Posts in Kudos, Opinions and Rants

What is wrong with all of you? Reflections on nude pictures, victim shaming, and cyber security

Friday, September 05, 2014 by Prof. Spafford in General, Kudos, Opinions and Rants,

[This blog post was co-authored by Professor Samuel Liles and Spaf.]

.Over the last few days we have seen a considerable flow of news and social media coverage of untended exposure of celebrity photographs (e.g., here). Many (most?) of these photos were of attractive females in varying states of undress, and this undoubtedly added to the buzz.

We have seen commentary from some in the field of cybersecurity, as well as more generally-focused pundits, stating that the subjects of these photos “should have known better.” These commentators claim that it is generally known that passwords/cloud storage/phones have weak security, so the victims only have themselves to blame.

We find these kinds of comments ill-informed, disappointing, and in many cases, repugnant.

First, we note that the victims of these leaks were not trained in cyber security or computing. When someone falls ill, we don’t blame her for not having performed studies in advanced medicine. When someone’s car breaks down, we don’t blame him for failing to have a degree in mechanical engineering. Few people are deeply versed in fields well outside their profession.

The people involved in these unauthorized exposures apparently took prudent measures they were instructed to on the systems as they were designed. As an example, the passwords used must have passed the checks in place or they would not have been able to set them. It doesn’t matter if we approve of the passwords that passed those automated checks -- they were appropriate to the technical controls in place. What the people stored, how they did it, or the social bias against their state of dress has nothing to do with this particular issue.

Quite simply, the protection mechanisms were not up to the level of the information being protected. That is not the users’ fault. They were using market standards, represented as being secure. For instance, it is admitted that Apple products were among those involved (and that is the example in some of our links). People have been told for almost a decade that the iOS and Apple ecosystem is much more secure than other environments. That may or may not be true, but it certainly doesn’t take into account the persistent, group effort that appears to have been involved in this episode, or some of the other criminal deviants working in groups online. We have met a few actresses and models, and many young people. They don’t think of risk in the same way security professionals do, and having them depend on standard technology alone is clearly insufficient against such a determined threat.

Consider: assume you live in a nice house. You’ve got windows, doors, and locks on those windows and doors. You likely have some kind of curtains or window coverings. If you live in a house, even a house with no yard, if you close your curtains we accept that as a request for privacy. If I walk up on the sidewalk and attempt to peer into your windows, that is being a “peeping tom.” Even though I might have every right to stand on the sidewalk, face the direction I’m looking, and stop or pause, I do not have the right to violate your privacy.

Consider: Your house has a nice solid door with a nice lock. That lock likely has orders of magnitude less entropy than a password. Every night you walk through your house, lock your doors, and you go to sleep believing you are likely safe. Yet, that lock and that door will not stop a group of determined, well-equipped attackers or likely even slow them down. The police will not arrive for some amount of time and effective self-protection against unexpected provocation by a gang is uncertain, at best. As a polite and law-abiding society, we respect the door and the lock, and expect others to do the same. We understand that the door and lock keep honest people honest. They set a barrier to entry for criminals. Burglaries still happen and we use the power of law to enact punishment against criminals, although many crimes go unsolved.

If an unauthorized entry to your house occurs, whether by picking the lock, climbing through the window, or discovering a loose set of boards in the wall, we would never blame you, the victim — it is clear that the person who entered, unbidden, was to blame. Some of our peers would try to blame the companies that made the locks and windows, rather than acknowledge the bad intent of the burglar. Too many people in information security tend to think we can always build better locks, or that having “white hats” continually picking locks somehow will lead to them being unpickable. Many are so enamored of the technology of those locks and the pastime of picking them that they will blame the victim instead of anything to do with the production or design of the locks themselves. (This is not a new phenomenon: Spafford wrote about this topic 22 years ago.)

One fundamental error here is that all locks are by design meant to be opened. Furthermore, the common thinking ignores the many failures (and subsequent losses) before any "super lock" might appear. We also observe that few will be able to afford any super-duper unpickable locks, or carry the 20-pound key necessary to operate them. Technological protections must be combined with social and legal controls to be effective.

This leads to our second major point.

Imagine if that burglary occurred at your house, and you suffered a major loss because the agent of the crime discovered your artwork or coin collection. We would not dream of blaming you for the loss, somehow implying that you were responsible by having your possessions stored in your house. If somebody were to say anything like that, we would reproach them for blaming/shaming the victim. Society in general would not try to castigate you for having possessions that others might want to steal.

Unfortunately, many computer professionals (and too many others, outside the profession) have the mindset that crimes on computers are somehow the fault of the victim (and this has been the case for many years). We must stop blaming the victims in cases such as this, especially when what they were doing was not illegal. We see criticism of their activities instead of the privacy invasion as blaming/shaming no less atrocious as that of how rape victims are treated — and that is also usually badly, unfortunately.

