Question Box Question: How do I start a career in internet research?

In an effort to blog just a fraction more than hardly ever, I’ve added the Question Box, where citizens of the internetz can submit their questions and thoughts and I will try my hardest to answer them. As with everything on the internet, YMMV.

The first Question Box Question comes from Grace:

I am currently in a job where I do online consumer behavior research and strategy work. I love it, but I would prefer to use the skill for “good” (education) instead of “evil” (advertising/direct benefit of large corporations). I feel like a research role would be a great fit for me and would allow me to delve deeper into cultural trends and patterns, particular segments and issues, etc. However, the financial/time investment of moving my career in this direction is daunting, as you need a PHD. (I only have a BA). Where would you recommend someone start if they want to explore this as an option? Is there anything you would have done differently on your journey to where you are in your education/career?

TL;DR: What advice would you give someone looking to research internet culture as their career?

The first job I ever had as an internet researcher, as an RA at the Berkman Center for Internet and Society, I got straight out of undergrad.  The idea that you need an advanced degree to do research, especially in the field of internet culture is, as a colleague just told me, “an enormous crock.”  One of the great things about this field is that it’s still very much an open playground. A lot of the most important work is being done by people without tenure or a shiny endowed chair.


HOPE9 Talk: Activist DDOS: When Similes and Metaphors Fail

EDIT: The video of this talk is now up! Check it out.

I presented this talk last night at HOPE Number Nine, which has been a super fun conference.  Don’t forget to check out the slide deck, which is full of lolcats.

In the interest of getting this up fast, I’m posting the raw version of my notes.  I’ll be adding citations over the next couple of days.

ACTIVIST DDOS: WHEN SIMILES AND METAPHORS FAIL

I. INTRODUCTION

Previous characterizations of activist DDOS campaigns have traditionally fallen into one of two camps: those that unilaterally condemn activist DDOS campaigns as bullying and censorship, and those that align such actions with IRL sit-ins.  Both these characterizations, however, cannot be applied to the entire landscape of activist DDOS campaigns as a whole. Rather, each campaign must be examined individually before a judgement can be made regarding its validity as a protest action.  DDOS as a tool cannot be wholly condemned or lauded without its surrounding context.

In this talk, I’ll be examining those previous characterizations, and looking at different DDOS campaigns that do and do not fit those models.  Next I’ll be outlining the current state of play of activist DDOS.  Finally I’ll be presenting a new analytical model for looking at activist DDOS campaigns, and presenting an analysis of the December 2010 Operation PayBack DDOS campaign against PayPal.  Also, to reward all you fine people for coming out so late for this talk, there will be lots of pictures of cats.


Back from Kenya! And The Atlantic!

Yesterday I got back from the Global Voices Citizen Media Summit in Nairobi.  It was a pretty epic trip all around and I’ll be writing more about it soon.

A few hours after I touched down, The Atlantic posted my latest article on internet regulations and the hacker folk devil.  My sixteen-year-old self just gave my 26-year-old self the biggest high five.

Books that get you banned from the internet in Texas

A version of this article originally appeared on the EFF’s Deep Links blog

Earlier this month, an inmate in Texas was denied access to computers and an electronic messaging system because he ordered a copy of the information security handbook Hacking Exposed.  Does simply ordering a copy of an information security handbook render an individual a threat to the safe, secure, and orderly operation of a federal prison? Almost certainly not.

Hacking Exposed was written by three well-respected information security professionals, two of whom work at McAfee, and is intended to educate infosec professionals about the threat landscape. But the warden of the prison, and subsequently a federal district court, found that just by ordering the book, Reginald Green constituted a substantial enough threat to the orderly running of the prison to ban him from accessing the TRULINCS electronic messaging system or using computers for the rest of his incarceration.  Could the exploit information contained within Hacking Exposed be misused in the right environment? Sure, but so could lots of other things, like the hammers in the prison workshop or the weights in the prison gym.

