Artificial Interruption
by Alexander Urbelis (alex@urbel.is)
The Merits of a Misspent Youth
Pittsburgh is a town with an unfortunate name. I recently had the chance to visit for a speaking engagement at the annual conference of the National Cyber-Forensics Training Alliance. Pittsburgh is a lovely city: historical, green, full of bridges, with no fewer than three rivers: the Allegheny, the Monongahela, and, where those two bodies meet, they forge the Ohio River. It was anything but the pits.
Looking into its etymology, I learned that Pittsburgh was named after William Pitt the Elder, Earl of Chatham, the former Prime Minister of Great Britain from 1766 to 1768. Curiously, William Pitt the Elder was also known as the Great Commoner because of his enduring refusal to accept a royal title until 1766. The "burgh" in Pittsburgh was a nod to William's Scottish roots, where the names of towns often ended in "burgh," though the Scots made noises that sounded more like "borough."
Incorporated in 1816, the founding document of Pittsburgh contained a typo - every reference was spelled without the ending "h." For many years, no one could agree whether to spell the town as "Pittsburg" or "Pittsburgh." The train station's portico left out the "h," the federal government never used the "h," but native Pittsburghers insisted on the inclusion of this consonant. It wasn't until nearly a hundred years later, in 1911, that local political forces came together in a bipartisan celebration of consistency, formally returning the missing "h" to Pittsburgh. This absurd bit of history made Pittsburgh an altogether more fascinating place. There was a similarity to my youth, to our youths, spent as hackers, through which our mistakes have made us all the more remarkable and, in many ways, shaped our futures.
I often joke that it was my misspent youth as a hacker that has propelled my career as a lawyer more than anything else. And coincidentally, at the outset of my talk to the NCFTA audience in Pittsburgh, I told a story about this very point. This story seemed unbelievable, one of those anecdotes that is entirely true but, if you saw it on television, would strain your sense of credulity.
The story in question is about how I came to be the CISO of the NFL. (Why I was asked to interview for this role is another story entirely, for another day.) Suffice it to say that it was a humid, early September day in 2019. I was wearing a full suit and tie, and took the F train uptown to the NFL's headquarters on Park Avenue. As the New York-based readership can attest, the subway in the summer can feel akin to what one would imagine a Native American sweat lodge to feel like. Having arrived on the sixth floor of the NFL headquarters, I had to ask to excuse myself so I could use paper towels in the bathroom to blot the copious amounts of sweat running down my forehead, neck, and armpits, etc., before entering the room containing my interviewers.
When I entered the room, recovering from hyperhidrosis and still overheated in all the expected areas, my interviewers were already there: two women and one man. The first woman was (and still is) the current chief security officer of the NFL, and prior to that she was the chief of police for the District of Columbia. The second woman was the head of governance, risk, and compliance. The man was a vice president in the IT department.
Starting with the CSO, I introduced myself and shook hands. The man, an Italian-looking guy on the shorter side with wispy brown hair and a bit of beard, introduced himself as Aaron, gave me a peculiar look and said, "I know you, man."
This was shortly before the pandemic, so my facial hair consisted entirely of my trademark handlebar mustache. A recognizable and memorable feature, self-important me thought that this Aaron character must have recognized my face from, perhaps, a television appearance of mine, one of my CNN Opinion pieces, maybe my articles for FT, or something like that.
"That's great," I said in response and thought we would move on. With abnormal persistence, Aaron responded, "No, I know you, man."
"Ah, O.K., I appreciate that." I hoped that would be the end of this awkwardness.
But then I heard something that no one has brought up for a good 20 years or so. Pointing at me, and with the CSO and head of Governance, Risk, & Compliance looking curious as to where all this was going, Aaron said, "You're Neon Samurai."
"Holy crap," I thought to myself. That was my hacker handle from the mid-1990s! How could this guy know that? I then started thinking about the fact that the NFL has their own intelligence unit, so perhaps it wouldn't be unreasonable to expect a form of undue and over-the-top diligence on those they're thinking of on-boarding.
At this point you can't deny it, so I confidently and without hesitation said, "Yeah, that's me. Now, who the hell are you?" With a smile cracking on his face, Aaron stepped towards me and said, "Do you recognize my face now? I'm Arkane."
