back to article In a world of infosec rockstars, shutting down sexual harassment is hard work for victims

Cassie was studying for the computer security industry qualification CISSP when the harassment started. A friend she had met at a nearby hacker meetup offered to help her prepare for the exams, and guide her through the world of infosec. "He asked me about what my goals are and offered to mentor me. He also offered to provide …

  1. Throatwarbler Mangrove Silver badge

    My prediction for this comment thread . . .

    . . . a bunch of victim-blaming and other commentary which validate the entire premise of the article.

    1. This post has been deleted by its author

    2. Crazy Operations Guy

      Re: My prediction for this comment thread . . .

      Yeah, I'm bracing for Blowhard Bob, or one of his identical clones, to burst in with his normal rhetoric about an "SJW Conspiracy" and how he is being persecuted. I can see it now, all full of randomly capitalized words and full of complaints about how everyone gets so offended these days (And completely lacking in self-awareness of how easily he gets offended).

    3. Anonymous Coward
      Anonymous Coward

      Re: My prediction for this comment thread . . .

      Harassment is a serious issue, but from personal experience, false accusations are also thrown about.

      Unscrupulous people kill careers undeservedly, so they can get ahead.

      The punishment for a false accusation should be equal to what is served out for a real one.

  2. idoxde

    The girl in the picture

    I see the hooded hacker girl in the picture forgot to put ger gloves on... Now it's only a mater of time when they hack her back by typing really fast until they get ACCESS GRANTED...

    1. Anonymous Coward
      Anonymous Coward

      Re: The girl in the picture

      No, they'd have to overclock the firewall to get past her encryption, impossible... unless they have a skull and crossbones screensaver, in which case game over.

    2. My-Handle

      Re: The girl in the picture

      Forget the gloves, she was daft enough to appear in a virtually identical picture in the splash image of another Reg article :). Now we can see her true face!

      [Cue sequence of tacky facial recognition animations and graphics, followed by a rapidly zooming-in map of her current location along with a mugshot and brief profile on one side of the screen]

      For reference, this article's image:

      1. The Man Who Fell To Earth Silver badge

        Re: The girl in the picture

        You can always tell the bad hackers from the good hackers by whether their hoodie is dark or light.

  3. Anonymous Coward
    Anonymous Coward

    A problem of the basic paranoid and secretive nature of cybersec

    Tools commonly used by harassers to make evidence gathering difficult are fairly common in the security world. Tools to cover one's tracks, and circumventing surveillance are extremely common in the cybersecurity world, especially when doing pen-testing and forensics type work. Just last year my local group had a problem with a harasser that was using all sorts of tools to cover their tracks, such as using tor, proxying through compromised servers. They were only caught when they were found hiding in the bedroom closet of one of their victims. They had found their victim's home after taking a pen test job at a place their victim had worked for in the past and they manged to get their hands on their background check records. Despite being caught red-handed in their victim's apartment, they were only found guilty of trespassing, and were sued in court for breach of contract for having used information gained from the penetration test. All the digital evidence the prosecution had was purely circumstantial, so their entire case rested on witness testimony, which since there weren't enough people willing to take stand against one of their peers, didn't exactly sway the jury. They had heavy encryption on their storage devices, and used ephemeral operating systems. The prosecution had a difficult time making their case because the tools that would be suspicious for a normal person to have, but would be suspicious if a security researcher to -not- have.

    I'm not saying those tools should be outlawed or their use restricted in anyway. What I am saying is that because of the nature of the industry, those in it need to be much more vigilant when it comes to harassment and to be much readier to take victims at their word instead of demanding evidence, because sometimes there just isn't any.

    For the record, the harasser had at it for several years and their harassment included all manner of things from basic lewd messages left to using a drone to pictures of her in her own apartment. One incident involved him breaking into her apartment, stealing her underwear, then having it sent to her place of work.

    //Anon because I testified against the harasser and they aren't too happy about their stay in the clink.

    1. Anonymous Coward
      Anonymous Coward

      Re: A problem of the basic paranoid and secretive nature of cybersec

      Brave soul, and well done for standing up to what's right.

