Kelly Lum, better known in hacking circles as Aloria, passed away on Sunday.
Aloria was a veteran of the cybersecurity community, especially the one in New York, her home for many years. The Twitter account of the New York City security conference SummerCon announced her death on Monday, prompting a seemingly endless list of people to publicly mourn her loss and pay tribute to her life.
People who knew her call her an “angel,” an “incredible woman,” “so prickly and dark and funny, and yet warm and welcoming,” “brilliant, sharp, deeply witty […] a daring adventurer, a kind soul,” “one of the funniest, kindest and most honest people” on Twitter, “unique and memorable,” “a legend […] brilliant, generous, hilarious,” the “the archetypal hacker, both technical and unconventional in the non-technical,” “kind and welcoming,” someone whose “magic was making us all feel seen & appreciated just as we were,” an “inspiration,” “the peak of original content, a real character,” and someone who “truly did change stuff for the better.”
According to the SummerCon official Twitter account, “Kelly did not take her own life, but passed due to progressed critical illness, in a hospitalized setting surrounded by her family.”
Aloria was 41, and she’s survived by her husband.
Some people remember her for her qualities as a person, and for her contributions to hacking culture, more than for her technical abilities, even though she was very knowledgeable and a remarkable cybersecurity professional.
“I feel like Aloria represented what the infosec industry is at its best: performing fantastic feats of problem-solving with playfulness, ingenuity, and authenticity. She was an industry legend and a trailblazer, but I don’t think she ever saw herself that way,” said Kelly Shortridge, who knew her for more than a decade as both she and Aloria were part of the New York City hacking scene. “Unlike most security luminaries, she actually lived her life as to what fulfilled her rather than what inflated her ego. She was generous and the antithesis of a gatekeeper; she welcomed me in the industry when few others did.”
Zach Lanier, who knew her for more than a decade, said she was like “a sibling” to him, and one of his best friends. When he and Aloria lived in New York City at the same time in the early 2010s, they would have a tradition of going out with other cybersecurity folks every Thursday, first to a Mexican restaurant in Union Square, where they would order “too many tacos and margaritas,” and then to a karaoke bar.
Aloria loved to sing Separate Ways by Journey. The two would also sing Forgot About Dre, with Aloria singing Dr. Dre’s parts, and Lanier singing Eminem’s parts, Lanier said.
“She would nail it and knock it out of the park every time,” he said.
“You don’t want to go after her because it’s like: ‘Oh, God, how do I follow that up?’ It’s as if your opening act is a professional and you are an amateur,” said another friend of Kelly who works in cybersecurity, who asked not to be named as his company doesn’t allow him to speak to the press.
Her death, Lanier said, is particularly tragic because from his point of view, “she found a semblance of happiness that I had not seen for a while.”
“She was the happiest she’s ever been,” said Erik Cabetas, another veteran of the New York cybersecurity scene who knew her since 2009.
Katie Moussouris, who also knew her for more than a decade, highlighted the fact that Aloria had been part of the cybersecurity industry for around 20 years — one of the few women to have done so. Other than her technical qualities as a hacker and cybersecurity professional, Moussouris said that Aloria “was so giving not just with her time, but her spirit. Anything she could share that would help a person she would, and she did.”
“She was just a beautiful tortured soul,” Moussouris said. “Her whole existence and everything that she gave to everybody — I was like: how does she even have it left given her struggles?”
Aloria often talked openly about having bipolar disorder, a chronic — and often misunderstood — condition that I also suffer from. It’s impossible to quantify something like this, but having someone so prominent and well known in the cybersecurity scene talk so openly about mental health probably inspired and helped so many people overcome the stigma that mental health issues, particularly bipolar disorder, unfortunately still carry.
“I’ve been trying to explain away stigma, and it kind of occurred to me that that’s not how you erase stigma. I suffer from Bipolar II disorder and I’m also a multiple suicide attempt survivor,” she said in a 2016 video. “You don’t rationalize away stigma, you can erase it by being a positive example of someone who has gone through these things and come out on top, being successful at overcoming the challenges that they are faced with.”
“If there hadn’t been so much stigma associated with bipolar disorder I might have been diagnosed earlier,” she continued, explaining that she was only diagnosed recently, despite struggling with her mental health for a long time. “And I wouldn’t have had to spend 20 years struggling and becoming hopeless because I didn’t think there was a solution for me.”
“My life now is — I’m not gonna say it’s perfect. I still have dark days but I have done so many amazing things, traveled to some awesome countries, have awesome friends, flew a plane once,” she said. “It’s a long hard road ahead sometimes, but that doesn’t mean that the journey isn’t going somewhere, and it isn’t worthwhile.”
Lanier said that Aloria “was always very helpful… she always wanted to help people,” by being open and honest about her own mental health struggles.
Matthew Bischoff, a former Tumblr product and engineering manager, who worked with Aloria at the social media network, said that Aloria’s “ability to meme almost anything will stick with me for a very long time.”
“Her sense of humor, commitment to doing the right thing for users and fierce advocacy for the causes she believed in were all hugely impactful on me and my career,” they said.
While at Tumblr, Aloria advocated for turning on HTTPS by default on the site, which would make users’ connections to the site more private and secure. The well known Twitter user SwiftOnSecurity wrote that her “pushing HTTPS and LetsEncrypt at such a massive blogging platform had real waves across the industry.”
“She was also an unsung hero, and a lot of things she did, she didn’t really like to broadcast. I think that’s true of a lot of — especially women in the security community,” her anonymous friend said. “Because of how unfair the security community can be, I think a lot of women are hesitant to stand out.”
“Many people know her for her iconic retro computing swag, [the meme account] Infosec Reactions, and other cultural contributions to infosec but she wrecked many systems. In fact, I suspect her humility relative to her peers is why her fierce exploitation prowess was not mentioned as often,” Shortridge said. “She could deftly navigate compromising systems as well as defending them, and her views were always well-reasoned rather than self-serving — again in contrast to many of her peers.”
Cabetas said that Aloria was a great hacker, but also asked me to “let people know that she was about the lulz.”
Indeed, she was. In her spare time, Aloria maintained the hilarious Twitter parody account “Infosec Reactions,” 3D-printed things like a pickle with Nicholas Cage’s face, collected silly t-shirts and hats, traveled the world — Lanier said she set foot on all continents, including Antarctica — and took beautiful pictures that she would post on her Instagram and Tumblr.
And, of course, she was a formidable karaoker.