CreeperCard

At the latest Def Con, the annual hacker conference held in Las Vegas, there were presentations on hacking automotive network and control systems, remotely gaining control of consumer devices, and NSA snooping. But perhaps the most important discussion took place over a private email list, and it centered on unchecked sexism at the event. This is the second year in a row the “s” word has been thrown around, and I doubt it will be the last.

Awareness of the issue has been building. Last year, a group of women, tired of sexual harassment at Def Con, created “creeper” cards for women to give out to men who bothered them with unwanted and offensive attention. Many in the hacker community responded with a barrage of criticism, since hackers in general don’t take kindly to being told to play nice.

This year, however, it was a man on the aforementioned private email list, populated by some of the biggest names in hackerdom, who complained. He was disturbed by the antics during a Def Con-related game show called “Hacker Jeopardy” that featured a woman who removed articles of clothing when contestants answered correctly.

Yeah, “that’s just Vegas,” you might say. Unfortunately, this isn’t just a case of an out-of-control beer bash. It’s an annual tradition at the largest gathering of hackers and security professionals in the world. Top security researchers come to Def Con to present cutting-edge research into computer security threats and swap tales from the front lines. Younger hackers come to learn about new tools and techniques from their role models. In past years, federal officials showed up to recruit hackers to help with cyber security efforts, although this year, the feds were politely asked to stay away because of all that NSA surveillance mishegas.

Def Con is instrumental in shaping and defining hacker culture, as it bleeds from the teenage bedroom into the IT security offices of corporate America. It’s a culture and an industry that is in dire need of attracting more women, and not the naked variety.

Nevertheless, the culture has been changing. When I first attended in 1995, the few women there were mostly the girlfriends of attendees, usually referred to as “scene whores.” The numbers of female attendees have risen, but it’s still predominantly an XY geek event.

It’s one thing to be in the minority, and quite another to be subjected to lascivious entertainment you didn’t sign up for. That’s the complaint Dan Farmer had.

Farmer, who made a name for himself when he released a network security audit tool called SATAN in the mid-90s, hadn’t attended Def Con since those early days. This year he seemed to be enjoying the conference until he chanced upon Hacker Jeopardy, which he called “misogynistic bullshit.” The game, a hacker version of the popular “Jeopardy” TV game show, attempts to energize the crowd by including a prurient sideshow featuring an entertainer known as “Vinyl Vanna.” Apparently, this year the crowd was grousing, because contestants were mostly answering incorrectly. To pacify them, the emcee asked Vinyl Vanna to oblige anyway.

Farmer wrote a letter complaining to Def Con founder Jeff Moss and asked him to “make Def Con a place where women and young girls will be rewarded and want to go, not degraded and demeaned on stage with a bunch of guys cheering on strippers.” He emphasized that he’s “sex positive” but draws a line between what is “sexy” and what is “sexism.”

I asked Moss for comment and he said Vinyl Vanna has historically been a part of Hacker Jeopardy but that “game organizers set it up such that Vanna will never undress to more than what you might see at a nightclub in Vegas. Stripping is not permitted in the hotel.” He added that she was joined onstage by a man wearing a blue or green full body suit.

Moss explained that there are two Hacker Jeopardies at Def Con. One happens in the evening and is the one Farmer wrote him about; the other, a new PG-13 version targeted to 9-to-16-year-olds, occurred earlier in the day.

“Yes, we welcome everyone and have a very diverse population of not just genders but sexual orientations, with QueerCon being a popular party put on by community members for many years,” Moss wrote in an email. “Our goal is to create a safe place for everyone to hang out and learn.”

I’m no prude either. As I like to put it: “Annie Sprinkle – yes, Andrea Dworkin – no.” It’s about context. We all know there are strippers at Def Con parties, and I can choose not to go to those private events. But if I want to learn from some of the brightest security minds at a Def Con quiz show, should I really have to sit there and watch women egged on to strip? To those men who take the “boys will be boys” stance, would you want to go to an industry event where you were more valued for the size of your muscles than your ability to answer tough security questions?

I can see how some hackers might view this as an attack on their traditions and culture. But there’s a time and a place for strippers — you are hard pressed to ignore them in Vegas – and a Def Con sanctioned event isn’t it. The bigger problem isn’t whether or not someone should or shouldn’t be offended by seeing nude female flesh. The issue is what kind of culture does Def Con want to create?

Does it want to be inclusive, with presentations that appeal to a broad population, including women, or exclusive, with events that few if any women will attend, or where they will feel uncomfortable if they do? Not only does that kind of environment alienate women who might otherwise enjoy Hacker Jeopardy, it sends the wrong message to younger hackers. It suggests that women are more likely to make it onstage at Def Con if they strip than if they do topnotch security research.

This insensitivity contributes to the gender gap in the computer security industry. It’s a serious, self-perpetuating problem. The more women perceive hacking as male-oriented, the less likely they will enter the field, and the more likely men will consider it their exclusive domain.

The numbers back up the gender disparity. According to the U.S. Bureau of Labor Statistics, one-quarter of computer and information systems managers are women. As far as information security analysts specifically, there were only 44,000 in the census, such a low percentage it didn’t even register. Overall, women make up 47 percent of the professional workforce in the U.S., but only 28 percent fill core IT positions.

“This kind of activity discourages women,” Stephanie Fohn, CEO of WhiteHat Security, says about Hacker Jeopardy. “We all know there aren’t enough women in science and technology, and certainly not enough women overall in our industry.”

The key is reaching out to girls in junior high and high school to encourage them to go into these fields early, she says. “Girls get discouraged in middle school because being smart in math and science isn’t cool. And in universities, we need to let women know that these careers, while challenging, are fulfilling and lucrative.”

One such effort was born out of Def Con a few years back. The goal of Def Con Kids, renamed R00tz Asylum, is to teach “white hat” hacking skills and ethics to kids. Participants are evenly split between girls and boys, although 80 percent of the contest winners and speakers are girls. The non-profit was co-founded by 12-year-old CyFi, who exemplifies the girl power. She discovered a new class of mobile vulnerabilities affecting iOS, Android and BlackBerry platforms and was awarded a bug bounty from Samsung for finding a flaw in its smart TV.

Meanwhile, a program at New York University’s Polytechnic Institute, partially funded by the NSA, teaches computer security skills to girls in high school. The Open Web Application Security Project Foundation (OWASP) offers grants to help women in college or the workforce get training in application security. There also are efforts to recognize women who have made names for themselves in computer security. For instance, the Executive Women’s Forum gives out “Women of Influence” awards for the security industry.

I don’t mean to pick on computer security. Sexism isn’t just a problem at Def Con. It’s endemic to the male-dominated conference industry, where scantily clad booth babes are ubiquitous. Unlike most other industry shows, however, Def Con isn’t a typical event with vendors hawking products. It boasts edgy research presentations and security professionals, rather than salesmen and marketing slides.

There’s more substance at Def Con, and ostensibly more critical thinkers who should be capable of breaking with tradition. In fact, I would think hackers prefer to buck the stereotype of the sex-deprived loner who objectifies women instead of perpetuating it.

But Hacker Jeopardy, in its current form, promotes the negative stereotype of sexist hackers, who should seek to overturn that stereotype rather than blindly fulfill it.

[Image courtesy gruntzooki]