> CHAPTER 10

> JAKE

AFTER HACKTIVISMO’S XEROBANK browser helped drive the Tor Project to broaden its mission in 2006, the service became truly useful to large numbers of people. Tor began spreading in earnest in countries like China and Iran, where surveillance could be swiftly followed by jail time. Psiphon, Freegate, and other services could deliver forbidden parts of the web to readers, but only the souped-up Tor could both serve up such destinations and obscure who was reading them. Not coincidentally, US government funding for the Tor Project increased substantially that year. As with other free-communication projects, the greater the take-up in areas ruled by figures both opposed to American interests and repressive to their own locals, the greater the US enthusiasm for tools boosting free speech.

But Tor’s origins inside a navy lab and its ongoing federal funding gave room for suspicions about whether it contained a hidden back door for US spies or was otherwise corrupted, even though its source code was public for review. It was not, as Edward Snowden’s documents would show years later. Tor frustrated US intelligence agencies, which were unable to crack it reliably. Support from the Electronic Frontier Foundation and endorsements from public-minded cryptographers, including some on the Cypherpunks mailing list, helped convince many that they could trust Tor. But a majority of that crowd were of a previous generation, long-haired mathematicians more comfortable in a university library or the bowels of a Silicon Valley office park than hanging out with young activists.

The apparent answer to Tor’s public-relations problem arrived in the person of Jacob Appelbaum, known in person as Jake and on Twitter as @IOerror, a reference to a malfunction in input/output processing. Jake was young and good-looking, an engaging public speaker and a frequent presenter at serious security conferences. He also had an extraordinarily compelling personal story. If many hackers turned to computers early to escape hard childhoods, Jake’s case was extreme. His mother, a schizophrenic, raised him until she lost custody to an aunt, who left Jake in a group home. He went to his father at age ten, but the man grew addicted to heroin. Father and son lived on buses and in drug dens, and Jake once found his dad overdosing and near death. Returning to group homes, Jake dropped out of high school and taught himself to code, working for the likes of Greenpeace and the Rainforest Action Network. Jake met Tor leaders Roger Dingledine and Nick Mathewson at a Def Con and began volunteering. He joined as staff in 2008 and quickly became Tor’s most visible spokesman. He was also among the best traveled in Tor’s network, flying to hotspots around the world to teach locals how to use it.

Wherever the attention was, it seemed Jake was there too, even as coauthor of a research paper showing that one could recover plain-text passwords by suddenly freezing a computer’s RAM data storage. “Pretty neat,” Luke Benfey wrote when he successfully nominated Jake for Cult of the Dead Cow membership in 2008. “He is certainly enthusiastic,” Luke added, though “a little bit weird.” Most of the core cDc members at that point were impressed enough to support the motion, and Jake was in with Kevin Wheeler’s final blessing. Even those who had not met him felt like they knew him because his story had been told by security, tech, and even some mainstream press outlets. There was an added attraction because the ranks of the group were thinning, and recruits with younger followers had to be prized if cDc, already more than twenty years old, could continue as a vital entity.

Laird Brown had brought in Kemal Akman, known as Mixter, and others through Hacktivismo, and old friends like Patrick “Lord Digital” Kroupa had joined. Some fresh security researchers like Adam O’Donnell also came aboard. But more were asking to be taken off the internal mailing list. That included both some of the technological powerhouses, busy running their own companies, and old-timers who were less technical, like Carrie Campbell. In 2006, she wrote with sadness and asked to go off the list, partly blaming herself for failing to get to know new members and drifting away.

I’m afraid my interests in the hacker scene have waned long ago. You new people don’t know me. I was a 16 year old girl when “Psychedelic Warlord” saw my crazy, poorly-written teenage angst postings on his BBS and invited me to join cDc. I joined happily, honored, and proceeded to write crappy, horrific, 16 year old bloody t-files. I loved the community of smart people (and their girlfriends) to converse with and bounce ideas off of. The acceptance of my female gender is extremely rare in the hacker scene and I appreciate it. I never pretended to be a hacker, since I’m not skillful in that area (though social engineering came easily to me).

Somehow I ended up purely by accident as the only girl in the world’s most notorious hacker group, and while that was enormously amusing, I am now approaching 40 years old rapidly. I have no energy left for cDc or the mailing list. I do have energy for the wonderful friends I made throughout this oh gosh, 21 or so year journey. Please do email me from time to time.

