New sexual-assault allegations against ‘phone phreaker’ John Draper
Jay, a hacker in the San Diego area, was excited to meet John T. Draper, who in the late 1960s and early 1970s had made waves by blowing a toy whistle into phone receivers. He’d grabbed the attention of AT&T and law enforcement agencies, and served as an early influence on Apple co-founders Steve Jobs and Steve Wozniak.
He didn’t expect his encounter with the infamous “phone phreaker,” also known as Captain Crunch, to lead to sexual assault.
The year was 2000, Jay told The Parallax last Wednesday. After the eighth annual hacker conference DefCon in July, he’d learned that Draper lived in San Diego and had emailed him in hopes of meeting.
“I thought it would be cool to meet one of my heroes,” says Jay, who spoke with us on the condition that we not publish his last name nor his current occupation.
READ MORE ON TRENDS IN HACKER CULTURE
How the myth of meritocracy stymies women in cybersecurity
Facebook, EFF security experts sound off on protecting the vulnerable
Is doxing ever appropriate?
Jay was 32 at the time, older than other reported sexual-assault victims of Draper, first disclosed by BuzzFeed last week, but he describes himself back then as “a prickly, studly dude” his homoxesual friends referred to “as a ‘twink.’ I didn’t look underage, but did look young for my age. I had a zestful outlook on life.”
Over email, Jay says, the two men agreed to meet at a coffee shop in downtown San Diego. Jay arrived in his truck, and before he could park, Draper hopped in and asked Jay to drive to Ocean Beach, a bohemian neighborhood known for its counterculture vibe and sunsets.
That day, Jay recalls, he was wearing board shorts and a tank top. Draper was wearing sweatpants and a T-shirt. Over five to six hours, their conversation ranged from hacker exploits to workout techniques Draper says he learned from a “guy in Russia.” Draper “never veered into sexual innuendoes. No come-ons,” Jay says. His demeanor was “scattered and unfocused.”
“He’s like a kid in a candy store,” Jay says. “He darted from store to store, dodging traffic.” At one point, Draper lost his notebook and said, “Oh shit, it has Woz’s number in it! I need to retrace my steps.”
After their Ocean Beach stroll, Jay drove Draper back downtown, where Draper kept an “office/crashpad” on the second floor of a three-story office building. He invited in Jay, who was still hoping to discuss technical topics in-depth.
In the space, which displayed an assortment of used pots and pans, plates, and a “gross-looking” bedroll, Jay says, Draper’s energy changed. “He mentioned wanting to catch up on email real quick, and I noticed him logging into a local gay BBS that I was familiar with because I hacked it a bunch of times.”
That should have been a red flag, Jay says, but “I asked him about it, and offered to get him some free access from the accounts that I popped.” And when Draper instructed Jay to take off his shirt, and get on his hands and knees on the bedroll, Jay obliged. This must be the Russian workout he was talking about, he thought. But he wasn’t ready for what was next.
Draper climbed on Jay’s back, wrapped his hands around Jay’s neck, and told Jay to stand up. When Jay started to stand, Draper asked him to get back down on his hands and knees, and repeat the exercise. Jay says he did this “three or four” times. And each time he returned to the mat, Draper tightened his grip and grinded himself into Jay’s backside.
“I felt he had an erection,” Jay says. As he stood up completely, Draper wrapped his legs around Jay’s waist and continued to grind. Stunned, Jay “made some kind of excuse to get out of there” and left the building.
Draper’s “sexual advance”—”inappropriate…and awkward,” Jay says—was uninvited and unwelcome. “I would categorize it as an assault. A dry hump.”
“Banning Draper is long overdue; calling the organizers’ response ‘quick’ gives them too much credit, as it’s only now in the face of media scrutiny they are acting. I’m totally unconvinced that they could have been unaware of him being a problem.”—Leigh Honeywell, adviser, Ada Initiative
Jay’s story hews closely to other accounts of sexual assault against young men by Draper. It is one of two first-hand accounts The Parallax has been directly told; the other was that of James Erickson, who also recounted his story to BuzzFeed.
The details of a third account, which we do not have permission to publish, follow the behavioral pattern: Draper regales a young hacker with tales of his days as a target of the U.S. government, then invites him to a private space, often a hotel room, for “exercises” or “energy work.” Once in private, Draper finds a way to approach the man from behind, and then, without warning nor consent, rubs an erection into his victim’s backside.
There are now at least five separate allegations of Draper sexually harassing or sexually assaulting men in the hacker community. They include accounts in journalist Ethan Smith’s BuzzFeed story, as well as an account cryptographer Matt Blaze detailed on Twitter from when he was in “8th or 9th grade.”
