My prediction for this comment thread . . .
. . . a bunch of victim-blaming and other commentary which validates the entire premise of the article.
Cassie was studying for the computer security industry qualification CISSP when the harassment started. A friend she had met at a nearby hacker meetup offered to help her prepare for the exams, and guide her through the world of infosec. "He asked me about what my goals are and offered to mentor me. He also offered to provide …
Yeah, I'm bracing for Blowhard Bob, or one of his identical clones, to burst in with his normal rhetoric about an "SJW Conspiracy" and how he is being persecuted. I can see it now, all full of randomly capitalized words and full of complaints about how everyone gets so offended these days (And completely lacking in self-awareness of how easily he gets offended).
Harassment is a serious issue, but from personal experience, false accusations are also thrown about.
Unscrupulous people kill careers undeservedly, so they can get ahead.
The punishment for a false accusation should be equal to what is served out for a real one.
Forget the gloves, she was daft enough to appear in a virtually identical picture in the splash image of another Reg article :). Now we can see her true face!
[Cue sequence of tacky facial recognition animations and graphics, followed by a rapidly zooming-in map of her current location along with a mugshot and brief profile on one side of the screen]
https://search.theregister.co.uk/?q=watch+online+today+boost+innovation&advanced=1&author=&date=the+dawn+of+time&results_per_page=20
https://regmedia.co.uk/2018/09/14/femalecoder.jpg?x=328&y=218&crop=1
For reference, this article's image:
https://regmedia.co.uk/2019/10/11/shutterstock_woman_cliche_hacker.jpg
Tools commonly used by harassers to make evidence gathering difficult are fairly common in the security world. Tools to cover one's tracks, and circumventing surveillance are extremely common in the cybersecurity world, especially when doing pen-testing and forensics type work. Just last year my local group had a problem with a harasser that was using all sorts of tools to cover their tracks, such as using Tor, proxying through compromised servers. They were only caught when they were found hiding in the bedroom closet of one of their victims. They had found their victim's home after taking a pen test job at a place their victim had worked for in the past and they managed to get their hands on their background check records. Despite being caught red-handed in their victim's apartment, they were only found guilty of trespassing, and were sued in court for breach of contract for having used information gained from the penetration test. All the digital evidence the prosecution had was purely circumstantial, so their entire case rested on witness testimony, which since there weren't enough people willing to take the stand against one of their peers, didn't exactly sway the jury. They had heavy encryption on their storage devices, and used ephemeral operating systems. The prosecution had a difficult time making their case because the tools would be suspicious for a normal person to have, but it would be suspicious for a security researcher to -not- have them.
I'm not saying those tools should be outlawed or their use restricted in any way. What I am saying is that because of the nature of the industry, those in it need to be much more vigilant when it comes to harassment and to be much readier to take victims at their word instead of demanding evidence, because sometimes there just isn't any.
For the record, the harasser had at it for several years and their harassment included all manner of things from basic lewd messages left to using a drone to take pictures of her in her own apartment. One incident involved him breaking into her apartment, stealing her underwear, then having it sent to her place of work.
//Anon because I testified against the harasser and they aren't too happy about their stay in the clink.
Sounds like the harassers are highly skilled and talented and simply need to be offered an opportunity where they can utilize their passion for those skills in a less socially demonized application.
Put them to work in the espionage industry. People of socially unpopular talents and skill sets and no socially acceptable way to express and hone those skillsets, will eventually find their perspective had adjusted to create justification to apply those skills.
Human Motivation is like flowing water. You cannot stop it sustainably, eventually it will always find or create a new path, you can only redirect it safely by providing a legitimate path and environment in which those behaviors and mentalities are acceptable to perfect and practice.
Ugh, the "Idle hands are the devil's playthings" excuse. That reasoning of why someone does something has been true. People will do bad things because they get something they want without expending effort and there is nothing discouraging them from doing it, neither legal nor social.
Yes, humans want to do things, but we as a society need to show people that being a predator will not be accepted. We need to show others in our communities that such behavior will not be tolerated, and encourage people towards positive behaviors.
Besides, he wasn't all that skilled, everything he did is something that everyone in the group learned years ago and are fairly basic techniques for a penetration tester (Covering tracks to avoid detection by logging and monitoring systems, using stolen identities to get around security procedures or elevate privilege, using weak systems to pivot an attack, and so on). The only remarkable skill he had was using those skills to be a shitty person. We have plenty of training materials and lab resources that if he did want to challenge himself, there were more than ample opportunities to do so, we also had plenty of open contracts that would keep someone occupied.
