Vanity, Vendors, and Vulnerabilities

Tonight on InfoSec Twitter, this gem was making the rounds:

Hello cybersecurity and election security people,
I sometimes embed your tweets in the Cybersecurity 202 newsletter. Some of you have a habit of swearing right in the middle of an otherwise deeply insightful tweet that I’d like to use. Please consider not doing this.

Identity redacted.

As tempting as it is to just senselessly dunk on the guy, in the spirit of fairness, let’s list the things he did right:

  1. His tweet was politely worded.

It’s something? He could’ve been another Karen, after all!

What Joe got wrong with this tweet is just the latest example of a widespread issue in and around the security community–especially on social media and content aggregator websites.

The structure of the problem goes like this:

  • Someone: “Here’s some content I made and decided to share for free.”
  • Person: “Your use of {profanity, cringe-inducing puns, work-safe furry art} (select one) prohibits me from using your content to further my own career goals. You should change what you’re doing.”

It’s a problem I’ve personally been on the receiving end of. A lot. I even wrote a post about this before, although that focused specifically on the anti-furry sentiment. Unfortunately, this problem is bigger than being repulsed by cute depictions of anthropomorphic animals (which, when sincerely held, are often thinly-veiled dog-whistles for homophobia).

Superficial Professionalism Can Fuck Right Off!

(Art by Khia.)

I totally sympathize with information security professionals who desire to be taken seriously by their business colleagues. That’s why sometimes you’ll see them don a three-piece suit, style their hair like every other corporate drone, and adopt meaningless corporate jargon as if any of it makes sense. You’re doing what you have to do to put food on your table and pay your bills. You’re not a problem.

The problem happens when this desire to appear professional leaks outside of the self and gets projected onto one’s peers.

“Knock it off, guys! You’re making it harder for me to blend in with these soulless wretches–I mean, the finance department!”

How about “No”?

Information Security Is More Than Just a Vocation

I’ve lost count of the hackers I’ve met over the years–white hat hackers, to be clear–who hack for the sheer fun and joy of it, rather than out of obligation to their corporate masters.

Information security–and all of its sub-disciplines, including cryptography–can simultaneously be a very serious and respectable professional discipline, and a hobby for nerds to enjoy.

The sheer entitlement of expecting people who are just having fun with their own skills and experience to change what they’re doing because you stand to benefit from them changing their behavior is similar to another egocentric demand we hear a lot: The cry for “responsible” disclosure.

Weirdness Yields Greatness

The strength of the information security community (read: not the industry, the community) is our diversity.

Pop quiz! What do a gothic enby (and the Bay Area’s only hacker), the woman who leads cryptography at a FAANG company, the man who discovered the BEAST and CRIME attacks against TLS, several of the most brilliant trans folks you’ll ever meet, an Italian immigrant, the co-inventor of the Whirlpool hash function, the Egyptian “father of SSL” mathematician, and some gay dude with a fursona who writes blog posts about software security for fun all have in common?

Sure, we all work in cryptography, but our demographics are all over the place.

This is a feature, not a bug.

If people who are sharing great content–be it on Twitter or on their personal blog–do something that prevents you from sharing their content with your coworkers, the problem isn’t us.

No, the real problem is your coworkers and bosses, and the unquestioned culture of anal-retentive diversity-choking bullshit that pervades business everywhere.

Remember, security industry:

Homogeneity leads to blind spots

If I find a zero-day in your product and want to share it alongside a dancing GIF of my fursona, that’s my prerogative. If you choose to ignore it because of the artistic expression, that’s entirely your choice to make, and your problem to deal with.

In closing, I’d like to offer a simple solution to the mess many technologists, managers, journalists, and even senior vice presidents find themselves in, wherein they can’t readily be more accepting of profanity or quirky interests that are prone to superficial, knee-jerk judgments:

Question it.

Ask yourself “Why?” Ask your team “Why?” Ask your boss “Why?” and keep asking until everyone runs out of canned responses to your questions.

Aversion stems from one of two places:

  1. Fear of negative consequences
  2. Severe reverence towards tradition, even at the expense of innovation

But it’s very easy to confuse these two. You might think you’re avoiding a negative consequence when in reality you’re acting in service of the altar of tradition. Knock that shit out!

Tradition is what humans do when they’re out of ideas. “We don’t know how to be better, and we’ve always done it this way, so we’ll just keep doing what works.” Fuck tradition.

Art by @loviesophiee

Honorable Mentions

If you’re worried about looking bad, here are some notable entities that have shared my work since I started this blog in April 2020:

A Google RFC for AES-GCM in OpenTitan cites one of my blog posts.

There are probably others, but it’s late and I need sleep.

By Soatok

Security engineer with a fursona. Ask me about dholes or Diffie-Hellman!

2 replies on “Vanity, Vendors, and Vulnerabilities”

I totally agree with this.
The /int/ wiki guide to learning Japanese is absolutely epic. One of the best guides I’ve seen. Is it professional?
No. Absolutely not. Not in any sense. I’m pretty sure it called me a [homophobic slur].
Anyway, good blog post. 👍
