% fresh.  And speaking of fresh, these locks needed some extra care and attention before I could consider them useful again…

This corrosion and tarnish simply would not do.  So it was time to break out the WD-40!  Now, as many folk will tell you, WD-40 is not an ideal lubricant to use on locks that are in service.  However, if you have old and corroded locks… WD-40 is not a bad product for cleaning and breaking free old, tarnished parts.  One of the most interesting ideas I ever heard was someone who advocated putting all their old restoration project parts in a bucket, pouring WD-40 in there, sealing the lid, and then keeping the bucket in their trunk as they drove around for weeks.  But I didn’t want to wait weeks.  It was time for an ultrasonic bath…

After merely 30 minutes in WD-40 under heavy cavitation, this is how the plugs and housings came out!

Not bad, right?  I laid out all the parts and was very happy with how things were shaping up…

… I thought that the very front face of each plug could use a little more shine, however.  Being the most exposed part of the locks over the years, they were subject to the most handling, fingerprints, etc.  I grabbed a rag and some Brasso and shined up those front faces!

That sure spruced things up.  I also, however, left some of the Brasso residue packed into the keyways and I wanted to flush that out of there.  I tried blasting some air and wiping the parts off, but honestly, I had the ultrasonic bath right next to me and it was still full of WD-40 so I said why not give things another round?

Everything came out fresh and clean.  But, as we have said many times, WD-40 is not an ideal lock lubricant.  So after wiping everything dry, I gave a good treatment of graphite to the inside of the lock housings and across the plugs.

Now it was time to try to do something about the very unfortunate heavy coating of mauve paint that had been applied to those metal doors.  It was really caked on and had been there for decades.  So I wasn’t sure what it would take to get it off there.  I started out by trying odorless mineral spirits…

When the OMS didn’t work (even in a heated ultrasonic bath) I asked the staff at Home Depot for suggestions.  They sold me a small tub of a thick gel stripper compound, and said to let it sit for a while on the part.  I tried that…

And that didn’t make any difference.  So I returned the gel and then started to throw everything I could at the painted metal…

I left little portions of the metal doors coated in spots of product and waited a while.

While a few spots resulted in some tiny flakes if I really rubbed and scrubbed hard, nothing seemed like a truly functional solution.  These metal doors feature all kinds of crenelations and stippling all over their surfaces.  I couldn’t dig in with hours of effort on all 16 doors just to hopefully get the paint off.  But then, a breakthrough…

One spot on one of the frames started to show some good signs of flaking after I let things sit a bit longer.  I checked my notes, and it turns out this was a spot treated with Jasco Paint Stripper and Epoxy Remover.  So, the most caustic and formidable product I had was likely a big enough gun to fire at this problem!

If you have a project like this at home, I cannot stress enough just how dangerous this substance is.  It’s not going to eat away at your flesh like xenomorph blood… but it will not escape your notice if you get any on yourself.  Rinse it off quickly, lest you start to feel a burning sensation that won’t abate until you flush the area with water.

Wanting to maximize the effect of things, I prepared another hot bath and had some success with one test piece…

… then I started running the parts through it in 3 to 5 minute rounds each…

… basically I was taking doors off the front of the box and dropping them into the Jasco bath, and with each new door going in on one side of the tub, I’d pull one out of the queue from the other end.  It was like an assembly line.

I was of course disassembling all the other components from the doors as I removed them…

As I pulled the doors out of the Jasco solution and let them sit, the impact of the heated agitation was immediately obvious…

With the paint finally worked loose, I was able to use a wire brush to scrub it all away.  The deep grooves, the stippling, all of it came clean and revealed the wonderful original brass beneath.

I was thrilled to have finally stripped the metal clean of all that old paint.  But, of course, I didn’t want to leave the doors in this condition.  I wasn’t going to let caustic chemicals remain in the grooves and hinge crevices, etc.  So I put them back into another WD-40 bath to soak out all the remaining Jasco while I turned my attention to the next phase of the project.

It wasn’t just the gorgeous old brass doors that had been painted over.  The wood cabinet itself was a dull khaki color and had some government codes stamped on it.

As neat as that is, I was planning to use this as a display piece in our home and at an upcoming event.  So I knew this would have to be sanded down.  I love restoring old furniture, so this was well within my wheelhouse.

The belt sander and my sanding pad made short work of things.  Given all the small, curved surfaces I’ve restored in the past… it was beyond wonderful to simply have nice, flat boards to work with!