Because she had been a core human connector within cDc and went back nearly as far as he did, Carrie’s departure moved Kevin and made him worry that others would follow her. He took a long walk through Central Park, then wrote and asked the others to stay. “‘The hacker scene’ isn’t something I’m into, other than as a recruiting pool for sharp motherfuckers—and a hearty ‘hell-yeah’ for being that,” Kevin wrote. “Someday, hopefully there’ll be AIs in our mix and we’ll be trying to make practical sense of geopolitics and philanthropy. There’s always more to say, more to point out, more that’s fascinating and awesome and exciting. The universal, rock-solid, eternal part is the sharing, the communicating. Anyways—I want you guys to stick around.”

But the herd needed new blood. If Jake was as good as he seemed, he could bring not only new energy but potentially more recruits. Jake soon gave some evidence of being a good bet. His press clippings were astonishing, including a 2010 Rolling Stone profile that called him “a bizarro version of Mark Zuckerberg” and the leading spreader of “the gospel of anonymity.”

Inside cDc, Jake handled himself differently than the others, arguing more fiercely and sometimes with disdain for his elders. That accelerated after he hooked up with something even bigger than Tor: WikiLeaks. Activist hackers started the site in 2006 and first won wide attention in 2010, when they posted a video called “Collateral Murder” that captured the gunfire from a US helicopter that killed a dozen people, including two Reuters journalists, in Iraq. The video disproved US claims that the shooting was part of a battle.

The one WikiLeaks founder who would be left standing after years of internal dissension and splits was Australian Julian Assange, who had nearly as bad a childhood as Jake, including hiding with his mother from a vengeful cult. Even more of a show-off than Jake, Assange had been a belligerently antiestablishment and sometimes malicious hacker in his native Australia. Under the name “proff,” he had been on some of the most popular Internet Relay Chat channels devoted to security and hacking in the 1990s, including #hack. He was an ambitious and dangerous hacker, later claiming credit for breaking into Australian government computers and backdooring the Pentagon. He was not remembered fondly by cDc, which saw him as an egotist who usually lurked instead of contributing to discussions. When he did speak up, it was often to criticize or ask for working code he could use to break into targets.

Assange was also a regular presence on the Cypherpunks mailing list in 1996 and 1997, comparing notes with others about developments in cryptography and ongoing tensions with officials of many governments bent on restricting it. Assange advertised his own mailing list for “legal aspects of computer crime” as well, opening with a manifesto that declared computer crimes were being overprosecuted and that intrusions should not be considered criminal acts unless they caused harm. At one point he posted about a commercial spam operation and asked: “Who wants to take this site down first?” Assange and Mudge treated each other with respect, however, and met for dinner at the Chaos Computer Club’s 2009 gathering in Germany before they aligned with opposite world powers.

cDc admired much about the early WikiLeaks, with good reason. The site published a wide variety of documents and seemed most focused on government wrongdoing. When it obtained tens of thousands of US State Department cables from then Private Bradley Manning (now Chelsea Manning) in 2010, it worked with media partners that sifted through for important stories while not printing information that could lead to the deaths of those cooperating with American officials abroad. “I have quite a few issues with the organization, but I like it more than I dislike it, at least for the time being,” Laird wrote to the cDc list that year.

Assange was to speak at the HOPE conference in New York in July 2010. But the Pentagon had labeled WikiLeaks as a threat, and Assange feared arrest. Jake appeared by surprise instead. He gave a fiery recounting of the whistle-blowing site’s history and courage, which he said continued the tradition of the Washington Post and the New York Times of Watergate and Vietnam coverage, before more recent timidity such as the Times’s yearlong delay in exposing warrantless wiretapping by the NSA. “When the media is gagged, we refuse to be gagged,” Jake said. He added that he wouldn’t say anything about hacker Adrian Lamo, who had turned Manning in to the authorities after the troubled private confided in him that he had leaked State Department cables. Then Jake unbuttoned his shirt and revealed a T-shirt underneath that read: “Stop Snitching.” At the end of his talk, the room suddenly plunged into darkness, and the lights came up to show what appeared to be Jake being ushered out to safety. In reality, he was a body double, deployed in order to stop Jake from getting arrested or hurt, or simply to convince the audience that either was a possibility. The actual Jake had gone out the back.