      /anon for the same reasons, don't need a rabid mob coming after me.

    2. Jim Andrakakis

      Re: A problem of the basic paranoid and secretive nature of cybersec

      “ Anon because I testified against the harasser”

      (tips hat)

    3. Anonymous Coward
      Anonymous Coward

      Re: A problem of the basic paranoid and secretive nature of cybersec

      Sounds like the harrassers are highly skilled And talented and simply need to be offered a opportunity where they can utilize their passion for those skills in a less socially demonized application.

      Put them to work in the espionage industry. People of socially unpopular talents and skill sets and no socially acceptable way to express and hone those skillsets, will eventually find their perspective had adjustted to create justification to apply those skills.

      Human Motivation is like flowing water . You cannot stop it sustainably, eventually it will always find or create a new path, you can only redirect it safely by providing a legitimate path and environment in which those behaviors and mentalities are acceptable to perfect and practice.

      1. Anonymous Coward
        Anonymous Coward

        Re: A problem of the basic paranoid and secretive nature of cybersec

        Ugh, the "Idle hands are the devils playthings" excuse. That reasoning of why someone does something has been true. People will do bad things because they get something they want without expending effort and there is nothing discouraging them from doing it, neither legal nor social.

        Yes, humans want to do things, but we as a society need to show people that being a predator will not be accepted. We need to show others in our communities that such behavior will not be tolerated, and encourage people towards positive behaviors.

        Besides, he wasn't all that skilled, everything he did is something that everyone in the group learned years ago and are fairly basic techniques for a penetration tester (Covering tracks to avoid detection by logging and monitoring systems, using stolen identities to get around security procedures or elevate privilege, using weak systems to pivot an attack, and so on). The only remarkable skill he had was using those skills to be a shitty person. We have plenty of training materials and lab resources that if he did want to challenge himself, there were more than ample opportunities to do so, we also had plenty of open contracts that would keep someone occupied.

        What needed to happen to keep him from doing those things was people in his life teaching him how to act like a person and to hold him accountable when he strayed from those expectations. He needed to experience negative consequences for predatory behavior instead of it being excused as "Boys will be boys" or "He hurts you because he actually likes you!". Or that behavior being excused because they have some skill or talent that is valued by the group.

      2. Gaius

        Re: A problem of the basic paranoid and secretive nature of cybersec

        Sounds like the harrassers are highly skilled And talented and simply need to be offered a opportunity

        No. A fundamental personality trait of anyone working in security is that you can trust them to follow the rules/do the right thing, even if they think no one is watching. You watch them anyway, obv.

  4. veti Silver badge

    Why would you want a "rockstar"?

    "Rockstars" are notorious for every kind of bad behaviour. This is true in the musical genre that gave us the term, and it's an inherited trait in every other business that lets itself be beguiled by the same idea. By definition, they are people to whom the usual rules don't apply.

    Hackers, similarly, are often motivated by a dislike of rules. In some cases they try to act as if they don't apply, and have to be harshly reminded that they do, by those of us who value our peace. Many hackers secretly, or not so secretly, aspire to "rockstar" status as a sort of superpower that will allow them to transcend the frustrating limitations of mere mortals (which explains why that godawful sophomoric bilge The Matrix was so popular in certain circles).

    I will never willingly work with anyone who considers themself a "rockstar", or who aspires to be one. While this rule may make me miss out on a 1% chance of getting insanely rich, it will also spare me a 99% chance of getting brutally abused and/or set up to take the fall for a sociopath.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why would you want a "rockstar"?

      "Rockstars" let the fame and attention go to their heads, then they go cray-cray.


    2. Erebus_77

      Re: Why would you want a "rockstar"?

      Nickelback quite clearly laid out the reasons for wanting to be a rockstar. It's so we can live in hilltop houses, driving 15 cars, the girls come easy and the drugs come cheap and we'll all stay skinny 'cos we just won't eat

    3. Kevin McMurtrie Silver badge

      Re: Why would you want a "rockstar"?