If we give users lousy technology and tell them it is safe, they use it according to directions, and they do not understand its limitations, they should not be blamed for the consequences. That is true of any technology. The fault lies with the providers and those who provide vague assurances about it. Too bad we let those providers get away with legally disclaiming all responsibility.

We are sympathetic to the argument that these exposures of images should perhaps be considered as a sex crime. They were acts of taking something without permission that violated the privacy and perceptions of safety of the victim for the sexual gratification and sense of empowerment of the perpetrator (and possibly also other reasons). Revenge porn, stalking, assault, and rape are similar...and we should not blame the victims for those acts, either. The sexually-themed abuse of female journalists and bloggers is also in this category -- and if you aren't aware of it, then you should be: women who write things online that some disagree with will get threats of violence (including rape), get abusive and pornographic messaging and images (deluges of it), and called incredibly offensive names...sometimes for years. It is beyond bullying and into something that should be more actively abhorred.

Some male members of the cyber security community are particularly bad in their treatment of women, too.

Between the two of us, Sam and Spaf, we have served as professors, counselors, and one of us (Liles) as a law enforcement officer; we have well over 50 years combined professional experience with both victims and bad behavior of their abusers. We have counseled female students and colleagues who have been stalked and harassed online for years. They keep encountering law enforcement officials and technologists who ask "What are you doing to encourage this?" None of them encourage it, and some live in real terror 24x7 of what their stalkers will do next. Some have had pictures posted that are mortifying to them and their loved ones, they've lost jobs, had to move, withdraw from on-line fora, lost relationships, and even change their names and those of their children. This can last for years.

Sexual offenders blame the victim to absolve themselves of responsibility, and thus, guilt. "She was acting suggestively," "she was dressed that way," etc. If the people around them chime in and blame the victim, they are excusing the criminal -- they are reinforcing the idea that somehow the victim provoked it and the abuser "obviously couldn't help himself.” They thus add unwarranted guilt and shame to the victim while excusing the criminal. We generally reject this with offenses against children, realizing that the children are not responsible for being abused. We must stop blaming all adult victims (mostly female, but others also get abused this way), too.

Victim blaming (and the offensively named slut shaming -- these aren't "sluts," they are victimized women) must STOP. Do you side with privacy rights and protection of the public, or with the rapists and abusers? There is no defendable middle ground in these cases.

We are also horrified by the behavior of some of the media surrounding this case. The crimes have been labeled as leaks, which trivializes the purposeful invasion and degradation performed. Many outlets provided links to the pictures, as did at least one well-known blogger. That illustrates everything wrong about the paparazzi culture, expressed via computer. To present these acts as somehow accidental (“leak”) and blame the victims not only compounds the damage, but glosses over the underlying story — this appears to be the result of a long-term criminal conspiracy of peeping toms using technologies to gather information for the purpose of attacking the privacy of women. This has allegedly been going on for years and law enforcement has apparently had almost no previous interest in the cases — why isn’t that the lead story? The purposeful exploitation of computer systems and exposure of people's private information is criminal. Some pundits only began to indicate concern when it was discovered that some of the pictures were of children.

It is clear we have a long way to go as a society. We need to do a better job of building strong technology and then deploying it so that it can be used correctly. We need to come up with better social norms and legal controls to hold miscreants accountable. We need better tools and training for law enforcement to investigate cyber crimes without also creating openings for them to be the ones who are regularly violating privacy. We need to find better ways of informing the public how to make cyber risk-related decisions.

But most of all, we need to find our collective hearts. Instead of idealizing and idolizing the technology with which we labor, deflecting criticisms for faults onto victims and vendors, we need to do a much better job of understanding the humanity — including both strengths and weaknesses — of the people who depend on that technology. The privacy violations, credit card fraud, espionage, harassment, and identity thefts all have real people as victims. Cyber security is, at its core, protecting people, and the sooner we all take that to heart, the better.

Patching is Not Security

Monday, May 26, 2014 by Prof. Spafford in General, Kudos, Opinions and Rants,

I have long argued that the ability to patch something is not a security “feature” — whatever caused the need to patch is a failure. The only proper path to better security is to build the item so it doesn’t need patching — so the failure doesn’t occur, or has some built-in alternative protection.

This is, by the way, one of the reasons that open source is not “more secure” simply because the source is available for patching — the flaws are still there, and often the systems don’t get patched because they aren’t connected to any official patching and support regime. Others may be in locations or circumstances where they simply cannot be patched quickly — or perhaps not patched at all. That is also an argument against disclosure of some vulnerabilities unless they are known to be in play — if the vulnerability is disclosed but cannot be patched on critical systems, it simply endangers those systems. Heartbleed is an example of this, especially as it is being found in embedded systems that may not be easily patched.

But there is another problem with relying on patching — when the responsible parties are unable or unwilling to provide a patch, and that is especially the case when the vulnerability is being actively exploited.

In late January, a network worm was discovered that was exploiting a vulnerability in Linksys routers. The worm was reported to the vendor and some CERT teams. A group at the Internet Storm Center analyzed the worm, and named it TheMoon. They identified vulnerabilities in scripts associated with Linksys E-series and N-series routers that allowed the worm to propagate, and for the devices to be misused.