After that, American customs and border patrol officers often stopped Jake at airports and interrogated him without charges. He complained vociferously in public and to his fellow cDc members, telling them in early 2011 that “the U.S. government has flagged me just as the Nazis forced Jews to wear a gold star. I don’t have the choice of removing my marks, though, they’re in the passport system for life.” As someone who lived on the internet and credited it with saving him as a kid, Jake would have been aware of Godwin’s law. Named for its originator and EFF’s first staff attorney, Mike Godwin, the aphorism states: “As an online discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches 1.” Godwin was mourning both the declining quality of online discussion and the lack of gravity owed to the Holocaust.

The old-timers in cDc were not impressed. “Dude, seriously?” Luke wrote. “You just managed to pull off the elusive one-man Godwin. Jake, I think you need to have some understanding that you’ve made this bed, and now you have to lie in it.” Prosecutor Glenn Kurtzrock was more precise in referring to the rules governing US Customs and Border Protection. “It doesn’t appear that CBP did anything wrong. They are entirely authorized to search and detain you when entering the country under the U.S. code, including the contents of any electronic devices.” Jake also sparred with the others repeatedly over Assange, whom Laird said was about as democratic in management style as the ruler of Saudi Arabia. “So much for hacktivist solidarity,” Jake complained. Luke and Kemal took a middle ground: Assange was an asshole, but he seemed to be doing good things.

Broadly speaking, the State Department cables released by WikiLeaks showed US officials doing their jobs. There was no great sinister conspiracy. But the various stories still embarrassed the American government and hurt diplomatic relations. The cables contained candid assessments of foreign heads of state, including their unsavory alliances and appetites for corruption. The antisecrecy fervor at WikiLeaks stoked a rollicking debate inside cDc. Glenn and others saw Assange as reckless, noting that the judicial system and other parts of government have very good reasons for keeping some facts confidential. Arguing out a hypothetical about missile launch codes getting into the wrong hands, Jake declared: “Perhaps you shouldn’t have missiles to launch if you can’t keep your codes secret?” Jake said a lot of provocative things, declaring that wiretaps were “entirely bogus” and that most search warrants were improper. One of the most surprising assertions came in response to questions about who should decide what secrets to publish. Instead of WikiLeaks holding that right as a publisher, Jake said it was up to WikiLeaks’s sources, whoever they were. “It’s a rough reality, but bitching about WikiLeaks makes little to no sense,” he wrote. “The point of the press is to inform.”

Members of Congress condemned WikiLeaks, and a federal criminal investigation put pressure on PayPal, Visa, and others that helped people donate to the website. The sprawling online activist group known as Anonymous then coordinated denial-of-service attacks on PayPal and Visa, effectively commandeering the mantle of hacktivism. The story of Anonymous, told more fully in books by anthropologist Gabriella Coleman and journalist Parmy Olson, is fascinating and complex. It also owes a little of its culture to cDc. One of cDc’s good friends and onetime web hoster, Tom Dell, had written software for Patrick Kroupa’s MindVox and then run Rotten.com, an early shock site that was a forerunner of 4chan. 4chan was mostly teenage boys chatting about pictures, and posts were labeled “Anonymous” by default. But it had flashes of political action when core internet values, such as freedom of speech, were threatened. When the Church of Scientology tried to suppress publication of its secrets, 4chan users coordinated online and real-world protests, and the participants spun off as Anonymous. Subsequent targets included copyright enforcers such as the Motion Picture Association of America. From the beginning, corralling massive crowds in Internet Relay Chat into something productive was extremely difficult. Organizers would peel off into secret smaller channels to thrash through priorities and then return to the larger gatherings to spread the word.

Anyone could declare themselves a member of Anonymous, and any member could call for an operation, most commonly a denial-of-service attack. It was up to other members whether to participate in any of the operations. With the denial-of-service attacks, members were encouraged to download a tool that would let them participate. But while that let participants feel like they played an important role with little risk, neither conclusion was justified. Some were arrested, because the tool did not hide their IP addresses. And most of the real firepower came from botnets, networks of captured machines controlled by a small subset of Anonymous members. The regular members were helping to provide cover and confusion, and that was about it.

As Anonymous allied with WikiLeaks and struck the payment sites with denial-of-service attacks, cDc members split on the ethics of the issue and opted to do nothing as a collective. Laird, who had been giving speeches for years on the ethics of hacktivism, carried the most weight on the subject. He opposed the denial-of-service attacks as censorship, arguing that the cure for bad speech is more speech. As reporters sought him out for comments about Anonymous, he stood firm. Luke, on the other hand, held that some denial-of-service attacks were reasonable civil disobedience, depending on the motives and targets. The onslaught only temporarily disabled PayPal and Visa while they shored up their defenses, he said. But knocking them briefly offline brought media attention and greater awareness of the issues involved. When the focus of crowds is one of the few things that can change policies, Luke felt, it made for a decent trade-off.

