Chapter_11_-_Resurrection

After @stake I bounced around in a few low-level tech jobs here and there, mostly hardware repair and desktop support, no longer really having the confidence for anything more extravagant. By the mid-2000s the economy was pretty craptastic, and I once again found myself unemployed. I was getting a fair number of interviews and even second interviews, but no final offers. This scenario occurred about four times in a row, and I finally pieced together what I thought was going on. During the second or sometimes the third interview, I would inevitably get to speak with someone higher in the leadership chain, such as a VP or the CEO. One of the last questions they would always ask me was, “I don’t see a college degree listed on your resume, do you have one?” To which I would reply, “I have over a decade of experience in doing (insert job description). In addition I have previously done X and Y and Z, which all correlate directly with what you are looking for.” The response was almost always, “Thank you very much for coming in, we will let you know.”

After the third or so company that this happened with, I resolved that I should finally get my college degree. After months of trying and burning through all my savings, I was finally able to land a standard desktop support position at a private school in Cambridge. So while I was barely making enough money to cover the mortgage on my tiny condo and still have something left over to eat with, I signed up for my first class at the University of Massachusetts.

I did not know whether I was going to finish even that first class. The memories of my first attempt at higher education at Boston University and high school were still painful, especially regarding finances. I took what I thought should be a somewhat easy class, hoping I had not just wasted seven hundred dollars in tuition. I took College Writing 101 as an in-person evening class; I did not trust myself to do the work for an online class. The class actually turned out to be fun. I got the hard classes out of the way next so that if I ended up failing out or losing my motivation, I wouldn’t lose too much money. Algebra I came the next semester. Then Algebra II, Statistics, Discrete Structures, and on and on, doing just one class per semester, as it was all I could afford and all I had time to do. It took me eight years, during which I had three different jobs. By the time I turned forty, I had completed the degree requirements and earned a Bachelor of Science in Information Technology. I could check that box on any job application from then on.

Getting my college degree was a huge part of rebuilding my self-confidence and clawing my way out of the psychological hole from getting fired from @stake, breaking off my engagement, and moving out of my home.

###

Despite the copious numbers of hackers in and around Boston, there had never really been a hacker convention or security conference in the city. SOURCE in 2008 changed that; it was one of the first conferences to bridge the divide between hackers and professional security types in the area. One of the talks at that inaugural SOURCE conference was a L0pht reunion panel.

I’m not sure why I agreed to do it. The pain of @stake was still very raw for me eight years later, but somehow, I crawled out of my hole for a few hours to sit on the panel. I suspect the draw of seeing old friends from the L0pht and briefly stepping back into the persona of Space Rogue was part of what helped me decide. Most of the former members of the L0pht were there with the notable exception of Stefan and Kingpin, who had moved to the West coast.

But it was more than just the members of the L0pht; many people who I had interacted with from the old days from 2600 meetings or elsewhere were there in the audience. I could hang out and speak with many of them before and after the panel. In addition, the panel was also live-streamed, resulting in a flood of emails afterward. Probably the most important thing to my mental stability that happened at the conference was signing up to this new social media platform called Twitter. Twitter got me back into contact with people I knew from L0pht and my BBS days. People I had only met at cons or maybe through messages on BBSs or forums were now just a tweet away. Even people I had never met or interacted with but knew of were on Twitter. Twitter played a big part in those early days for me to reconnect with the world that I had shut myself off from. Twitter has changed a lot since 2008; it remained a useful communications tool for some time. Now I find the ads, trolls, misogyny, and other detractions to not be worth the effort.

At some point soon after the SOURCE Boston conference, I made a conscious decision to let it all go. Holding on to all that hate, anger, and bitterness wasn’t doing me any good. I started to let it flow off me. Carrying that around for years kept me warm, but it was eating me up. It didn’t fall off all at once like an avalanche, but more slowly, like pieces blowing in the wind. I still carry some of that bitterness around with me from those days, but there is less and less, to the point that it is almost no longer noticeable anymore.

