InfosecN00bs, Part 1: Press Release

UPDATE 2017-07-29

This post previously stated that @BretMattingly was a member of the leadership of @InfosecN00bs. Just before DEF CON, @BretMattingly stepped away from @InfosecN00bs for unstated reasons. After this blog post was originally published, he took the concerns to @Hacksforsnacks_ and @K_5m00th, who did not want to return the funds raised, issue a statement regarding the matter, or take any corrective actions. The fundraiser was done under @BretMattingly's name because he was being set up to be the fall guy for when everything toppled over.

Original Post

The Twitter account @InfosecN00bs has posted an official statement regarding their failed crowdfunding campaign after a few people publicly questioned where the money was being used. The @InfosecN00bs group is run by @Hacksforsnacks_ and @K_5m00th.

Official Statement: Part 1
Official Statement: Part 2

To be perfectly clear: this is a press release statement playing damage control. @InfosecN00bs is a group that has solicited money from the community on more than one occasion. As with any press release, it is important to recognize going in that this is an organization and not a person, and to keep in mind that ultimately the organization has its own best interests at heart. One would hope that their best interests are also your best interests, but that often is not the case.

I will break down this statement piece by piece to assess what it is saying about the situation. I will also talk briefly and angrily about what ultimately led to this statement being released. I will provide constructive feedback on how InfosecN00bs can build a better community in InfosecN00bs, Part 2: Fixing the Problem.

Welcome To The Breakdown

First paragraph: Good on them for refunding. I think they should have taken this step before people started to question where the money went. It was clear with DEF CON a week (or even two weeks) away that their goal would never be reached in time. They should have taken a proactive, rather than reactive, approach.

Unless they were hoping people would forget. For now, let us assume they had the best intentions.

Second paragraph: What standards? This isn't a rhetorical jab. I am asking "What are the standards you set for this project? What did you determine a success would be? What were your plans if you failed?"

Refunding everyone is a good start to this failed campaign. But this only happened after doubt had already been cast on them and their motives. This is a reactionary statement hiding behind the language of a proactive statement. So far, anyways.

They try to take credit for starting the "crowdfunding trips to conferences" conversation. I saw them insert themselves into the conversation being had by professionals. They argued against people making good points against crowdfunding trips to Black Hat USA and DEF CON. Due to the large number of crowdfunding campaigns started at the time, many professionals in the infosec community held strong opinions about it. I wrote about my opinions in a previous blog post.
"This is an opportunity we would like to attempt to provide in the future."
I will talk about this in my next blog post.

Third paragraph: They don't try to hide the intent here. They address direct complaints that they hadn't made an update to their crowdfunding campaign for 18 days. This is what gives away that this statement is a reflex, not an action. They could have been playing effective damage control until they said this. They tipped their hand.
"While this that point is understandable (silence is not a good look for us), we must express our thoughts on the matter: Ascribing malicious or insidious intent to simple inexperience and unfamiliarity is so opposed to the values that make this community great that it should be considered forever unwelcome."
Here are the talking points and my commentary on them:
  • We were silent about the crowdfunding, we understand your suspicion.
Okay. Yeah. Nothing to say about this.
  • Suggesting we had malicious intent is wrong…
You are a new group asking for money. An unknown group. A group whose leadership is intentionally obscured, who moderate their community without a code of conduct, and who raise funds on the goodwill of the infosec community without knowing what to do once you get the money.

Questioning you and asking for transparency is the responsible thing to do.
  • … because we're not evil, we're just inexperienced…
This point runs counter to the apology because it says that if you were suspicious (and they posted this to clear suspicion) then you are simply wrong. How dare you think that we are evil when we just have no fucking idea what we're doing.
  • … and if you suspect we are doing bad things, then go away and never show yourself here.
That's not very welcoming. Especially since this whole post is a direct response to one tweet in which they were asked where the crowdfunding money went and what was going on with it.

This statement says that if you think they are doing malicious things with the money you gave them, then you should not be in infosec because you are toxic. By extension, if you ask for transparency you are accusing them of malicious intent, and therefore you are toxic and should not be in infosec.

Last paragraph, paraphrased: "In case you forgot, this was an apology. We can and will do better in the future. Just trust us on that."

At what point was this an apology? Go back real quick and read their statement and you will see that they did not apologize for anything. They said they were issuing refunds, and then talked about unspecified standards and undocumented values. The statement was ended by telling people who question their actions that they are not welcome in the community.

This PR statement was a direct subtweet at a few specific people, myself probably included. This post is not an apology and should not assure you in any way that they are going to learn from this ordeal.

I suspect this was written by @hacksforsnacks_, who previously launched a startup company that offered public relations services. Damage control, non-apologies, and weightless statements are things he would have been required to produce professionally.

This blog post follows my initial reactions here (thread), here, and here (subtweet).

What next?

So, what now? In my next post I am going to discuss the ways that @InfosecN00bs needs to improve. Even if their leadership doesn't like me I urge them to read it. I promise to offer constructive and actionable criticism about the way @InfosecN00bs is run. I think that this group could do much better if their leadership had a plan and goals, both of which it currently lacks.

Click here to see InfosecN00bs, Part 2: Fixing the Problem.

As an aside...

This official statement didn't address their moderator's behavior. @K_5m00th's behavior. The moderator who I called out for sexually harassing a woman in the official @InfosecN00bs Slack. The moderator who asked me to move the discussion with him to private so he could tell me that I was spoiling his learning opportunity with my tone. The moderator who, after being told to go fuck himself for his non-apology and tone-policing, posted a piece of my conversation with him out of context to the general chat to try to sway people against me. The moderator who, after reading statements I made on Twitter that did not disclose his identity (subtweets) about how his behavior followed typical sexual harassment narratives, liked a tweet I posted expressing my concern that if I called him out publicly he would try to sabotage my trip to DEF CON. They didn't mention that incident, strangely.

It was after I made this incident public that a few users began stepping forward with their experiences with @hacksforsnacks_ and @K_5m00th, and some users questioned their crowdfunding campaign.