Linksys published instructions on their website to reduce the threat, but it is not a fix, according to reports from affected users — especially for those who want to use remote administration. At the time, a posting at Linksys claimed a firmware fix would be published “in the coming weeks."

Fast forward to today, three months later, and a fix has yet to be published, according to Brett Glass, the discoverer of the original worm.

Complicating the fix may be the fact that Belkin acquired Linksys. Belkin does not have a spotless reputation for customer relations; this certainly doesn’t help. I have been copied on several emails from Mr. Glass to personnel at Belkin, and none have received replies. It may well be that they have decided that it is not worth the cost of building, testing, and distributing a fix.

I have heard that some users are replacing their vulnerable systems with those by vendors who have greater responsiveness to their customers’ security concerns. However, this requires capital expenses, and not all customers are in a position to do this. Smaller users may prefer to continue to use their equipment despite the compromise (it doesn’t obviously endanger them — as yet), and naive users simply may not know about the problem (or believe it has been fixed).

At this point we have vulnerable systems, the vendor is not providing a fix, the vulnerability is being exploited and is widely known, and the system involved is in widespread use. Of what use is patching in such a circumstance? How is patching better than having properly designed and tested the product in the first place?

Of course, that isn’t the only question that comes to mind. For instance, who is responsible for fixing the situation — either by getting a patch out and installed, or replacing the vulnerable infrastructure? And who pays? Fixing problems is not free.

Ultimately, we all pay because we do not appropriately value security from the start. That conclusion can be drawn from incidents small (individual machine) to medium (e.g., the Target thefts) to very large (government-sponsored thefts). One wonders what it will take to change that? How do we patch peoples’ bad attitudes about security — or better yet, how do we build in a better attitude?

Thoughts on the RSA Conference, Boycotts, and Babes

Sunday, April 06, 2014 by Prof. Spafford in General, Kudos, Opinions and Rants,

I’ve been delayed in posting this as I have been caught up in travel, teaching, and the other exigencies of my “day job,” including our 15th annual CERIAS Symposium. That means this posting is a little stale, but maybe it is also a little more complete.

I try to attend the RSA Conference every year. The talks are not usually that useful, but the RSAC is the best event to see what is new in the market, and to catch up with many of my colleagues (new and old), touch base with some organizations, see CERIAS alumni, sample both some exotic cuisines and questionable hors d'oeuvres, and replenish my T-shirt supply. It is a very concentrated set of activities that, when properly managed, fits in a huge set of conversations. My schedule for the week is usually quite full, and I am exhausted by the time I return home. This year, I was particularly worn out because I was recovering from a mild case of pneumonia. Still, I mostly enjoyed my week in San Francisco.

This year, there was a boycott, of sorts, against the conference by various parties who were upset at the purported collaboration of RSA with US government agencies many years ago. I’m not going to go into that here, but I think it (the boycott) was misguided. Not only is there no hard evidence that there was any actual weakening of any algorithms, but it was over a decade ago and at a time when both the national security climate and public sentiment were different than today. There is also the issue that companies are susceptible to legal pressures that are not easily dismissed. If there is any blame to accrue to RSA, it would be better directed to the company’s products than the conference. As it was, during my week there, I only saw about 30 seconds of protest — and the conference had (I believe) record attendance.

The conference really has three general components: the technical track, the exhibit floor, and the informal connections around everything else. I’ll address each separately. I have some particular comments about the use of “booth babes” on the exhibit floor.

Technical Track

The conference every year has scores (hundreds?) of talks, workshops, and panels, usually given by industry analysts, CEOs, and engineers, and by various government officials. It is not a scientific conference by any stretch of the imagination. Although marketing talks are strictly prohibited, one of the primary motivations of speakers is to get on stage to promote “their brand.” Often, the talks are filtered through a particular product point of view to reinforce the marketing pitch given elsewhere, or to sell a book, or to subtly promote the speaker’s usefulness as a consultant. Over the last decade I have attended many talks, but found few of them really informative, and several involved misinformation that was not challenged by anyone during the session. I have stopped sending in proposals for talks because my past proposals didn’t fare well — “too academic” was the judgement. I guess if I don’t pull a hacker out of my hat and make a database disappear, I’m not entertaining enough for this crowd considering overall conference attendance, which simply goes to my point about conference focus.

This year there was at least one partially informative session. I was asked at the last minute to fill in on a panel hosted by Gary McGraw. The panel attempted to address a topic that I spend several hour-long lectures covering in class: the classic Saltzer and Schoeder principles of secure design. The panel only covered four of the principles, and superficially, but I think the panel went okay. We had a small crowd.

I attended, briefly, a number of other sessions, but didn’t stay for any but one of them. Perhaps I am getting too cynical and jaded, but I didn’t find anything that was new and interesting; yes, a few things were new, but not surprising or even well-analyzed. I’m not sure it mattered for the audience.

