InfosecN00bs, Part 2: Fixing the Problem

This is a rather difficult post because it addresses problems in a group that does not want to listen to criticism of their behavior if it is conveyed with a tone and that, thanks to @hacksforsnacks_'s experience in public relations, has created a reputation that at first glance seems welcoming and supportive of all people. There are likely people who will come to defend the group but I have found, anecdotally, more people that have stepped forward with complaints.

In my previous post I broke down a press release statement posted by the @InfosecN00bs account to discern what the statement actually says.

Here, I will speak about moderating online communities and then call out specific problems with the way that @InfosecN00bs has, and for each problem I discuss I will provide constructive and actionable solutions.

Disclaimer: I do not have a good history with this group. I am highly critical of members of their leadership. I do, however, think that highly technical fields are better for having groups dedicated to making the road in easier for those with less access to resources.

Online Communities

I have a history with online communities. I have been a member of, moderated, and owned/organized several Counter-Strike: Source communities. I have been the captain for at least two successful semi-professional Counter-Strike: Source teams. In the days of yore, I moderated and Guild Mastered several guilds (25-75 players) on MMOs such as World of Warcraft and Guild Wars. For a decade I have paid for, operated, and moderated VoIP and chat servers for personal and communal use. I have organized and Game Mastered many groups through Dungeons and into Dragons.

Do not mistake these as someone being a bit miffed about someone else's behavior. I learned these lessons the hard way over twelve years.

Codify The Rules

A Code of Conduct is vital. It puts into writing what behavior is allowed in your community and more importantly what behavior is not allowed in your community. It also tells people what you stand for, and who you support. It also gives you the ability to remove people from your community without it being personal. Speaking of which...

You Are Not Your Community

There is a lot to say about this, but I'll do my best to keep it brief. If you are a community then the community is bigger and more important than you are. Codifying your community rules lets you tell people what your community is about, but how your moderators behave and enforce them is what shows people what you're actually about.

This is the thing literally everyone gets wrong because people love to consolidate and abuse power, and those with power don't like to be regulated. Like the police, moderators should be held to a higher standard and more closely scrutinized against the rules/laws that they have been trusted to enforce.

Moderators Are Not Your Friends

You can be a moderator and be friends with all the people in the community. You can be a moderator and not like certain people in your community. But when rules are broken or a complaint is brought in front of a moderator, all of that has to be put away. Moderators are not neutral and their job isn't to pick sides. Moderators have been given a side: The Code of Conduct. A moderator's sole job is to evaluate situations against the code of conduct and decide whether or not the code of conduct has been broken.


So there are problems with this 'community.' Problems that people don't see on Twitter, but that become very obvious when you interact with the leadership. I'm going to discuss some of these problems and what needs to happen to solve them.


Problem: This moderator is a problem that needs to be fixed. I place K_5m00th before Code of Conduct for a reason. At the end of my previous post I briefly gave the reasons why. I will call out the specific problems after I short-form the events that transpired.

K_5m00th was called out for sexually harassing a woman. He replied that it was just a joke. He was asked what the joke was. He said it was funny. He was told that it was not funny.

K_5m00th asked for the conversation to move to a private chat. He said the tone of the conversation was not conducive to a learning situation. He was told to fuck off, and that he was not owed the time or sympathy to be taught why sexually harassing women is wrong.

K_5m00th took a screenshot of the conversation that only highlighted him being told to fuck off. He intentionally did not show the part of the statement that stated he sexually harassed a member of his community. He posted that in the general chat in an effort to use social violence to turn public opinion of the one who called him out into a weapon to distance and eventually remove them from the community.

This is not the first time he has threatened to do this. In fact this appears to be his go-to strategy. When I questioned a previous disagreement and ousting of part of their administration he said that if he divulged any part of the conversation he would have to post it all to the general chat out of "fairness."

So, let's review the problem: K_5m00th is currently a moderator. His actions speak directly to what InfosecN00bs are about, and the way he moderates the community sets precedents for future events. If he remains as a moderator, InfosecN00bs is showing to the community that they stand behind his actions and his tactics of social violence.

Solution: Remove his moderator status. Make a statement that you will not stand for his behavior. In your statement, set clear attainable goals against which the community can measure your honesty. You have to undo the precedent you have allowed him to set in your community.

Code of Conduct

Problem: There are no community guidelines or code of conduct. This means that as far as administration goes the community is subject to the whim of the people in charge. This will create an environment that actively pushes out and alienates people who the moderators do not like. The code of conduct is the cornerstone of a community and without one you are a loose collection of people. This will stifle the growth of the community and eventually create a poor image of your group should your community continue to be as public as InfosecN00bs.