###

In the mid-2000s, the old @stake IT Administrator contacted me out of the blue and says he still has the registration for the Hackernews.com domain and asks me if I want it. I had assumed that the domain had transferred over to Symantec when they bought @stake along with everything else, but somehow this domain fell through the cracks and was still being held by the old admin. He transferred it over to me, no questions asked. I didn’t do anything with it other than point it to my WordPress blog at Spacerogue.net, but it felt good to at least have the domain back.

Recently after rereading the purchase and sale agreements for L0pht by @stake, I discovered that the legal documents never actually list HNN as property of L0pht. Everything else, such as L0phtCrack and other products, is specifically called out, but not HNN. I am not a lawyer, but as I read it, HNN was never sold to @stake and therefore could not have been sold to Symantec either. All that time, and they never actually owned it.

Then, out of nowhere in the Summer of 2009, Tan calls me on the phone. I hadn’t talked to him at all since the SOURCE Boston panel years before. He tells me we should put the band back together and resurrect HNN. I probably laughed at him; I thought it was a terrible idea. Then he said we should do it as video, and then I knew it was a terrible idea. Neither one of us had any experience working with video at all. We didn’t even own any video cameras. At the time I was working off a PowerMac G4 as my main computer, way too slow to realistically process any sort of video. Somehow Tan convinced me to do a pilot episode. I figured okay, at least it will shut him up and I won’t have “what if” regrets for not at least trying?

So the next week I started gathering news article and writing a script. It was easy to fall back into the same old habits I had developed a decade earlier. I won’t lie, it felt good; it felt really good. I was reading news sites and writing synopses with a purpose again. As I worked on that script that first week, I knew before I even filmed one frame that somehow I was going to make this work.

I ended up borrowing an old, cheap camcorder from my current employer and somehow put together a pilot episode. It really sucked. The video was terrible, and the audio was even worse. But I could see the potential. Tan convinced me to get a green screen off eBay and film in front of that. Lighting was a problem, so I got a halogen work light from Home Depot that threw off a ton of heat and a ton of light. Too much light actually; the first four or five episodes my face was all washed out from being flooded by the halogens. Sound was one of the biggest challenges. People will sit through bad video. If you ever watched MTV through a cable descrambler in the ’80s, you know this. However, people will not sit through bad audio.

Editing was a nightmare. Neither Tan nor I had any idea how to use Final Cut Pro, but we muddled our way through it. We never figured out how to smoothly cut from one news story to the next when you only have one camera. Instead Tan had the idea to exaggerate the splice and make it seem like I was doing a Max Headroom impersonation. He threw in some moving parallel lines in the background and the stuttering effect came out well.

Like the original HNN we took a while to find our voice, but it was easy to fall back into the same groove. We focused primarily on hacking as it related to information security; we stayed away from stories about programming or that were purely privacy news items. The original sarcastic humor stayed. Our model, what we were shooting for, was somewhere between The Daily Show with Jon Stewart, NPR, and NBC News with Dan Rather. I think near the end, we got really close to that.

We developed new segments like “Tool Time” and “Behind the Firewall,” and brought back a segment from the old web-based HNN, “Buffer Overflow.” Courtnee, an old-school hacker on the West Coast, reached out to us and offered to film an occasional segment that we would write for her. She would send us her clip over the Internet, and we would incorporate it into the show. By the end of our nearly two-year run, we had what I thought was a slick production that was very entertaining.

One of our biggest obstacles was ironically YouTube. YouTube was already the default place to consume online video, but at the time they still had the ten-minute time limit for user-uploaded shows, and their advertising model was not that great. So we hosted our videos on a website called Blip.tv. This site made it hard for people to just randomly find our show and forced us to drive traffic to increase our viewership.

It was a lot of work and I really enjoyed it, but it eventually became too much. Forty to fifty hours a week at my normal paying job and then another thirty to forty hours a week to get the show out every week. Even on weeks I wasn’t producing a show like over Christmas and New Year’s, I still had to keep an eye on the news because hacking never stops. After about two years, it just became too much, and I had to shut down the show. The ending was abrupt, but it had to be for my sanity.