The one session that I stayed for, and thoroughly enjoyed, was the closing session with Stephen Colbert. He was brilliant and funny. His off-the-cuff answers during the Q&A session was excellent all by itself — he not only displayed better than superficial knowledge of portions of the field, but he gave some very quick answers that showed some level of insight as well as humor. Not all of his answers went over with all of the crowd, but I think that showed he was giving some genuine answers of his own rather than trying to amuse.

Informal Connections

Lots of the real business at the conference really isn’t at the conference, but in the halls, hotels, restaurants, and bars in the vicinity. Companies hold both formal and informal receptions for past & future customers, everyone from CEOs to sales reps work out deals over dinner and drinks, analysts and commentators get news over lunch and finger foods, and employees are recruited in all sorts of venues. Some of the media conduct interviews with notable people (and some rather sketchy types). Organizations presented awards and recognized members at receptions (e.g., the ISSA honored their newest Fellows and Distinguished Fellows, and the (ISC)2 celebrated its 25th anniversary).

These connections are a major draw of the conference for me. I get to reconnect with people I don’t often get to see otherwise, and I also get to meet many others who I might not otherwise encounter. I get to hear about interesting stories that aren’t told to the general sessions, hear about new projects, and tell people about how they are missing out on hiring our great grads from CERIAS. I always return home with a stack of business cards with notes on them of things to send, lookup, and people to call.

This year was no different: I connected with over 30 people I had not seen in months…or years, and met another few score new. I missed running into several people I was hoping to see, but generally had a full schedule. Luckily, there are enough people who have yet to get the memos, and I was invited to some of the receptions. In several instances, I got to meet some people in person that I have only known via on-line persona. In other cases, I got to meet long-time friends and acquaintances who I never get to see often enough because of schedule issues. Some people I was hoping to see weren’t able to make it because of budget issues this year curtailing travel, which seems to have been a little more pronounced this year than the last couple of years, at least among my circle.

I should note that few academics attend this conference: the cost, even with a discounted admission, is significant, and combined with travel, hotel, and other expenses, it can take a sizable chunk out of a limited academic-sized budget. I saw a few colleagues in attendance, but we were all senior. In past years I have tried to cover the expenses for junior colleagues to attend at times in their careers where the possibility of networking with industry might be beneficial, but there is seldom enough unrestricted funding coming in to CERIAS (or me) to cover this on a regular basis.

Overall, I saw little impact from the “boycott.” In fact, I saw several people who spoke or attended the “boycott” event and were also present at the RSA events!

Exhibit Floor

The exhibition at the conference is huge. Nearly all major vendors — and several government entities, from several countries -- have booths of some sort. This year the booths covered both the North and South halls at Moscone Center — there were many hundreds of them. Walking the exhibit floor is mind (and foot) numbing, but I try to do it at least twice each year to be sure I get a good coverage of what is new and interesting…and what is not.

Some companies opt for large — even multistory — booths with lots of screens and demos. Others have small booths with simply a counter and some literature. Many new companies spend a fair amount for a booth to try to gain some market awareness of their products and services. I haven’t done a formal tally, but I’d guess that somewhere around 20% of the companies I see in any given year are no longer there 2 years later — either they fail or are acquired.

Overall, I didn’t see much that excited me as new or particular innovative. Again, that may simply be the longer perspective I bring to this. I remember the old National Computer Security Conferences in the 1990s as a sort of precursor to this, and the baseline trend is not a good one. In the 90s, the exhibitors were all about secure software development and hardened systems. In 2014, the majority of big vendors were flogging services to detect threats that get through all the defenses on Windows and Linux, recovery from break-ins, and other technologies that basically already concede some defeat. Of course, there were also trends — more about encryption, threat intelligence, big data, and securing “cloud” computing, for N different definitions of cloud. I think the best summary of the exhibits was given by Patrick Gray and Marcus Ranum (click the link to hear the audio): somewhat cynical, but dead on.

As I noted in my last blog entry here, the industry is continuing to focus on solving some of the wrong problems.

Flash and Booth Babes

With all those exhibitors on the floor, they are all seeking ways to place some branding with attendees, and to get people to stop by the booths for longer discussions (and to harvest addresses for later sales calls). Usually, this is with some form of giveaway item, such as pens, candy, or T-shirts with clever designs. Sometimes they have a notable security figure there autographing books. I certainly pick up my share of T-shirts and books, plus a few other items that I may use, but the majority of items I decline. The giveaway that amazes me the most is the free USB item that people gladly accept and plug into systems. This is a security conference in 2014 and people are doing that?? Consider that one of the vendors that seemed to be successful giving out a lot of USB sticks was Huawei…. simply wow.

Also annoying are the booths where the people can’t even answer simple questions about their companies. Instead, they want to scan my badge and have me sit through a presentation. No thank you. If you can’t tell me in 30 seconds what your company is about, then I’m not about to sit through 10 minutes of someone breathlessly extolling your “industry leading” approach to … whatever it is you do, and I certainly don’t want to sit through a WebEx presentation next month when I am right here with you now.