This is an unfortunate, aggressive reaction to the social concept of “the hacker,” without pausing to consider the facts of the case.  If the book had been called “Offensive Information Security” instead of “Hacking Exposed,” would it have been confiscated, or Mr. Green deemed a threat?  We’ve seen many examples of security researchers and others calling themselves hackers and falling under undue and aggressive legal scrutiny because their motives and actions were misconstrued.  This is in part because the term “hacker” can, in general parlance, mean anything from a DIY enthusiast building portable chargers in Altoids tins to a hardcore cybercriminal selling stolen credit card numbers on a deep web message board. Individuals either calling themselves hackers or dubbed so by the media have been repeatedly targeted for publishing information on how to jailbreak your own devices. For example, Sony sued members of the hacker group fail0verflow after they revealed at CCC that they’d mathematically calculated the keys Sony uses to ensure only approved code runs on the PS3. In the same suit, Sony also sued George Hotz, better known as GeoHot, jailbreaker of the iPhone, for publishing the PS3 root key, even though he made clear he didn’t do so to enable people to run pirated games. People have also been targeted for offering jailbreaking services commercially. For instance, prosecutors brought criminal charges against Matthew Crippen for modding XBOX 360s to run DRM-free games, which were ultimately dismissed.

Whether you call them hackers, makers, tinkerers, or information security researchers, people on the hacking spectrum have been a boon to society for decades.  They power innovation in all sectors and operate as a valuable check on the security and stability of the technology that forms the basis for our modern society.  Their curiosity drives our economy and challenges entrenched corporate and governmental interests.  However, the word “hacker” has changed since its origins in creative prank culture and innovative computing at MIT, and is now popularly used, more often than not, as a pejorative one that encourages fear-based knee-jerk reactions. Hackers are used as go-to villains by policy makers, who wave the nightmare scenario of rampant cybercrime and imminent cyberwar to justify legislative proposals that threaten to encroach on your digital civil liberties.

Rather than evaluating the actual threat posed by Mr. Green having ordered the Hacking Exposed book, the warden in this case appears to have latched onto the word “Hacking” and overreacted.  The security paranoia displayed in banning Mr. Green from the TRULINCS electronic messaging system and access to computers entirely also doesn’t bode well for their information security practices.  Theoretically, if the Bureau of Prisons is truly concerned about users within the prison system compromising TRULINCS, it ought to have measures in place to prevent users from, say, uploading or downloading attachments, installing and running programs, accessing the Internet, or gaining admin access to the workstation or local network.  If the system does potentially allow these actions, and is relying on the lack of knowledge in its user group to protect itself (aka security by obscurity), then that is a much bigger problem than one guy ordering one book.  A Bureau of Prisons memo (http://www.bop.gov/policy/progstat/5265_013.pdf) states that an inmate can be banned from the system if they have “special skills or knowledge” of computers or the internet.  Unless those skills or knowledge were used in the commission of a crime, the BOP wouldn’t necessarily be aware that an individual possessed those skills.  So rather than strengthening the TRULINCS system against unknown, potentially strong actors (people who enter the system with “special skills and knowledge” or outside attackers), the BOP here appears to be opting to take punitive action against a known weak actor (if he had the requisite skills and knowledge to compromise the network, one would assume he wouldn’t have needed the book).

What is being attacked here is the ability of individuals to pursue technical knowledge.  Rather than evaluating the actual threat posed by Mr. Green having ordered the Hacking Exposed book, the warden in this case appears to have latched onto the word “hacking” and overreacted.

Where’s the digital street?

I just read “Policing Protests in the United States: 1960-1995,” a fascinating article by Clark McPhail, David Schweingruber, and John McCarthy on the development of policing tactics in the US. Highly recommended for anyone interested in the history of social movements in the US.

The article refers to something called public forum doctrine or public forum law. As McPhail describes it, public forum doctrine divides the physical world into different categories, categories which have implications for the different protest actions which may (or may not) take place there. McPhail identifies four broad categories, which he articulates as “the ‘traditional public forum,’ the ‘limited’ or ‘designated’ public forum,’ the ‘nonpublic forum,’ and private property.” The most permissive of these is the traditional public forum: streets, parks, sidewalks, town commons, and other areas traditionally recognized as being held in common for the public good. Limitations of speech and protest actions in these spaces can, according to McPhail, be subject to only limited “time, place, and manner restrictions,” which cannot be based on the message of the protesters themselves. The next two categories on the continuum, the limited/designated public forum and the nonpublic forum which “includes governmental property that is not a public forum ‘by tradition or designation’–such as a post office or jail,” McPhail identifies as being subject to the same criteria as the traditional public forum. That is, speech acts at these locations cannot be restricted based on the content of the speech, and such restrictions must be “reasonable.” The only property category that is not subject to such limits on restrictions is private property. The owners of private property are relatively free in the restrictions they can place on the speech of others when it takes place on their property.