The resurrection of the Hacker News Network was a big deal to me personally, though. After I got fired from @stake, I was a broken person, and it took me about a decade to climb out of that hole. Working on HNN again was a huge part of restoring my mental health after the prior ten years. As part of collecting news for HNN, I decided to cover the BSides and RSA conferences in San Francisco. I used some of the money HNN had earned selling T-shirts to pay for a plane ticket to the West Coast. I signed up for a media pass with RSA, and despite the conference making a big stink about requiring an ID to get a badge, I somehow got one in the name of Space Rogue without showing any ID. By 2010 RSA had grown from the small sixty-to-eighty company affair held in the San Jose convention center when @stake had launched. It was now a huge multibillion-dollar professional event involving hundreds of companies, tens of thousands of people, and filling both halves of the Moscone convention center in San Francisco.

I had sent some emails to a few companies to request interviews. They were all more than happy to grant a video interview to someone with the name Space Rogue and a video blog with the word “hacker” in the title. One of those companies was Symantec, which had bought @stake, or what was left of it, several years earlier. I found that to be mildly lulzy. I ended up editing that week’s episode in my tiny hotel room up on Geary Street, trying to maneuver the small lamps in the room to throw enough light so that shadows wouldn’t obscure my face.

I also took my video camera out to Las Vegas and filmed some footage at Black Hat, the professional security conference; DEF CON, the annual hacker convention; and a smaller conference that happens around the same time called BSides Las Vegas. While at DEF CON I ran into Tan, and we hung out for a bit during the conference. I also ran into Mudge. When I first saw him, my first reaction was to turn and walk away, but I forced myself to say hello. This was the first time I had seen him since the SOURCE Boston panel, after which I had resolved to no longer let the anger eat me up. Mudge was pleasant, and we spent some time chitchatting. He came right out and apologized for everything that had happened at @stake. I was shocked to hear that, and I do not know why he decided right then to make a formal apology, but it was a welcome effort on his part.

An annual hacker convention that takes place in Washington DC known as ShmooCon invited me to attend and do some filming. Astaro, one of HNN’s sponsors, was also sponsoring an RV that was driving from Boston to DC (it later became known as the ShmooBus), in which I was able to hitch a ride. This was in 2010, the year of the “Snowmageddon,” or “Snowpocolypse,” when over two feet of wet, heavy snow fell across the Eastern seaboard, including Washington DC. Nobody at ShmooCon really cared about the blizzard during the conference, as we were all inside the hotel. Although, supplies of beer and chicken fingers became dangerously low at the hotel bar, and one skylight in the hotel couldn’t hold the weight of the snow and crashed to the floor along with an immense pile of snow, landing right in the middle of the lobby. The drive home on Sunday in the RV took hours longer than it should have, although once we got out of downtown and north of Baltimore where they knew how to operate a snowplow, the driving became much easier.

That ShmooCon is where I met Megan. Megan and I really made what I thought was a deep connection. After the conference we furiously emailed each other back and forth, eventually agreeing to meet up in New York City, which was halfway between Boston and her home in Philadelphia. It wasn’t long before I was basically commuting to Philadelphia each weekend, driving south immediately after I got off work on Friday and driving back north on Sunday. The next spring I had sold my tiny condo and moved everything to Philadelphia. I found another low-paying job and still pushed out episodes of HNN every week.

It was about this same time I realized that producing an HNN episode every week was extremely stressful, and we still hadn’t found any new sponsors. The money was just barely covering the expenses, I was stressed every week, and I just couldn’t hold it together any longer. I called Tan, and we talked it over, and in a rather abrupt announcement, I canceled the show. That week, instead of filming a regular news episode, I filmed a monologue thanking the viewers and cutting off the show. Many people thought the ending announcement was some sort of joke or troll and refused to believe it, but I just couldn’t do a forty-hour-a-week regular job and another forty or fifty hours a week collecting and filming news and get no return from that effort for years. I was burned out.