In an attempt to stand out, some vendors have gone in odd directions by trying to have some “flash” at the booth to bring people in. In prior years, I saw people in suits of armor and gorilla costumes. There have been booths with motorcycles and sports cars. This year, they had professional magicians, gymnasts, and even a ring with a boxing match! These are not items with branding that someone will walk away with and possibly display in the weeks to come, but simply an attempt to attract attention. It is fairly strange, and annoying, however. Why should those tell me anything about a product or security service, other than the company leadership thinks flash is more important than substance? How the heck do those displays relate to information security?

The most egregious example of this disconnect is the “booth babe.” These are when women (and rarely, men) — usually in some scanty outfit involving spandex — are on display to draw people into the booth. They are never themselves engineers or even in sales: there are agencies that hire out their staff to do this kind of thing. Heck, they can’t even answer basic questions about the company! I make it a point to try to talk to some of these people to see why they are at the booth, and I can’t recall an instance in the past few years where any of the women actually had a technical job within the company whose booth they “adorned."

Let me make clear that I appreciate attractive women. That has been my particular orientation for 45 years, and I am not unhappy with it (although I have always wished more of them appreciated me in return!) But more to the point, I appreciate all women — and men who exemplify achievement and dedication. I appreciate imagination. I appreciate professionalism. I do not appreciate attempts to lure me to a vendor through setting off fireworks, dangling shiny objects, or having women in short shorts trying to get me into the booth. It is insulting.

It is insulting to those of us who find women particularly attractive because it implies we need to be seduced in some way to pay attention to technical merit -- that we so lack self-awareness that such lures will overcome our judgement.
It is insulting to those of us who do not find women overly attractive, because it implies that we are somehow not part of the community if we aren’t affected by such displays.
It is insulting to those of us who are not skinny, or young, or …whatever, because it suggests those features are the values of the companies on display and the values that we are seeking.
In is insulting to the women who work in the field, especially the ones who work for those companies in technical positions, because it suggests their abilities and accomplishments are secondary to come-hither looks.

Simply put, it is the wrong message in the wrong context, and the people sending the message are seriously short of clue.

This kind of behavior is harmful to the field because it conveys a message that women are valued primarily because of their appearance, and it trivializes their intellectual contributions. I talked about this in a recent interview and recently wrote about how the field is skewed. We should not and cannot condone the negative messages.

Let me make it clear that I have no quibble with the women themselves who were involved in this — they were hired to put on costumes and be cheerful, to try to draw people in. Standing on concrete floors in 3” heels all day, in not enough clothing to stay warm with the A/C, and trying to be cheerful is not easy. Some of them are students, working to pay tuition, others are supporting children. In one case, the company receptionist and her friend were gamely hanging out in short-shorts to support her company in return for the trip to San Fran. In another case, a company had a beauty pagent winner present, dressed conservatively. She is a pleasant person, and uses her minor celebrity for some good causes, but I do not think that is why the company had her at their booth; I don’t fault her for that decision, however.

Across the exhibition I saw many women who were not on display. Some were in t-shirts and jeans. Some were in heels and dresses. (I asked a few, and it was their first RSA — few will wear heels a second time!) More importantly — it was their own choice, and not something imposed by management. They dressed to be comfortable —as themselves — and if asked technical questions, they were able to respond. Some were thoughtful, some tired, some funny — but all real and there to interact as members of the profession, not as window dressing. That is precisely how they should be treated, and how they want to be treated — as professional colleagues.

I know I’m not the only person who thinks the "booth babe" approach is wrong. I discussed this with several people I know, men and women, and the majority were bothered by it as well. I think the blog posts by Marcus Ranum and Chenxi Wang sum up some of the different reactions quite well. Winn Schwartau actually captured this and many of my other frustrations with the exhibits in one wonderful article.

My message to the vendors: start treating all of us as thinking adults. Focus on the value proposition of your products and services and you'll get a much better response.

Summary

I think it was overall a good experience. I hope to attend next year’s conference, and I look forward to seeing old and new friends, maybe hearing something innovative, and seeing a change in the way exhibitors are showing off their wares. We shall see.

Telling the Future, Looking at the Past: A Few Short Items

Sunday, March 02, 2014 by Prof. Spafford in General, Kudos, Opinions and Rants, Secure IT Practices,

I have continued to update my earlier post about women in cybersecurity. Recent additions include links to some scholarship opportunities offered by ACSA and the (ISC)² Foundation. Both scholarship opportunities have deadlines in the coming weeks, so look at them soon if you are interested.

The 15th Annual Security Symposium is less than a month away! Registration is still open but filling quickly. If you register for the Symposium, or for the 9th ICCWS held immediately prior, you can get a discount on the other event. Thus, you should think about attending both and saving on the registration costs! See the link for more details.

