17 Dec 2014

Changing the culture of the hackers

1:12 pm on 17 December 2014

“I have no idea what’s going on, but it seems to be important,” a friend leans over and says to me, before nodding authoritatively.

The man on stage continues his presentation, which appears to suggest someone can hack a network using YouTube videos and QR codes. I fear for future internet users’ future cat videos. The 1000-strong crowd whispers its astonishment.

This is Kiwicon, the hacker convention, beloved of black hoodie-wearing men and, as Elle Hunt wrote last year, those who “have hair far longer than is the norm or the fashion of the day”.

Hackers get a bad rap in the media, and the wider tech community is not known for its inclusivity or tolerance, especially in the year that included #Gamergate. (Actually, it’s about ethics in computer security.)

But this year’s con seems friendlier. In a nod to the 1980s theme, it opens with a smoke-filled DeLorean on stage – fulfilling, one assumes, childhood dreams of the organisers. Amid frequent “I am Rawshark” jokes, head-banging metal, and impenetrable technical talks, is the frequent message that blaming people for making security mistakes is pointless and harmful.

On the first day of the conference, one talk goes off the rails – transphobic, Islamophobic, sexist and inappropriate jokes fill the 45 minutes. People turn to Twitter to complain – if you want a community with diversity, they said, this doesn’t help. Kiwicon has a pretty simple code of conduct: don’t be a shitweasel. And it is decided that this talk doesn’t comply, and the speakers are kicked out. It’s a bold move – but organisers say they really do want to change the community.

“We’re all familiar with malware and viruses, but actually a lot of the delivery mechanisms are human-centric,” says Laura Bell, who owns a security firm in Auckland. If people don’t open the emails or go to the sites, she says, the technical side of computer security is lost. “We spend 90 per cent of our technical conferences… building tools to spot the malware, but we never spend any time doing the personable side, trying to solve the delivery problem.”

Part of the problem, Etsy head of security Rich Smith suggests, is that computer security people have a tendency to blame the person who made the mistake that led to a security breach. His slide “don’t hire assholes” was the most tweeted of the conference.

“Definitely in the security industry, there’s people that are very technically competent, but they maybe conduct themselves in the way that is the most constructive to kind of associate people with security.”

“If people feel there is going to be negative consequences from them explaining what went wrong and why,” he says, “then they’re not going to tell you the full story.” There will always be security mistakes, but learning from them, not apportioning blame, is more helpful, he thinks.

Security specialist Leigh Honeywell says there’s a culture of finger-pointing in the community that doesn’t help anyone. She says that is slowly changing. “I’ve been in the field for ten years, and I have watched things go from the kinds of stuff you’re seeing in New Zealand – court orders and people being sued and that kind of crap… But there has been this attitude shift that ‘hey, if people have found a vulnerability in your piece of software, they are doing you a favour.’”

You can hear more from Kiwicon in On The Dial this week.

Cover Image: Flickr user 4nitsirk