Solution: Create a code of conduct. It's that easy, right? I know it isn't, so here are some steps to make one.
  1. Decide what kind of people you want in the community. "Everyone" is not an option. As a community you are a group of like-minded people when it comes to at least one thing, and this is when you decide what that thing is. Write it down.
  2. Decide what kind of people you do not want in your community. This is going to take longer than step one. This question is harder than "I don't want people who are assholes in my group." Do you want to let sexist or misogynistic people into your community? Do you want to allow racists in? What about people who are very vocal about a specific social issue that you feel runs counter to the kind of people who you want in your community? Write down these broad groups of people.
  3. Since you already have a community, run the groups you listed by everyone in your community. Let them add groups to your list under either column.
  4. Profile the groups of people you wrote down. What specific actions do those people take, or views do they hold, that make you want or not want them in your community? Think about the personality traits those people have as you do this. Write down at a broad level what kind of language they use that you want or don't want and the things they do that you like or don't like. Being specific here will pay off later.
  5. Go read the code of conduct for other communities or organizations that align with what you want from your community. Keep your notes with you as you do this and refine the specific actions you want and don't want.
  6. Write down your commandments. "As a member of this community you will not reduce other people, inside or outside of this community, to aspects of their body. As a member of this community you will hold people accountable against the Code of Conduct. You will report breaches of the Code of Conduct to a moderator. You will not..."
  7. Decide what will be done when the code of conduct is broken. Specific steps. A warning, temporary ban, permanent ban, etc. These should escalate in a reasonable manner and unless there are flagrant breaches of the code of conduct these steps should not be skipped when enforcing the rules.
  8. You are not done. You have an established community, and moderators. You must run your draft by your community to make sure that the majority of them agree with your choices. You must run it by all moderators, who must have zero reservations about the code of conduct. If a moderator expresses concern you have to determine what they have a problem with and why they perceive it as a problem. You will have push-back from moderators who just want to be in charge and who do not wish to uphold a set of rules or be accountable.
  9. Once everything is signed off you must publish the code of conduct in an easily accessible location. The Code of Conduct must be easy to find and easy to read and understand. It needs to use simple language so that it cannot be misinterpreted.
I understand that InfosecN00bs has financial issues. If you cannot pay for a dedicated website on which to host your code of conduct and other information, there are plenty of free services you can use in the meantime. You can use Blogger or even Tumblr. Place your code of conduct in a post, and post the link to the code of conduct in all locations where people might interact with your community. These locations include the biography section of the official Twitter account and the message of the day for the General chat in the community Slack and IRC channel.


Problem: The moderators of InfosecN00bs are mostly hidden and several steps must be taken to identify them, including DMing random people on Twitter until somebody answers. Funneling all communication through one shared channel removes your community's ability to voice complaints about moderators.

If users do not have a path to safely discuss another moderator's behavior then they will stay quiet and leave. Moderators must be held accountable to the code of conduct, and protecting people from the ire of a moderator they feel isn't doing their job properly or is abusing their power is very important to the long-term success of a community.

Solution: Since you have made a code of conduct, and have run it by your moderators, you need to be able to enforce it. If people have a complaint or are in distress they have to have reliable avenues of contacting moderators. This means they have to know who the moderators are.

In order to learn the identity of the people in charge of InfosecN00bs I had to dig through Slack account settings to find the administrators. This is not acceptable. People need to know who the moderators are. Create an About Us section on your web page or blog that lists moderators and their preferred contact methods. Any moderator who does not wish to be identified in this way should not be a moderator.


Problems: The administrative actions of the moderators are not visible, have no guidelines, and projects undertaken have not adequately assured the infosec community at large that the group understands what its goals are.

Solution, regarding close of fundraiser: I wrote this for you before your press statement. I literally wrote it knowing that you were receiving complaints about your fundraiser as an example for how to properly close out a community effort.

Things to take note of looking at that blog post: State what goals you had when you started your project. State what succeeded, state what failed, and most importantly state what lessons you have learned from the project and what you will do next.

Solution, starting projects: Like the solution above: Be open with your community. Set SMART (Specific, Measurable, Achievable, Realistic, Time-bound) goals. Show those goals to your community at the start of a project. Make sure they can reference them as you move through the project and especially at the end.

Being transparent about this is especially important because you are a small, new community that has to earn the trust of the larger infosec community and because you need to raise funds to accomplish anything. If you want people to commit their money they have to know that you understand what you are going to do with it and the easiest way to get them to trust you is to tell them the details of your goals and how you will achieve them.

Solution, administrative actions: Create a channel in the Slack that everyone can join and view (if you can limit the ability to post, do so) in which you post summaries of administrative actions. Administrative actions may include banning of a member of a community - do not shame them, or expose the details of anyone affected by the user's actions.

These summaries are to explain to the community what rules in the code of conduct were breached, and what steps were taken to enforce the rules. Posting these for offenses such as sexual harassment, bullying, or other actions against the code of conduct is meant to set a precedent. These should not be issued for warnings. These must not contain details of any targets/victims of the offender's actions in order to preserve their privacy and protect them from being targeted for harassment by other members of the community.

Example summary: "John6969 has on multiple occasions made inappropriate comments and used racially offensive language towards multiple members of the community. Despite two warnings, John6969's actions continued and he has been permanently banned from this community."


There are more problems with the @InfosecN00bs "community" that need to be addressed by the staff. At the time of publishing I have been writing and editing all day and I am spent. I do hope that these good-faith suggestions for improvement reach them. I also hope that anyone else who is looking to start a community can take on some of these suggestions to avoid similar pitfalls when starting an online community.