I periodically post an item to better define my various social media presences. If you follow me (Spaf) and either wonder why I post in multiple venues, or want to read even more of my musings, then take a look at it.

I ran across one of my old entries in this blog — from October 2007 — that had predictions for the future of the field. In rereading them, I think I did pretty well, although some of the predictions were rather obvious. What do you think?

Sometime in the next week or so (assuming the polar vortex and ice giants don’t get me) I will post some of my reflections on the RSA 2014 conference. However, if you want a sneak peek at what I think about what I saw on the display floor and after listening to some of the talks, you can read another of my old blog entries — things haven’t changed much.

We’re Out of Balance

Tuesday, January 07, 2014 by Prof. Spafford in General, Kudos, Opinions and Rants,

I’ve had several items cross my social media feeds, along with email, in the last few days that prompt me to write this. It’s gotten a bit longer than I intended, but there’s a lot to say on an important topic. As a first post to this blog in 2014, I think it is a good topic to address. It has to do with imbalance and bad behavior in the overall field of cybersecurity: the low percentage of women, and how they are sometimes treated.

Computing, as a field in the USA, has had a low and almost constantly decreasing percentage of women going into the field and staying. (The US is the primary focus of this blog entry; I believe the problem is similar in Canada, the UK, Australia, and others, but don’t have the data. Also, there is a corresponding problem with other traditional minorities, but that’s not what prompted this post and I hope to visit it later.). There are many reasons posited for this, many of which are likely somewhat to blame; there is no single, dominant reason, apparently. Many studies and reports have been conducted, experiments tried, and programs put into place, but few have made any measurable, long-term change. The problem is almost undoubtedly rooted in social behaviors and expectations because there are other cultures where the ratio of women to men is about 1:1, or even has women in larger percentages.

Cybersecurity is little different, and may be worse. I regularly speak at conferences, companies, and agencies where the room will have 30 men and one (or no) women. At events where there are speakers or panels, all the speakers and panelists are men. The few women attending often are simply the ones there processing registrations. And there are a nontrivial number of reports of women being groped and harassed at professional meetings (see, for instance, this). Also bad, women are frequently abused online as well as offline, and not only in security and computing. Many are reluctant to publish email addresses or contact info online because of unwanted, inappropriate content sent to them — no matter whether they’re 8 or 80.

(Right now, if you are thinking to yourself that there isn’t a real problem, that things are fine, and it is all a problem of some women who can’t take a joke, then you are part of the problem, and you need to shape up. Worse, if you think that women shouldn’t be upset about this status quo, instead they should get back to the kitchen, then you are so out of touch that I don’t know where to start. In either case, try telling that same thing to women doctors, pilots, police, firefighters, or better yet, to our many women in the military — especially when your safety is in their care. Then come back when you’ve healed up. If nothing else, at least keep in mind that there are legal reasons to treat people equally and with respect.)

Assuming you are actually living in the 21st century, let me assure you that the overall situation is a HUGE problem for us. As a field, and as a society this is bad because we have a shortage of talent that is getting worse with time. We also have some rather skewed and limited ideas of how to approach problems that might benefit from a more inclusive pool of designers and practitioners. And as human beings we should be concerned — especially those of us who are sons, brothers, fathers, and husbands — people who could be (and sometimes are) our mothers, sisters, daughters, and wives are being mistreated and demeaned. That simply isn’t right. Neither is it right that we are limiting the opportunities for individuals to learn, grow, and achieve.

Computing, security, privacy, creativity — those are all traits of the mind. Minds exist in all kinds of bodies, including those with other colors, more or fewer curves, different masses and volumes, varied ages, and some have less physical abilities than others. But that doesn’t change what is possible in their minds! We should applaud ability, dedication, and imagination wherever we find it. Discouraging women (or anyone with ability) from pursuing a career in computing, abusing them online, and groping them at conferences are all counterproductive to our own futures — as if rude and wrong wasn't enough. Cybersecurity and privacy are key areas where we need more insight and creativity — we should enhance it rather than diminish it.

No field is populated only with superstars and wild talents. That is especially true in IT. We hear about people with great accomplishments, and we like to think we’re special in our way, but the truth is that the field is too large for any individuals to master it. Success comes from teams, and the most successful teams are those that integrate many different viewpoints, backgrounds, and skill sets, and who respect their differences yet work with common goals. That includes bringing in people from different genders, ethnicities, ages, and more. Success is enhanced by diversity.

I’m not going to go through a longer litany of problems here, or try to analyze the situation further. I’ve been working with various women’s groups for over 20 years and I still don’t pretend to be able to understand all of what is happening. It is complex. However, I see the problem continuously when I look at our student body, when I visit professional meetings, and when I read reports. I know it is real.

What I can do, is offer some advice to those who care.

For Men

Here are some general tips that should be common sense.