What needed to happen to keep him from doing those things was people in his life teaching him how to act like a person and to hold him accountable when he strayed from those expectations. He needed to experience negative consequences for predatory behavior instead of it being excused as "Boys will be boys" or "He hurts you because he actually likes you!". Or that behavior being excused because they have some skill or talent that is valued by the group.
> Sounds like the harassers are highly skilled and talented and simply need to be offered an opportunity
No. A fundamental personality trait of anyone working in security is that you can trust them to follow the rules/do the right thing, even if they think no one is watching. You watch them anyway, obv.
"Rockstars" are notorious for every kind of bad behaviour. This is true in the musical genre that gave us the term, and it's an inherited trait in every other business that lets itself be beguiled by the same idea. By definition, they are people to whom the usual rules don't apply.
Hackers, similarly, are often motivated by a dislike of rules. In some cases they try to act as if they don't apply, and have to be harshly reminded that they do, by those of us who value our peace. Many hackers secretly, or not so secretly, aspire to "rockstar" status as a sort of superpower that will allow them to transcend the frustrating limitations of mere mortals (which explains why that godawful sophomoric bilge The Matrix was so popular in certain circles).
I will never willingly work with anyone who considers themself a "rockstar", or who aspires to be one. While this rule may make me miss out on a 1% chance of getting insanely rich, it will also spare me a 99% chance of getting brutally abused and/or set up to take the fall for a sociopath.
Every time I see a job posting for a "rockstar" it makes me want to do the interview trash talking, drinking, making irrational demands, and smashing things before leaving. It's tempting when they brag about using cutting-edge tech like Java 6, Spring, and Hadoop. "I'm sorry, but I DON'T REMEMBER WHAT JAVA 6 LOOKS LIKE. WERE YOU EVEN BORN WHEN IT CAME OUT? DOES YOUR FATHER KNOW THAT YOU TOOK HIS SPRING FRAMEWORK?"
"The thing is, you never hear from the people that are quietly doing the work, because they are just doing the work," noted Quintin. "The people that are doing the work don't want the attention, they don't have time to go on stage, they do it quietly and they are not being recognized."
Amen.
so much about this post, but it would have turned into a book. A pointless book because I cannot think of an answer to this awful situation.
I have tried to imagine the fear and pain that the victims must go through. I have failed. All I have managed to come up with is that something must be done. I cannot remember saying anything so pathetically useless in my life.
My heart goes out to the victims. (Though fat lot of good that will do them)
Ishy
It is disheartening and despicable to realize that we are in the 3rd Millennium CE and there are still men who treat women as objects to be acquired, without acknowledging that they are also people.
I do not understand that mentality. If you really think a woman is just an object, then go buy yourself a Real Doll. You'll have exactly what you want and women will have what they want : not you.
Just because you've got CISSP doesn't mean you are a hacker or anything like it.
But many people in infosec do work on investigations and so are probably very aware of what is possible and to some extent how to cover their tracks. A bit like the police going criminal.
I'm in the public sector and glad to say I haven't seen or even heard of this from my infosec peers. The women in our niche are some of the most respected in it.
CISSP is a management qualification - holders of it manage security departments (including physical security, fire suppression and so on). I would be surprised if any CISSP was doing hands-on technical work on a day-to-day basis. For that you would be looking for holders of SSCP, OSCP and suchlike.
DISCLAIMER
***
The problem with those debates is they are usually overly emotional and not very constructive. So let's all stay nice and well-collected, shall we? Come to think of it, let's just shout "she deserved it!" or "victim blaming!" (depending on your opinion), OK? ;-)
***
Now let's go through this step-by-step:
A dude finds a girl attractive, but she thinks he's a bit creepy or something. So she is "making it clear she is not interested", but nevertheless "the man continued to pester her with messages", "approaches her at infosec events" and even "invites himself over".
Since the guy doesn't seem to respect her "no" there are different possibilities we should consider:
1) The guy is a total freak, close to a rapist. This is what the article seems to suggest anyway. In this case she could call the police and get a warranty that he has to stay away from her.
2) The girl didn't make herself as clear as she expected. It is not uncommon that people think they are clear when they just weren't. What to do here? See the next point.
3) Another possibility: The guy is not very experienced with girls, has a crush on her and can't read her signs or thinks he will win her heart by being stubborn. For me this seems to be the most realistic scenario, since this happens all the time, especially with "nerdy" guys who naturally have spent more time in front of a screen than interacting with other people in RL. The best way to deal with this (for both of them!) is to overcome the first escape reflex and have a "real talk" to tell him that there is no way that she will get with him. And let's face it, most people (guys and girls alike) are terribly bad at this. It's not about "sending signals", it's about LITERALLY saying: "Dude, you are only a friend for me. I will NOT be your girlfriend. You are not my type. I am not interested in you physically. There are other men/women I find more attractive. Did you get it?". If she is unable to do this, she might consider bringing a friend with her. This is still fair play if she feels overly uncomfortable in a situation alone with him. It is NOT fair play, however, to avoid this conversation and trying to set up a whole community against him.
