If you’ve not seen it yet, there’s a meme going around saying DEFCON is cancelled. It seemed to be purely a good fun troll, but it’s been gaining in popularity over the last couple of weeks.
Then this morning I found what appears to be the official meme manifesto, and it made me wince a bit. Kind of like something good that’s slightly turned.
Let me try to explain.
First, I think the piece is trying to do multiple things at the same time.
- I think it’s trying to be funny, which it is.
- It’s trying to troll some noobs, which it does.
- And finally, it’s trying to say some serious things about the industry, which is where I think it lands squarely in the Uncanny Valley.
The Uncanny Valley is where something like a CG character is almost perfect but is off just enough to cause alarm (see Tom Hanks above). And, importantly, if it were less perfect—in a movie the character would be more cartoony, and in a piece of satire it would be more obviously so—it would be accepted without issue. But because it sits right on the line it causes unease. And that’s precisely the sensation I got.
A few points from the text:
I believe that we are in a post-hacker world. We still need innovative security researchers but we need professionals. We need to shed the “hacker” persona that is denigrating us. We should strive to be professionals, making the Internet a safer place rather than exposing vulnerabilities that can be leveraged by criminals and terrorists.
This one is a clear attack on those who think it’s immature to pursue true research and disclose vulnerabilities, and I absolutely agree with the point. There are nuances of course, but in general this is not something that the community benefits by giving up.
It is my belief that attendance at amateur conferences such as ShmooCon, Summercom, Toorcon, HOPE and even CCC will soon begin to dwindle. As current attendees mature they will become the next generation of security professionals, not hackers. What I’ve said is probably disturbing to some of you, but it is our current reality.
This is also a solid and deeply cutting point, saying that too many professional types have lost the curiosity and true hacker nature.
Professionals have professional credentials. If you want to participate in the security industry, you should obtain the appropriate certifications. ISC2, SANS, EC-Council and many vendors offer well regarded security certifications.
This one is a bit ‘on the nose’, but entertaining.
The next two sections are where I started feeling the Spidey Sense go off. On the national security topic I get the point of opposing blind trust in the government, but I worry it’s hinting at the position that anything under the guise of NATSEC is bad. That’s unhelpful.
Then it talks about privacy, and makes fun of the notion that nothing should be considered private. This is a hard one because I agree with the straw man that they’re knocking over, which is the “if you’ve got nothing to hide” argument. 100% agree.
But I also think privacy is going away, and that it is inevitable. This is because of the future of technology, data exchange, society, etc.—not because Christian Republicans are awesome, and ‘Merica. They’re two separate forces. I oppose one, and I believe the other to be inevitable. The piece conflates these two in an overly simplistic way.
Then we get this vibe as well. It’s actually all throughout the piece, but it’s most pronounced here.
I plan on writing a book covering many topics during my growth from a hacker to a security professional. Feel free to approach me at Black Hat or other conferences to discuss these issues.
The “professional” bashing is the weakest part of the piece, and it’s what produced the Uncanny Valley feel for me.
It’s basically taking real, solid points, making them well and in a funny way, and then at the same time bashing hackers and/or wannabes who are transitioning to being professionals.
This is non-binary.
- There are many hackers who become security professionals
- There are many non-hackers who pretend to be hackers and then become security professionals
- There are many non-hackers who don’t pretend to be hackers and become security professionals
- There are many noobs who are neither, and who are trying to become one or both
I don’t get the professional hate, or the conflation of complex topics. It’s not useful.
- National security is a thing, and it needs good security people to help.
- You can’t blindly trust the government, because ‘Merica.
- You can’t give up privacy because some Republican told you you’re a criminal if you don’t.
- It’s ok to be a wild hacker in your younger years and then become a professional later in life.
- Becoming a professional doesn’t have to mean compromising your values.
If these are in conflict for you it’s because you see the world too simplistically. The world is messy, and it requires nuanced and constant re-evaluation to navigate practicality while remaining true to core principles you believe in.
I wish things were as simple as this manifesto makes them out to be. It was easier for me when they were. But that’s the Fox News approach. It’s compartmentalizing everything into neat boxes so that you know who’s a real hacker, who’s a sell-out, that the government is bad, etc.
I get it. It’s clean. But reality isn’t clean. And true hackers figure out how to be good, in a dirty world, as a professional.
I agree with 90% of what’s being said here, and trolling noobs should never go out of style, but we shouldn’t pretend that the world is simple, because it isn’t.