RSA/BSidesSF: The other side of the Violet Blue controversy

When I wrote a post about Violet Blue’s canceled BSidesSF talk the other day, I wanted to keep the focus tightly wound around one opinion that goes something like this: While I admire the work she does, I didn’t consider the talk she was scheduled to deliver pertinent to the issues infosec professionals were there to hear more about.

I still feel that way, and you can read my full explanation here. But there’s more to this story. Much more.

There was drama around how her talk was canceled, and it made a lot of people angry. Being the drama that it was, I wanted to ignore that aspect of things. Silly me.

A fair number of people disagreed with me, as I anticipated when I was writing it. With a couple exceptions, that disagreement was civil and respectful — more proof that the B-Sides crowd is a lot more reasonable than some people give them credit for.

There’s been a lot of talk this week about what BSides wants to be when it grows up; that some of the decisions being made were the result of a compulsive need to keep the vibe countercultural and youthful. I didn’t necessarily agree, and still don’t. My opinions on that are in the post “Some say #BSidesSF needs to grow up. Here’s what I say.” Though I remain a huge backer of B-Sides and the content, I agree the event is going through some pre-puberty confusion. That’s not an unfortunate thing. Every popular security event has gone through it, including RSA Conference, Black Hat, and ShmooCon, to name a few. It’s the natural order of things.

Regarding those growing pains, here are two of the observations I’ve heard about BSidesSF 2013, immediately followed by my reaction:

–Organizers were wrong to pull Violet Blue’s talk. Whether you agree with the content or not, once you put it on the agenda, you have to see it through. I agree with that statement. If you want it on the agenda in the first place, you have to own it. Retreating in the face of criticism from one person or group is wrong. I didn’t think her talk was infosec focused enough, but would never have called on organizers to scrub it. I just wouldn’t have gone, and would have offered the same opinion as in that first post.

Having said all that, it was Violet Blue herself who canceled the talk, which had to be a difficult, painful decision. She deserves a lot of credit for that. I can’t say it enough: This to me was never about the legitimacy of her work. It was simply about whether I thought her talk fit the infosec mold.

–Mental health matters, including the part about sex and drugs, are absolutely relevant because a person’s mental health has a direct impact on their ability to the job properly. I agree with that, too. Anyone who doubts that has never read my personal blog, which was started to break stigmas around depression and addiction in the first place. Of late, I’ve been hell-bent on spotlighting efforts in the infosec community to aid the mentally ill. One organizer told me that Violet Blue’s talk was absolutely relevant in that regard, and another organizer told me: “If depression has a place at infosec cons, so does conversation about sex and drugs.”

That’s a fair point that I take to heart. I still believe this talk, as advertised, was more about entertainment than anything else. I’m not going to change minds, nor do I want to. I believe what I believe, and if you think I’m full of it, I respect that.

I never see my opinions as the absolute only way. I’ve changed my opinion on issues before, and that’s healthy. If we’re brazen enough to venture an opinion in the first place, we have to be open to feedback that may well prove us wrong. My mind is unchanged on this topic, but that doesn’t mean I’m right. It’s simply what my gut tells me.

I’ve also learned that more often than not, the absolute truth in any matter usually lies somewhere in the middle of two extremes. I offer my opinion to jolt a discussion. I want mine and the other guy’s opposing view to be picked apart by the readers, debated over and over again and beaten to death because the fallout always moves us closer to the real truth.

One criticism I am going to dispute, though:

One commentator from the last post demanded I take it down because he or she found it offensive. The person then suggested my points were damaged goods because I’m a self-proclaimed devout Catholic. That person clearly doesn’t know me.

Sure, I periodically discuss my religious beliefs in the personal blog, but religion has never been a factor in my infosec opinions. Religion has no place in the security discussion. Call me a liar if you wish, and feel free to scan everything I’ve ever written in Salted Hash in search of a post about my religious beliefs. You won’t find anything, but I wish you luck, anyway.

The infosec community is a complex beast operated by an immense diversity of personality and beliefs. It’s difficult, if not impossible, to break down and simplify all the components. People generally accept that fact when it comes to technology itself. The human element is just as complicated. In fact, it’s more complicated. Knowing where to draw the line is a hopeless art.

That doesn’t mean we stop trying.