Personal anecdote: Way back when, I worked as a user wrangler for a social networking site which shall go unnamed. Part of my job involved taking down content that violated our Terms of Service: content that was pornographic or offensive or harassed another user, etc. About 80% of the time, upon deleting the offending material, we would get an email from the poster, accusing us of violating their First Amendment rights by deleting their content. We hadn’t, because as a private company, we had the right to determine what speech content we wanted hosted on our privately owned servers. The First Amendment only extends to the actions of the government with regards to the abridgment of free speech. However much it was within our rights as the website to remove user content, essentially, at will, this crystallizes for me an issue that is coming more and more to the forefront of political action on the internet.

I would argue that there are no public fora on the internet. This is devastating when it comes to the development and use of digital protest tactics. While protests taking place in the various public fora ‘in real life’ have a foundation of history and legal doctrine to support their legitimacy as valid and protected political speech, actions that take place in the online sphere can only ever infringe on privately held property. The architecture of the network does not, as of yet, support spaces held in common. Moreover, I would argue that any attempt to establish dedicated public fora online for the legitimization of digital protest would do little more than create “free speech zones” online, distancing protest speech from the general online discourse.

A great thing about those traditional public fora mentioned above is that, IRL, public streets and roads go, if not everywhere, a hell of a lot of places. In most instances, street protests can take place in actual and rhetorical proximity to the target, be it corporate or governmental, of their speech while remaining in a physical location that protects their rights to free speech. The private-ownership model of the internet co-opts that possibility in the online space. Despite what Neal Stephenson foreshadowed, there is no “street” on the modern internet.

Right now, digital protest tactics, digital direct action in particular, are attacked as illegitimate because they inevitably tread on the private property of someone. This conflict does have a physical world parallel. The initial Occupy Wall Street camp was established at Zuccotti Park, a “privately-held public space” which is ostensibly available for public use but still subject to the potential restrictions of private property. The free speech obligations/protections provided by such spaces are legally murky. As more of our public spaces are privatized, and as the private spaces of the internet become an important nexus of speech, the guarantees that protect our ability to engage in public protest become less certain. If digital protest tactics are going to be held as legitimate, and I believe they should be, then this is a fundamental issue that needs to be addressed.

x-posted from the Networked Social Movements class blog

Media Lab Member Week

DDOS as an Activist Tactic at Member Week

Got a chance to talk about my research into Distributed Denial of Service attacks in activism at the Media Lab’s annual Member Week. We even had an instance of LOIC running on a closed network so people could see how the tool worked.

 


Highlights included making a Space Invader out of gaff tape on the floor of the Media Lab. I love this fucking place.

Confusion, Apathy and the Tools at Hand

Last night I attended the Cultivating New Voices memorial for Persephone Miel, held by the Berkman Center.  It was a fascinating event, and a very moving memorial that made me sad I had never known Miel (she passed away a month or two after I arrived at Berkman).  The event featured talks from journalists Fatima Tlisova of Voice of America and Dele Olojede of Nigeria’s Next Newspaper, as well as Ethan Zuckerman, Colin Maclay, Ivan Sigal and Jon Sawyer.  You will soon be able to access an archived webcast of the event at the Berkman site, and in the meantime, David Weinberger has posted a liveblog of the event here.

A major question that continued to fall out of the discussions being had, on stage and amongst the crowd later, dealt with the problem of apathy, or at least the appearance of apathy, among the population at large in response to news coverage.  After the event last night, I had a chance to think more about this question.  This is my attempt to talk/write through my thoughts and reactions to the issue.

During his talk, Olojede told an anecdote about what his newspaper experienced when they published an extensive expose about extensive and blatant corruption in the petroleum industry in Nigeria.  Significant attempts were made “by everyone I had ever known” to keep Olojede from publishing what was sure to be an explosive story on one of Nigeria’s chief industries.  He was offered $20M to spike the story.  The story was published anyway.  Nothing happened.  No reaction, no outcry, no public outrage.  In what seems to Olojede to be a “slap in the face,” key officials from the implicated sections of government were reappointed by the Nigerian Senate, “with no questions asked.”

“So,” concluded Olojede. “What happens when you arm the public with all this information, and they do nothing?”