Dozens of Anonymous members did have hacking skills, as became clear after I wrote a short 2011 story in the Financial Times about a researcher, Aaron Barr, who said he would give a conference talk about the people he believed led the group. Highly skilled Anonymous ringleaders had a private channel for communication, and after my story appeared, the members of that channel broke into the files of Barr and two affiliated companies, HBGary Federal and HBGary, in part to make sure he didn’t have the goods on them. They published emails from the companies that showed that Barr was off the mark and that he was engaged in some questionable pursuits, including seeking a deal to discredit WikiLeaks by supplying faked information.

The ace hackers announced themselves to the world as Lulz Security, began tweeting as @LulzSec, and went on a wild performance-art run, hacking Rupert Murdoch’s tabloids to post stories announcing his death and even taking requests from their followers. LulzSec kept up a prolific and funny Twitter stream, largely manned by Topiary, later identified as eighteen-year-old Shetland Islands resident Jake Davis, and updated a web page with a logo and the slogan “Set sail for fail!” In an anonymous interview shortly before his arrest, Davis explained why he thought LulzSec had so much of the public behind it: “What we did was different from other hacking groups. We had an active Twitter (controlled by me), cute cats in deface messages, and a generally playful, cartoonlike aura to our operations. We knew when to start, we knew when to stop, and most of all we knew how to have fun.”

Davis later said he had been inspired by UK satirist Chris Morris and comedian Noel Fielding, and that his playfulness had a serious point: he wanted people to wonder why major security failures were so common, instead of attributing all breaches to unstoppable geniuses. “It was a mix of deliberate absurdity [and] a carefree childishness that was intended to alter the conversation to ‘These people are clearly just doing this as a game. Perhaps we should actually start thinking about security if these morons can wreak this much havoc.’”

The stunts and public commentary echoed the Back Orifice performances. Davis had honed his writing by drafting entries for the satirical, inside-hackerdom site Encyclopedia Dramatica, which looked a bit like old-time cDc text files. In person, Davis was quiet and shy—quite like cDc founder Kevin Wheeler offstage. But the serious illegal acts put Lulz Security on a different path, and in any case it would have lacked the stability of the Cult of the Dead Cow. That’s because the members did not know each other in the physical world, so they could not make good decisions about trust. That problem was multiplied a thousandfold in Anonymous writ large. All the same, Anonymous and LulzSec launched a new era of stealing and publicizing material in a manner that was claimed to be for the public good.

Many of the LulzSec capers were driven by both politics and entertainment value. Toward the end, after puzzling as cDc did about what to do with all the attention, Davis announced that LulzSec would revive Antisec, an old campaign against white-hat security professionals. This time, LulzSec would ally with the broader Anonymous and go after government security agencies, banks, and other establishment powers. Julian Assange was tracking events closely, at one point contacting the group for help getting into Icelandic email services that might show that government treating WikiLeaks unfairly. After LulzSec supporter Jeremy Hammond hacked US intelligence consulting firm Stratfor, WikiLeaks published millions of Stratfor emails with clients. Eventually authorities caught almost the entire LulzSec crew. Technological ringleader Hector Monsegur, alias Sabu, flipped and helped put Davis and the others away. After he began working undercover for the FBI in return for a radically reduced sentence, Monsegur encouraged hackers to disrupt more targets, and he repeatedly reached out to Assange and Jake, which suggests both were under US investigation.

The FBI was not the only agency to infiltrate Anonymous. Taking advantage of its loose structure, ordinary criminals used a group protest of Sony Corporation policies to break in and steal credit card numbers. Russia also had a substantial presence in Anonymous. In retrospect, it is interesting that some Anonymous members would later go on Moscow’s payroll. One of them, Cassandra Fairbanks, moved from real-world Anonymous demonstrations, to attending and writing about Black Lives Matter protests, to avidly supporting Bernie Sanders in the 2016 primaries. With more than a hundred thousand Twitter followers, she then took a job at the Russian propaganda outlet Sputnik and switched to full-throated support for Trump through the 2016 general election and afterward. Just before the November vote, she appeared on Alex Jones’s YouTube conspiracy channel, saying it was “pretty likely” that emails hacked from Hillary Clinton campaign chair John Podesta’s Gmail account contained coded references to pedophilia.