The only spots where paint was a little recalcitrant were the dado joints, since surfaces didn’t match up perfectly smoothly.  But a little extra effort got them into line.

Finally the entire wood was bare on all sides and even on the small slats in the middle.

I had started with 60 grit and then 100 grit paper, then I did a pass with 220 to prep the surface for staining.  I took a short break from this effort by getting all the brass doors out of the ultrasonic bath to pat them off and let them drain, then I applied the first coat of stain and brought the box inside to dry for the night.

That evening, I set about the task of re-pinning all of the lock cylinders.  I had cleaned, polished, and lubricated them all so it was really a treat to see how smoothly they started to function as I pinned them up.  I had all of my proper, working keys for the task on hand (the JMA blanks were a perfect fit, and the keys were originated on a Blitz 1200, if you’re curious) and a detailed pinning sheet allowed me to progress through the task easily, as I listened to podcasts.

Because I didn’t want to mix up the locks once I had meticulously prepared them, I added my own numerical stamp codes to the rear sides of their housings.

Happy with the day’s work, I went to bed.  The next morning I awoke eager to keep at it, and that afternoon I was back downstairs and hauling the big box outside again for more stain.

With a second coat of stain applied, I had time to then begin re-assembling the individual brass doors.  I cleaned all the panes of glass (I was amazed that they had all survived and were intact when I purchased this piece) and I took care to not crack any of them now.

I reassembled the spring latch rods and fitted locks into their mounts.  The doors all worked like a charm.  🙂

Sixteen doors… all reassembled… all locks re-pinned… all lubricated… all brass clean and polished… it felt amazing, I won’t lie.

I went back outside and the second coat of stain had dried enough to begin applying Varathane satin clearcoat.  Things really started to look wonderful at that point.

I also took a look in my assorted oak board pile and found a piece suitable to become the back cover.  Some measurements and a quick run with the Skilsaw had a decent board ready for stain and coating.  After letting things sit in the driveway for a time while I did other work, I hauled them all back inside and applied another coat of polyurethane.

Much later that night, just before going to bed around 2:30, I went all the way back downstairs to apply one more coat across everything and let it dry all through the night.  The next morning was going to be the start of assembly day.  🙂

My goal was always to have this piece feature a finished (and enclosed) back.  Both for display purposes but also so that it could function as a contest at upcoming events.  (You’ll see how… read on!)  I pulled an old Abloy Protec cam lock from a previous project box and took some measurements.  I then grabbed a 5/8″ Forstner bit and marked the two very close points on the wood where I would drill for a Double-D prep for the cam lock.

It was a perfect fit for the cam lock body… but I still opted to install a metal reinforcing plate anyway.  Because if something’s worth doing, it’s worth doing right.  (Or, worth over-doing, as some folk say when watching me work. 😉 )

The same care and attention was taken when mounting the hinges and hanging the back panel door.  Precision, careful attention to detail, and pilot holes ensured the wood wouldn’t split and everything would fit perfectly.

Now, the back panel was only going to be 1/2″ thick (I didn’t have any oak sheets in 3/4″ or 1″ at the time) and the brass screws that came with the hinges would have poked through (always an utterly frustrating thing to happen when you didn’t anticipate that!) so thankfully I saw that coming and took the time to trim down the screws which would drive into the back door.

With everything looking alright, it was time to hang the rear door.

A small metal reinforcing L-plate on the inside was sufficient to engage the Abloy cam with a nice, snug fit when the door is fully closed.

It was now — finally — time to re-install all the brass doors.  This was a moment I had really been waiting for, since I wanted very badly to see things all back in their proper place!

I can’t really say how satisfying it was to have this all back together and to see all the keys work as they should, front and back.

And there you have it!

Now, dear friends, our story could have simply ended there.  A fun and satisfying restoration project… yes, all well and good.  But you may recall that I told you at the outset how I had specifically envisioned a plan for this box back when I spotted it in the antique shop.

Let me first haul the completed unit all the way back up the stairs and place it by my bar so I can tell you the rest…

You see, from the outset, I thought that this would likely make an ideal bottle rack.

But my wife (even back when I first discussed the idea, as we were riding the ferry back from Port Townsend) knew better.  While this is a very cool idea for a wine and whisky storage solution, it is not nearly as practical as our wall-mounted rack for the former and my bar shelves for the latter.  The post box, quite frankly, doesn’t display enough of the bottles to allow easy selection.  The little windows merely show just enough to tantalize but not quite enough to actually inform someone.

