Guess You Thought I Was Someone To Mess With

Note: There will be no names named here. The perpetrator is not named. Likewise the heroes of the story who probably saved me from going to jail and at the very least comforted me when it felt like the floor was going to fall through are left unnamed. That said if you want to know the names I am willing to discuss it privately.

I don’t want to write this. I don’t want to get caught up in anything to do with this women in infosec bit. Everyone who does gets lambasted so badly at this point I’d rather avoid it entirely. You can’t say anything about sexism without getting lumped in with the creeper cards or the talk canceling at Bsides SF. Anyways I have a hard time making any sound judgment on sexism in infosec since infosec is the only life I know. It’s a fair statement that infosec and my career in infosec make up my entire life, so I don’t really have anything to compare it to. My first job out of college was in infosec, and to this day I have never been to a nightclub unless it was at an infosec event or at the very least with people I know from infosec. In addition to that I only have my own experiences. When I feel mistreated it’s easy to say that I was passed over for this or excluded from that because I’m female. On the other hand perhaps it’s because I’m of Germanic descent, or because I’m a fraud, or because I have poor social skills, or any myriad other list of good, bad, true, or made up reasons. I cannot compare my successes and setbacks objectively to anyone else’s any better than I can nail down the cause. For all these reasons I don’t think I can really answer the women in infosec question. This post isn’t about that. This is something different.

I was physically and (attempted) sexually assaulted at the Confidence conference in Poland 2 weeks ago. I haven’t really said anything public about it until now, mainly because I’m busy. After Poland I flew straight to another event back in the US, and the following week I went to Israel to teach a class. Anyone who reads my Twitter has read that I’m bogged down in book edits. I’m teaching a lot of new classes this summer and fall. Needless to say, I don’t have time to process this much less write about it. Plus I’ve gotten enough pushback already. People I thought were my friends and colleagues have said things to me about this that have cut deeper than the actual assault ever could. I don’t want to deal with more of that. I don’t want to see the comments for this post. But I feel like I have to do this. I weighed my options. If I shut up and do nothing and later hear he did this to someone else, I will feel personally responsible. I have to do everything I can to make sure another speaker or attendee doesn’t get worse than I got.

Rape is a complicated issue. It’s not always so clear cut what constitutes rape at least not to me. You’ve got your statutory rape, getting a good deal of media attention in the US now in a case where an 18 year old girl is charged with raping a 14 year old, when the two were in a relationship, because the parents don’t like it that their daughter is lesbian, bisexual, or experimenting with sexuality as people do. I don’t think anyone sane would think that a 4 year old can consent to sex. The question is where the line is. It’s a consent question, and can someone who could consent to sex yesterday suddenly not consent anymore because one partner turned 18? More complicated is this notion that an intoxicated person cannot give consent. It’s probably fair to say that most reasonable people would agree that a person who is passed out cannot give consent, i.e. Steubenville. But again where is the line? At security conferences the alcohol flows, and at what point is consent not consent? From women’s studies class, really the only way to avoid raping someone is to say “Can I touch you there?” at each step of the way, but face it that’s not very sexy is it? Nobody I’ve ever been with has done that. It’s more of a move forward until someone says stop thing. So what if no one ever says stop? Was the person too drunk to say stop? This is complicated and I really do think if I was a guy I might just be too scared of stuff like this to have sex at all. From the other side of the fence this sort of thing was something I ran into when I was 21 and naïve and at my first Defcon. It’s just something you learn, if you drink until you are unable to take care of yourself something bad might happen to you. This of course can happen to guys too. I recall someone passed out at the ninja party and got dicks drawn on his face. But talk to women and they seem to know better than to get wasted.
Having once gotten wasted and woken up to “What the hell happened last night” I really had no one to blame but myself for not taking more caution. Now I know better, lesson learned. The third grey area for me is what constitutes rape. A lot of my fears in writing this post stem back to this post from Norin Shirley about being attacked at a conference. Reading the comments makes my stomach turn, knowing that the same thing is about to happen to me. “She’s a slut,” or “she’s making it up for attention,” sort of things. It makes me feel bad and like an anti-feminist to say this, but some guy putting his hands down my pants when I don’t want him to, while I certainly don’t condone it, sounds a bit more like life than rape. It’s just a sad fact. If you are female from time to time you will be touched without permission. Not too many years ago marital rape didn’t legally exist, and in the middle ages knights at arms were encouraged to practice chaste courtly love with the queen while gallivanting around the country forcing their lust on peasant girls. Sometimes it just sucks to be female you know. Then again sometimes it sucks to be male too. False rape accusations do happen. If I was a guy, I think I might be afraid of that. Luckily Norin Shirley was able to get away before her attack escalated, as was I.

This wasn’t like any of those grey areas that make anybody question the validity of any rape claim. It started off easily enough. Guy calls me from downstairs in the hotel. I had left the speaker party about an hour ago and was working on book edits. I had had a bit to drink at the speaker party and thus decided to head back. Guy wants to come hang out. That’s fine by me. I don’t really have any good friends at this conference, and I’m always open to making more friends since I travel so much and it can get really lonely. I had had dinner with this guy, another speaker, and one of the conference organizers a couple times earlier in the week since I had arrived early for training. He seemed pretty cool. He wasn’t bad looking either. Why not? Guy comes up to my room. I let him in. We talk for a little bit about nothing consequential. Guy jumps on me and pins me down. At which point I think, “Gee this guy seems to have gotten the complete wrong idea about this situation.” I try to pull away and say something to the effect of, “You know I really like to get to know people before I do stuff like that.” This certainly wasn’t the first time someone had tried to touch me when I wasn’t receptive. That said I’d always been able to either say “No thank you,” and or physically remove myself from the situation. No harm no foul. Additionally, I can think of a time or two when I tried to initiate contact with someone who turned out to not be receptive. These things happen. Signals are hard to read particularly when alcohol is involved. On both sides of this it’s embarrassing, but you laugh about it later. I’m friends with people who I’ve shot down as well as people who have shot me down. Actually one of my best friends tried to kiss me in an elevator when I first met him. I pulled away, he apologized profusely, and we have been great friends ever since. I have never felt at all threatened. Trouble was, this guy wasn’t letting me go.

Perhaps I was not making myself clear, “No!” “Stop!” “I don’t want to do this!” Though the guy in question had carried on a conversation in English just fine as well as performed talks and training in English, perhaps he just couldn’t understand me when I tried to explain I’m a boring person who likes to get to know someone before intimacy. Also I like to begin with kissing and work my way up to the pants down action he was trying to initiate. Once he had my pants down and his pants down and was completely ignoring my shouting for him to stop, it suddenly became clear to me what was about to go down. If I didn’t do something I was going to be raped without protection in a foreign country. I was unsure of what legal and medical help would be available to me. I could catch a disease. I could need an abortion. Do they have the morning after pill in Poland? Do they have whatever it is they give you if you have been potentially exposed to HIV? I decided it wasn’t going to go down that way, not if I could help it.

He was holding my arms down of course, so I leaned up and bit him on the arm as hard as I could, at which point he started swearing and punched me in the face. There was a good deal of struggle, at one point I had my phone and was trying to get in touch with someone I knew at the event while not live tweeting what was going on. He got a hold of my phone and threw it across the room. I hit him in the face but all that did was piss him off more. He slammed me against the wall. I hit my head pretty hard and felt dizzy. Up until now I’d only feared for my chastity, but now I realized this could be even worse than that. He obviously had no qualms about injuring me to get what he wanted. That was about it. I had been hitting the wall with my fist so hard my knuckles were bruised the next day because I knew another speaker was in that room. If between my shouting and banging I could get his attention surely he would help me. I assume he was still at the speaker party. No help was going to come. This was going to happen. I nearly got away half a dozen times, but one time I managed to lunge up towards the table and grab hold of a coffee cup. I knew I only had one shot. So I hit him with everything I had, and I got him right in the temple. And guess what, he let me go. He keeled over in pain clutching his head swearing at me. Even in the dark I could see the blood gushing from his face.

Suddenly I was filled with even more fear. Perhaps it comes off as a bit sensationalist to say it occurred to me that I might be destined to be the next Amanda Knox rotting in a foreign prison for killing someone. What was the law in Poland for right to a fair trial, self-defense, etc.? I screamed at him to get out of my room as he writhed around, presumably based on what he said after the fact trying to find his wallet and phone. I picked up the room phone and called the front desk and albeit rather hysterically tried to explain the situation. During this conversation, the guy left my room. The front desk wasn’t offering me anything in the way of assistance, but he did explain that the manager was out and that he did not speak English well. As upset as I was it is plausible that he really didn’t understand what I was saying.

At this point I’m still thinking I’m going to jail for assault. I took to Twitter for help. I had not been able to get in touch with the only person I knew well. As I found out later he was already asleep. I wasn’t able to convince the front desk to call the police or the embassy. I couldn’t manage to get an outside line on my room phone; my cell phone was still missing at this point and after I did find it, it took me hours to realize the SIM was dislodged in the fall. Someone to whom I am eternally grateful was able to get in touch with the Embassy and 3-way me in. Others were able to get in touch with another speaker who I had not met before but who really rose to the occasion. The police came. They were very blah blah about the whole thing. They were really blah blah about it when I spoke to them later too. I had no proof. I had been drinking. He denied it, all that jazz. The US Consulate was great though. It was a night and day difference between dealing with them and the Polish police. I’d recommend getting in touch with them to anyone who has an incident in a foreign country. While ultimately they aren’t able to force charges against him, having someone on my side was nice.

As a side note, it gets a little bit weirder. When the police were there they asked for my ID. At that point I still thought maybe I was the one going to jail. I had a rapidly darkening eye but other than that I was fine. Based on the reactions from people who saw the guy later, he was in a lot worse shape than me. The thing was I couldn’t find my passport. I had put my driver’s license in my pants pocket the night before to go to the speaker party in case I got carded. I was wearing tight pants, so the whole wallet didn’t fit, and I don’t carry a purse. Guess that’s further proof I was asking for it, wearing tight pants to a speaker party. So I gave them my driver’s license and after they left I tore the room apart looking for my passport. In all my passport, wallet, iPad, one of my test phones, one shoe, and my Tag Heuer Carrera watch were stolen. Anyone who is into watches will know my pain at losing it. He originally said he had nothing of mine when questioned by hotel security. Then he magically found my iPad and passport but nothing else. The phone was later found in the hallway of his floor of the hotel. The rest of my things were recovered the next evening from his room by conference staff. I didn’t actually notice I only had one shoe until it was time to go give my talk so I actually took a cab to the venue and gave my talk barefoot, which kind of makes me laugh all in all.

Conference staff was originally very supportive. But then they went to hear his side of the story and they suddenly wouldn’t even look at me. I realize it’s a complicated situation, but what, I hit myself in the eye? I asked an organizer point blank if he believed me, and he said he didn’t know. I don’t know what the guy’s story is, but from the police and the conference’s refusal to act, I assume it’s pretty convincing. Hotel staff pulled the security tapes. Someone I thought was a friend of mine watched them with hotel staff. The general gist I got from the interaction was because I was on the tape letting him into my room, walking in the hallway with him, etc. I must be lying. Where in any of that did I consent to unprotected sex, being hit, etc.?

The interesting stuff is the reactions. The people who say things like, “This isn’t what I think of course, but I bet a lot of people don’t believe you because you flirt on Twitter,” or “Everyone saw you kiss so and so at this party, so of course no one believes you didn’t want to have sex with that guy.” The implication is I think a bit disturbing. If I pursue a relationship with one guy, I have now consented to sex with any guy? I realize the typical argument is that a girl wearing a short skirt is asking to be attacked. But this seems to go a little further than that even. Because I from time to time express myself in a provocative manner, there was no attack at all. I have consented to any sexual thing any human being wants to do to me ever. Of course reasonable people should see that this is complete nonsense. “I watched the security footage. You let him in your room. How can I believe your story?” I never said I didn’t let him in. While in hindsight this was ultimately a bad move, the real irony is the author of the quote above invited me to hang out in his room alone at an event a couple months ago and have a few drinks. I accepted and we hung out and had a great time, alone. At no point did I feel threatened. The number of times I have hung out alone with another conference speaker are too many to count. I just want to be one of the guys you know. I want to be invited into your exclusive little groups of infosec rockstardom. I want to be good enough to be friends with you guys. I want to be invited to be on panels. I want to coauthor some research. Good luck having any of that ever happen for me if I have to hide in my room alone.

After it happened I Skyped with a guy I used to go out with. His immediate reaction after I told him what happened was that no one who had ever been with me would think I have consented to sex in that situation. Implication that I am boring, vanilla, and condom obsessed aside, that really shouldn’t be an issue. Say hypothetically I had invited him in with the expressed interest in having sex with him (I didn’t.), I still have a right to change my mind at any time. I think most people at least like to kiss before they have their pants pulled off. If he wanted to do it without a condom and I didn’t, I have a right to say no to the sex and he has to honor it. I will admit that I let him in my room with the intention of getting to know him better, research and personal wise. He seemed nice enough. At the very least I wanted to see if we could be friends. But all of that is beside the point. At any point either party can say no, and if the other person fails to stop it’s not ok. All this talk about my past or my character is moot. I said no.

This is not an infosec issue. This isn’t even a women’s issue. While the most common scenario is man attacks woman, men rape other men, women rape other women, women even rape men, and of course all these groups physically injure each other as well. This could have happened to me anywhere, perhaps it has more to do with what a career obsessed shut in I am than anything else that I’m still naïve enough to open my door. I don’t know. I wouldn’t have opened my door for a stranger. This was a colleague, and yes in hindsight having been at a bunch of the same events doesn’t prove anything about anyone’s character, it just didn’t seem like a threatening situation. I can’t fix the world at large, but I can try to fix infosec. So many people scratch their heads when asked why there aren’t more women in infosec, presenting at conferences, etc. I scratch my head too. I am a woman in infosec after all. Something awful happened to me and the conference buried it. That might have something to do with it. Then again it might not. Like I said, I realize I can be attacked on the street, at a nightclub, etc. I don’t walk down the street alone at night, I don’t go out by myself. But I’m not going to stop going to the speaker party or trying to develop friendly relationships with colleagues that could lead to opportunities for work and collaboration. My career will not suffer because someone does not know how to stop himself from raping.

I have a hard time passing judgment on anyone for mistakes. I’ve made my fair share of both professional and personal mistakes, and infosec has been around to see a lot of them. Can I in good faith judge someone else for making a mistake, particularly when he was severely intoxicated? Let he who is without sin cast the first stone and all that. Enough people have pointed out I’m partially to blame for letting him in my room. He seemed like a nice enough guy in my previous interactions with him. Maybe alcohol makes him a monster. But you know what, if you can’t handle your liquor, don’t get wasted. I have a really low alcohol tolerance. If I drink enough that I pass out, I might get taken advantage of. So guess what, I don’t drink until I pass out. Long before that happens I have a tendency to talk existential philosophy when I’m drunk. If I don’t want to embarrass myself with philosophical jargon in front of a bunch of hackers, guess what, I don’t get drunk. I drank a fair amount at the speaker party that night. They had the whisky that tastes like fire balls, which is a known vulnerability of mine. I noticed myself starting to get giggly and drunken like, so I got in a cab and went home. If your drinking is going to endanger yourself and others, learn your limits. That’s all there is to it. Attacking someone is never acceptable. Alcohol is not an excuse.

It’s oddly premeditative that as this whole Ada Initiative debacle was going down I sat on my couch and mused aloud that all they were doing by having that talk cancelled at Bsides was making it worse for women in infosec. I believe the exact quote was something to the effect of, heaven forbid someone really is attacked. I don’t mean bum touching in an elevator, or socially inept bad flirting in the beer line at Defcon, but a real attack where someone is raped or injured. If it was I, I would want the infosec community to bury the guy who did it. After stuff like this, I’m afraid no one will take it seriously. Rape has become a joke about playing cards. Sexism sucks, no doubt about it. Sexism in technology sucks. But this is something else. This wasn’t tits in a powerpoint presentation. This wasn’t some guy groping my ass in line. While those things are bad, and I don’t condone them, face it those things are a fact of life. You’re going to get a lot of pushback for pointing out sexist behaviors. You can get groped in the line at any night club same as you can at Defcon. This isn’t the same thing though. If I had not used “excessive force” against this guy I could have been infected with an incurable disease. If I had not hit him as hard as I did his retaliation based on what he had done so far could have seriously injured me. I did what I felt I had to do, and though I don’t normally condone violence, I’m proud of myself. I took charge of the situation and saved myself from harm. No one can convince me I did the wrong thing. My other option was let him do it regardless of the consequences, and I worked too hard to get here to let someone else take control of my future. Pin a medal on me; don’t call me a whore.

As the final note on this, in talking with other people who have dealt with this guy before, while I have no stories of attempted rape, he has definitely behaved badly towards women at conferences before. The stories aren’t mine to tell, but it’s at least telling that the female conference staff said they put him in a cab at the speaker party because he wouldn’t leave them alone. I have reason to believe this is not his first offense nor will it be his last.

So do what you want to do infosec. Say that Georgia is a big whore and got what she deserved. Say that it wouldn’t happen to any other girl in infosec because no one else would be stupid enough to let a guy in her room. Say I’m making it up to further my feminist agenda and I’m secretly in league with Ada Initiative. Believe me, you aren’t going to say anything I haven’t heard already, and from people I thought were my friends. Do your worst. You can’t hurt me anymore than you already have. The people who were kind to me will forever have my thanks. Some of you really saved me that night. Some of you really saved me in the days after when I was alone in a foreign country and no one wanted anything to do with me. And some of you have hurt me. Some of you have failed to be there for me when I thought we were friends. Things like this have a way of clearing that up.

This is the last thing I have to say about all this. My duty is done. I don’t want to be the poster girl for infosec feminism. I want to be a researcher, and a trainer, and a speaker, and an icon. There’s a bad guy out there who has no remorse. I have reason to believe he has behaved badly towards women before at conferences and will do it again. The Polish legal system, while they have a report, refused to take any action on the grounds that I had no proof, I had been drinking, etc. The US Consulate in Poland also has a record of it. But that’s it; it’s over and done with. I gave a talk the next day, I taught a class the next week. You aren’t going to get rid of me that easily, and I’m not going to stop expressing myself because someone can’t behave. If I want to show you my “I Love Joe McCray” sharpie tattoo on stage, I’m going to do it. If I want to say something silly on Twitter that could be construed as sexual I’m going to say it. The last thing I’m going to do is stop being myself because of this. Then he wins. And he didn’t win. People have offered to beat him up for me. I already did that. I’m not asking anybody to do anything for me, I’m asking you to do something for the next girl. This guy is dangerous. I was lucky. She might not be.

Smartphone Pentest Framework

It occurred to me that in the mad rush to release for the Smartphone Pentest Framework (SPF) I never wrote anything about it here at GeorgiaWeidman.com, so here is an introduction:

Download the source

Visit the SPF forums.

Smartphone Pentest Framework Pre-release Teaser 1 from Georgia Weidman on Vimeo.

When some people hear about this new tool, they think it’s about running nmap from a smartphone. Rather, this tool allows you to assess the security of the smartphones in your environment in the manner you’ve come to expect from modern penetration testing tools.

The product of a DARPA Cyber Fast Track grant, the Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment. SPF Version 0.1 contains remote attacks, client side attacks, social engineering attacks, and post exploitation, targeting smartphone devices.

SPF Version 0.1 includes a text based management console, a web based GUI, and a management Android app. Additionally, a post exploitation “agent” for the Android platform is included. SPF Version 0.1 was previewed at the Hackers on Planet Earth conference and was shown at Blackhat USA Wednesday and Thursday in the arsenal and is included on the Blackhat delegate CD. An Introduction to SPF talk was given by author Georgia Weidman, CEO of Bulb Security, at Bsides Las Vegas and Defcon Skytalks. Following Blackhat/Defcon/BsidesLV SPF Version 0.1 was released publicly at BulbSecurity.com

SPF is an ongoing project with plans in the works for support for additional devices, more modules in each attack vector category, integration with existing tools such as Metasploit and SET, etc.

Smartphone Pentest Framework Teaser

Smartphone Pentest Framework Pre-release Teaser 1 from Georgia Weidman on Vimeo.

When some people hear about this new tool, they think it’s about running nmap from a smartphone. Rather, this tool allows you to assess the security of the smartphones in your environment in the manner you’ve come to expect from modern penetration testing tools.

The product of a DARPA Cyber Fast Track grant, the Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment. SPF Version 0.1 contains remote attacks, client side attacks, social engineering attacks, and post exploitation, targeting smartphone devices.

SPF Version 0.1 includes a text based management console, a web based GUI, and a management Android app. Additionally, a post exploitation “agent” for the Android platform is included. SPF Version 0.1 was previewed at the Hackers on Planet Earth conference and will be shown at Blackhat USA Wednesday and Thursday in the arsenal and is included on the Blackhat delegate CD. An Introduction to SPF talk will be given by author Georgia Weidman, CEO of Bulb Security, at Bsides Las Vegas and Defcon Skytalks. Following Blackhat/Defcon/BsidesLV SPF Version 0.1 will be released publicly at BulbSecurity.com

SPF is an ongoing project with plans in the works for support for additional devices, more modules in each attack vector category, integration with existing tools such as Metasploit and SET, etc.

Application Layer Botnet Port

A lot of people write me wanting to demo the SMS botnet for their school or security group, but the proof of concepts I released for Shmoocon 2011 were hardware specific since they hooked directly into the serial lines at the base OS. Having played with more Android devices in the interim, every manufacturer does this a bit differently. In order to be able to consistently place malware on any Android device, the application layer seems to be the place to be after all. Malware written for the Android application layer will work across all Android platforms. A typical attack would involve installing as a regular app, running a root exploit in the background, and installing a system app. This was seen in the infamous DroidDream attack. Other malware may not perform privilege escalation at all, relying on the Android permission model and users’ conditioning to accept dangerous permission requests to provide all the necessary functionality.

Anyhow, after porting the hardware specific botnet code to enough people’s platforms so they could demo it on their own handsets, I decided to make a port available publicly for people to use. Working at the application layer also has the benefit of being able to work on the Android emulator. So to use this code you don’t even need a physical Android device.

The proof of concept does not perform any rooting. It just intercepts SMS messages, swallows them if they have the correct key, and if they ask for the spam functionality, sends an SMS to the number provided. The key is currently hardcoded to KEYKEY1, but it can be changed in the SMSReceiver class to any 7-byte value. To make the bot send an SMS use the syntax:

SPAM

For example to send the message, “Georgia rocks!” to the number 15555215556 send the SMS:

KEYKEY1 SPAM 15555215556 Georgia rocks!
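From the defender's side, the useful thing about the command syntax above is that it is fixed and therefore easy to recognize in message records. The following is an added example, not code from the proof of concept or from the post: a small Python scanner that parses the key/SPAM/number/message layout described above and flags matching messages in a constructed SMS log. The only key it knows is the hardcoded default KEYKEY1 from the post; the 7-byte key length is also taken from the post, while the sample records, the severity labels and the function names are assumptions made here for illustration.

```python
import re

# Command layout described in the post: "<7-byte key> SPAM <number> <message>".
# KEYKEY1 is the proof of concept's hardcoded default key (from the post);
# the receiver can be rebuilt with any other 7-byte value, so an unknown
# 7-character token in the key position is still worth flagging.
KNOWN_KEYS = ("KEYKEY1",)
KEY_LEN = 7

# key: exactly KEY_LEN non-space characters; number: optional '+' then 5-15 digits;
# message: everything after the number (may be absent).
CMD_RE = re.compile(
    r"^(?P<key>\S{%d}) SPAM (?P<number>\+?\d{5,15})(?: (?P<message>.*))?$" % KEY_LEN
)


def parse_bot_command(body):
    """Return a dict describing the command if `body` matches the bot syntax,
    otherwise None. Malformed commands (e.g. missing number) are rejected."""
    m = CMD_RE.match(body.strip())
    if not m:
        return None
    return {
        "key": m.group("key"),
        "known_key": m.group("key") in KNOWN_KEYS,
        "number": m.group("number"),
        "message": m.group("message") or "",
    }


def scan_sms_log(records):
    """records: iterable of (sender, body) tuples, e.g. from a carrier-side or
    gateway export. Returns one finding per message that looks like a bot
    command; a match on a known key is rated 'high', any other key 'medium'."""
    findings = []
    for sender, body in records:
        cmd = parse_bot_command(body)
        if cmd is None:
            continue
        findings.append({
            "sender": sender,
            "severity": "high" if cmd["known_key"] else "medium",
            "spam_target": cmd["number"],
            "spam_text": cmd["message"],
        })
    return findings


# Constructed sample records for the demonstration; these are not real traffic.
SAMPLE_SMS = [
    ("15555215554", "hey are you coming tonight?"),
    ("15555215554", "KEYKEY1 SPAM 15555215556 Georgia rocks!"),  # default key
    ("15555215558", "ABCDEFG SPAM 15555215559 buy now"),         # rebuilt key
    ("15555215554", "KEYKEY1 SPAM"),                             # malformed: no number
    ("15555215554", "spam 15555215556 hi"),                      # no key, ordinary text
]

if __name__ == "__main__":
    for finding in scan_sms_log(SAMPLE_SMS):
        print(finding)
```

The scanner has to run over records captured before the malicious receiver sees them, since the proof of concept swallows any message carrying its key; device-side message databases will not contain the commands, which is why the example takes a gateway-style export as input. The known-key check only catches the default build, which is why unknown keys in the expected position are still reported at a lower severity rather than dropped.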

Download the code

Georgia

This is me randomly trying to mess with Grecs’s autobot

That’s all this is for just to see if I can get it to tweet me.

Why I May Not Be Cut Out for a Career in Marketing

The Question as it were: What makes your training superior to other training on the market?

The answer as it was in my head:

Whoever said it is superior? I certainly never said anything like that. Georgia Weidman the absolutely best hacking trainer on earth!!! Can I have M&Ms with that, only the green ones? In my dressing room? Ok thanks. As a side note the word superior makes me think of when I was in the choir in boarding school. At competition the highest grade you could get is superior. If you weren’t in the choir you had to take bible studies, so you might see why I lip synced to gospel songs for the year I went to boarding school. Anyhow, I digress. I haven’t even taken any competing training to tell you whether my training is or is not ranked superior by the chorus masters association of the world. Have you seen the prices on security training these days? Seriously, someone is getting rich off all this. And it certainly isn’t me. To think I’ve been just giving it away all this time, in the name of art, or progress, or the security community, when there’s this whole industry that’s getting rich off what I used to do as street performance on Saturdays on the National Mall. You might remember me, I was the girl with the laptop and the whiteboard next to the guy juggling the bowling pins half way between the Natural History Museum and the National Gallery. I had a really nice sign that was the envy of the entire homeless community. Seriously one Saturday I came out and half the mall had “Will Hack for Food” signs. It was a regular movement there for a minute. So really I have no idea how my class compares to all the others. Except the guy with the bowling pins made more money than I did, until I started taking paypal donations and posted it on Twitter. So one might say as far as street acts go my class is mediocre at best. All I know is that I started giving these classes and people seem to like them well enough. They keep asking me back to give more classes and give the classes at more conferences.
Funny how everything changes and a person is still sleeping in train stations on a regular basis. That’s how we ended up here isn’t it? One of your people saw me on stage somewhere in the South Pacific doing this hacking demo where I wasn’t prepared so I started doing some of my class demos, and somebody started seeing dollar signs around the time the room erupted in applause. I’m just trying to make a difference here. That’s too bold a statement to make. Has anyone ever told you how/why I taught my first class? It was the Metasploit Unleashed syllabus at this hackerspace outside of DC that has since lived and died. I had this serious crush on redacted’s wife at the time (still do on Tuesdays and Thursdays). Rather than be a normal person about it and just ask them over I had to come up with some sort of excuse. I had it on pretty good authority that if I taught a Metasploit Class then redacted would come and would bring his wife too. So if we did 1 module per week, that’s 8 weeks of potential after party activity in which alcohol might be consumed and redacted’s wife might be interested in kissing me. As for my results I refer you to exhibit A:

Then I started writing my own stuff. And then we went to Bsides. More like I slept the whole 7 hours there so I could teach in the morning while my boyfriend at the time went to Bsides. I then started touring internationally. And now people are trying to get me to answer questions like this. Next time I have $8k to waste on training that most people say is lousy anyways I’ll let you know how my work measures up. In the meantime I’ll write you the best course you’ve ever seen, if you can get that pretty boy in the corner to sing for me. God please tell me this whole thing wasn’t really just some cryptic love note to some guy she likes!? We expected better from you Georgia! It wasn’t for that really. I can’t really pin down what the point is just now. Don’t worry. I’m not really selling out. If there’s one thing I learned from my last job: don’t sign any contracts until you have your autonomy specifically written in. I guess the point is don’t ever let me forget where I came from and how much fun it was getting here and everywhere that comes after. Love you all.

Georgia

Conference Recap: Bsides Phoenix

At the beginning of February, I made my first stop on my Security Bsides tour 2012 in Tempe, Arizona for Bsides Phoenix. I was on the schedule to teach my free half day Penetration Testing with Metasploit. Also at the last minute they had me fill in a spot for a cancellation, talking about something I’ve never ever harped on before, Smartphone Insecurity.
The venue was Dave & Buster’s. Yes, you read that right, the adult version of that place where you had your 5th birthday party. They also have meeting rooms, and the staff was superb, some of the best I’ve ever worked with at a venue. They made sure I had everything I needed for my class and brought me water several times.
The class was so full we had to get more chairs, which always surprises me, because who really wants to go to a Bsides where some of the best talks happen and listen to me drone on for 4 hours? The only downside of teaching is missing some of those great talks.
But seriously the badge rocked (see pic at the top of the post). I felt like I had won the Olympics for just showing up. All in all, great people, great venue, great con. Definitely one to check out next year.

Georgia

This insanity I speak of

As some of you may have inferred from the Lady Gaga infused Twitter posts, I recently lost another job due to my research. To clear up a few things, unlike last time this wasn’t so much a “we don’t want nasty malware researchers around here” so much as a control issue. When I took my job, I signed an agreement with a noncompete. This was not an issue as long as my research included going to conferences to speak and give classes. In fact my former employer was always very supportive of this, for which I remain grateful. The problem occurred when I was tapped for a research grant from the DARPA CTF. DARPA funds research and allows researchers to retain the intellectual property rights to the work. So I had a choice to make, turn down the grant or lose the job. It was my choice. No one forced me into anything. I have no hard feelings towards my former employer.

So now I’m the founder and CEO of an LLC called Bulb Security. Thanks to DARPA I have some money, and thanks to the president I have health insurance for the next two years regardless of whether I am formally employed. I am looking for opportunities in contract work in research, development, network and application penetration testing, and security training. I would also not turn down a spokesmodeling contract. If you have anything for me, please contact me.

So what’s the deal with the Bsides Tour? Since I’m suddenly in a position to get paid to speak and teach on several continents this year, why am I paying my own expenses to travel around to as many Security Bsides events to deliver free training and speak? The fact of the matter is I’ve been blessed by this industry. It has been a little over one year since the Shmoo Group decided to let me, a complete unknown, talk about some stuff I did with text messages at their prestigious, internationally recognized conference. Truth: did I work hard to get here? Yes. Would I be anything without all of you? No. So this is my way of giving back. No employer of mine has ever paid anything for me to go to any $$$$$ training or conference event, and I wager a lot of the most driven and most talented people are in the same boat. So this is me, trying to give it back to you. Come to a free Bsides event near you, and I will teach you some stuff.

But hey, if your employer is paying you should totally sign up for one of my multi-day advanced courses. I have to eat too and getting paid to train is great, especially if it’s in some exotic location. The next one will be at HackZa in South Africa. And I always accept tips…

No Bsides near you? Want to have me speak or teach at a venue near you? If you have a space and interested people, write me. I recently had a great time speaking for the ISSA and CCDC teams in Indiana.

I’ve never written a blog post about myself before. This feels a lot like Livejournal.

Georgia

NoVa Hackers Shmoocon Epilogue Videos Part 1

One day the NoVa Hackers decided to have a Shmoocon Epilogue event. The day after Shmoocon we had talks going from 10am to 10pm. This seemed like a good idea beforehand. This seemed like a really terrible idea the night before the event when we were all exhausted from 3 days of partying too much at Shmoocon. But the event went great, the talks were top notch, and I only dozed off underneath my tripods twice. I put up as many videos as I could with the Vimeo space left over after Firetalks. Check back next week for the rest.

Georgia

Shmoocon 2012 Firetalks Videos

Shmoocon was the first conference I ever went to back in 2009. Rachel, Micheal, and I skipped school for 2 days and drove up. Two years later it was the conference where I gave my first talk. And the rest as they say is history. This year I made some videos of the Shmoocon Firetalks. Firetalks is an event that goes on after the regular conference is over. The talks are 15 minutes instead of 50, but the content is still first rate. Thanks to Adrian “Irongeek” Crenshaw for the screencaps, Grecs for putting on the event, and all the volunteers and speakers for making it awesome.

Here are the videos:

Georgia