Monsegur liked to talk about his political work. He told journalists that he had hacked for a cause long before, protesting US Navy test-bombing in Puerto Rico, where his family had lived. He also claimed to have defaced Chinese websites in 2001, as other Hacktivismo supporters did. Monsegur said he joined Anonymous as it fought PayPal and Visa and moved up from the cacophony of the main Internet Relay Chat channel to more elite planning channels, including the one that morphed into LulzSec. The most impressive story: as part of Anonymous’s Operation Tunisia, during the Arab Spring democratic uprisings, he personally defaced the web page of the country’s prime minister, who had approved mass hacking of citizens. But that and the other relatively high-minded feats proved impossible to confirm. Author Olson described the Tunisian defacement as Monsegur’s work, citing him as the only source. Professor Gabriella Coleman, who was perceived as sympathetic, obtained chat logs and said Monsegur did not lead the team that performed the Tunisian defacing. In any case, even Monsegur’s few remaining supporters would have to agree he was an inveterate liar. His more prosaic crimes, such as stealing car parts and credit card numbers, were no mystery at all.

Another core LulzSec member, sixteen-year-old Mustafa “tflow” Al-Bassam, an Iraqi refugee in London, did something more challenging than defacing a website. With help from a local Tunisian who got trick phishing emails from the government, Al-Bassam hacked into the server sending the emails and modified the malicious program they carried, quietly rendering it impotent.

Like Monsegur’s, Assange’s judgment was soon called into doubt. Wanted for questioning in a Swedish probe of sexual misconduct, Assange lost a bid to avoid extradition and jumped bail in 2012, fleeing into Ecuador’s embassy in London and remaining there. After Assange railed against his Swedish accusers from hiding, some of those inside cDc who had reserved judgment about him moved into the opposition. But as that furor grew and WikiLeaks increasingly focused on exposing US secrets, Jake stayed the course. That loyalty built his stature as an information-security rock star for those who remained believers in Assange. Within cDc, however, he caused more friction.

Laird wrote to the private cDc email list that he was concerned about the departures of other WikiLeaks stalwarts fed up with Assange’s dictatorial ways and grandstanding. That meant that the group depended on one man, who was showing himself to be less and less dependable. “I had heard that Assange had problems with women months before any of this Swedish thing became public,” Laird wrote. “Does Assange tone down his profile until the rape cloud is lifted, Hell no. He can’t be in front of the press enough. So if he’s convicted of some sort of sexual misdemeanor this will—in my opinion—completely torpedo WikiLeaks.” Jake came up firing, defending Assange as a visionary and dismissing the female complainants as “fame seeking.”

WikiLeaks’s flagging reputation was one reason Edward Snowden did not turn to it with his documents in 2013, though Assange did later dispatch a colleague to spirit him from Hong Kong to Moscow and asylum. Inspired by John Perry Barlow’s independence declaration, Snowden wore an Electronic Frontier Foundation sweatshirt on the job at the NSA. When he felt compelled to warn the world about what his agency had been doing, Snowden first reached out anonymously to a new EFF spin-off called the Freedom of the Press Foundation, which had been formed in support of WikiLeaks by Barlow, Pentagon Papers leaker Daniel Ellsberg, Boing Boing’s Xeni Jardin, and a few EFF staffers. One of the staffers recommended Snowden get in touch with Freedom of the Press Foundation director Laura Poitras, who had been making a movie about WikiLeaks, and former Salon columnist Glenn Greenwald at the UK’s Guardian. The Guardian published many of the most important revelations from Snowden’s trove, but the pair also collaborated with other publications, including the Washington Post and the New York Times, to write up Snowden’s disclosures.

Jake later reported related stories for Der Spiegel in Germany, going further in exposing specific US capabilities instead of broad practices. Though it was widely assumed the documents referred to in the stories came from Snowden, the information they contained has not been cited by the Guardian, New York Times, or Washington Post, which all had access to the main Snowden archives. That suggests a few possibilities: Der Spiegel may have had a different standard about what to publish, the material may have come from a second, still-unknown source, or it may even have been obtained through hacks by the Russian government, which then leaked to Der Spiegel.