      Every time I see a job posting for a "rockstar" it makes me want to do the interview trash talking, drinking, making irrational demands, and smashing things before leaving. It's tempting when they brag about using cutting-edge tech like Java 6, Spring, and Hadoop. "I'm sorry, but I DON'T REMEMBER WHAT JAVA 6 LOOKS LIKE. WHERE YOU EVEN BORN WHEN IT CAME OUT? DOES YOUR FATHER KNOW THAT YOU TOOK HIS SPRING FRAMEWORK?"

  5. Anonymous South African Coward Bronze badge

    Sad to hear that there' sstill people who won't take no for an answer.

    May they get their just desserts.

  6. Outer mongolian custard monster from outer space (honest)

    "The thing is, you never hear from the people that are quietly doing the work, because they are just doing the work," noted Quintin. "The people that are doing the work don't want the attention, they don't have time to go on stage, they do it quietly and they are not being recognized."


    1. Erik4872


      Second Dotcom Bubble conference culture is interesting. All those people up on stage at ToolCon 2019 love the attention. Being CTO of some startup means you have the unstated goal of having an architecture you can blog, tweet and con about. :-)

  7. Anonymous Coward
    Anonymous Coward

    I wanted to say

    so much about this post, but it would have turned into a book. A pointless book because I cannot think of an answer to this awful situation.

    I have tried to imagine the fear and pain that the victims must go through. I have failed. All I have managed to come up with is that something must be done. I cannot remember saying anything so pathetically useless in my life

    My heart goes out to the victims. (Though fat lot of good that will do them)


    1. sparklyboots

      Re: I wanted to say

      At least you care, that's more than most. The best anyone can do is to say something when they see it happening, for good men and women to protect others. :)

  8. Pascal Monett Silver badge

    It is disheartening

    It is disheartening and despicable to realize that we are in the 3rd Millennium CE and there are still men who treat women as objects to be acquired, without acknowledging that they are also people.

    I do not understand that mentality. If you really think a woman is just an object, then go buy yourself a Real Doll. You'll have exactly what you want and women will have what they want : not you.

  9. Anonymous Coward
    Anonymous Coward

    Just because you've got CISSP doesn't mean your are a hacker or anything like it.

    But many people in infosec do work on investigations and so are probably very aware of what is possible and to some extent how to cover their tracks. A bit like the police going criminal.

    I'm in the public sector and glad to say I haven't seen or even heard of this from my infosec peers. The women in our nitch are some of the most respected in it.

    1. Anonymous Coward
      Anonymous Coward

      CISSP is a management qualification - holders of it manage security departments (including physical security, fire suppression and so on). I would be surprised if any CISSP was doing hands-on technical work on a day-to-day basis. For that you would be looking for holders of SSCP, OSCP and suchlike.

    2. sparklyboots

      Tech lady here, thankfully most men are absolutely wonderful.

  10. sum_of_squares



    The problem with those debates is they are usually overly emotional and not very constructive. So let's all stay nice and well-collected, shall we? Come to think of it, let's just shout "she deserved it!" or "victim blaming!" (depending on your opinion), OK? ;-)


    Now let's go though this step-by-step:

    A dude finds a girl attractive, but she thinks he's a bit creepy or something. So she is "making it clear she is not interested", but nevertheless "the man continued to pester her with messages", "approaches her at infosec events" and even "invites himself over".

    Since the guy doesn't seem to respect her "no" there are different possibilities we should consider:

    1) The guy is a total freak, close to a rapist. This is what the article seems to suggests anyway. In this case she could call the police and get a warranty that he has to stay away from her.

    2) The girl didn't make herself as clear as she expected. It is not uncommon that people think they are clear when they just weren't. What to do here? See the next point.

    3) Another possibility: The guy is not very experienced with girls, has a crush on her and can't read her signs or thinks he will win her heart by being stubborn. For me this seems to be the most realistic scenario, since this happens all the time, especially with "nerdy" guys who naturally have spent more time in front of a screen than interacting with other people in RL. The best way to deal with this (for both of them!) is to overcome the first escape reflex and have a "real talk" to tell him that there is no way that she will get with him. And let's face it, most people (guys and girls alike) are terribly bad at this. It's not about "sending signals", it's about LITERALLY saying: "Dude, you are only a friend for me. I will NOT be your girlfriend. You are not my type. I am not interested in you physically. There are other men/women I find more attractive. Did you get it?". If she is unable to do this, she might consider bringing a friend with her. This is still fair play if she feels overly uncomfortable in a situation alone with him. It is NOT fair play, however, to avoid this conversation and trying to set up a whole community against him.