In the weeks that followed, I was able to take stock of where I was in my life and what was happening. It was about this time that Megan and I realized that we really weren’t meant to be. The breakup was messy as breakups tend to be, but it was better for both of us that it was over.

People still ask me to bring it back, to do HNN again. Maybe I will; I still believe in the idea, and I think the format is viable. Now that self-produced video has exploded and YouTube has made it much easier for self-producers, I think a show like HNN can find an audience and from there find advertisers or at least monetary supporters, perhaps through a Patreon model. However, I think if I ever do it again, I would want to do it the right way. The right way would require more than one or two people doing all the work. I would need a couple of people to write and gather news, someone else to help with the video editing and production, and probably someone to assist with promotion and advertising sales. At the same time, I now have a family to support, so without some sort of large monetary infusion to get things started, I don’t see HNN 3.0 happening soon.

###

HNN had a few great sponsors over the years. One of them was Astaro, which was soon sold to Sophos, and another was Trustwave SpiderLabs. After HNN ended, I was lucky that Trustwave offered me a position and brought me on to help stand up a threat intelligence service like what I had done for Guardent years earlier. The web had changed in the intervening decade, definitely more commercialized but also a lot more integrated into everyday life. As a result, I had grand ideas for what a world-class threat intel system should be able to provide. It would be waaaay more than simple IP reputation and malware signatures, which was what the current threat intel market was largely shaping up to be. It took me a few months to get the system developed and ready for prime time, but I really felt that we were ahead of the curve and were about to define the market. Then, just as we were about to go live with the new service, Trustwave got cold feet and shelved the product. The process of them putting the product on the shelf took several months of them hemming and hawing and dragging their feet, leaving me in limbo in the meantime. While I waited, I moved on and started working on other things.

While this was happening, the person I was working for, Steve Ocepek, left the company. Steve was probably the best boss I have ever had in any job anywhere. He really understands what it takes to motivate people and how to take care of those who work for him. After he left, I got stuck with… well, someone I didn’t work very well with. They had me take over the floundering Trustwave podcast since I was evidently an expert at podcasting having previously run HNN. I tried to tell my boss I was burned out on that and didn’t really want to do it. I needed the job, so I didn’t protest too hard, but I was miserable. Despite that, I still endeavored to push out a quality product. Years later I would still get kudos from people who listened to the Trustwave podcast I produced and found the information it contained valuable.

Thankfully, during this time I ran into a friend at a conference to whom I could express my displeasure over my current situation. He told me, “Let me see what I can do.” On Monday when I got home from the conference, I received a call from the CEO of Tenable, Ron Gula, who said, “Hey, come work for me,” and I was like, “Sure!”

Tenable was a great company to work for, and Ron Gula was an excellent CEO. The company’s flagship product Nessus, a network vulnerability scanner, had a long history with a great reputation. Many security industry luminaries already worked at Tenable, including none other than Marcus Ranum, the former CEO of NFR, which L0pht had contracted with writing modules for Network Flight Recorder years earlier. It was a good feeling to close that circle.

A few years into working for Tenable, my old boss from Trustwave, Steve Ocepek, calls me out of the blue and says, “Hey, come work with me again.” I’m not even sure he got to mention what company it was before I said “sure!” The company turned out to be IBM of all places. “Big Blue,” the antithetical hacker company if there ever was one. Unbeknownst to me at the time, IBM had changed a lot since the days of the white shirt and blue tie. They had acquired the X-Force brand years before with the acquisition of Internet Security Systems, or ISS, and rejuvenated the brand with the creation of X-Force Red. XFR was just starting out as the offensive security services arm of IBM Security. IBM had offered penetration testing services before, but this would be the first effort by Big Blue to consolidate the service into its own business unit. So far it has been more than successful for both IBM and me. X-Force Red has evolved into just X-Force and now includes incident response and threat intel among other security services.