Snowden showed how closely the US government worked with and through American technology companies, sucking up domestic calling records, sifting through emails for specified content, and examining communications in other countries, which are not protected by the Constitution’s prohibition on unreasonable searches and seizures. Google, for one, had not realized that the NSA was breaking into its properties overseas, and it moved swiftly to encrypt internal transfers of user data. Other stories showed that the NSA had continued to corrupt security products by paying for back doors to be implanted or by promoting standards that it knew it could break, such as the Dual Elliptic Curve pseudo-random number generator. No major reforms passed Congress, and the anger in other countries hastened the balkanization of the internet and sped up the introduction of nationalist technology policies that hurt US providers, to the detriment of populations everywhere. At the same time, the revelations intensified work on more secure alternatives.

One of the most promising was Signal, developed by a team led by the brilliant anarchist and ex-hobo known as Moxie Marlinspike, and released in 2014. The Snowden disclosures carried enough force that Signal’s end-to-end protocol became mainstream even without most of its users’ knowledge. The two founders of WhatsApp, an enormously popular messaging app for smartphones, were Jan Koum and Brian Acton. They sold the company to Facebook in early 2014 for $19 billion and stayed to run it with some independence. Koum belonged to the long-running hacking group w00w00, which included cDc’s Adam O’Donnell and such cDc friends as Dug Song. Song urged Koum to get in touch with Marlinspike, and Koum agreed when Acton proposed having WhatsApp adopt the nonprofit Signal’s open-source technology, protecting a billion people from mass surveillance. In 2018, Acton would donate $50 million to create a new foundation to spread Signal much further and sign on as executive chairman, citing the opportunity to “make a meaningful contribution to society by building sustainable technology that respects users and does not rely on the commoditization of personal data.” Later, he said he had been motivated “by an increase in requests from law enforcement and the desire to render those requests useless.” Koum stayed on at Facebook, where he was one of only three executives also serving on the company’s board. Though he continued to run WhatsApp, Facebook began demanding more data than expected about WhatsApp users, building up ad revenue but also exposing the users to greater corporate and government scrutiny. Koum would quit in mid-2018.

Jake moved to Germany in 2012 and spent more time promoting Tor than he did coding for it. He attached his name to security research on other issues that drew wide attention, but some coauthors later complained that he had asked to be added so that he could use his fame to promote the work.

Jake flouted his edginess in multiple ways, including boasting of his past work for San Francisco bondage porn site Kink.com and sexually propositioning people at first meeting, even in professional contexts. He bragged of multiple lovers and had relationships with filmmaker Laura Poitras, who later acknowledged that he had mistreated a friend of hers, as well as Boing Boing’s Xeni Jardin, a friend to several in cDc. Jake spoke of waking up in bed with Assange and two women, and he attended private sex parties (less rare in hacker culture than elsewhere). Even there, he pushed past the norms of the environment.

One of his techniques in pursuing sex from someone who might otherwise object was to begin transgressive behavior in front of another senior hacker, said longtime friend Andy Isaacson. That hacker, not wanting to burn a relationship, would not object. This in turn put more pressure on the prey, who was more likely to assume that Jake was following norms in the situation or would have a witness on his side if not. “Jake’s magnificent gifts overlap with the same fundamentals as his failure. He’s very intelligent, and he doesn’t let things go,” said Isaacson. A key lesson from the experience, he said, is that “abusers can use loose organizations as hunting grounds.”

As a champion social engineer, Jake exploited his role as a gateway to hacker prominence, victims said, leading many to conclude they would be frozen out if they objected. He targeted more junior people in the Tor community, where complaints led to a ten-day suspension for suspected harassment in the spring of 2015. That did not dissuade him. Fortunately, longtime EFF head Shari Steele took over as Tor executive director later that year, bringing more responsive leadership.

Steele came too late for some, including a young engineer named Chelsea Komlo, who had gravitated toward security after hearing Jake speak at her company about Snowden’s leaks. Komlo traveled to Hamburg for the Chaos Computer Congress in December 2015 and went to Berlin with others after to socialize. At Jake’s apartment the night of January 1, she blacked out and woke to realize Jake was having sex with her without consent. Earlier, she had refused his repeated requests to have sex in front of and with others, but both of those things occurred. Back home and upset, she confided in people who knew other victims, and she got in touch with them. Steele’s arrival at Tor gave them hope that change was possible. To protect themselves and warn others, they went to Steele and also prepared a website where they told their stories of assault and coercion under pseudonyms. “For me, it was really important that new people entering the community not have what happened to me happen to them,” Komlo said.

