TL;DR: Be cautious and if something doesn’t seem right, ask! Don’t be afraid to reach out and get help. There are many InfoSec folks that want to help. The community is strong—but in any community, bad things will happen! Don’t be afraid to stand up and speak out. Any noob that doesn’t post about technical content is questionable! Starting in InfoSec is hard and we are willing to help.
Earlier this year, a group appeared called “#n00bsec” or “@InfoSecN00bs”. The Twitter account appeared April 2017 and a Slack and substantial community followed. The idea of a group to aid anyone new to infosec by noobs meant a ton of focused assistance and time from those (in theory) trying to learn from each other and share resources/experiences. The group seemed to be run by @hacksforsnacks_ AKA Aaron McBee and @K_5m00th.
I first heard about @hacksforsnacks_ from his presentation at @BSidesSATX, then I heard about the #infosecn00bs group and was excited to help. Like a fair number of infosec professionals, I am very interested in making sure noobs get assistance—since I want to see more success and fewer front-page headlines from breaches. I got help when I started and feel obligated to pass on the good karma. I worked with an academic group back in 2012-2013 to help create a national InfoSec group, and even went to “The Colloquium for Information Systems Security Education” Conference on behalf of CyberWatch (said academic group) to help push this effort forward.
Initially, I thought @hacksforsnacks_ was all of n00bsec, but I saw the group’s growth snowball over the coming months. Between Slack and Twitter, it took off! Then I heard @hacksforsnacks_ was going to be at @NolaCon and was excited to meet him—as he was becoming a really popular noob, seemingly helping folks get started. Sadly, those hopes were dashed when some confusion about flight cost in exchange for volunteering occurred. At Circle City Con, @hacksforsnacks_ appeared as a volunteer (which was cool to me, as I see volunteering at cons as a great way to meet people). Sadly, my hopes were somewhat dashed when he showed a somewhat elitist attitude; I started to get worried for n00bsec. However, I met @BretMattingly, a member of n00bsec, and was quite excited since his talk on curiosity at Circle City Con matched my current research interests perfectly. (On the way to Circle City Con, I had done a close reading of a Carnegie Mellon research paper on curiosity.) At Circle City Con, @hacksforsnacks_ seemed determined to make a fool of himself as he made several statements that seemed far-fetched and turned out to be lies, which led me to be more concerned about the group. I got very concerned for the future of n00bsec and I really do want to see new folks be successful—especially the ones that are truly curious, as it is such an important personality trait within infosec.
When n00bsec started a Kickstarter to fund noobs going to Hacker Summer Camp, I had rather mixed feelings. I strongly believe everyone should start with local events and meet some folks first. This makes the summer camp trip so much more valuable! (And having someone else to go with to Vegas also makes it far more friendly!) After it was all said and done, I heard the concerning news that issues with money came up and Bret made a safe decision when things went wrong to refund the money. Bret caught a lot of heat for the decision, but given what he said in the posts below, I believe he made the right decision. The following stream was after Hacker Summer Camp, but the events occurred before.
As we approached “Hacker Summer Camp” (AKA Black Hat/BSidesLV/DEFCON), things blew up. One of my students, who had won a BlackHat scholarship from a VP at Microsoft, was relying on @hacksforsnacks_ for a room, but the day before he was supposed to fly out, @hacksforsnacks_ finally informed my student that he no longer had a place to stay in Las Vegas. Panic ensued. I ended up covering my student’s room to get him the opportunity for his first BlackHat, and then I got him a DEFCON badge as well. However, I was and still am really annoyed.
On Sunday, the last day of DEFCON, I heard that @hacksforsnacks_ had been escorted from the hotel for sexual harassment. I have heard all kinds of negative rumors about the leaders of n00bsec using the group for inappropriate behavior.
@AwfulyPrideful tweeted at DEFCON to remove @hacksforsnacks_ for terrifying another attendee:
A few minutes later, Matt Parker tweeted his experience hanging out with @hacksforsnacks_ at Circle City Con:
There are rumors of @hacksforsnacks_ convincing InfoSec professionals to “help him out” by covering everything from flights to his cell phone bill and rent. It amazes me how successful he was at scamming professionals trying to help noobs—and it bothers me how much damage this has done to our community. One of the many examples is below:
Repeatedly, I’ve heard about use of the n00bsec group for sexual harassment. Most of these rumors had focused on @K_5m00th after he claimed @hacksforsnacks_ was innocent, but even that turned out to be incorrect. @K_5m00th was implicated in sexual harassment at several events and more. I was not present and don’t have details. One person sharing their story gets the ball rolling; if you were a victim, please send a message—anonymously, if you need to. A member of NoobSec stated clearly in DM that he made several members uncomfortable through his actions within the group:
A victim has already mentioned being harassed at the BSidesLV party with questions about where her boyfriend was and why he wasn’t with her. @K_5m00th and a friend apparently bothered her for around 20 minutes, asking various versions of where her boyfriend was and whether she was available, while she attempted to steer the conversation to NoobSec. He seemed determined to ask about her personal life despite her attempts to talk about NoobSec, in which he showed no interest.
AwfulyPrideful had given a warning before DEFCON about the behavior of @K_5m00th:
She then gave a larger press release about the concerns. Then she wrote a post on how to Fix the Problem with NoobSec.
On August 16th, @K_5m00th tried to redeem himself for his offensive actions with the following:
There was actually a lot of discussion about having new leadership for n00bsec, but I think a new brand is needed since so much negativity occurred. Several people have shown interest in helping to rebuild a similar group focused on ethics and helping noobs: @SushiDude, @Dan_Crowley & @MarkusJCarey and more that haven’t tweeted about it, but have said in person they want to make something safe.
Brake Sec PodCast offered to have any noobs use their Slack (invites: https://brakesec.signup.team). InfoSec Mentors Project focuses on connecting mentors with mentees. Here is my own resource for starting infosec.
So in the past, I posted a detailed coverage of my story being scammed by Joe McCray and have since had numerous requests from Joe through several people to remove the post, as the information has warded off enough people for him to start a new brand: InfoSec Addicts (infosecaddicts.com & @infosecaddicts) as of September 2016 (for the Twitter account, at least). From what I can tell, it still seems like Joe. I say: be wary based on Joe’s performance with Strategic Security. That said, I have no stories on InfoSec Addicts slighting anyone as yet. See previous experiences of Joe’s classes for background.