I remember during my first month or so working at IBM several people reaching out to me through the internal chat programs and email to ask “hey, remember me? I used to go by (handle) and called X BBS in the YYY area code. Welcome to IBM.” Evidently, IBM was hiding a ton of hackers within its 380,000 employees who used to surf among the dark alleys of the Internet and BBSs “back in the day.” One of those people who reached out to me told me he was in the IRC chat room that I had logged the day the Legion of Underground declared war on China and Iran. Another circle closed.

The mantra of some companies that proudly proclaim “we don’t hire hackers” has always fascinated me because my response has always been “how do you know?” Hackers gotta eat, just like everyone else, they gotta work somewhere, they might very well be working for you. I think what they mean to say is “we don’t hire criminals,” but they mistakenly equate the definition of one with the other.

Another ironic thing about working at IBM was that it is also where Ted Julian ended up. The same Ted Julian who told me “too little, too late” a decade and half earlier and had collected my employee badge and walked me to the door of @stake. Ted arrived at IBM through the purchase of Resilient, an incident response platform company. I got to say hello to him at IBM’s THiNK conference one year. It was a little awkward, but it closed yet another circle.

###

After HNN and ending my relationship with Megan, I found myself with a bit of free time. I started hacking on several projects, never really finishing any of them. I checked out the local hackerspace Hive76, which felt a lot like being in the old L0pht but was more nostalgia for me than I’d like. I even tried my hand at online dating.

I met Maureen through OKCupid. She was an hour late for our first date, but I waited outside the restaurant, in the rain for her, and I am glad I did. We more than hit off. I think we both knew that this was something different. It was more than magical. I met her son a few months later, and a few months after that, we were engaged. We got married in June 2014.

Maureen had a large family: four sisters and an uncountable extended family, many of whom she invited to our wedding, along with lifelong friends from college and even high school. I invited the L0pht; despite the estrangement over the years, I still considered them my family. Tan had some medical issues and couldn’t make it, and Kingpin had already committed himself to give a talk at a conference. But Dildog, Silicosis, Mudge, Brian, and Weld all showed up. I’m not sure I can describe what it meant to me to have everyone there. Especially since I knew that with the wedding being in Philadelphia, everyone spent more than a token amount of effort to attend. It meant a lot to hangout and be friendly with everyone again during the reception, even if it was only for a few hours. The feeling of us all in that room stayed with me for a long time after.

###

I rarely blurt out “Hi, I’m a hacker” when I first meet people. Trying to explain to people what I do for work can sometimes be tricky and lead into all sorts of long and sticky conversations, so I usually just say I work in computers. If that isn’t enough, I’ll say I do internet security or I try to make the internet safe. If whoever is asking keeps pushing, I’ll explain that I try to keep bad guys from getting your credit card when you buy something online. When I’m talking with someone I’ve first met, I almost never use the word “hacker.” Why? Because it means so many things to different people, and many people instantly equate “hacker” to criminal. When I use the word “hacker” I also usually have to delve into a long drawn-out explanation about how I’m not one of “those hackers,” I’m a good guy hacker. This is usually way more investment into a conversation than I often have energy for, so I just say I work with computers, and for most people, that is more than enough.

This also goes for my wife’s family, which includes four sisters, their husbands, dozens of cousins of varying ages, and more. Sure, they know where I work and have a general idea that it has something to do with internet security, but I don’t think I ever told them the long-involved story of the L0pht or of testifying to congress or any of that.

In June 2015, Craig Timberg at the Washington Post decided to write a major story about the L0pht and our testimony entitled “A Disaster Foretold - And Ignored: L0pht’s warnings about the Internet drew notice but little action.”97 The story ran on the front page, on Tuesday the 23rd of the month. They used a picture of the L0pht testifying in 1998. The picture with Mudge and his long hair, sitting in the center and the rest of us flanked out on each side, and me looking down at the table. A picture we have affectionately come to call “the L0pht Supper” because of its resemblance in style and format to the famous 15th-century mural painting by Leonardo da Vinci.

