Friday, August 5, 2016

Security conferences != dating scene

To my female readers, hold on a minute, I have to say something to my fellow men.  Join me in just in a minute.

Men - I think there must be some confusion here about what security conferences are for.  Last time I checked, security conferences were good for a number of things, including:
  • Learning about new and exciting advances in the field
  • Participating in a CTF
  • Damaging your liver
  • Meeting new people and reconnecting with old friends

It feels like this should go without saying, but what a security conference is not:
  • A meat market
  • A quick hookup point
  • A meetup

If you follow me on Twitter, you know I attend a lot of security conferences - and I'm a speaker at most the conferences I attend (so I usually see the speaker parties too).  The conferences I attend are all over the map, from Blackhat to DEFCON to various BSides and SANS summits.  The demographics at these conferences vary wildly from hacker types with green hair and poor hygiene (FFS, please follow the 3-2-1 rule) to more professional and polished DFIR types.  

Over the last two years, I'm seeing more women attending conferences.  This is GREAT for me personally - my daughter is almost 10 and is interested in STEM.  She needs role models.  She loves talking to women who are doing "cool computer things."  Even Ray Charles isn't blind enough to claim there's no gender equality gap in infosec - the women coming to these conferences will help close that gap and make the industry better for all of us.

But they'll only do that if they feel safe and accepted.  And I have to say that I am embarrassed at the behavior I see from my male counterparts at these conferences in their treatment of women.  I don't know if it's as a result of more women being at conferences or I've just opened my eyes up to it, but I cannot believe how many seemingly professional guys go from totally cool to total douche in 10 seconds or less.  

Guys, infosec conferences aren't a place to find the love of your life.  Go use an online dating site for that.  Stop mansplaining stuff to women too.  Nobody likes that.  I saw that happen last night at the TiaraCon party.  For those that don't know, this is an event to promote diversity in infosec - making mansplaining there especially ironic.

Don't be touchy
The other thing that I see with a fair degree of regularity are men getting touchy at events - including the speaker events (where I somehow assume things would be somewhat more professional).  I have never had a guy touch me to make a point in a conversation (and good thing, I'd f*%king lose my mind). But I see it all the time at these parties and events.  And I guess some of my brethren are bad at reading people because all of the "stop f%#king touching me" visual queues are there.

At security conferences in the last year I have stepped in (or have been pulled in as an apparently safe person) on way too many occasions to defuse inappropriate and/or aggressive flirting.  I've been asked to walk women back to hotels from parties (including speaker parties) because other attendees were making them feel unsafe.  This has to stop.  If men in infosec don't make women in infosec feel safe, we'll continue with the same problems we have today. 

As we roll into the next two nights of nighttime hacker meetups - I mean drunken DEFCON parties - consider how your actions reflect the industry as a whole.  If your mom would be ashamed of your behavior, go ahead and dial it back a few notches.

Women - thanks for hanging in there
Thanks for waiting while I took a minute to talk to my fellow men.  Thank you for your contribution to infosec.  Hang in there - the men who are inappropriately or aggressively flirting, etc. do not represent all of us.  If you ever need someone safe to help you get to a taxi, hotel, etc., look for me and I'll be more than happy to help.  If any of my Rendition Infosec employees are ever inappropriate with you, report it - if they're acting inappropriately they won't be employees anymore.  I don't control anyone else's future, but I'll start with my small slice of the pie and I hope other employers in our industry will do the same. 


  1. For several years, I was a safe date for two different women to RSA Crypto Bash, because they had been practically stalked by 1+ persistent con attendees. I was able to deflect the creeprs, as a faithful married man (and with full knowledge and encouragement by my wife, I should add). It's beyond sad that this should even be a thing.

  2. It's sad that you have to post this... but I have seen it as well. As a firm believer that there needs to be more women in security (and excited that my last intern just got hired onto a security/compliance gig)... men behaving badly will not help that.

  3. If the people are not being rude, forceful or inconsiderate then you need to stow your judgement. Meeting like minded people who may be love interests is a rare thing, and these things happen in uncommon places like cons.

  4. I completely and utterly agree. With everything you said and found myself nodding at every paragraph.
    I too have had to play the role of the ambiguous possible-boyfriend to some women at cons while they give me the "help me" eyes and dart them sideways at someone who, for all their technical talents, simply isn't picking up on the fact that she isn't interested.
    Well written and well said.

  5. Well written and accurate commentary. I would add, however, that maintaining a certain level of professional decorum at public events, such as industry conferences, applies to all. At some conferences I have heard women express their disappointment with certain behavior of other women in the DFIR field because they felt it set a poor example - e.g. "Did you hear about Jane Doe (Note: not a real person) at the Acme Forensic Software (Note: not a real entity) after party? She was doing body shots and twerking like a stripper at a frat party. It's that kind of stuff that gives the rest of us a bad rep..." I think you get the point.
    Women in our profession (and other professions as well) face an ongoing struggle to be treated with the same respect as their male counterparts - to be taken seriously and not seen as a novelty in a male-dominated field. For some people, perception is reality - it doesn't matter if a person has mad DFIR skills, they unfortunately may only be judged by their behavior (or misbehavior) in public.
    The bottom line, it doesn't matter whether you're a man or woman, when you're at an event attended by your peers, think twice before engaging in any activity that might make your boss or HR cringe.

  6. i personally agree with jake's commentary.

    problem is that defcon is a con for miscreants and social malcontents whose binding mojo is the desire and ability to break rules.
    add to that: different people have different desires/expectations, both men and women. it makes it a hard target "the right message", except to treat people with respect, and if you're hitting on them (or engaging them in any way), pay attention to "back off" or "lack of permission" signals.

    basic social contract remains in place, even at defcon or similar FU events: treat others with respect and boundaries.

    primary corollary: if you witness disrespectful behavior, watch for ways you can "educate" the perpetrator. i'm not suggesting fisticuffs, but something that might actually indicate that they may need to learn to avoid certain behavior patterns.

    as for women in tech: i recently discovered that the original programmers of computers were mostly women, and that actual shit-head men "joined together" and forced them out. really stellar point in men's history. so.... girls, please come back. men are not "better at tech" and tech is not "better for men" even if the environment may still be a work in progress.

  7. I touched you at TiaraCon, but I didn't notice any "stop f%#king touching me" looks. I'm pretty sure that's a green light for the next conference...

    Jokes aside, GREAT article. We had our 21yo intern with us. The poor gal had to deal with... well, you already know. We all had to play the big brother role, forced to ward off the weirdos outside of her peripheral so that she didn't realize how bad things were getting. Sad. Just sad.

  8. This comment has been removed by a blog administrator.

  9. They can shield the place from wrongdoing and give an open security as well. What more, they are likewise furnished with the most recent innovations like the CCTV and security caution framework to give security 24 hours to any apportioned area. remove rogue virus


Note: Only a member of this blog may post a comment.