Seven sources for this story say there likely are many more untold accounts. One source, Internet pioneer Paul Vixie, says Draper “propositioned” him at a Hack-in-the-Box conference in Malaysia about 10 years ago.
“It was the usual, ‘Come up to my room, and I’ll show you some stretches,’” Vixie wrote in an email. “While we had reason to visit his room to pick up some article or device, I had no reason to enter or remain. He was pushy, but did not lay hands upon me. I later discovered by asking around that this was a common thing.”
A year later, Vixie says, Draper expressed enthusiasm on an email discussion about a post-conference party location. It was in a “nearby Asian country which is known as a sex tourism hot spot. Draper was, on the email thread, quite enthusiastic when young boys were mentioned. I was disgusted, and exempted myself from that afterparty.”
Draper refuted the allegations of sexual assault in BuzzFeed and here. In comments made to The Daily Dot on Monday and an emailed statement to The Parallax, Draper representative Allie McKay said, “We deny that he had any intent or made any attempts further to exercising with people, and insist that he never pursued any sexual intimacy with anyone.”
“If there was an incident of this nature reported to DefCon management that was not acted upon, I’m not aware of it. In my experience, DefCon takes action when a serious complaint of any kind is made by an attendee.”—Matt Lewis, DefCon party organizer
“We acknowledge the program may have been considered unusual, and may have brought people discomfort after they gave informed consent to participate. As John has stated, participants were free to, and sometimes did, halt the exercises at any time,” McKay said. “John states that he cannot conceive of this new allegation having to do with the sex trade industry. It is also quite inconceivable to us.”
The accusations against Draper come at a time when America is grappling with many high-profile allegations of rape, sexual abuse, and sexual harassment. In recent weeks, there has been an influx of serious allegations in politics, including against President Donald Trump, Alabama Senate candidate Roy Moore, and Minnesota Sen. Al Franken; in entertainment and media, including against movie producer Harvey Weinstein, actor Kevin Spacey, talk show host Charlie Rose, comedian Louis C.K., DC Entertainment editor Eddie Berganza, and the newly appointed Marvel Comics executive Ron Richards; and in tech, including against investors Steve Jurvetson and Shervin Pishevar, and evangelist Robert Scoble.
Allegations of sexual harassment have also emerged from a number of popular male-dominant events, from TED talks to DefCon.
The Parallax has confirmed that Draper has been banned from at least four hacker conferences at which Draper has spoken or was scheduled to speak.
“We feel that the allegations at this point are sufficient to warrant a ban from our future conferences and, since one of the alleged occurrences took place at one of our events, we feel we have the obligation to ensure that our attendees are not exposed to any such future behavior,” Hackers on Planet Earth (HOPE) organizer Emmanuel Goldstein wrote in an emailed statement to The Parallax. “We are keenly aware that there are two sides to every story, and we don’t want to act hastily or based on the word of unreliable sources, or people who may have a grudge. But due to the number of independent and specific allegations here from people who don’t know each other, that danger seems increasingly remote.”
Prior to the publishing of the BuzzFeed story, Jeff Moss, the founder of DefCon, did not respond to a request from The Parallax for comment. A representative for the conference pointed to the organization’s Code of Conduct, which she says functions in lieu of an antiharassment policy. DefCon also declined to provide a list of people accused of sexual assault whom it has banned from attending the conference.
To BuzzFeed, however, DefCon provided a statement saying, “We applaud those individuals bravely stepping forward to tell their stories…The behavior described in these allegations is appalling and has no place in our community. Per DefCon’s Code of Conduct, this kind of behavior will result in a permanent ban from our events.”
Draper also has been banned from Hou.Sec.Con, a Houston-based security conference where he was scheduled to be one of the keynote speakers in 2018, and ToorCon, a San Diego-based conference.
Draper rose to notoriety as a “phone phreaker,” a telephone network hacker in the late 1960s. In 1971, he became a nationwide counterculture figure, following profiles of him in Esquire and the Los Angeles Times, which helped kickstart the myths that he discovered that a toy whistle included in boxes of Captain Crunch cereal blew a tone at 2600Hz, the same tone that AT&T used to reset its trunk lines, or invented the Blue Box, a mechanical device that can sound the 2600Hz tone, and used it to make long-distance phone calls free of charge.
While he might have never claimed to have invented the Blue Box or discovered the whistle, Draper has done little to dispel those stories. He was convicted of more than 10 counts of wire fraud and probation violations, and he has spent at least four months in federal prison in Lompoc, Calif., and one year on a furlough program. He also pleaded guilty in 1987 to a misdemeanor charge of forging Bay Area Rapid Transit tickets.