My brother-in-law who lives in the Washington DC area reads the Washington Post every day. According to him, he didn’t even notice the front-page picture. It wasn’t until he got to page A11 that his mouth dropped open as he realized my face was staring back at him from a half-page photo. The family was a little surprised at my origin story showing up in the Washington Post unannounced. My wife’s sister was kind enough to have the photo from the paper set into a large frame, which now hangs on my office wall.

###

In early April 2018, the L0pht members realized, “Holy shit, it’s been twenty years!?” At some point a few years earlier, Dildog had been able to re-acquire the L0pht.com domain name from whoever ended up with it and set up our old “resident” email list. Traffic to the list has been sporadic with some of us only checking in occasionally. Occasionally people would accidentally fall off the list as they changed addresses and didn’t bother to send an update. No one would even notice for months because of the lack of traffic. It is good to be in contact with people I worked so closely with all those years ago, even if only sporadically. The pain and hurt are still there and will probably never go away entirely, but things are mostly scarred up now, enough that we can talk to each other and occasionally joke about the old days.

The mailing list became the center of how we were going to plan the revisit of our Congressional testimony on the twenty-year anniversary. We thought we might do something in DC, or maybe a panel at DEF CON, or even some other thing to continue our original message and commemorate the initial event.

While we were trying to decide what to do, I submitted a proposal to DEF CON for a panel discussion. I was a little vague about who would moderate and how many of us would show up, because at that point, no one had really committed to the idea. Hell, we were still trying to figure out how to get in contact with everyone as we soon realized that not everyone’s email had been kept up to date. In the meantime, Weld tried to get something together for Washington DC. Since it was already late April, scheduling was difficult, but we eventually found May 22 worked for most people.

We couldn’t do a full-blown hearing again; instead, with the assistance of the Senate Cybersecurity Caucus, we were able to get four of us in a room. We convinced our old friend Katie Moussouris who had worked with us at @stake to moderate the panel. The format was supposed to be a seven-minute intro by each of us, and then Katie would ask us a few questions and they would stream the whole thing live. I wrote out my statement and timed it to just under seven minutes. I ended up speaking first, and mine was the shortest statement. Weld’s, Mudge’s and Kingpins’ statements were each longer than the one before it, with Kingpin taking up about fifteen minutes, twice the allotted time. I think he might have been subconsciously trying to make up for the lack of speaking he did during the original hearing.

But overall it went well. What we said was well received and, as always, it was good to see old friends from long ago. Weld and I both brought our kids to the hearing, and they had fun playing with each other at the reception afterwards.

A day or two before the panel discussion in Washington DC, we heard from the DEF CON review committee that they had accepted our panel proposal, which is rare. Panels are not generally accepted for DEF CON, and the review board actively frowns upon them. We had recruited Elinor Mills to moderate that panel. She was one of the first reporters at Wired to cover the L0pht, and several of us had worked with her on various news stories over the years. Everyone made it to Vegas except Brian and Silicosis. Again, it was fantastic to see everyone in the same room, even if things were still a little awkward, at least for me anyway. The conversation in the green room before the talk quickly devolved into our old banter from twenty years previous as we each pulled up old personal memes and sayings that only made sense to us. It was both a little awkward and familiar at the same time.

The DEF CON conference room was enormous; I think it could probably seat twenty-five thousand people and was about three-quarters full. A lot of our friends and colleagues were sitting right up in the front rows, trying to heckle us and make us laugh. Elinor asked some brilliant questions and kept the conversation on track. And then when it was over, we all just sort of said our goodbyes and went our separate ways.

Our resident emailing list is still working but receives almost no traffic. I’ll see someone from the L0pht post a tweet here or there, and occasionally run into Weld or Mudge at a conference now and then. Who knows, maybe on the 25th or even 30th anniversary, they will invite us back to testify at a hearing in DC again. Maybe this time, they will listen.