    1. Anonymous Coward
      Anonymous Coward

      Clearly, you have never been harrassed

      Someone who breaks into an apartment is not "being stubborn".

      1. sum_of_squares

        Re: Clearly, you have never been harrassed

        It's always nice to hear both sides, don't you think? I have seen more than one case where people tried to pull off a smear campaign. I'm not telling that she is a liar, I'm just telling that outsiders have no chance to tell if it's the truth or not. And that's exactly the reason why we all should public witch hunting like the plague. The whole idea of denouncing people within a scene based on hearesay is just very bad style and leads to very bad results. If someone is an idiot, go tell this person to eff** himself. If necessary call the coppers, put him into jail, put pepper spray in his face or whatever. And of course you can tell all you friends that this person is an idiot. But this is something completely different than trying to put someone on a public "walk of shame", which is exactly the solution some people suggest.

      2. Anonymous Coward
        Anonymous Coward

        Re: Clearly, you have never been harrassed

        agreed, breaking into someone's apt... wtf..

    2. Just Enough

      Not victim blaming, oh no.

      We understand your option 3. "Dude" is not a fault. "Girl" is at fault for not being clear and not accepting it's her responsibility to fix poor nerdy guy's understanding of how relationships work. But you aren't victim blaming.

      1. Bite my finger

        Re: Not victim blaming, oh no.

        And you aren't assuming the "victim" is ALWAYS in the right.

        1. sparklyboots

          Re: Not victim blaming, oh no.

          See I don't get this. Why would anyone lie about this? What's their motivation? They're gonna trash their reputation if they're found to be lying. This is just willful blindness and victim blaming. Yes it's happened, like 0000.5% of the time.

          I've been harassed. In my 20's I worked in a computer room, had to call the on call VP in to make a decision about a solaris machine, per protocol.

          He said "oh now everything seems fine, you fixed it" and slapped me on the butt, so hard it hurt the next day. Not like a pat, like assault.

          My first thought was "UGH, now I HAVE to do something, wtf why did you do that dude!?" Whatever HIS problem was, was now my problem, that's the most annoying part. Plus that sh*t hurt.

          It was found that 4 women complained about him before then when company policy was 3 strikes your out, but he was a VP. They investigated.

          All my AMAZING male coworkers (and female, they said he said stuff to them) spoke up too when they investigated internally. He was heard yelling when he got fired "Do you know who I AM?!" . He had 4 daughters... weird.

          tl;dr: Women don't *ask* for it. I dressed in jeans and tshirts, fyi. lol (like that should even be a question but just saying)

      2. sum_of_squares

        Re: Not victim blaming, oh no.

        You see, in modern society we have to PROVE someone is guilty. If two girls (who don't know each other) tell the same story about a guy we have a strong evidence. If the victim has mails, chats, pictures or witnesses (unbiased or even better unbeknownst to the victim) that's strong evidence.

        f course it can be frustrating if bad people get away with doing bad stuff, but if we can't prove anything we cannot automatically assume somone's guilty only because one person says so. Yes, that can be terribly frustrating sometimes, but that's how our society works. If I accuse someone I have the burden of proof, not the other way around.

        "Victim blaming" is something completely different. The first difference is that in victim blaming we have a victim in the first place. It sounds something like this: "Yeah she got harassed, but it's her fault for wearing a short skirt." You see the difference between this and "She claimed she was harassed, but she has no evidence."?

        The second difference is that victim blaming tries so discredit the victim. Something like this: "She is totally nuts, we can't believe her." This is another difference, because society says: "Yes, I want to believe her, but unless she has some sort of evidence this is yet unproven."

