Posts Tagged ‘Errata Security’

DEFCON is one of the largest and longest-running hacker cons. It takes place in Las Vegas as this nerd bacchanal where hackers show off their research and party with their peers. Its founder Jeff Moss–known by his handle Dark Tangent–now sits on the Homeland Security Advisory Council and is the chief security officer for ICANN. The director of the NSA, General Keith Alexander, made a first-ever appearance in large part to woo hackers to the agency.

Despite this new air of, well, respectability, the conference is a free-for-all–heavy on alcohol, black hats, and off-color talks.  DEFCON’s unofficial “survival guide” gives a taste of what to expect: Rule #1 reminds attendees that prostitution is illegal, Rule #2 warns against using the very-likely compromised ATM, and Rule #4 admonishes anyone who would connect to the DEFCON network–using no less than six anal sex jokes.  This is not out of character for a hacker con; one of my favorite presentations from HITBSecConf this year started with a painful language lesson on picking up a prostitute in Malay. Once you got past that (oh, and the “fisting” references, too), there was some great information. Get the picture?

Recently, I trolled someone on Twitter who said he wouldn’t attend DEFCON or Black Hat, because he preferred more secure, vetted environments. The comment is all kinds of stupid, because a convention like DEFCON is exactly where people who want to understand attackers should go–namely, anyone responsible for defending networks and hosts. However, there is no doubt that these conferences can be a hostile environment for a lot of professionals–not the least of which are women.

Make ran a story on one attendee’s response to sexual harassment at DEFCON. Her name is KC, a freelance journalist preoccupied with technology and social justice, who blogs at Single Voice.  She devised a project of Red and Yellow Cards (in the rugby or soccer vein) to call out sexist behavior.  We are talking some very serious behavior.  KC describes the catalyst:

Let it be known that I went to Defcon with a reasonable amount of armor on already. I was reasonably aware of the frat party environment I was stepping into. I have many friends who are involved with helping make Defcon roll smoothly each year, from speakers to goons. And still, nothing could have prepared me for the onslaught of bad behavior I experienced.

Like the man who drunkenly tried to lick my shoulder tattoo. Like the man who grabbed my hips while I was waiting for a drink at the EFF party. Like the man who tried to get me to show him my tits so he could punch a hole in a card that, when filled, would net him a favor from one of the official security staff (I do not have words for how slimy it is that the official security staff were in charge of what was essentially a competition to get women to show their boobs). Or lastly, the man who, without prompting, interrupted my conversation and asked me if I’d like to come back to his room for a “private pillowfight party.” “You know,” he said. “Just a bunch of girls having a pillowfight…. fun!” When I asked him how many men would be standing around in a circle recording this event, he quickly assured me that “no one would be taking video! I swear!” I’m pretty sure this is the point where my lovely partner Morgan asked him if he thought propositions like his had anything to do with contributing to women not feeling welcome at Defcon. This was a very difficult concept for this poor soul to wrap his head around.

The cards themselves (yellow and red) received a very positive reaction from women and Dark Tangent himself, but there was some pushback from male attendees.

The project intrigued me and I have been meaning to write something, but I felt a real urgency to do so when Robert Graham of Errata Security posted a counterpoint of sorts to what he saw as punitive sexual harassment policies entitled “Sexual harassment policies: education please, not threats.”*  His bottom line is this:

Education is a better solution to this than threats. Men should be told that just because she hasn’t slapped you doesn’t mean she’s into you, it just means she is in a social situation she’s had little experience with.

The thing about hostile, threatening policies is that they discourage legitimate speech. People become scared and go too far censoring themselves. It becomes something that can be exploited by the disgruntled to censor things that have little to do with sexual harassment. As a guy, I don’t see the cases of sexual harassment that I know exists (from reliable reports), but what I do see is the frequent exploitation of anti-harassment policies.

Graham is a libertarian who has written some compelling arguments of that bent (which I commented on in “Law, Order, and the Accidental [Cyber] Guerrilla”); KC is an “anarchist” with a feminist bent. I wanted to hear the dialogue between the two, so I tweeted.

KC responded with several tweets:

I fail to see what is aggressive, angry, infantilizing or threatening about holding people accountable for their behavior [cite]

I also flat out don’t believe the whole “men don’t know better/are unaware!” excuse. [cite]

Also, let’s talk about the frustrating social expectation of women needing to be the patient educators… (1/2) [cite]

…vs the nonexistent expectation of men simply being more responsible and sensitive at cons. (2/2) [cite]

Graham responded in kind. The gist is that shaming doesn’t solve the problem long-term while education is a better route. Frankly, I find KC’s to be the more compelling argument. I, too, am unconvinced by the “‘men don’t know better/are unaware!’ excuse.” Graham cites the misogyny among male attorneys, for example; he seems to be saying attorneys are the exception to the rule, but I think there are some uncomfortable commonalities.