It's always nice to hear both sides, don't you think? I have seen more than one case where people tried to pull off a smear campaign. I'm not telling that she is a liar, I'm just telling that outsiders have no chance to tell if it's the truth or not. And that's exactly the reason why we all should avoid public witch hunting like the plague. The whole idea of denouncing people within a scene based on hearsay is just very bad style and leads to very bad results. If someone is an idiot, go tell this person to eff** himself. If necessary call the coppers, put him into jail, put pepper spray in his face or whatever. And of course you can tell all your friends that this person is an idiot. But this is something completely different than trying to put someone on a public "walk of shame", which is exactly the solution some people suggest.
See I don't get this. Why would anyone lie about this? What's their motivation? They're gonna trash their reputation if they're found to be lying. This is just willful blindness and victim blaming. Yes it's happened, like 0000.5% of the time.
I've been harassed. In my 20's I worked in a computer room, had to call the on call VP in to make a decision about a Solaris machine, per protocol.
He said "oh now everything seems fine, you fixed it" and slapped me on the butt, so hard it hurt the next day. Not like a pat, like assault.
My first thought was "UGH, now I HAVE to do something, wtf why did you do that dude!?" Whatever HIS problem was, was now my problem, that's the most annoying part. Plus that sh*t hurt.
It was found that 4 women complained about him before then when company policy was 3 strikes you're out, but he was a VP. They investigated.
All my AMAZING male coworkers (and female, they said he said stuff to them) spoke up too when they investigated internally. He was heard yelling when he got fired "Do you know who I AM?!" . He had 4 daughters... weird.
tl;dr: Women don't *ask* for it. I dressed in jeans and tshirts, fyi. lol (like that should even be a question but just saying)
You see, in modern society we have to PROVE someone is guilty. If two girls (who don't know each other) tell the same story about a guy we have a strong evidence. If the victim has mails, chats, pictures or witnesses (unbiased or even better unbeknownst to the victim) that's strong evidence.
Of course it can be frustrating if bad people get away with doing bad stuff, but if we can't prove anything we cannot automatically assume someone's guilty only because one person says so. Yes, that can be terribly frustrating sometimes, but that's how our society works. If I accuse someone I have the burden of proof, not the other way around.
"Victim blaming" is something completely different. The first difference is that in victim blaming we have a victim in the first place. It sounds something like this: "Yeah she got harassed, but it's her fault for wearing a short skirt." You see the difference between this and "She claimed she was harassed, but she has no evidence."?
The second difference is that victim blaming tries to discredit the victim. Something like this: "She is totally nuts, we can't believe her." This is another difference, because society says: "Yes, I want to believe her, but unless she has some sort of evidence this is yet unproven."
As for your question why someone would do this: People (men and women alike) do all kinds of crazy stuff. Or do you assume all women are good people? For many college teachers (especially in sports) there is this rule to never be alone with a girl under any circumstances. And this is first and foremost to protect the teacher, because there were many cases where girls claimed they were harassed, the teacher was fired and later it turned out that it was a false accusation. The problematic part is you don't even have to prove anything, you can totally ruin careers only by the loss of reputation that comes with such accusations. That's why we must stop whisper campaigns, in the long run they do more damage than good.
Just to say thanks very much to Shaun for writing this article, and to The Register for publishing it. All too often (as the article itself says), these actions are excused and ignored. Part of the answer is to admit what's been happening for so long and to talk about it, including in the media. So, keep up the good work!
Gossip has been the weapon of the powerless for millennia - it's also the way of getting the word out to others to be wary of a particular individual when other options are unavailable. Look at the use of NDAs in harassment settlements eg "Sir" Philip Green, Harvey Weinstein, etc. Even when a victim has the courage to speak up and sue the harasser, they can end up forced to stay quiet.
> This was certainly the case for Cassie, who said that after she finally stepped up and tweeted about the harassment she was receiving
I think taking it in public might be the worst possible solution, since tempers will flare quite badly when doing it (even if it takes a good measure of courage to do it). The article didn't tell if other solutions were tried before it went to that (restraining order? Asking help from the organizer of the tech meetup?)
