Thursday, 7 August 2014

Some more thoughts on the infosec culture

Hey, time to dust off this old blog. I don't use it very often, except in cases like this one. The following post is expressing my own personal views and is not in any way connected to or representative of the views of my employer. Okay, that's out of the way. Let's chat.

A few months ago, Rob Fuller wrote a blog post entitled "Go Home InfoSec, you're drunk". I was not aware of this blog post until last night. A friend of mine told me about the post at a party, and said that I should read it because it would make me "hate [him]". I consider Rob a friend, and I have a great deal of respect for him both professionally and personally. So yes, I am biased in what I'm going to say. This morning, while recovering from a hangover, I read this post. I did not find myself getting mad at Rob at all. One of my first thoughts was actually how proud I am that I'm friends with him. My second thought was promptly "aww crap, I'm part of this problem."

I have been doing a lot of thinking about our InfoSec community lately. We use that term a lot, but don't often take full stock of what it means. Being a community means, among other things, looking out for each other. It means having dialogues where we discuss the issues we are facing together. I am somewhat disturbed by the trend of hostility towards people who try to open these dialogues. Whether you are talking about drinking, like Rob, or drugs, or sexism, or general bad behaviour. The people who try and stand up and say "I think we have a problem. We need to address this" often get attacked. If you haven't noticed it, go back through some of the discussions about the environment at InfoSec conferences.

A common theme that appeared in the response to Rob's blog post was "Every conference is like this, it's not just InfoSec". That is about the worst argument you can possibly make. It's not even an argument. That's the sort of thing you tell your children is stupid. "Yeah but Billy did it". How does that excuse, or in any way make your behaviour more acceptable? It doesn't. I don't care what Billy did, I care what you did. Well, I don't care what they do at other conferences, or in other Industries. We are talking about OUR conferences, OUR Industry, and OUR community. Because we are not just an Industry, we are a community with all that entails. Let's stop shifting the conversation.

Yes, these problems are much larger than our community, but this is where we can start changing them. We have a slice of society here that is all our own. We are shaping it right now. We have incredible power and control over it, and who cares what outsiders do. There's still tons of sexism out there. There is still racism, and prejudice against sexual orientation, gender identities, religion, and every other stupid thing people can come up with to divide "them and us". We seem almost biologically compelled to create these separations. Fine. Let's do it. Let's define the boundary. Are you ready:

Us: Hackers. Every kind of Hacker. I don't care what you do, if you think you're a hacker and you are passionate about it, and love it, and want to geek out with other hackers, then you are a hacker. You are one of "Us". Done.

Them: Everyone else.

There we have a dividing line now. I don't care what race, gender, orientation, religion, political view, or anything else you are. If you're a hacker, you're just like me. If you're not, I don't care what you've got going on right now for the purposes of this blog.

So, now that I have magically solved our inclusion problems, let's get back to the alcohol thing. Rob is not attacking people for drinking. He's not asking for everyone at cons to stop drinking. What he's asking is for people to stop and reevaluate the choices they are making. Try going to a con without drinking. How was your experience different? Were you still able to enjoy it? If the answer to that question is no, then we have a big problem. Rob suggests conference organizers try and add features that help build inclusion for non-drinkers or people recovering from addiction to alcohol (or any other substance). Let's not have a cycle of co-enablement that sends us down spirals of self-destructive behaviour. Rob never says "don't drink" and I don't advocate that either. However, if we are honest with ourselves, can't we admit that we go too far sometimes? Is it necessary for us to get so drunk that we feel awful and useless the next day? I ask you this as I recover from a hangover in Vegas. I am not sitting here preaching to anyone who reads this. I do not have some sort of moral high ground here. I am writing this as someone who is thinking "crap, I'm part of the problem".

I don't have the solutions to our problems, I'm not that guy. I do think, though, that we need to open more dialogues. We are a community. We need to band together. Look at the past few years. Think of some of the people we have lost. Not just to substance abuse, but any other problems, such as depression. Think of the people we know and care about who are currently struggling with those issues. We are a community, and we are hurting right now. So, if you are reading this while in Vegas, here's my call to action:

Keep an eye on your fellow hacker, whoever they might be. If they need help, be there for them. If they are drinking too much, at the very least be there to make sure they stay safe. You don't have to stop them from drinking, just look out for them. If you see someone struggling with anxiety or depression, talk to them. Listen to them. You never know just how much of a difference that can make.

Keep an eye on yourself. Stop to think about how you are acting from time to time. Ask yourself, is this really the way I want things to be? Is this how I want people to think of me?

Include people no matter who they are. If you see someone looking lost and lonely at the conference, reach out. It can be very hard to be new in this community. Having someone take you under their wing and introduce you to people is the most amazing thing that can happen. It affects you personally, fills you with pride and self confidence. It improves your professional life, and can be a launching pad for you to do great things. Give that gift to someone every chance you can!

Be better than "them". I defined out Them and Us. Well here's a secret, I don't like a lot of "Them". Let them rot for all I care. I care about us. So stop using any of "Them" as an example. Let them go do what they will do. We will prove we are better than they are. We will make our community a shining example of what can be. Let's make them all say "Why can't we be more like the hacker community?"

Well, that's it. That is my long rant for now. You can argue with me, you can attack my points. You can attack me if you really want. Just please, don't dismiss it and ignore it. We need to open a dialogue. Thanks for reading.

- David "thelightcosine" Maloney