Simple: be aware. Help others be aware. Don’t limit your involvement to this alone, but everything else flows from here.
If you have children, encourage them and their friends to consider computing in school. Be supportive of anyone trying an IT profession. Be positive and not condescending.
If you are a teacher/professor, don’t let the male students bully or harass the females. You are there to create a learning environment for everyone. Generally speaking, many women are less quick to respond to questions as they think about how to frame the answers, and they tend to let others speak without interruption; males generally are the opposite. Don’t let anyone be interrupted when speaking, and ensure that everyone gets a chance.
At a conference or professional meeting? Don’t assume that the women are less important than then men there -- especially if they look young! Address everyone equally. No one should be invisible. Would you want people to ignore you or trivialize what you had to say if you looked different than you do? Address the person, not the appearance.
Don’t ever touch a woman, without her clear uncoerced permission, in any manner that you would not touch a male authority figure. That is, would you touch your boss/professor/policeman in the same manner — without getting slugged/fired/arrested? Thus, shaking hands, fine. Catching someone if they stumble, fine. A greeting hug? Let her initiate it. Grabbing their butts? Definitely no. Use the same rule of thumb for language. Would you proposition a male policeman you just met?
As for language, think carefully about your adjectives. If you would be “firm” and “decisive” in what you do, don’t describe a woman colleague as “bitchy” if she acts similarly! If you are "aggressive" she is not “pushy.” Banish “overly emotional” and “moody” from the list, too.
Don’t set perceptions based on age. Women report that young male colleagues are often given opportunities to “prove themselves” or “learn the ropes” but they are not given the same opportunities because they are too young. Don’t either give or limit opportunities based on age or whether you think someone is attractive — either way, you are limiting what you could get and what they can do, and that is your loss.
Be polite to everyone. Manners matter, even if it doesn’t seem that way some times. Don’t treat any group differently than any other. This includes not making jokes about people to others, staring openly, etc. That’s maybe the norm in 3rd grade, but not in a professional context.
If you see someone else being gropy, rude, or otherwise inappropriate, speak up. (And “Attaway, bro!” is not the thing to say.) No, of course you are not defending someone weaker — you are chastising someone acting unprofessionally. That is because you should also do the same for anyone being rude to someone in a wheelchair, wearing a turban, with brown skin, with a missing limb, speaking with a lisp, or simply standing there. Being different is never an invitation to be abusive or rude. Report it to event organizers or management, too.
If you are invited to speak or appear on a panel at an event, ask who else has been invited. If they don’t seem to have invited (m)any women, suggest some and don’t agree to speak until they filled out the roster a little more. I have heard one good rule of thumb (which I try to follow) is not appear on a panel unless at least one woman is also on the panel. Help give other voices a chance to be heard.

Can’t think of any? Then either you aren’t paying attention or you are willfully ignoring the situation. Here’s a partial list of some of the better known women in the field of cybersecurity/privacy, all of whom I hold in great regard (and my apologies as there are many more I could list — these are off the top of my imperfect memory): Anita Jones, Dorothy Denning, Mary Ann Davidson, Window Snyder, Jean Camp, Elisa Bertino, Rhonda MacLean, Deborah Frincke, Melissa Hathaway, Chenxi Wang, Terry Benzel, Cristina Nita-Rotaru, Jeannette Wing, Cynthia Irvine, Lorrie Cranor, Dawn Song, Helen Wang, Cathy Meadows, Harriet Pearson, Diana Burley, Rebecca Herold, Shari Pfleeger, Shafi Goldwasser, Barbara Simons, Erin Jacobs, Becky Bace, Radia Perlman, Nuala O'Connor Kelly, Wendy Nather, Linda Northrup, Angela Sasse, Melissa, Dark, Susan Landau, Mischel Kwon, Phyllis Schneck, Carrie Gates, Katie Moussouris, Ronda Henning…. There are literally thousands more who are less senior but are likely to have interesting things to say. Simply look around. And if you’re organizing the event, consider this.
If you are a VC or senior executive, don’t automatically hire someone from the “good ol boys.” That you only think of men to fill senior positions may be a case of tunnel vision, as in the previous item. Look around. And don’t let implicit assumptions about age or gender drive your decision-making: leaders come in all shapes, sizes, and ages.
Besides giving opportunities to women to speak or lead, give them opportunities to fail without blanket condemnation. Everybody has limits and make mistakes. If you asked a young male employee to do something and he didn’t succeed, would you think to yourself “I never should have assigned that to a man”? Unless the task is peeing his name in a snowbank, gender doesn’t have anything to do with it (and if that is the tasking you give employees you have other serious problems to resolve).
In a professional setting, don’t exclude the women because you think they’ll be “offended” or that they’re “too sensitive.” They aren’t china dolls that are easily broken! Include them as part of your team and make them feel like part of it. We look at the world in different ways. If you’re concerned that jokes or activities might be offensive, then maybe those aren’t the right kind of team-building experiences you should be having. (For example, you don’t need to go out for beers to the strip bar on Friday to build team presence; going out to a nearby Irish pub or a restaurant will accomplish the same thing if what you are after is a social experience.) Do the same with students if that is your context.
Similarly, think about mentoring — be a positive mentor for colleagues and those junior to yourself, men as well as women. Offer it, but don’t force it (that’s what a mentor is: a voluntary guide).