Jake resigned on Thursday, June 2, 2016, but Tor gave no reason in its announcement. Only after the anonymous website went live the next day did Steele acknowledge, on Saturday, that concrete sexual assault allegations and an investigation were behind Jake’s departure. At various times over the next year and a half, some victims identified themselves, including Komlo and Leigh Honeywell, a Canadian security engineer for big tech companies. Honeywell said that during an on-and-off consensual relationship a decade earlier, Jake had ignored a safe word and become violent. “Being involved with him was a steady stream of humiliations small and large,” Honeywell wrote on her own site. “He mistreated me in front of others and over-shared about our intimate interactions with friends who were often also professional colleagues.”

Without criminal charges, Jake fought back, in part through media connections who cast doubt on some of the anecdotes. He denied the worst accusations, threatened legal action against the women, and implied that the attacks against him stemmed from his work for free speech and secure technology. Still more people came forward, and the weight of evidence against him grew. “Tor handled it in a way that you would hope and expect,” Komlo said. Komlo was invited to a Tor conference the next year, began writing code for the project, and later was designated a core contributor. That was especially encouraging, Komlo said, because of the male dominance in the field and because women are more likely to be abused by men who spy on them. “Security and privacy is a great field for women, because there is a lot of moral reasoning, and you are in it because you want to protect people, and that should be something that resonates with not just straight white men.”

The Tor Project replaced its entire board. Even Jake’s mentor, Roger Dingledine, and Nick Mathewson stepped down while remaining lead employees. People involved in the process said that the prior regime had had a leadership vacuum and consistently played down what many people told them about Jake. “What you tolerate and don’t tolerate defines you,” one of them said. New directors included the EFF’s Cindy Cohn, cryptography experts Bruce Schneier and Matt Blaze, and Gabriella Coleman, the anthropologist who chronicled Anonymous. After a few days, Barlow’s Freedom of the Press Foundation, which by now had added Snowden to its board, dropped Jake as an unpaid advisor. Noisebridge, a warehouse-sized San Francisco hacker space Jake had cofounded, said he could not come back.

Jake’s early defenders included some Tor node operators, EFF cofounder John Gilmore, and Daniel J. Bernstein, an antigovernment cryptographer who had helped loosen export rules with Cohn’s legal help years before. Most cautioned against rushing to judgment without legal process. Now a professor in the Netherlands and a major figure in spreading non-NSA-backed encryption, Bernstein kept Jake on as a graduate student.

The revelations were especially painful for cDc, which had built Jake’s credibility with other hackers. His conduct underscored the male domination in security generally and in the hacker social scene in particular. Worst, Jake embodied the dark side of cDc’s formula, wielding a media-savvy, boundary-flaunting personality that could drive awareness while also feeding a rapacious ego.

What had made cDc special was shared values despite different viewpoints and areas of expertise, and that had been shattered. “Those of us who knew Julian back in the day always knew he was kind of a shit. I personally was always dubious of WikiLeaks largely because of that,” Paul Leonard said. “The reasoning all goes back to the core of cDc, and furthermore was why Jake Appelbaum hit us in an unreasonably painful way, which is that to an extent cDc functioned as something akin to a family unit.”

cDc could have said nothing. It was not as famous as it had been a decade earlier, and many of the articles about Jake wouldn’t mention his affiliation with it. To the group’s credit, its far-flung members scrambled even before the anonymous website appeared or Tor elaborated on its one-sentence announcement of Jake’s resignation. Jake was still on the cDc mailing list, so the discussions had to happen elsewhere, including in smaller email chains. Luke alerted Kevin and Laird to early references on Twitter about rape accusations. Christien Rioux also wrote to Misha Kubecka. The concern was followed by caution.

“It’s bad news, but I would definitely want to see more evidence than just some random dudes on twitter before we took any action internally,” Luke wrote. Misha spoke from the gut: “Fuck. What is up with WikiLeaks people and rape?” After Christien spotted the anonymous accusers’ website and passed along the link, Laird weighed in Saturday morning, saying that he had known that women had been trying to gather evidence of rape against Jake and that he had heard some “unsavory” stories of sexual conquests. “He can be a complete dick,” Laird wrote. “I have my own experiences with this when I hosted him in India and he pulled some dumb stunts.” Luke added Adam O’Donnell to the thread and suggested they seek out Jake’s side of the mess.