Anyway f*ck those assholes who make life harder for everyone else
It's not just infosec -- rockstar salespeople, rockstar executives, rockstar people-who-invented-your-billion-dollar product -- they all unfortunately get free passes. Google just paid an executive to go away to avoid further sexual harassment charges, and employees are reporting behavior from management that indicates anyone who's a rockstar will have any bad behavior ignored, paid for or worked around. Many of the companies I've worked for have justified leaving some rainmaker salesperson alone and letting him do whatever by offsetting his insane sales figures with cost of goods sold and still coming up with a very positive number. Same reason you pay out the salespersons' insane expense accounts -- what's a $1000 steak dinner compared to a million in insanely high margin revenue?
Out of the sales/exec realm and into infosec/IT/development...there are just too many excuses companies can make for employees' bad behavior, and having a toxic personality is almost a badge of honor. Add to that the hero-worship culture and the secrecy/knowledge hoarding of infosec, and you've got quite a brew. I work with developers who happen to know a lot about various obscure systems that keep money flowing into our company...they're far from rockstars but they love the attention they get. Tech companies seem to be willing to go even further. If you're at a FAANG company, Microsoft, etc. and your stuff generates enough revenue, they'll just put a staff of handlers in front of you. (Saw this first-hand dealing with a couple of geniuses who built an Azure service our company is using.)
It's time to get rid of nerd culture and make people at least adhere to basic social norms. I know that's going to upset a lot of "freedom-loving" people who feel they can say whatever they want. But, if I went around making some of my opinions about our company known, I wouldn't be working there very long.
First type, which is abhorrent, is the described form. Unwanted advances clearly rebuffed. No problem with that being labelled harassment.
The second type - "this for that" - I get frustrated hearing about. For example, starlets complaining that some movie bigshot gave them a break - their big break as it turns out - for sex. It's a simple transaction that they could have refused, but then no big break. How many women have gotten a break and landed their dream career because of "this for that", and then go on to complain that they were harassed? Far too many. If you willingly engaged, and then gained from the encounter, I'm sorry but you don't get to gripe about it later.
The other problem we have is what counts as harassment. To some women, you don't even need to do more than looking in their direction to be a sexual predator. This demeans and undermines the real cases of harassment and rape, and I wish that would be nipped in the bud.
Er, yes, you absolutely do get to gripe about it - how you were coerced into doing something you really didn't want to do simply just to work in the career of your choice. Some of us just fill out an application form and go through interviews. Some people have to, well, you get the idea.
This is exactly the sort of thing you should complain about. Loudly. Repeatedly. Until the abuse stops.
C.
"Er, yes, you absolutely do get to gripe about it - how you were coerced into doing something you really didn't want to do simply just to work in the career of your choice. Some of us just fill out an application form and go through interviews. "
It's a choice that the skilled don't need to make. The unskilled, people who would never have a career in that line, are the ones faced with a choice. You aren't forced to say yes; but note if you say no that you'll have to stand on your own merit. Clearly that's not always enough, as can be evidenced in pretty much every complainant's early career: the clear lack of ability is easy to see. But, instead of learning the ropes, coming up through other means whereby they can learn the skills they lack, they CHOSE the easy alternative.
It's exactly the same when some pretty girl flirts with you for a free beer. They don't have money to spend on getting drunk, so they flap their assets. Same in a casino when someone is winning big: all the girls come around.
Don't try to make out as though there was no beneficial return here. Damn, if I had lady parts myself I'd be making a play at becoming a high paid movie star, and no problem using those ass...ets... to get it.
Well done El Reg. I am aware of a leading Linux female in this burg being harassed by a visiting Open Sauce character. She found out she was not alone and inside the community his harassment was well known and ignored seemingly due to his status. In $WORK days, especially in "politically sensitive" jobs, whistleblowers or mere complainers were set upon by the PHB and self-appointed clevers mobs if the Cause or local/cult Great Leader was maligned. This behavior of circling the wagons is the current incarnation of tribalism. Perhaps the mitigation (I doubt there can be a cure for the human condition) is recovery of the citizen concept. How this is to be done I have no idea. I note the current concept of citizen by the wokes is more a mindless conformity to the shoutiest of the most easily offended.
Speaking as a woman, and as a techie, I can confirm that a large part of why close-knit groups of males tend to shout down or ignore accusations of sexual misconduct and harassment is that men don't know if their other male friends are badly behaved towards women. In a sort of reverse confirmation bias, they simply don't see these problem men outside of the sausage-heavy environments they know them from. As a result, they rarely see the men in question interact with women. They're certainly never on the receiving end.
Add to this a large number of men who aren't making women uncomfortable with their behaviour due to power play or maliciousness. They simply don't know how to interact with women, having spent their life in male-centric environments.
Another issue is the human tendency not to believe bad things you're told about your friends, especially where the report is coming from a third party you don't know well. This is something we can all be guilty of in the right circumstances.
Of course the only effective way to improve the situation is to increase the numbers of women in cybersecurity.