But what if the aim was not to give someone the whole picture?  What if we want to tantalize and entice someone else with the hope of securing a bottle for themselves?

Ladies and Gentlemen, I give you the next lockpicking contest I will have at an upcoming hacker conference:  The Booze Box

Remember when I said I planned out the pinning and bitting chart with care?  I had a purpose in mind.  My plan is to stock this box with an array of 16 different bottles of wine and whisky — with simple, economical delights at the top and progressing to rare red varietals and single malts as one gets further down — and set it out for aspiring lockpickers and drinkers to see what they can open!

If you look through the little window and see a bottle is still present inside… you know no one has yet claimed it.  Try to pick the lock… if you get the door open, the bottle is yours!

I hope this all works out.  And even during the rest of the year when I’m not displaying this as a contest at hacker events, it will live in our home as a conversation piece and one more in a long line of restored furniture which I enjoy.

So there you have it!  I hope that you found this story to be a fun read.  May it inspire you to tackle projects of your own.

Go create something wonderful.


My wife owns a small blue ceramic bowl.  I was never the biggest fan of it, since it doesn’t quite coordinate with anything in our kitchen (everything on the counters in there is stainless steel or Kitchenaid’s empire red) but she really treasures it due to the history this piece has.  So it finds its way here and there in our home, offering a resting spot for little odds and ends.  At least, it did… until it cracked.

Now, Tarah and I are pretty vehement about getting rid of things.  For every new item we have ever acquired since we became a couple, I’m going to guess that we have shed at least ten other things.  But every once in a while, you just can’t let something go… even if it’s in need of repair.  We value mending as a skill and like to get more use out of items when possible, but this has historically been relegated to repair of garments, electronics, or furniture.  Sewing, soldering, and either wood refinishing or welding are all solidly within our wheelhouse as far as skills go.  But neither of us had extensive experience with pottery repair.

Instead of trying to do a subtle and covert glue job on the handful of ceramic fragments from the broken bowl before us, Tarah asked me if I had heard of the Japanese process of Kintsugi.  I admitted I had not… but when I read about it, it pleased me.  From the article linked just there…


The practice [of Kintsugi] is related to the Japanese philosophy of wabi-sabi, which calls for seeing beauty in the flawed or imperfect.  The repair method was also born from the Japanese feeling of mottainai, which expresses regret when something is wasted, as well as mushin, the acceptance of change.


All of this is right up my alley, so when Tarah suggested we research methods for attempting this, I was instantly on board.  I checked with some folk among our local maker and hacker scene, but none of them had any insights to offer.  After some googling, however, it became apparent that some people have attempted a kludge-y method of this technique that simply involves mixing gold pigment into modern ceramic bonding glue.  We were game to try!


I purchased two simple supplies from Amazon… a tube of 3M ceramic adhesive and a jar of Jacquard gold pigment powder.  When they arrived, we simply re-created the steps that others had described in the occasional internet forum post:


1. Mix a dollop of the ceramic adhesive with a portion of the gold pigment.  How much?  Eh, the internet is non-specific.  We just sort of mixed in gold until there was a nice sheen and solid color but the adhesive did not appear to be turning into paste or otherwise losing its viscosity.

2. Load the gold adhesive gel into a baggie.  We just used our mixing toothpicks to spoon the gel into a zip-loc bag which was inverted.

3. Snip the end of the bag just a little bit on the corner.  Anyone who’s done cake decorating can see what’s coming next.

4. Squeeze the baggie to pipe the gold adhesive onto the seam of the pottery you’re attempting to repair.  You want good, even coverage so that when you press the pieces together they “splurp” just a little bit outside of the seam.  (That’s a scientific term, of course.)

5. Press together the pieces you wish to repair, and use rubber bands to hold them in place.  NOTE – it is immensely easier to apply the rubber bands with a second person participating in the process with you.  I frankly can assure you that there would have been a lot more swearing and crumbling during failed attempts if I was trying this solo.

6. So there you go!  After about 4 to 6 hours the adhesive will be somewhat robust.  In my experience, it won’t totally set until at least 12, however… so let it stay there overnight.  Proceed cautiously, one crack at a time, and in the end you will hopefully be satisfied and happy with your DIY Kintsugi repair!  🙂