Maybe the problem isn’t apathy.  It may not be that Olojede’s audience did not care.  Rather, they did not manifest their feelings about the issue at hand in a way that Olojede could see or recognize as “caring.” He did not receive the outcome he thought was appropriate, which would have been some sort of public political outcry and subsequent reform.  This feeling of rhetorical abandonment, like you and your colleagues are shouting with all your might down a well, is incredibly frustrating and demoralizing, and I sympathize with Olojede’s frustrations.

However, just because his audience didn’t react in a way Olojede wanted doesn’t mean they didn’t care.  I’d like to posit that what occurred in this case, and what occurs in many similar cases, was not apathy, but confusion: confusion about the next step to take.  Reasonable, reactive anger without a constructive outlet can quickly dissipate or malignantly fester, but very rarely spontaneously manifests into useful action.  You can feel genuinely outraged by an event, but sitting by yourself at the breakfast table with your newspaper, it’s easy to feel your outrage is isolated, and there is no sure next step to take. However, if you are angry, and you look out the window and your neighbors are marching in the street, suddenly your personal path of action is clearer.  An active path needs to be available when the public is angry, perhaps laid out in conjunction with news coverage or even by journalists themselves.  Without the clear option to act, and a clear path to follow, anger and confusion can lead to hopelessness, and, indeed, a sort of defensive apathy.  I think there are palpable feelings of shame associated with inaction in the face of a wrong, and it may be an action of self-defense to hunker down in the motion of everyday life if you truly feel you can do nothing about it.

An example to consider: the popular participation in Anonymous’s Operation Payback last December.  The DDOS tool LOIC had been around for a while, and had been used in Anon actions before, but new versions of the tool, including versions that could run on Android phones and jail-broken iPhones and simplified versions with attractive and easy-to-use GUIs, expanded the potential user-base considerably.  Add to that the use of public Twitter accounts (rather than IRC, which can be intimidating for neophytes to access) to advertise target IP addresses and coordinate actions, and constant news coverage that either linked directly to or provided search terms for the active Twitter accounts and newsfeeds, and you have a swarm of factors that enable a population that was angry at current events to quickly, easily, and with little perceived risk to themselves participate in significant protest actions online, though they may never have been an active member of such a group before.  They reached for the tools at hand.  Those tools may not have been perfect (the most commonly used versions of LOIC were later found to have security flaws that exposed their users’ IP addresses during an attack), and DDOS as a mode of political protest is controversial at best, but they represented the most visible path, the tool closest and most clearly at hand.

Another example to consider, from the other side of the issue: the (lack of) mobilization among the hordes of American unemployed.  The unemployed population in previous generations had been ripe for organizing and social action.  Why not now?  Catherine Rampell published an excellent analysis of the issue in the New York Times, in an article called “Somehow, the Unemployed Become Invisible.”  She draws attention to problems of the unemployed experiencing feelings of powerlessness, social shame and depression that make them less likely to take political action.  Another issue she brings up is suburbanization of the unemployed population:

“Back in the 1960s or even the 1980s, the unemployed organized around welfare or unemployment offices. It was a fertile environment: people were anxious and tired and waiting for hours in line…The Mon Valley Unemployed Committee, which is based in Pittsburgh, helped organize workers in 26 cities across five states, simply by hanging around outside unemployment offices and harnessing the frustration.  Today, though, many unemployment offices have closed. Jobless benefits are often handled by phone or online rather than in person. An unemployment call center near Mr. Oursler, for instance, now sits behind two sets of locked doors and frosted windows.”

The scattering of the target population means that it loses a sense of community.  The feelings felt by individuals are allowed to dissipate, rather than reinforce each other in a group and become organized.  Even those online resources aimed at the unemployed are more focused on resume composition or other similar services than encouraging, harnessing and directing any sense of outrage at national policy.

Journalists, distributing information to large numbers of people through whatever media is at their disposal, are in an ideal position to tap into the outrage and desire for change that their work ideally seeks to inspire.  If it is truly their intention to cause significant social and political change with their work, then it seems the focus on dispassionate, uninvolved journalism that only informs and refrains from directing the feelings it inspires represents an ocean of missed opportunities.  At worst, it actively contributes to a sense of hopelessness and, yes, apathy, by inspiring emotions but offering no way for those emotions to grow into action.

I’m just at the beginning of my analysis of these issues.  If you’ve got an opinion or reaction, I’d love to discuss it!