For better or worse (mostly worse), I have a lot of experience with attorneys. Today, more than 50% of law students are women, and the general sense I get is that there is this growth in very hostile attitudes among thirty-something (and younger) male attorneys towards women as a perceived threat to men’s position in the workplace. The harassment isn’t some poorly articulated come-on; it is a power play to defend their turf. While I doubt women have reached anywhere near that parity in the hacking community, it is worth asking the question how much of this behavior boils down to bullying and turf-defending.

A more compelling counterpoint came from @maradydd:

If you’d like some context, one of the stories @ErrataRob is telling is mine. [cite]

My creeper didn’t learn from “stop touching my butt/asking to see my boobs.” I doubt a card would’ve helped. [cite]

Here, KC and Graham are not too far apart. The card is an educational tool–one that might not work. Indeed, all education may not work.  I sympathize with Graham’s desire to protect freedom of speech; I really do. However, I see little recourse except for the more ‘punitive’ measures such as BRUCON’s anti-harassment policy.

* – On Twitter, I initially attributed the article to David Maynor.  Both are with Errata, and both tweeted about it.  I simply hit “quote tweet” on the wrong one, and the misattribution followed from there.  Mah bad!


In Mikko Hypponen’s fantastic TED talk, there were two big takeaways.  First, we must be prepared for those times when–not if–hackers will be able to break systems (perhaps even the system) in which we live and work.  This is not simply a matter of low-tech alternatives (although that is not a bad idea) but also of making sure our technology is resilient.  Secondly, those on the side of law and order must find those who are about to become cybercriminals, as Hypponen says, “with the skills but without the opportunities,” and co-opt them into using their skills for good.

While I could not agree more with these two priorities, I do not share Hypponen’s optimism that they will be addressed.  In terms of resilience, the start of the rebooted Battlestar Galactica in which humanity is annihilated through an enemy exploiting vulnerabilities in complex, hypertechnological military systems seems completely plausible to me.  (The miniseries should be required viewing for RMA kool-aid drinkers.)  In terms of recruiting those on the verge of becoming cybercriminals or, indeed, cyberguerrillas like Anonymous, I see an outcome that is even less hopeful than the Cylons’ onslaught.  We are failing–miserably–at co-opting talent.

There are a lot of reasons for this, but one of the most important requires broaching an uncomfortable subject.  Earlier in the month, Robert Graham of Errata Security made a provocative claim that, while white hat hackers are on the side of the “law,” they are not on the “side of law enforcement” or, as Graham puts it, “order.”  He goes on to explain:

The issue is not “law” but “order”. Police believe their job is not just to enforce the law but also to maintain order. White-hats are disruptive. While they are on the same side of the “law”, they are on opposite sides of “order”.

During the J. Edgar Hoover era, the FBI investigated and wiretapped anybody deemed a troublemaker, from Einstein to Martin Luther King. White-hats aren’t as noble as MLK, but neither are white-hats anarchists who cause disruption for disruption’s sake. White-hats believe that cybersecurity research is like speech: short term disruption for long term benefits to society.

I have personal experience with this. In 2007, I gave a speech at the biggest white-hat conference. It was nothing special, about reverse engineering to find problems in a security product. Two days before the speech, FBI agents showed up at my office and threatened me in order to get me to stop the talk, on (false) grounds of national security. Specifically, the agents threatened to taint my FBI file so that I could never pass a background check, and thus never work for the government again. I respond poorly to threats, so I gave the talk anyway.

I point this out because it so aptly proves my point. I am not on the side of law enforcement, because law enforcement has put me on the other side. One of the requirements (from the above post) to volunteer is to pass a background check — a check that I can no longer pass (in theory). I cannot volunteer to train law enforcement because they perceive me as the enemy.

This is exactly why I am so dire about recruitment. First, there is a distinctly libertarian bent throughout hacker culture, suspicious of government and resistant to impingement of freedoms as far flung as free speech and fair use of digital media.  This, as Graham argues, puts those inclined to respect the “law” against “order.”  Secondly, abuses do more to create cybercriminals than curtail them.

This got me thinking about David Kilcullen’s idea of “the accidental guerrilla”–that, in a counterinsurgency, even the slightest misapplication of force or failure to understand the complexities of one’s operating environment (culturally or otherwise) may lead to the exponential creation of insurgents.  Misinterpretation of this idea has caused many to come to the conclusion that less force is always better, but Kilcullen does not suggest this.  Similarly, it is not simply that the U. S. has begun to project force through this crudely defined “cyber” realm but rather that it does so without any understanding of its human terrain.

I am throwing some counterinsurgency buzzwords around too flippantly; thinking about a population-centric cyberwarfare would be a useful lens, but there needs to be a long hard look at past failures in addressing those Americans previously labeled as insurgents–for example, the Civil Rights Movement, as Graham so aptly notes.  There also needs to be a look at the “short-term disruptions” that Graham touches on in the context of cyberguerrillas as well as counterinsurgency practice at large.

I am not purporting any of this to be new or even my own; I am sure folks like John Robb have been connecting these dots for a long time.  However, I am flagging this as an issue that needs more attention.