        As for your question why someone would do this: People (men and women alike) do all kind of crazy stuff. Or do you assume all women are good people? For many college teachers (especially in sports) there is this rule to never be alone with a girl under any circumstances. And this is first and foremost to protect the teacher, because there were many cases were girls claimed they were harassed, the teacher was fired and later it turned out that is was a false accusation. The problematic part is you don't even have to prove anything, you can totally ruin careers only by the loss of reputation that comes with such accusations. That's why we must stop whisper campaigns, in the long run they do more damage than good.

    3. Mike Moyle

      Taken from a recently-seen meme (probably paraphrased, since I don't have the thing right in front of me): "Too many guys fail to understand that the 'Friend Zone' is actually the 'I'm Trying to Get Away From You Without Pissing You Off Enough to Commit a Crime Against Me' Zone.' "

  11. John 73
    Thumb Up

    Thank you

    Just to say thanks very much to Shaun for writing this article, and to The Register for publishing it. All too often (as the article itself says), these actions are excused and ignored. Part of the answer is to admit what's been happening for so long and to talk about it, including in the media. So, keep up the good work!

  12. Cederic Silver badge

    whisper campaign

    Since my other post was rejected, I'll be more succinct:

    Do not start whisper campaigns. That's defamation and slander.

    1. Mike Moyle

      Re: whisper campaign

      "Do not start whisper campaigns. That's defamation and slander."

      Only if you can prove that what's being said is not true.

    2. First Light

      Re: whisper campaign

      Gossip has been the weapon of the powerless for millenia - its also the way of getting the word out to others to be wary of a particular individual when other options are unavailable. Look at the use of NDAs in harassment settlements eg "Sir" Philip Green, Harvey Weinstein, etc. Even when a victim has the courage to speak up and sue the harasser, they can end up forced to stay quiet.

  13. baud

    > This was certainly the case for Cassie, who said that after she finally stepped up and tweeted about the harassment she was receiving

    I think taking it in public might be the worst possible solution, since tempers will flare quite badly when doing it (even if it takes a good measure of courage to do it). The article didn't tell if other solutions were tried before it went to that (restraining order? Asking help from the organizer of the tech meetup?)

    Anyway f*ck those assholes who make life harder for everyone else

    1. Anonymous South African Coward Bronze badge

      Anyway f*ck those assholes who make life harder for everyone else

      Upvoted for that.

  14. Erik4872

    Rockstars get a free pass unfortunately

    It's not just infosec -- rockstar salespeople, rockstar executives, rockstar people-who-invented-your-billion-dollar product -- they all unfortunately get free passes. Google just paid an executive to go away to avoid further sexual harassment charges, and employees are reporting behavior from management that indicates anyone who's a rockstar will have any bad behavior ignored, paid for or worked around. Many of the companies I've worked for have justified leaving some rainmaker salesperson alone and letting him do whatever by offsetting his insane sales figures with cost of goods sold and still coming up with a very positive number. Same reason you pay out the salespersons' insane expense accounts -- what's a $1000 steak dinner compared to a million in insanely high margin revenue?

    Out of the sales/exec realm and into infosec/IT/development...there are just too many excuses companies can make for employees' bad behavior, and having a toxic personality is almost a badge of honor. Add to that the hero-worship culture and the secrecy/knowledge hoarding of infosec, and you've got quite a brew. I work with developers who happen to know a lot about various obscure systems that keep money flowing into our company...they're far from rockstars but they love the attention they get. Tech companies seem to be willing to go even further. If you're at a FAANG company, Microsoft, etc. and your stuff generates enough revenue, they'll just put a staff of handlers in front of you. (Saw this first-hand dealing with a couple of geniuses who built an Azure service our company is using.)

    It's time to get rid of nerd culture and make people at least adhere to basic social norms. I know that's going to upset a lot of "freedom-loving" people who feel they can say whatever they want. But, if I went around making some of my opinions about our company known, I wouldn't be working there very long.

    1. Anonymous Coward
      Anonymous Coward

      Re: Rockstars get a free pass unfortunately

      It's time to get rid of nerd culture

      Nerd culture is fine. Your beef is with techbros. Nerds would be glad to get rid of them too.