Through McKay, Draper emphasized that he hasn’t taken credit for the invention of the Blue Box or the discovery of the Captain Crunch whistle tone.
“Crunch’s relationship with the history is one of infamy, contribution and growth—not invention,” she wrote. “He has never made such claims or given any such impression.”
Phil Lapsley, who also dispelled the myths in his 2013 book Exploding the Phone, a comprehensive history of phone phreaking, said that before agreeing to be interviewed in 2008, Draper required him to give him a “half-naked…piggyback” ride around “a dingy apartment” in Burbank, Calif. He referenced similar accounts of this “Draper initiation ritual” stretching as far back as 1985, in Douglas G. Carlston’s book Software People.
Draper is hardly the only person in the hacker community to be accused of sexual assault. Following a recent report in The Verge that outlined six public accusations of rape and detailed one of them, Morgan Marquis-Boire, aka Morgan Mayhem, was forced to resign from positions of influence at Citizens Lab and First Look Media, publisher of The Intercept. And following public accusations of rape, sexual abuse, and sexual harassment in 2016, Jacob Applebaum, known for his work with The Tor Project and WikiLeaks, was blocked from attending Chaos Communication Congress, the largest hacker event in Europe.
DefCon would not confirm whether it has banned Marquis-Boire nor Applebaum from its future conferences.
Matt Lewis, who has been involved with DefCon since 1996, organizing official and unofficial conference parties, tells The Parallax that he has had more than 20 confrontational encounters with Draper, including blocking him from events because partygoers complained that he made them feel “uncomfortable.” But he says there’s no hacker blocklist for conferences—and there doesn’t need to be one.
“If there was an incident of this nature reported to DefCon management that was not acted upon, I’m not aware of it. In my experience, DefCon takes action when a serious complaint of any kind is made by an attendee,” Lewis says. “All the organizers know each other very well, and I think it’d be fairly common knowledge if someone had been banned from one of the conventions.”
“I think [people in positions of power] can always be somewhat more proactive without necessarily engaging in what might be a witch hunt.”—Gabriella Coleman, cultural anthropologist specializing in hacker culture, McGill University
Although there is a lot of cross-pollination among attendees and organizers, Lewis adds, there’s “no formal process” for communicating to others when someone’s been banned. “Each conference needs to come to their own conclusion of who’s welcome and who’s not.”
That approach doesn’t work for protecting attendees who’ve been targeted, and it doesn’t address abusive behavior by less-famous attendees, says Leigh Honeywell, a hacker and adviser to the now-defunct Ada Initiative, a nonprofit organization that advocated for better treatment of women in tech. Honeywell says she stopped attending DefCon in 2014 despite what she says is DefCon’s “unquestionable” importance in the hacker community.
“Banning Draper is long overdue; calling the organizers’ response ‘quick’ gives them too much credit, as it’s only now in the face of media scrutiny they are acting. I’m totally unconvinced that they could have been unaware of him being a problem,” she said in an email, recalling that “there was a CTF [Capture the Flag] team called Too Old For Captain Crunch at one point.”
Honeywell, who publicly told her story of being targeted by Applebaum, says that when conference organizers wait until there are public accusations of abuse, they put attendees at risk. They also discourage people from attending, which can have a measurable impact on their careers.
Gabriella Coleman, the Wolfe Chair in Scientific and Technological Literacy at McGill University and a cultural anthropologist specializing in hacker culture, says that historically, it’s hard for communities to respond to rumors and even “open secrets” because of a lack of evidence. But that’s changing, she says.
“The tipping point is when people get together to start sharing them. That’s what happened with Applebaum, and with Morgan, and to a degree with Captain Crunch,” she says. And, she adds, it’s not out of line for people in positions of power such as conference organizers and cybersecurity team managers to take a more active role to investigate rumors.
“I think they can always be somewhat more proactive without necessarily engaging in what might be a witch hunt,” Coleman says. “It’s something that can be done with people who have authority and power, but it’s also on a case-by-case basis.”
Honeywell is skeptical about the lasting impact of public accusations of sexual assault at DefCon, in part because of what she sees as a lack of training in handling complaints among people in positions of power, including DefCon’s mostly volunteer staff of organizers, known as Goons.
“While some of the Goons are great folks, others are themselves part of the problem,” she says, “and the organizers have a track record of getting offended and angry at people who try to engage with them about harassment issues rather than being willing to acknowledge that their event has major problems.”