Security con harassment cuts both ways

There's a lot of discussion on Twitter about harassment at security conferences lately, sparked by a newly-announced harassment policy at Brucon. But is the debate too one-sided?

I've observed a lot of heated debate over harassment at security conferences in my day, especially the Las Vegas events. There are tales of date-rape drugs being snuck into people's drinks when they're not looking. There are stories of guys putting their hands where they don't belong. Now the debate has been rekindled by news that Brucon has adopted a harassment policy for its gathering next month.

Brucon -- two days of infosec training and presentations scheduled for Sept. 26-27 in Ghent, Belgium -- has posted the policy on it website. It reads, in part:

We do not tolerate harassment of conference participants in any form. Conference participants violating these rules may be sanctioned or expelled from the conference without a refund at the discretion of the conference organizers. Harassment includes offensive verbal comments related to gender, sexual orientation, disability, physical appearance, body size, race, religion and actions such as deliberate intimidation, stalking, following, harassing photography or recording, sustained disruption of talks or other events, inappropriate physical contact, and unwelcome sexual attention. Participants asked to stop any harassing behavior are expected to comply immediately.

The policy is being cheered by some folks who claim to have had their bad experiences, including the folks at The Ada Initiative, a site supporting women in open technology and culture. That site issued a challenge to conference organizers to adopt strict policies protecting women. That same site also has a post by Valerie Aurora in which she explains her reasons for skipping the most recent Defcon. She wrote:

This weekend was DEFCON 20, the largest and most famous hacker conference in the world. I didn’t go to DEFCON because I’m a woman, and I don’t like it when strangers grab my crotch. Every time I read about something cool happening at DEFCON, I wanted to jump on the next flight to Las Vegas. But I didn’t, because of my own bad experiences at DEFCON, and those of people like KC, a journalist and student in San Francisco who wrote about attending DEFCON 19:

Nothing could have prepared me for the onslaught of bad behavior I experienced. Like the man who drunkenly tried to lick my shoulder tattoo. Like the man who grabbed my hips while I was waiting for a drink at the EFF party. Like the man who tried to get me to show him my tits so he could punch a hole in a card that, when filled, would net him a favor from one of the official security staff.

Or the experience of one of my friends, who prefers to remain anonymous. At a recent DEFCON, while leaning over to get her drink at the bar, someone slid his hand up all the way between her legs and grabbed her crotch. When she turned around, the perpetrator had already disappeared into the crowd.

One problem I have with Valerie's post: She didn't attend the most recent Defcon. My discomfort is shared and summed up by Michael Schearer, owner and founder at Leverage Consulting & Associates, who wrote on his Facebook page the other day:

In all sincerity, considering the author of "DEFCON: Why conference harassment matters" hasn't been to DEFCON since 16, why should I listen? Are things better since DEFCON 16? Are they worse? The same? This article gives no context because she hasn't attended.

That said, I've heard from plenty of other people over the years who HAVE witnessed this kind of behavior. Some of them may have exaggerated details, but some of them I believe without reservation because I know them and their integrity.

I also know of people whose drinks were tainted with drugs in past years. It does happen. And when it does, it gives the entire hacking community a black eye.

But then most of the people who attend these events agree. It's always a small minority of punks who do these things.

Personally, I think it's great that Brucon has put forth a harassment policy. I just hope nobody abuses it, accusing someone of harassment because they simply don't like a person. That happens elsewhere, too.

I also hope people remember that this isn't just a problem for women. Men get harassed at these events too. It's not necessarily sexual, but it's there -- particularly when drunken disagreements ensue.

I don't claim to be the definitive voice on this subject. I have never, ever been harassed at a security conference. This post is based on what I've heard over the years from various sources.

I'd also like to point out that harassment isn't just a problem at hacker conferences. It happens everywhere.

We should keep this discussion going, because it IS important.

Copyright © 2012 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022