  15. JoMe

    There's really two premises in terms of harrasment here..

    First type, which is abhorrent, is the described form. Unwanted advances clearly rebuffed. No problem with that being labelled harassment.

    The second type - "this for that" - I get frustrated hearing about. For example, starlets complaining that some movie bigshot gave them a break - their big break as it turns out - for sex. It's a simple transaction that they could have refused, but then no big break. How many women have gotten a break and landed their dream career because of "this for that", and then go on to complain that they were harassed? Far too many. If you willingly engaged, and then gained from the encounter, I'm sorry but you don't get to gripe about it later.

    The other problem we have is what counts as harassment. To some women, you don't even need to do more than looking in their direction to be a sexual predator. This demeans and undermines the real cases of harassment and rape, and I wish that would be nipped in the bud.

    1. diodesign (Written by Reg staff) Silver badge

      "I'm sorry but you don't get to gripe about it later."

      Er, yes, you absolutely do get to gripe about it - how you were coerced into doing something you really didn't want to do simply just to work in the career of your choice. Some of us just fill out an application form and go through interviews. Some people have to, well, you get the idea.

      This is exactly the sort of thing you should complain about. Loudly. Repeatedly. Until the abuse stops.


      1. JoMe

        Re: "I'm sorry but you don't get to gripe about it later."

        "Er, yes, you absolutely do get to gripe about it - how you were coerced into doing something you really didn't want to do simply just to work in the career of your choice. Some of us just fill out an application form and go through interviews. "

        It's a choice that the skilled don't need to make. The unskilled, people who would never have a career in that line, are the ones faced with a choice. You aren't forced to say yes; but note if you say no that you'll have to stand on your own merit. Clearly that's not always enough, as can be evidenced in pretty much every complainants early career: the clear lack of ability is easy to see. But, instead of learning the ropes, coming up through other means where by they can learn the skills they lack, they CHOSE the easy alternative.

        It's exactly the same when some pretty girl flirts with you for a free beer. They don't have money to spend on getting drunk, so they flap their assets. Same in a casino when someone is winning big: all the girls come around.

        Don't try make out as though there was no beneficial return here. Damn, if I had lady parts myself I'd be making a play at becoming a high paid movie star, and no problem using those ass...ets... to get it.

        1. Anonymous Coward
          Anonymous Coward

          Re: "I'm sorry but you don't get to gripe about it later."

          This is more about you not using your 'assets' and being harassed because you're not.

  16. Denarius Silver badge

    slightly off topic but

    Well done El Reg. I am aware of a leading linux female in this burg being harassed by a visiting Open Sauce character. She found out she was not alone and inside the community his harassment was well known and ignored seemly due to his status. In $WORK days, especially in "politically sensitive" jobs, whistleblowers or mere complainers were set upon the by the PHB and self-appointed clevers mobs if the Cause or local/cult Great Leader was maligned. This behavior of circling the wagons is the current incarnation of tribalism. Perhaps the mitigation ( I doubt there can be a cure for the human condition) is recovery of the citizen concept. How this is to be done I have no idea. I note the current concept of citizen by the wokes is more a mindless conformity to the shoutiest of the most easily offended.

  17. EGeee

    An age-old problem....

    Speaking as a woman, and as a techie, I can confirm that a large part of why close-knit groups of males tend to shout down or ignore accusations of sexual misconduct and harassment is that men don't know if their other male friends are badly behaved towards woman. In a sort of reverse confirmation bias, they simply don't see these problem men outside of the sausage-heavy environments they know them from. As a result, they rarely see the men in question interact with women. They're certainly never on the receiving end.

    Add to this a large number of men who aren't making women uncomfortable with their behaviour due to power play or maliciousness. They simply don't know how to interact with women, having spent their life in male-centric environments.

    Another issue is the human tendency not to believe bad things you're told about your friends, especially where the report is coming from a third party you don't know well. This is something we can all be guilty of in the right circumstances.

    Of course the only effective way to improve the situation is to increase the numbers of woman in cybersecurity.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like