Female stereotyping in security research
The following comic strip was done by a group of individuals who participated in the CTF finals. If you want to follow along, the strip exists at http://hackerschool.org/DefconCTF/17/B300.html The strip is a well written write up with cute illustrations. documenting the teams progression through the investigation. However, there are parts of this strip that as a woman in the security industry, I find inherently offensive and feel enforce negative stereotypes. The comic strip begins with an introduction to the characters:
We meet some hacker dudes, and are also introduced to the cute Tiffany, “Heroine, cheer-leader purpose.”
I have mostly kept my pie hole shut in regards to negative stereotyping in the security industry for fear that I will appear a “bitchy” or “angry” feminist. But had I not consistently experienced negative experiences due to my gender, I probably would have overlooked the mysogny in this strip. I am anomally in the hacker industry; I am a somewhat attractive female who can hold her own in a technical conversation. It is too often that people are surprised when they realize I know what they are talking about. I sigh internally and try not to be frustrated when people at conferences ask me “who are you here with? Who is your boyfriend?” My femininity is questioned. I try not to have my self-esteem shattered when on two seperate occasions someone has asked me if I am transgendered because they cannot possibly believe that a woman is technically apt and into security research.
They can’t believe that I did graduate and post-graduate work in Computer Science, that I am a security consultant for one of the most amazing firms in the business. I can hold my own in a pentest. I have found some wicked bugs.
“Your hands don’t look masculine,” they say.
I am not a horse face, 5’2”, barely 100lbs with obvious feminine curves, and so I am either labled a transvestite or someone’s girlfriend who could not possibly know about computers. In no other field has this happened to me. Truth be told, there are several well-known transgendered women in the community, but I am not one of them. Sigh.
When I first joined the SILC network several years ago I was told by another female to change my nick because she felt it was too sexually suggestive. She said that the men would not take me seriously and had no time for that sort of nonsense. If I wanted to get anywhere in the industry and be taken serioiusly, I needed appear masculine. “In fact, best not to tell people at all that you are a woman.” I am sad that she played into that stereotype and sad that I listened to her misguided advice. I now feel that her suggestion was more a display of her own insecurities. (My nick actually referenced nothing sexual).
At few years ago at Defcon I was listening to a good friend [name redacted], and very well known and respected security researcher and consultant give a talk. At question and answer time he jokingly made the statement that “women do psychology and men do computer science.” Frustrated and flustered by this gross stereotype I approached the microphone and stated that he was obviously wrong, that there were many women in that very room who loved computer science and security. There are some very intelligent women in the security industry. Jody can write a heap overflow exploit like no other. Do I even need to mention Pusscat? He corrected himself.
These stereotypes do not exist in all corners of security research. I have received nothing but a warm welcome, encouragement, collaboration, and teaching from my SILC friends. I have fantastic friends who give me the recognition as a security researcher and woman that I deserve. I am tremendously thankful for those people. But in general, whether we are male or female, please stop reinforcing the idea that women are merely cheerleaders, need to be masculine, girlfriends of someone at the conference, or cannot by default understand PE format and assembly instructions.