The basic idea here is really embodied in #8. Be thoughtful and don't treat anyone as substantially different Instead, relate to every person as a professional. But most of all, speak up if you see someone getting picked on or treated badly, or if they aren’t getting encouragement they should. It’s like security and privacy itself — an attack on any link is an attack on the whole, and if a link falls we are all diminished.

For Women

As a general tip similar to the list above, don’t ever think you are the only one experiencing some of the things that happen. Don’t blame yourself, or wonder what it is you are doing wrong — that is sometimes a natural reaction when you are in the minority and everyone seems to react to you in a manner you don’t expect. Do push back on rude behavior, don’t be afraid to make it clear when limits are reached (or exceeded), and do consider reporting persistent or very rude misbehavior to event organizers or supervisors. Yes, it can sometimes have unexpected consequences, but without that negative feedback the behavior is likely to continue against you and others; evaluate your own tolerance for risk vs. harassment.

There is debate within many minority communities of whether aligning with self-interest groups is helpful. On the plus side, the mentoring, the support resources, and the sense of community can all be a big help. However, that also runs the risk of not sufficiently engaging in the mixed environment where one has to work, of developing unrealistic expectations based on anecdotal stories, and failing to help educate the majority in how to help. There seems to be enough positive “buzz” about some groups and their activities to warrant recommending them. Not all are likely to fit your own particular needs and interests, so check them out. If you know of some I have missed, please let me know so I can add them here.

ACM-W is generally for women in computing, world-wide, and provides community and resources. See their web page for more info. They have a mailing list to which you can subscribe, even if you have not (yet) joined ACM; computing professionals should consider joining the ACM.
There is a long list of organizations for computing, in general, at the Ada Project that I won’t try to duplicate — I suggest you look at it. (I will also note that I have heard some criticism of the Ada Project itself, so I am only recommending the list.)
The Ada Initiative is different from the Ada Project, above. It supports women in open software, and has a number of worthwhile resources.
The Anita Borg Institute. The ABI sponsors the annual Grace Hopper Celebration conference, which is worth attending, plus they do a lot more in events and activities, one of which is the Systers List.
The National Center for Women & Information Technology (NCWIT) has quite a few resources and activities.
The Computing Research Association’s CRA-W is directed to enhancing the careers of women in computing research
The ISSA has a SIG with multiple blogs, meetings, and resources. You must be an ISSA member to access them. They also have a private LinkedIn group. (Security professionals should give thought to joining ISSA)
I am told that ISACA is another organization in the security space to check out for their support and activities.
The Women’s Society of Cyberjutsu is a security-focused organization for women that seems to have a fair bit of momentum.

The (ISC)² is organizing a women’s special interest group. I have spoken with organizers , but am unsure of the status of it at this time.

The Women in Cyber Security conference will be held in April in Nashville. I know nothing about it other than what is on their web page, but it looks like it could be a great experience.

ACSA has a scholarship program for women in computing; multiple scholarships are available. The (ISC)² Foundation also has scholarships available.

Of course, please keep in mind that not all men are the same! Many want to do the right things but aren’t always sure what is appropriate. Help train a few. grin

Parting Thoughts

From a professional point of view, being a member of ACM and ISSA is good idea for anyone in the field, based simply on the value of the organizations. Both promote professionalism, community, and personal growth, and there are a variety of other benefits to membership. Both have steep discounts for student members. I am a long-standing member of both, and can recommend them.

Our society has a lot of problems with cybersecurity and privacy. New flaws show up, and old flaws don’t really get fixed. Parties ranging from individual criminals to nation-state organizations are all seeking ways to penetrate our systems and mess with our information. We need every good person we can get on board and working together if we hope to make progress. We should make every effort to enable that partnership.

Or think of it in these terms: if we can’t be trusted to protect and empower those within our own community, why should anyone trust us to protect anything else?

Updated 1/7: Added a few list items about mentoring and language, listed ISACA, small grammatical corrections.

Updated 1/8: Corrected several typos

Updated 1/10: Added ISSA group link. Added comment from Anita Jones; this is the memo she mentions in that comment.

Updated 1/14: Small grammatical corrections.

Updated 1/22: Added ACM-W page link

Updated 1/24: Added the Systers link

Updated 2/16: Added link to subscribe to the ACM-W list. Minor grammatical cleanup.

Updated 3/2: Added links to ACSA and (ISC)² scholarship information.

Updated 6/8: Added link to the Ada Initiative

If you have any additions or corrections to the above lists, please send me private email. Also note that, as usual, anonymous, spammy, or abusive feedback to the blog may not be published as is, if at all.

Recent Blogs

Blog Archive

Posts in Kudos, Opinions and Rants

Page Content

What is wrong with all of you? Reflections on nude pictures, victim shaming, and cyber security

Recent Blogs

Blog Archive