The news stories started showing up on Sunday, and a friend of the group, Nick Farr, wrote publicly about being threatened by Jake and his supporters. That happened after Farr obliged Jake’s demand that he cancel a five-minute talk during the Chaos Computer Congress’s open-mic session by someone claiming that Jake was a US intelligence plant. Farr refused to hand his correspondence with the would-be speaker over to Jake. “Every night, I came back to my hotel room, a typewritten note on my pillow stating, ‘Don’t make us use extreme measures. Hand it all over.’” Farr said he contacted people he thought he could trust to explain what he was doing, but they all told him to find a compromise. “You can’t dialogue with a sociopath,” Farr wrote. “What’s worse is when people you consider your trusted friends take the sociopath’s side.”

That was enough to push Laird toward making a public statement, and Adam seconded. Without having heard back from Kevin, Luke asked Misha to remove Jake from the mailing list so that they could out a proposed decision and statement to the full group. Finally, late Sunday night, Kevin showed up and said he wanted to quietly remove every trace of Jake from cDc sites, including the alumni roster. “I’m very sorry for my part in accepting this guy. That was dumb,” Kevin wrote. “What I’ve come to realize is that personality matters 100% more than skills for this stuff. Whether any of these allegations are true or not, he doesn’t fit in with us.” The group convinced Kevin that they needed a public distancing. They collaborated on what would be its most serious public statement in more than a decade, then posted it to the cDc home page and to the then-open cDc Facebook group, where many of the members and fans shared information.

“Like much of the hacker community, we were troubled to hear the allegations of sexual abuse, manipulation, and bullying leveled against one of our members, Jacob Appelbaum, A.K.A. ioerror,” it began.

We’re also aware that the Tor Project is conducting an internal investigation, and encourage anyone with relevant testimony to come forward. For some, it won’t be easy. There can be shaming or humiliation, or the fear of not being believed. It is also our responsibility to create an environment where people feel safe to come forward. We have always stood for freedom of speech and expression, which sometimes necessitates the right to anonymity. This is something that victims of abuse often require. We stand by their right to be anonymous. Others, like our friend Nick Farr, who decided to go public with his own difficulties, deserve our respect and support. Everyone will do this in their own way. We know that it may be scary, but we also encourage victims to contact their appropriate local authorities. We understand the complicated relationship we all have with law enforcement, but there is a time and place for government intervention. If the most extreme of these allegations are true, they should be addressed in a court of law, and dealt with appropriately.

CULT OF THE DEAD COW is known for a lot of things, but treating people horribly is not one of them. If communities are to thrive and remain relevant we have to do some housecleaning from time to time. As we have become aware of the anonymous accusations of sexual assault, as well as the stories told by individuals we know and trust, we’ve decided to remove Jake from the herd effective immediately.

In a personal post on Medium, Laird said he hoped the ouster would help educate others about systemic sexism in hackerdom, exacerbated by a tendency toward rule-breaking, distrust of legal authorities in reporting transgressions, and some excessive scenesterism: “There’s been a lot of looking the other way in the hacker community when powerful people overstep the bounds, and that has to stop.”

It didn’t take long for that wish to start coming true. As the broader antiharassment movement known as #MeToo built up steam in the fall of 2017, the hacker community rose up against other accused predators. Even Cap’n Crunch, John Draper, who had haunted hacker cons from the days of HoHoCon, was finally outed for pursuing underage boys and banned from gatherings. A Draper spokeswoman denied his seeking sex.

At least Jake was gone from cDc before the election of 2016, when his association with WikiLeaks would have been indefensible to everyone in cDc. WikiLeaks would be a central, partisan player in helping elect Trump, who lavishly praised it on the campaign trail. Emails stolen from the Democratic National Committee by Russian operatives were gleefully published by WikiLeaks as the Democratic convention was getting under way, when they could be dumped with maximum impact. Hours after Trump’s campaign was blown off course by the publication of a video in which he bragged of grabbing women “by the pussy,” WikiLeaks muddied the day by beginning to roll out stolen emails from Clinton campaign chairman Podesta. Long-promised leaks about Russia, meanwhile, never materialized. And Assange repeatedly tried to throw off suspicions with misinformation, denying that Russia was a source and hinting that a DNC staffer was one. In the summer of 2018, the special counsel’s indictment of twelve Russian military intelligence officers would quote the emails between WikiLeaks and its real source, a Russian-created persona calling itself Guccifer 2.

Jake and Assange were far from alone in draping themselves in morality while serving other causes. Instead, they were just the most prominent exemplars. From 2016 on, a substantial amount of purported hacktivism would be something else in disguise.