Memories flooded back. I immediately recognized him at this point and understood why he was weirdly persistent moments ago: we were hackers together on Long Island in the 1990s, we were great friends, and I hadn't seen him in over 20 years.
"I don't believe it," I said. A hug ensued. The CSO and head of GRC were simultaneously confounded and amused. Aaron then said, "Chief, I think the last time I was hanging out with Alex was in his parent's house on Long Island - we were cloning cell phones in his bedroom with an EEPROM reader/writer."
"Uhhh, that does sound about right," I responded. To which Aaron said, "I can honestly say, if there's anyone who understands how hackers think, it's Alex."
To abbreviate this long-winded story, the interview started. I was way over-prepared because I don't like to lose. And I wound up becoming the CISO of the NFL.
Because of the shared history and friendship that Aaron and I had as hackers, there was no getting up to speed or sizing up your counterpart. We worked together like old friends. And precisely because of all of the crazy things we had done together in our misspent youths, I had no question that he knew his shit, and he had no question that I knew mine. As readers who work in cybersecurity will know, there can sometimes be friction between the IT and cybersecurity teams. When the heat from that friction started to agitate our respective teams, Aaron and I would have lunch and we always worked out an innovative way to bring down the tension and accomplish our missions. I'm proud to say that Aaron is now the deputy CIO of the NFL and even prouder to say that I count him as one of my dearest friends.
A few months ago, I was at an invite-only Chainalysis VIP dinner associated with their Links conference in New York. Putting aside the questionable location of the dinner - the terribly touristy Times Square - the venue was chock-full of people working in the blockchain forensics space. I sat at a long table with a dear Chainalysis colleague who had invited me to the dinner. Two tables away, I saw something familiar. Between the several bodies obscuring the item, I could see what was clearly a black t-shirt with what appeared to be an electronic schematic in white on its front. You, me, and any longtime reader of this rag would instantly recognize this as a 2600 blue box shirt. I made it my mission to make my way over to this man by the night's end.
Recognizing this, I said to my companion, "That guy is an old-school hacker, and he wants people to know it." Going further, I speculated, "My guess is that he's wearing that shirt as a sort of flare - to send a signal to anyone else out in the room that recognizes the shirt." After massive salads and about 30 pounds of pasta was served to our collective tables, I made my way over and tapped this guy on the shoulder.
"Excuse me, I couldn't help but notice your blue box shirt."
"Thank you!" he shouted over the din of the dinner. "I have been wearing this shirt for the last two days at the conference wondering if anyone would recognize it, and you're the only person who's said a word about it."
My companion was with me when this happened. I remarked to my new 2600 friend that I had said to her that I believed he was wearing the shirt as a message to others that he was an old-school hacker. "Exactly, exactly!" he said.
This guy and I became instant friends. I will not mention his name, company, or affiliation, but suffice it to say that he does quite stimulating work tracking dark money across blockchains, with a specialization in sub-Saharan Africa, and so has eyes on all sorts of treacherous transactions and perilous persons. We stay in touch and I know that I can call on him for any aid or assistance and he knows that he can call on me for the same.
These bonds and friendships that involve 2600 and the hacker subculture are strong. They're also weird. They can run deep in our veins for three decades, like the friendship between Aaron and me, or be made instantly and indestructibly as was the case with my newfound dark money-tracking friend. This raises the obvious question of "Why so?"
The bonds of a shared experience provide a solid foundation for sure, but the kinship is richer than that. We share an ethos, a value system, and a philosophy, not unlike the Freemasons. We don't have our own secret handshakes, but we do have our own esoteric modes of recognition: when you see another wearing a 2600 shirt, you have found your tribe. We don't meet in the Lodge, but we meet at HOPE and other like-minded conferences. Like the city of Pittsburgh, our historical imperfections are what make us interesting and who we are.
We are not afraid to roll up our sleeves to take apart devices, or to take on systems, and we put the pursuit and sharing of knowledge above all else. We stick together. We must pass this on. And we must ensure that the next generation has the opportunity to make the same mistakes as us, with as much mirth and as much hope, so that they protect and pass on this wonderfully bizarre culture of ours.