Recent Happenings

• WIRED. You Can Get Some of Your Nudes Removed From the Internet Under a New Law (guest appearance from Dr. Gonzo)

• WIRED. Your iPhone Gets Stolen. Then the Hacking Begins.

• 404. How Deepfakes Tore a High School Apart.

• 404. Streamer Realtime Deepfakes Himself into Mr. Beast, Says He Loves ‘Touching Little Boys’.

• Cool sites: radio.kwsx.online ; synesthesia.club ; theshfl.com

Back in the day, I was a script kiddie. I would frequently send my friend F (who reads my s’tack; thanks!) malware through MSN messenger. One time I got his printer to waste some paper from the comfort of my house.

When I was in undergrad, I did a consulting internship at a big consulting firm. Mr. Robot season 1 aired that year, rekindling all my hacking dreams. So, I got the partner in charge of the “cyber” division to take me around for a tour and show me their labs, tools, and so on. Unfortunately, I did not find guys in hoodies typing quickly on screens. Instead, I saw a conference room with 4 guys projecting an Excel spreadsheet and doing PCI compliance. Essentially, if a company like Comcast wanted to create a page on their website that had a credit card payment widget, these guys had to make sure that you had a lock icon when visiting that page.

This was certainly not the cybersecurity ninja 1337 h4x0r vibe I was expecting. I was hoping for a bit more cargo shorts, sandals, uncovered legs and white socks stretched up mid-shin. Instead, much to my dismay, one of these Excel enjoyers would make partner and advise major companies on cybersecurity strategy; a tragic prospect that may explain why every couple of months there are major credential leaks.

It is a generally understood truth that the most legit security researchers are not wearing suits, but rather people with anime pfps and questionable (to put it kindly) social behaviors. These are people who are breaking stuff with a passion. I once worked with a kid (a bonafide youngster) who just arrived from China to Penn State. He was a top 10 CTF(a type of hacking competition) player in China. The professor hosting him had to repeatedly remind him that he could not go around probing Penn State systems or the FBI would swiftly become involved.

Another generally understood truth of the computer security field is that some of the people that have pushed the field the farthest often engage in shady and illicit activities. This is what the field has come to call “black hat” hackers, hence the name of one of the biggest computer security conferences. However, Black Hat (the conference), despite its name, failed to fully capture (and appeal to) the rogue-anarcho-cypherphunk types. So, alongside came DEFCON, a conference that built its early credibility from the fact that it attracted, tolerated, and (kinda used to) embrace criminals and miscreants from around the world. You could pay cash at the door for increased anonymity, you were advised to bring a burner phone, and you should definitely not connect to the wi-fi.

Throughout the years, Black Hat became the sanitized corporate version and DEFCON its grimy and nefarious twin. The cybersecurity community understands you need both, the sperries and the tevas. Or, to put it more scientifically, you need people who have an emic command of adversarial culture, rather than just an etic one, like PCI compliance auditors.

Somehow, the same mindset has not always extended to other areas of computer security, like research on online deviant behavior. To understand certain phenomena, you need immersion. Ethnography, after all, is the study from the point of view of the subject. A software security researcher does this context switch without noticing. When they practice an “adversarial mindset” what they are really doing is roleplaying what an attacker would do. They put on their black hat and carry out what is ultimately an empathetic exercise.

This means that if you work on, say, manosphere radicalization1, you need to understand what mogging is, along with femoids, sigmas, chads, gymcels, etc. But you need to understand them not merely through definitions but through their “cultural” context: what you are gravely missing is emic competence. Knowing that a “femoid” is a dehumanizing term for women is etic. But understanding the mix of contempt, grievance, and in-group signaling that comes with the term is emic. Thinking that pepe is just a “symbol” of the alt-right is etic (and borderline ignorant). If you see pepes––and memes, more broadly––as artifacts that store communities’ memories (especially in a website where threads and posts are ephemeral), then you can see them a bit more as a form of neo-oral tradition. Neat, huh?

Some of the most meaningful and rich research starts with deep qualitative understanding. I know this statement will have my colleagues who are more attuned to the humanities snapping their fingers. What they may not want to hear is that they are often missing emic-ness.

My best guess for why researchers working on questionable online communities fail to cultivate an emic understanding is because they seem oblivious to the fact that they are, still, studying humans. I can understand this, especially because some people online are engaging in heinous activities. In an earlier version of this post, I poked fun at some computer science papers that do research on sketchy online activities based on how they write about these communities and how they describe their ethical considerations. The reason I did this is because some researchers write as if they want maximal distance between them and their study subjects.

The consequence of this, however, is that researchers end up treating these online communities like radioactive substances to be handled with the smallest of exposures––long metal prongs and a hazmat suit. They look at some 4chan boards as biohazardous, their fumes almost escaping the screen. To be emic would expose you to a fungus that threatens to corrupt your psyche.

I often use 4chan as an example because it’s recognizable, has been around for a while, and yes, there’s a ton of mean, offensive, and malicious behaviors. But that website is not a monolith, a hive mind, a unified body with the same agenda. It’s composed of boards with slightly different cultures and norms, seeking different things. Behind all the name calling, slurs, offensive language/actions there are people, behaviors, and beliefs. With the right approach, it’s a place that provides you with a unique vantage point to observe what people do when given a podium and anonymity online. Except that, that vantage point is less so far and distant, and moreso in the trenches.

Ultimately, the case for an emic perspective when researching sketchy communities online––beyond the ability to understand the lingo, the context, the memes––is that you can quite simply do better science. In an earlier post, we talked about the ideologues who are preserving deepfake porn models. By understanding that some people are not money-motivated but ideologically-motivated, then you know that threatening Visa and Mastercard, in your quest to prevent people from creating deepfake pornography, will only get you so far. Without an emic lens, it is hard to not think that the bacteria people who are part of online cesspools communities (the subjects of observation) are bad, malevolent entities for which we need to develop antibiotics and chemotherapy: swift, deadly, and merciless eradication.

This is not to excuse anybody’s behavior online. Understanding does not mean condoning. Humanization does not mean removing the blame nor the condemnation of their actions. Empathy is just the quest of abandoning our preconceptions and trying to truly see their viewpoint, whoever “they” or “theirs” refers to. It is important to note that this often not easy and sometimes not even feasible. Some online communities require a serious amount of safeguards for your mental health’s sake (think, for example, people who produce and share CSAM online). In many other communities, however, an emic understanding is paramount.

This blend of emic and etic perspectives is something that cybersecurity folks have understood well. You need people that can think like hackers and criminals, or even better, people who were criminal themselves (your emic). And you need your etic people, the ones that have all those acronyms next to their Linkedin names. ‘Til this day, DEFCON begins right after Black Hat ends––Vegas, Aug 6th.––yin and yang.

Adjacent Reading

While I haven’t read all 3 of these books, people generally seem to believe that these people blend emic and etic perspectives well.

• Coleman. our weirdness is free.

• Phillips. This is why we can’t have nice things.

• Coleman. Hacker, Hoaxer, Whistleblower, Spy.

• Greenberg. THIS MACHINE KILLS SECRETS: How WikiLeakers, Cypherpunks and Hacktivists Aim to Free the World’s Information.

Errata

• 05/26/26. I modified paragraphs 11-14. The earlier version of this post didn’t account well for the wide range of online communities that exist. So, when read from different lenses, I came across as an insensitive ****** to researchers who have to look at terrible stuff, CSAM and the like. Hopefully, this is now fixed.