One very sad story

This article by ZDnet's Mitch Ratcliffe on Identity Rape and Mob Mentality sends shivers down the spine.  Partly because a bunch of our friends are involved.  Partly because the dynamics are just scarey.

Allen Herrell, one of the accused attackers in the Kathy Sierra controversy, has written a long email to Doc Searls explaining that his entire online identity has been compromised. If true, and I believe it, because I have known Allen for many years, it appears there have been many more victims here than Ms. Sierra.

I am writing this from a new computer, using an email address that will be deleted at the end of this.

I am no longer me. My main machine despite my best efforts has been hacked, my accounts compromised including my email. and has been disconnected from the internet.

How did this happen? When did this happen? shit doc, i don't have a fucking clue. I thought i was pretty sharp. I guess not.

just about every online account that i have has been compromised. Most importantly my digital identity and user/password for typepad and wordpress. I have been doing damage control, for my clients. How the fuck i got to be part of this mess is revolting.

The Kathy Sierra mess is horrific. I am not who ever used my identity and my picture!!

I am sick beyond words over this whole episode. Kathy Sierra may not be on my top 10 list , but nobody deserves this filthy character assaination (sic). 

A lynch mob mentality has come over the Blogosphere. Kathy Sierra has ever right to be angry about the messages directed at her, but her allegations appear to have been misdirected and misinformed, because they relied on simplistic analysis of the sites and assumed that appearance and reality were identical. And she's making it worse, writing today:

You're damn right I'm *linking* these folks to these posts. You're wrong about their involvement. The posts and comments were NOT made by–as you said–heinous trolls.

Whoever made the posts was a registered member, and they *know* who made the comments — he was one of their participants. I never said Jeaneane was the one creating the noose picture or comment. I said she was a participant in and “celebrated” and encouraged I believe that when prominent people encourage this kind of behavior, they don't get to wash their hands of it, ethically.

I should be more clear, though, that while *someone* broke the law with the noose photo/comment, I'm definitely NOT suggesting that anyone else did anything legally wrong.

But I think Hugh put it better than I can:

–You might not be the guy raping the cheerleader, but if you're the one standing by saying, “go go go!” you share some responsibility.–

Not legal, but ethical. I don't believe any of these folks should be able to create these forums, *celebrate* them, send people there, and actively participate… and then claim complete innocence. If you hand someone a loaded gun. and encourage them to shoot…

The rape metaphor applies to everyone involved who had words and images they find deplorable attributed to them. But it is far more important to understand that the rape claimed attributed to them probably didn't happen wasn't their doing in the first place. The gun shoved in Chris Locke, Jeneane Sessums, Frank Paynter and Allen Herrell's hands is as likely to be illusory as not. We need proof, not accusations, just like in the physical world.

Trolls created the impression of a crime and sat back to watch human nature show its worst side. They are still enjoying it.

As Chris Locke explained in his email to me yesterday, he took the offensive postings down “shortly after it appeared.” Nevertheless, Bert Bates, Kathy Sierra's Head First Java co-author has commented on this blog, saying “By definition, these ‘posts’ were made by the author(s) of the site – it IS a small circle of candidates.” When you factor in the possibility that accounts were co-opted, according to this definition, anyone who has ever had their email address spoofed is responsible for the content of the messages sent under their name.  (Post continues here…)

There are so many things to be learned from this story that it boggles my mind. 

It brings back a conversation I had with Allen (The Head Lemur) at Ester Dyson's Release 1.0 conference, years ago, where we first talked about identity.  He was skeptical (as is his wont) but I had good fun talking to him.  And there is no doubt in my mind that we should, as our civilization has learned to do, consider Allan innocent until proven guilty – and there doesn't seem to be any sign of that. 

The worst is that I hear stories like this all the time.  Not just in my work, but from my family. 

My daughter tells of a lady friend who's gmail account was broken into – resulting in pandemonium that – if it weren't so unbearable – would be the stuff french farces are made of. 

My son's instant messaging account was hacked by the ex of a ladyfriend he wasn't even dating.  Again, he was dragged through weeks of confusion and reconnection. 

So one of the things that separates this story from all the others happening all over cyberspace is just that we know the people involved.  The broad strokes are common today given the randomness of web security and identity.

To make matters worse, imagine technical people saying, in a world of passwords and keystroke loggers, “these ‘posts’ were made by the author(s) of the site – it IS a small circle of candidates…”  Help me.

It's a great proof point that even though blogs don't involve high finance, they still need high quality security.  The loss of privacy and loss of dignity we have witnessed here can't really be undone, even if one day they can be forgotten.  Protecting identity and protecting access is not a joke.

Some days, when I'm really tired, I look at the vast job ahead of us in fixing the internet's identity infrastructure, and wonder if I shouldn't just go and do something easy – like levitation.  But a story like this drives home the fact that we have to succeed. 

Maybe next time Allan and colleagues will be using Information Cards, not passwords, not shared secrets.  This won't extinguish either flaming or trolling, but it can sure make breaking in to someone's site unbelievably harder – assuming we get to the point where our blogging software is safe too.

Published by

Kim Cameron

Work on identity.

4 thoughts on “One very sad story”

  1. Kim,

    One of the interesting points of this is that it highlights very strongly some of the meat space problems that I'm not sure any identity solution can solve. The problem in particular is that as much as we try to associate a digital identity with a real person, so long as the two can be separated without exposing the split we have no hope of succeeding.

    For so long identity technical commentators have pushed the idea that a person's digital identity and their real identity can be tightly bound together then suddenly, when the weakness is finally exposed everyone once again is forced to say ‘This digital identity is nothing more than a string puppet that I control. I didn't do this thing, some other puppet master did.’

    What's the solution? I don't know. Perhaps we need to stop talking about identities in this way. If a burglar stole my keys and broke into my home to use my telephone it would be my responsibility to demonstrate that but I doubt that I could be held responsible for what he said afterwards. Alternatively we need non-repudiation to be a key feature of any authentication scheme that gets implemented.

    In short, so long as we can separate ourselves from our digital identities, we should expect people not to trust them. We should in fact go to great lengths to ensure that people trust them only as much as they have to and no more.


Comments are closed.