It took me a while to really decide to pull the trigger on this post. For several reasons:
1. I think the way that @ZeroFOX handled this was impeccable. As far as “we” are concerned this issue was to bed once the instigator (@avriette) balked out on actually having a constructive discussion when invited to.
2. Deciding to pick this up the next day showed me that @avriette blocked me on twitter. That kind’a shows the level of maturity we are dealing with here. Burying your head in the sand and refusing to deal with your provocation is not something that I can respect.
Nevertheless, I did want to put my personal thoughts on this out there (specifically since I don’t think that ZeroFOX needs to handle this anymore, and since I have already voiced my thoughts about this before: http://www.iamit.org/blog/2014/02/women-in-infosec-that-thing-again/).
So here goes: During a presentation at Shmoocon, that discussed research conducted with John’s Hopkins University about a red team / blue team exercise over social media. As such, the students have learned about attack vectors that were effective, and have engaged in launching those against their fellow students in other universities. As the talk title implied, the obvious attack methods online were ones that appealed to the target demography: “Mascots, March Madness & #yogapants”. It should have been pretty obvious, that when discussing any attack vectors on social media (and social engineering), anything related to sex, sports, food, free/discounted stuff, will all show up with varying degrees of effectiveness.
And yes – Tinder showed up there as an effective method (yes, it’s a sex-as-a-service app) to target people. I can admit to using Tinder (and Grindr, and happn, and okcupid, and others) as highly effective means of social engineering my targets on red team engagements. I also admit that I have totally stereotyped my female targets and used discounts on Manolo Blahnik shoes, LV bags, and high-end wine. And it was very effective. I’ve used free hot cocoa offers in the winter, and beach getaways in the summer, and iTunes cards, and free food samples, and court side tickets for Knicks games (yes, people actually still go there), and a gazillion other “objectifying” methods of appealing to my targets. Because these things work. And as such, I have presented my experience and research about it, just like this one (and I have been passing along that knowledge very successfully on our Red Team Trainings in the past as well).
During the presentation, it was brought to my attention that someone is tweeting about how the talk is objectifying women and making women in the audience feel uncomfortable. Mike (@theprez98) posted a short blog about this here: http://theprez98.blogspot.com/2015/01/hacker-cons-and-speech-codes.html.
The funny thing is that while I was sitting at the talk, I had two women who I highly respect, tell me how they fail to see whether the content or presentation would make them feel uncomfortable, nor that it was objectifying women in any way. Anecdotally, one of these women also runs the @ZeroFOX account, which “Jane the destroyer” was tweeting to, probably thinking that a man was running it (can you say stereotyping?).
I can’t put myself in anyone else’ shoes, so there is no way for me to debate the “making me feel uncomfortable” claim. Should have been a trigger warning at the beginning of the talk? Probably not. Especially if you bothered to read the talk title, or the short abstract. But going out, and just for the sake of making a potential scene, and then to bail out when offered to discuss things in more details shows me the true nature of the instigation.
And that’s where it gets me – it’s doing more damage than good. Like I have said before – my personal experience in the industry is not of “holding back women”. It’s of a very equal approach that puts women and men in the same position: professional. Just like another person that I highly respect in the industry put it in the past: “Calling bullshit on women in infosec” (thanks again Jennifer), and then Amanda’s post about the BSidesLV “incident” – these instigators are just doing more damage.
Yes, just like in any large enough group of people, you’ll find the assholes who are sexist. You’ll also find bigots, racists, trolls, anti-social people, douchebags (bro’s), etc… You cannot expect that since this environment is “yours” (i.e. infosec), it would be devoid of your run-of-the-mill social miscreants. Just like you deal with it on your non-infosec life, deal with it here. I’m dealing with it because I’m bald, and Israeli, and am often associated with Jews (no – I don’t care for kosher food. I like GOOD food, which usually excludes kosher. Stop stereotyping!). And I’ve dealt with it when I saw other people out of line when it comes to my friends or the hacker family. Whether it was a cop picking on a black person, or a women being harassed at a bar or a conference (not that they need it – they stood up for themselves just fine…).
So here goes. You got your 15 minutes of fame, I hope you enjoy them. I wouldn’t want mine to be about stuff like this. I’d like it to be about things that I’m passionate about, and that can actually make a difference.
Think about it.
Update: This pretty much puts it to bed.